I plugged in my USB that was previously used in a printing shop into my laptop and I have been getting these detections from Avast lately (URL: http://copertps.com/a/; specrtop; etproprc.ru). Applications are not starting up and besides that I have connected my external HD to it. I’m wondering if my external HD is infected as well? Please help. I have done the scans and attached the logs.
Hey, and welcome to the forum.
Thanks for attaching the needed logs. A malware expert will help you from here when one is online later today.
Quote: "I plugged in my USB that was previously used in a printing shop"
Disconnect your USB devices, then follow the MCShield guide here and attach the log: http://forum.avast.com/index.php?topic=126226.msg948366#msg948366
DO NOT follow the OTL instruction posted below in that post…only MCShield instructions
malware removal experts are notified…
I formatted my thumbdrive so nothing appeared in the MCShield Scan. As for the external HD it found something and I manually deleted it. I forgot to save the log but there is no more malware detected in the external HD.
Hi,
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2918466235-2902820834-1778583763-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\S-1-5-21-2918466235-2902820834-1778583763-1001..\Run: [96f] C:\Users\Sunbun\AppData\Roaming\80ed\96f.js ()
O4 - Startup: C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4b.js ()
O33 - MountPoints2\{23f38f4e-a9b6-11e1-9898-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{23f38f4e-a9b6-11e1-9898-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Password.exe
:files
C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4b.js
ipconfig /flushdns /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link
Softpedia - Mirror download link
[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has made.
Start → All Programs → MCShield → Logs
Attach here → AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
I ran what you told me to on OTL and it still had detections. So I re-ran it in safe mode and it seemed like there are no longer any detections, but the applications still cannot be started. Here are the logs.
Please run OTL again > Run Scan
There are still detections and I can’t seem to run OTL because it keeps closing itself. So I ran the scan in safe mode.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
O4 - HKU\S-1-5-21-2918466235-2902820834-1778583763-1001..\Run: [96f] C:\Users\Sunbun\AppData\Roaming\80ed\96f.js ()
:files
C:\Users\Sunbun\AppData\Roaming\80ed\96f.js
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
It did not reboot the system. Here is the log report.
OK, any problems?
So far no detection. But programs are either closing immediately after opening or not even starting.
What programs, explain a little bit better.
Programs like ccleaner close immediately after opening. OTL and adwcleaner cannot be run. Then there are detections again. I reran the whole scan in safe mode again.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
O4 - HKU\S-1-5-21-2918466235-2902820834-1778583763-1001..\Run: [96f] C:\Users\Sunbun\AppData\Roaming\80ed\96f.js ()
O4 - Startup: C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2ba.js ()
[2013/06/14 21:55:19 | 000,049,015 | ---- | M] () -- C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2ba.js
[2013/06/14 21:00:00 | 000,049,015 | ---- | C] () -- C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2ba.js
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
Here is the log. ccleaner, OTL and adwcleaner can be opened now. wscript.exe can no longer be seen running in the process tab in the task manager. I think you have done it!
Please post a new OTL log.
Here is the new OTL log.
This looks good.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:files
C:\81758
C:\Users\Sunbun\AppData\Roaming\80ed
C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
:commands
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
Step 2
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe
[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”
[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
It says that no cleanup is required.
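
The OTL fixes in this thread all target the same pattern: a `.js` file launched at logon from a Run key or the Startup folder (which Windows hands to wscript.exe), plus a MountPoints2 AutoRun command left behind by the removable drive. As an added example, not part of the original thread or of OTL itself, this Python sketch triages OTL-style `O4`/`O33` lines for that pattern; the regular expressions are an assumption fitted to the lines quoted above, and the last sample line is constructed.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Windows Script Host (wscript.exe / cscript.exe) runs directly.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# O4 = autostart entries (Run keys, Startup folder); O33 = MountPoints2 AutoRun.
# Patterns are fitted to the log lines quoted in this thread (assumption).
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+) \(.*\)$')
O4_STARTUP = re.compile(r'^O4 - Startup: (?P<path>.+) \(.*\)$')
O33_CMD = re.compile(r'^O33 - MountPoints2\\(?P<vol>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<path>.+)$')

def triage(lines):
    """Return (kind, path, reason) for entries matching the thread's pattern."""
    findings = []
    for line in lines:
        line = line.strip()
        for kind, rx in (("run-key", O4_RUN), ("startup-folder", O4_STARTUP)):
            m = rx.match(line)
            if m and PureWindowsPath(m["path"]).suffix.lower() in SCRIPT_EXTS:
                findings.append((kind, m["path"], "script file launched at logon"))
        m = O33_CMD.match(line)
        # A command sitting at the root of a drive letter is the typical
        # removable-media launcher (two path parts: the drive and the file name).
        if m and len(PureWindowsPath(m["path"]).parts) == 2:
            findings.append(("autorun", m["path"], "AutoRun command on volume " + m["vol"]))
    return findings

# First four lines are quoted from the thread; the last one is constructed (benign).
SAMPLE = [
    r'O4 - HKU\S-1-5-21-2918466235-2902820834-1778583763-1001..\Run: [96f] C:\Users\Sunbun\AppData\Roaming\80ed\96f.js ()',
    r'O4 - Startup: C:\Users\Sunbun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4b.js ()',
    r'O33 - MountPoints2\{23f38f4e-a9b6-11e1-9898-806e6f6e6963}\Shell - "" = AutoRun',
    r'O33 - MountPoints2\{23f38f4e-a9b6-11e1-9898-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Password.exe',
    r'O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files (x86)\Example\updater.exe (Example Corp)',
]

if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE):
        print(f"{kind:15} {path}  <- {reason}")
```

A flagged entry is a lead for review, not a verdict; as the thread shows, the Startup script reappeared under a new name (`c4b.js`, then `c2ba.js`) until the Run-key entry that launched it was removed as well.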