Infected wscript.exe, non-functioning regedit and other applications

Dear all,

I think I got this virus through my pendrive, which I had used for a brief time at a printing outlet. Now both my pendrive and laptop are infected. The scans do not show any infection, but every time I start my computer I get a notification from AVAST that something was blocked from c:/windows/system32/wscript.exe. The blocks are of type http://etpsoprc.ru/a/, http://copertps.com/a/ and https://specrtop.org/a/.

Other issues:
Regedit opens and closes immediately
No folder options found
No control panel.
I can open these applications immediately after bootup, therefore have enabled folder options and control panel as per instructions received elsewhere. But enabling them does not show this on my computer
All applications except the browser close immediately

Thus I have to run everything on safe mode to make them work. On the safe mode I have got the following logs. I hope this helps.
Thanks for the assistance

The Malwarebytes log is attached here. A few things were identified here, but that did not solve the problem.

Recommended program: http://mcshield.net/
But wait with installing it until the removers have checked your logs; they are notified.

It seems you have avast and AVG installed…
Never install multiple AV; this will give you a slow machine, Windows errors and false detections.

Uninstall one, then run the vendor's removal tool and reboot to clear any leftover files that may conflict.
Tools found here: http://singularlabs.com/uninstallers/security-software/

OK, let's see if we can get it in one

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
O4 - HKLM..\Run: [Search Protection] C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe File not found
O4 - HKU\S-1-5-21-57989841-1644491937-1177238915-1003..\Run: [ed3] C:\Documents and Settings\Evita\Application Data\fb2\ed3.js ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\b975b.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\b975b.js ()
O4 - Startup: C:\Documents and Settings\Austine\Start Menu\Programs\Startup\b975b.js ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\b975b.js ()
O4 - Startup: C:\Documents and Settings\Evita\Start Menu\Programs\Startup\b975b.js ()
[2013/06/11 19:13:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Evita\Application Data\fb2
[2013/06/11 19:13:09 | 000,000,000 | -HSD | C] -- C:\Program Files\e4
[2013/06/11 19:13:08 | 000,000,000 | -HSD | C] -- C:\fa8

:Files
C:\Documents and Settings\Evita\Start Menu\Programs\Startup\*.js
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js
C:\Documents and Settings\Austine\Start Menu\Programs\Startup\*.js
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\*.js 
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Dear Pondus, I have removed AVG and run the removal tool per your instructions. Thank you. :slight_smile:
Dear essexboy, I started running OTL; for around 9 hours it has been showing “killing processes. Do not interrupt”. Is it normal for it to run for so long? Thank you :slight_smile:

My application became non-responsive, so I had to restart the computer. In safe mode I ran OTL again and this time it was quick. Once it restarted I ran the Quick Scan. I have attached the logs of both ‘run fix’ and ‘quick scan’ here.

I have not seen any notifications of virus since on restarting the computer. Applications and regedit are opening without issues. But I still can’t find my control panel at login and ‘folder options’. The regedit shows NofolderOptions as ‘1’ and NoControlPanel as ‘1’

Let's fix that now. Once done, let me know of any remaining problems

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 1

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
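
The entries targeted by the two OTL fixes above share a few recognisable traits: autostart entries pointing at script files (which wscript.exe runs at logon), the same script name in several profiles' Startup folders, hidden+system directories, and Explorer policy values set to 1. The following is an added example, not part of the thread and not an OTL feature, that flags those traits in OTL log text; the function name `triage` and the finding labels are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the two OTL fix scripts posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Search Protection] C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe File not found
O4 - HKU\S-1-5-21-57989841-1644491937-1177238915-1003..\Run: [ed3] C:\Documents and Settings\Evita\Application Data\fb2\ed3.js ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\b975b.js ()
O4 - Startup: C:\Documents and Settings\Evita\Start Menu\Programs\Startup\b975b.js ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 1
[2013/06/11 19:13:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Evita\Application Data\fb2
"""

# Script types that Windows Script Host (wscript.exe) runs when launched at logon.
SCRIPT_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:js|jse|vbs|vbe|wsf))(?=\s|$)", re.I)
# Explorer policy values set to 1, e.g. NoControlPanel, NofolderOptions.
POLICY = re.compile(r"^O7 - .*\\policies\\Explorer: (No\w+) = 1\s*$", re.I)
# File-listing line whose attribute column is -HSD (hidden + system + directory).
HIDDEN_DIR = re.compile(r"^\[[^\]]*\|\s*-?HSD\s*\|[^\]]*\] -- (.+)$")

def triage(log_text):
    """Return (label, value) findings; labels are this example's own names."""
    findings = []
    startup_copies = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line.startswith("O4 - "):
            m = SCRIPT_PATH.search(line)
            if m:
                findings.append(("script-autostart", m.group(1)))
                if line.startswith("O4 - Startup:"):
                    name = m.group(1).rsplit("\\", 1)[1].lower()
                    startup_copies[name].append(m.group(1))
        elif (m := POLICY.match(line)):
            findings.append(("policy-lockout", m.group(1)))
        elif (m := HIDDEN_DIR.match(line)):
            findings.append(("hidden-system-dir", m.group(1)))
    # The same script name dropped into several profiles' Startup folders.
    for name, paths in startup_copies.items():
        if len(paths) > 1:
            findings.append(("same-script-in-multiple-profiles", name))
    return findings

if __name__ == "__main__":
    for label, value in triage(SAMPLE_LOG):
        print(f"{label:34} {value}")
```
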

Log is attached

The programs are functioning well now.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (notice the space between the “x” and “/”), then click OK

- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit Microsoft Windows Update.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

I am having the same problems. Please help me. I am attaching the following files as well.

Make a new topic here with the logs:
http://forum.avast.com/index.php?board=4.0

Dear Essexboy, Followed all the steps, updated my comp, it feels all fresh and clean again. Thank you so very much. :slight_smile: You’re the best!
ESD

Remember MCShield USB protector… see my first reply above. :wink:

@vivekB I have created a topic for you with a fix
http://forum.avast.com/index.php?topic=127129.new#new

Dear essexboy, I don't know if my comp is fully clean of viruses yet. My comp was hanging often after the clean up. I uninstalled as many programs, cleaned my drives of unwanted files, defragmented; no matter what, it just keeps hanging. Some processes are using a lot of memory. Therefore I ran Malwarebytes and I see the same set of infections popping up again and again after removing them. I am attaching a pic of the scan results and the log.

Thank you

Hi, they are Possible Unwanted Modifications and as such are of no import…

So is the computer just running slow?

Hello,

Having the same problem here. Besides the already mentioned problems, it also opens a page called "brasil-pesquisa.pw" on startup, and spawns Windows Update notifications which disappear when I pass the cursor over them.

“brasil-pesquisa.pw” has also been made the default initial page for IE and Chrome. I managed to turn that off on Chrome, but not on IE.

I ran AdwCleaner and OTL, and attached the results

thank you

Also, a short time after posting this, my internet slowed almost to dial up modem speed.

IuriBhering fix here http://forum.avast.com/index.php?topic=127679.new#new