system
October 18, 2014, 4:22pm
1
Hello there!
Can you help me to fix wscript.exe?
http://i.imgur.com/sTp7SH3.png
I can’t access “Start Task Manager”. :‘( :’(
http://i.imgur.com/HxY3yID.png
You see in the picture, the black rectangle.
pagefile.sys = VIRUS
hiberfil.sys = VIRUS
$RECYCLE.BIN = VIRUS
I put my friend’s USB into my computer, then my PC got slow.
Please help me! :((
Asyn
October 18, 2014, 4:41pm
2
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
The FRST scan is only partial, could you re-run it
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note : You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.
THEN
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan
Then get the log which will be located under the logs tab on the main page
And post that
I still need the main FRST log as I am getting just fragments
You should have an FRST.txt file on the desktop; attach that.
Let me know what problems remain after this
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [iFunBox Price Watch] => C:\Program Files (x86)\iFunbox 2013\iFunBox2013.exe /tray
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\richard\Documents\df5srvc.bfe"
HKU\S-1-5-21-32617649-587432352-3770057819-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\richard\Documents\df5srvc.bfe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Refresh.lnk
ShortcutTarget: Refresh.lnk -> C:\Windows\Mango Skin Pack\Tools\Refresh.cmd (No File)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Before = http://tuvaro.com/ws/?source=4c3f95e5&tbp=homepage&toolbarid=base&u=742a4636000000000000002511c2a5ab
URLSearchHook: HKLM-x32 - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15}
URLSearchHook: HKCU - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15}
SearchScopes: HKCU - ÛŸÆîZ§’2¹Þpv¨IÍá*X(Ž2s(ÛÎÀJºÔÓµ± vË°!×—(ä¼48иpatm6êo^Mp`Ëõ÷_i£w˜¾!„Áû†x¢8€ÙjÀÿþ ´Ñ;áa´[¦†8 º~RÙxœòÜ8'£-)xä URL =
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> H:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll No File
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> H:\Program Files (x86)\Internet Download Manager\IDMIECC.dll No File
FF Plugin HKCU: xyzgl-plugin@xyz-soft.com -> C:\Program Files (x86)\Alfheim\npxyzgl.dll No File
CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 17\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-05-31]
CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 18\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-06-01]
CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 26\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-07-14]
S3 X6va017; \??\C:\Windows\SysWOW64\Drivers\X6va017 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
U3 aswMBR; \??\C:\Users\richard\AppData\Local\Temp\aswMBR.sys [X]
2014-10-19 00:29 - 2014-10-19 00:29 - 00007247 _____ () C:\Windows\system32\rad67BD5.tmp
2014-10-18 23:51 - 2014-10-18 23:51 - 00007247 _____ () C:\Windows\system32\radAF845.tmp
2014-10-18 23:04 - 2014-10-18 23:04 - 00007247 _____ () C:\Windows\system32\rad6455F.tmp
2014-10-18 22:55 - 2014-10-18 22:55 - 00007247 _____ () C:\Windows\system32\rad8E652.tmp
2014-10-18 21:57 - 2014-10-18 21:57 - 00007247 _____ () C:\Windows\system32\rad19FD4.tmp
2014-10-18 20:45 - 2014-10-18 20:45 - 00007247 _____ () C:\Windows\system32\rad63DC5.tmp
2014-10-18 20:44 - 2014-10-18 20:44 - 00007247 _____ () C:\Windows\system32\radEC9D3.tmp
2014-10-18 20:44 - 2014-10-18 20:44 - 00007247 _____ () C:\Windows\system32\radD4EC4.tmp
2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radDED51.tmp
2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC6CA3.tmp
2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC4B8B.tmp
2014-10-18 20:43 - 2014-10-18 20:43 - 00000744 _____ () C:\Windows\SysWOW64\AdvancedInstallers.lnk
2014-10-18 20:43 - 2014-10-18 20:43 - 00000734 _____ () C:\Windows\SysWOW64\AI_RecycleBin.lnk
2014-10-18 20:43 - 2014-10-18 20:43 - 00000724 _____ () C:\Windows\system32\AdvancedInstallers.lnk
2014-10-18 20:43 - 2014-10-18 20:43 - 00000716 _____ () C:\Windows\SysWOW64\0409.lnk
2014-10-18 20:43 - 2014-10-18 20:43 - 00000696 _____ () C:\Windows\system32\0409.lnk
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\Tasks\dekstop.ini
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\SysWOW64\dekstop.ini
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\dekstop.ini
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system\dekstop.ini
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\Minidump\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\richard\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Default\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\ale\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\ProgramData\Microsoft\Windows\Start Menu\dekstop.ini
2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\Documents\dekstop.ini
2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\Desktop\dekstop.ini
2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\ProgramData\dekstop.ini
2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 _RSHC () C:\Program Files\dekstop.ini
2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\dekstop.ini
2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Program Files\Common Files\dekstop.ini
2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Program Files (x86)\dekstop.ini
2014-10-18 20:35 - 2014-10-19 00:29 - 00000000 _____ () C:\Windows\system32\Serv60d.dll
2014-10-18 20:35 - 2014-10-18 20:35 - 00007247 _____ () C:\Windows\system32\radFF515.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radFBC28.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radE8DED.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC1B4E.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radAAE3D.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radA3B79.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\rad94B75.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\rad556F0.tmp
2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\richard\Documents\df5srvc.bfe
2014-10-18 20:41 - 2013-03-03 00:13 - 00000000 ____D () C:\ProgramData\boost_interprocess
C:\Users\richard\Documents\df5srvc.bfe
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
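The fixlist above is built from two kinds of FRST lines: Run-key entries that start Wscript.exe with a forced script engine (//e:VBScript) on a file with a made-up extension in the user's Documents folder, and hidden/system files whose name is a near-miss of desktop.ini (dekstop.ini), which share an identical size and timestamp with the rad*.tmp copies in system32. The following Python script is an added example, not part of this thread and not code from the FRST or Avast tools: it parses FRST-style lines with a simplified regex (an assumption about the format, covering only the Run and file-listing shapes seen above) and flags those three indicators. The sample lines are constructed to mirror entries from the fixlist, with two benign entries added to show they are not flagged.

```python
"""Triage helper for FRST-style log lines (added example, not from the thread).

Flags three indicators seen in the fixlist:
  1. Run-key entries launching wscript/cscript with //e:<engine>, a non-WSH
     script extension, or a script stored under a user profile.
  2. Files whose name is within two edits of desktop.ini (e.g. dekstop.ini).
  3. Other files with exactly the same size and modified stamp as a flagged
     lookalike (the rad*.tmp copies in system32).
"""
import re
from pathlib import PureWindowsPath

# Simplified FRST line shapes (assumption: only the forms seen in the fixlist).
RUN_RE = re.compile(r"^(?P<key>HK\S*?\\\.\.\.\\Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<vendor>[^)]*)\) (?P<path>.+)$"
)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
ENGINE_SWITCH_RE = re.compile(r"//e:(\w+)", re.I)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOY_TARGET = "desktop.ini"

# Constructed sample mirroring the thread's fixlist, plus two benign lines.
SAMPLE_LOG = r"""
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [iFunBox Price Watch] => C:\Program Files (x86)\iFunbox 2013\iFunBox2013.exe /tray
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\richard\Documents\df5srvc.bfe"
HKLM\...\Run: [NightlyBackup] => Wscript.exe "C:\Scripts\backup.vbs"
2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radDED51.tmp
2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\Tasks\dekstop.ini
2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\richard\dekstop.ini
2014-10-18 20:43 - 2014-10-18 20:43 - 00000744 _____ () C:\Windows\SysWOW64\AdvancedInstallers.lnk
2013-01-10 09:12 - 2013-01-10 09:12 - 00000282 ___SH () C:\Users\richard\Desktop\desktop.ini
""".strip().splitlines()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_run_entry(line: str):
    """Return a finding for a Run entry that abuses the Windows Script Host."""
    m = RUN_RE.match(line)
    if not m or not SCRIPT_HOST_RE.search(m["cmd"]):
        return None
    cmd = m["cmd"]
    reasons = []
    engine = ENGINE_SWITCH_RE.search(cmd)
    if engine:  # //e: overrides the engine chosen from the file extension
        reasons.append(f"engine forced with //e:{engine.group(1)}")
    quoted = re.findall(r'"([^"]+)"', cmd)
    script = quoted[-1] if quoted else cmd.split()[-1]
    ext = PureWindowsPath(script).suffix.lower()
    if ext not in SCRIPT_EXTS:
        reasons.append(f"script extension {ext or '(none)'} is not a WSH extension")
    if "\\users\\" in script.lower():
        reasons.append("script lives under a user profile")
    if not reasons:
        return None
    return {"kind": "run-key", "name": m["name"], "key": m["key"],
            "script": script, "reasons": reasons}


def check_file_entry(line: str):
    """Return a finding for a file whose name is a near-miss of desktop.ini."""
    m = FILE_RE.match(line)
    if not m:
        return None
    name = PureWindowsPath(m["path"]).name.lower()
    if name == DECOY_TARGET:
        return None  # the real desktop.ini is legitimate
    dist = levenshtein(name, DECOY_TARGET)
    if dist > 2:
        return None
    reasons = [f"name is {dist} edit(s) from {DECOY_TARGET}"]
    if "H" in m["attrs"] and "S" in m["attrs"]:
        reasons.append("hidden+system attributes")
    return {"kind": "lookalike-file", "path": m["path"], "size": int(m["size"]),
            "modified": m["modified"], "attrs": m["attrs"], "reasons": reasons}


def triage(lines):
    """Scan all lines, then correlate other files with flagged lookalikes."""
    findings, file_entries = [], []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        f = check_run_entry(line)
        if f:
            findings.append(f)
            continue
        m = FILE_RE.match(line)
        if m:
            file_entries.append(m)
            f = check_file_entry(line)
            if f:
                findings.append(f)
    lookalikes = [f for f in findings if f["kind"] == "lookalike-file"]
    twins = {(f["size"], f["modified"]) for f in lookalikes}
    flagged = {f["path"] for f in lookalikes}
    for m in file_entries:  # same size + mtime as a lookalike = dropped copy
        key = (int(m["size"]), m["modified"])
        if m["path"] not in flagged and key in twins:
            findings.append({"kind": "twin-file", "path": m["path"], "size": key[0],
                             "attrs": m["attrs"],
                             "reasons": [f"same size and mtime ({key[1]}) as a desktop.ini lookalike"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f.get("path") or f["script"], "|", "; ".join(f["reasons"]))
```

The script does not delete anything; it only ranks lines for a human to review, which is the point at which the fixlist above was written. The ordinary desktop.ini and the .vbs run from a fixed path produce no finding, so the check discriminates on the engine override, the odd extension and the profile location rather than on the mere presence of wscript.exe.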
system
October 18, 2014, 6:57pm
12
I don’t know which one it is. Sorry T^T
system
October 18, 2014, 7:01pm
13
FRST: Fixlog.txt
I’m going to sleep now.
Let me know of any problems when you wake
system
October 19, 2014, 2:19am
15
I’m here now. My problem is I can’t access “Start Task Manager” and my PC got slow.
The virus is Trojan horse/Cantix/Jenxcus.
system
October 19, 2014, 2:54am
16
I go to Folder Options > View > Advanced settings, and I tick “Show hidden files, folders, and drives”.
The “Desktop.ini” file is a virus.
http://i.imgur.com/8KqFgLv.png
system
October 19, 2014, 5:13am
17
Desktop.ini is legitimate, but the ones I deleted, dekstop.ini, were malware
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications , usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Are you able to access those folders now ?
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\radA73DA.tmp
c:\windows\system32\rad679E4.tmp
c:\windows\system32\rad9592B.tmp
c:\windows\system32\rad574C5.tmp
c:\windows\system32\Serv60d.dll
c:\windows\system32\radB0DD6.tmp
c:\windows\system32\rad04A58.tmp
Folder::
c:\programdata\TweakBit
c:\program files (x86)\TweakBit
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.