Suggestions to get rid of http://jsh37.net/a/ ......MALWARE

Viruses and worms
1

Hello!

I’m having the same problem as this person http://forum.avast.com/index.php?topic=119713.0
I’ll just be copying parts of the post:

"I inserted an usb drive into my laptop and scanned it while opening the drive many files are not visible, and folders were displayed as shortcuts.
after that i could see that below 2 urls are invoked at regular intervals and blocked by avast
http://nnh42.name/a/
http://jsh37.net/a/
also the windows update icon in the tray keeps multiplying.
how to get rid of this problem.help!

2

Hi there after a few goes at this it is now relatively easy to remove

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

3

Hello,

I did the OTL scan. The Logs are attached.

4

First we will need to disable C:\windows\system32\wscript.exe

Using windows explorer go to C:\windows\system32
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK
Then delete Wscript.exe to the recycle bin

https://dl.dropbox.com/u/73555776/wscript%20ownership.JPG

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
SRV - [2013/04/05 00:52:28 | 000,109,064 | ---- | M] (Wajam) [Auto | Running] -- C:\Program Files\Wajam\Updater\WajamUpdater.exe -- (WajamUpdater)
IE - HKLM\..\SearchScopes\{3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z7xdm354YYin&ptnrS=Z7xdm354YYin&si=124514_race_gcIND&ptb=12FE1BD2-7E27-45E5-A034-9DD81847D53C&psa=&ind=2012061804&st=sb&n=77eda06c&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2790392
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\InprocServer32 File not found
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=108921&tt=290312_bexdll&babsrc=SP_ss&mntrId=9822e933000000000000000000000000
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z7xdm354YYin&ptnrS=Z7xdm354YYin&si=124514_race_gcIND&ptb=12FE1BD2-7E27-45E5-A034-9DD81847D53C&psa=&ind=2012061804&st=sb&n=77eda06c&searchfor={searchTerms}
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2790392
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6R8CWeu0gh&i=26
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}: C:\Program Files\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [2013/04/05 00:52:28 | 000,037,909 | ---- | M] ()
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Wajam) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files\Wajam\IE\priam_bho.dll (Wajam)
O3 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
O4 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000..\Run: [98c69] C:\Users\vaibhav\AppData\Roaming\8ed0\98c69.js ()
O4 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - Startup: C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4c4c.js ()
O33 - MountPoints2\{23500543-458f-11df-93a3-001dd9f8f5c0}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{23500543-458f-11df-93a3-001dd9f8f5c0}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{29e3727f-1658-11e1-a3c3-a8787e70be29}\Shell - "" = AutoRun
O33 - MountPoints2\{29e3727f-1658-11e1-a3c3-a8787e70be29}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{34b5682e-7f18-11e0-a922-c8de0e3bfeb7}\Shell - "" = AutoRun
O33 - MountPoints2\{34b5682e-7f18-11e0-a922-c8de0e3bfeb7}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\AutoRun\command - "" = H:\NIKOLIC\\baswala.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\explore\command - "" = H:\NIKOLIC\\\baswala.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\open\command - "" = H:\NIKOLIC\\\baswala.exe
O33 - MountPoints2\{36c98d01-6bf3-11e0-b332-fb77929a60e2}\Shell - "" = AutoRun
O33 - MountPoints2\{36c98d01-6bf3-11e0-b332-fb77929a60e2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{60983e63-8364-11e0-b9f2-8a9d666004aa}\Shell - "" = AutoRun
O33 - MountPoints2\{60983e63-8364-11e0-b9f2-8a9d666004aa}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{66a83c17-0765-11e1-89e3-ae78ec07dce2}\Shell - "" = AutoRun
O33 - MountPoints2\{66a83c17-0765-11e1-89e3-ae78ec07dce2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{66a83c27-0765-11e1-89e3-ae78ec07dce2}\Shell - "" = AutoRun
O33 - MountPoints2\{66a83c27-0765-11e1-89e3-ae78ec07dce2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\DUSKO\\\svjetlana.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\explore\command - "" = H:\DUSKO\\\\svjetlana.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\open\command - "" = H:\DUSKO\\\\svjetlana.exe
O33 - MountPoints2\{8c1d25a2-2c45-11df-8771-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{8c1d25a2-2c45-11df-8771-001b38a2f4e8}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\AutoRun\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\explore\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\open\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{9bc3808e-1a91-11e1-9674-e7d93968262f}\Shell - "" = AutoRun
O33 - MountPoints2\{9bc3808e-1a91-11e1-9674-e7d93968262f}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{a7ddbf82-7ebd-11e0-914b-989e7a7bf4da}\Shell - "" = AutoRun
O33 - MountPoints2\{a7ddbf82-7ebd-11e0-914b-989e7a7bf4da}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{a7ddbfa3-7ebd-11e0-914b-989e7a7bf4da}\Shell - "" = AutoRun
O33 - MountPoints2\{a7ddbfa3-7ebd-11e0-914b-989e7a7bf4da}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{b514b11b-7f8a-11e0-9eaa-a68f40ebc0f8}\Shell - "" = AutoRun
O33 - MountPoints2\{b514b11b-7f8a-11e0-9eaa-a68f40ebc0f8}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{bf049174-4e2d-11df-b3d7-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{bf049174-4e2d-11df-b3d7-001b38a2f4e8}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{cd9847d4-6e51-11e0-9872-eabe28869fe6}\Shell - "" = AutoRun
O33 - MountPoints2\{cd9847d4-6e51-11e0-9872-eabe28869fe6}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{d05ab49b-4f79-11df-b917-001b38a2f4e8}\Shell\Auto\command - "" = I:\msbackup.exe
O33 - MountPoints2\{d05ab49b-4f79-11df-b917-001b38a2f4e8}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\msbackup.exe
O33 - MountPoints2\{d67d1264-68ec-11e0-8fb8-8b1bded65ded}\Shell - "" = AutoRun
O33 - MountPoints2\{d67d1264-68ec-11e0-8fb8-8b1bded65ded}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{d67d1268-68ec-11e0-8fb8-8b1bded65ded}\Shell - "" = AutoRun
O33 - MountPoints2\{d67d1268-68ec-11e0-8fb8-8b1bded65ded}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{e6aacaaf-6a40-11e0-ae98-a178bd7d08ed}\Shell - "" = AutoRun
O33 - MountPoints2\{e6aacaaf-6a40-11e0-ae98-a178bd7d08ed}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\b.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\explore\Command - "" = H:\b.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\open\Command - "" = H:\b.exe
[2013/04/09 23:30:55 | 000,000,000 | ---D | C] -- C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
[2013/04/09 23:30:44 | 000,000,000 | ---D | C] -- C:\Users\vaibhav\AppData\Local\Wajam
[2013/04/09 23:30:23 | 000,000,000 | ---D | C] -- C:\Program Files\Wajam
[2013/04/09 11:21:52 | 000,000,000 | -HSD | C] -- C:\Users\vaibhav\AppData\Roaming\8ed0
[2013/04/10 01:00:05 | 000,045,644 | ---- | C] () -- C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4c4c.js

:Files
C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Program Files\Web Assistant

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

5

I am unable to delete the wscript.exe

“DESTINATION FOLDER ACCESS DENIED” error!

6

hey essexbox will help you when he comes back online today.

have you run his fix in the post above?

7

I tried to delete wscript.exe as suggested but could not do it…

I get “DESTINATION FOLDER ACCESS DENIED” error!

any other method to delete the app?

8

Was that on the entire system32 folder or just wscript ?

9

the wscript.exe file

10

Download this small zip file to your desktop
https://dl.dropbox.com/u/73555776/TakeOwnership.zip
Extract the takeownership. reg file
Double click and allow to merge with the registry
Then go to Wscript and right click
Select take ownership

Let me know if that works

11

the takeownership.reg got added to registry . But when right clicked on wscript.exe there is no Take ownership option.
most of the files in system32 folder when right clicked show this option bt not this one.One more wscui.cpl file doesnt show that take ownership option too

12

Did you get any errors when you tried to take ownership via the original method ?

OK what I will do then is use a specialist tool to delete wscript and then once done I will give you a new copy of the file

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

https://dl.dropbox.com/u/73555776/avenger.jpg

Begin copying here: 
Files to delete:
C:\windows\system32\wscript.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply[/b].

THEN

Run the OTL scrip as previously posted

13

Thank you.

Finally removed the wscript.exe through Avengers.

Ran the OTL too.

Good, the windows update icon in the tray has stopped multiplying!

both avenger.txt & OTL.txt is attached.

14

OK final stretch, run the OTL fix first and after the reboot then download the wscript.exe file

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O3 - HKLM\..\Toolbar: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2013/04/09 11:21:52 | 000,000,000 | -HSD | C] -- C:\8f9ea

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download wscript.exe from here and place it in your C:\windows\system32 folder

https://dl.dropbox.com/u/73555776/wscript.exe

Reboot again and let me know how the computer is behaving

15

I have done the “Run Fix” & “Quick Scan”.
here are the logs

16

Have copied wscript.exe to system32 folder.

Now I dont get any virus alert even when i am online.

17

I have copied the wscript.exe file to the system32 folder.

No more virus alerts are there.

18

OK are you happy for me to remove my tools now ?

19

Thank You very much for the guidance…

20

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: