Virus! JS:Redirector-BOS [Trj]

Hi guys,

I’ve been getting popups from avast! since last night telling me it saved me from JS:Redirector-BOS [Trj]. I get the notification every few seconds even after I’ve run scans with avast! and YAC.

I’d upload the MBAM logs, except my laptop isn’t letting me install it (or execute ANY .exe files actually). I’ve downloaded the install file directly from the Malwarebytes site and from the links provided in the instruction thread, but I keep getting an error message that the “setup files are corrupted” and to “please obtain a new copy of the program”. I’ve tried installing AdwCleaner coz it was recommended on a few threads, but same thing happened. Is this the spastic virus wreaking havoc with my computer?! God I hope not. T_T

As for aswMBR, I’m running Windows 8 so I can’t use it.

OTL is working though, and I’ve uploaded the two .txt files.

My computer literacy is… well, non-existent tbh. I have no idea what to do to get rid of this stupid trojan, or how I even got it in the first place. Any help would be greatly appreciated!

[EDIT]

I thought it might help to mention I’m posting from Australia so my times won’t exactly match up with yours, if the “time posted” stat next to my topic is anything to go by, haha. Anyway, please understand if there’s like a 12 hour gap between my replies!

OK one of your torrent seeds is responsible for this. I do not use torrent myself so I hope you know how to delete them

I would like to run a different programme for the moment to determine the main cause

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Hey essexboy, thanks for the reply :)

I’ve tried to run FRST (both versions) on my laptop, but the same problem that happened with MBAM happened again. My laptop can’t seem to run it properly. I don’t quite know how to explain it so I took a bunch of screencaps instead. I know in your reply you said only one of them will run, but I get the same error message for both the 32-bit and the 64-bit files shown in the screencaps I took. Did I do something wrong? I’ve tried just double clicking them and running them as Admin, but neither worked. I thought maybe it was just the computer having an off day so I thought I’d try the next evening, but to no effect whatsoever.

There is one thing that strikes me as strange though: in the third screencap I’ve attached, you can see I’ve downloaded multiple copies of the FRST install file, but they’re also all slightly different sizes. I’m not well-versed on these things so I can’t be sure, but shouldn’t they all be the same size? I mean, I’m downloading the one file from the one site, right? Is my computer totally out of whack? ><

As for the torrent seed, do you know which seed it is? Or do I have to get rid of all of them? Is it a matter of disabling the seed in uTorrent, or do I have to delete the files (as in, out of the recycle bin as well) associated with the torrent itself?

Oh dear, this just got a lot more complicated, didn’t it? T_T

Thank you so much for offering your help though, I’m so lost right now.

Have you tried to run from safe mode?

You guys are quick!

No, I haven’t. I’m running Windows 8, can I still get into safe mode by pressing F8 before it starts up?

Oh, and do I have to download the install file again, or can I just run any of the ones I’ve already downloaded?

Hello essexboy,

I have downloaded Farbar and followed these instructions you posted:

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Much like ‘geniee’ I’m not really computer savvy but hopefully I will be able to resolve this issue with the help of you guys.

I have the logs you require but am a bit worried about posting them here because I do not know what information I would be sharing…can you advise please?

Thanks!

@LewisHoltby

For help start your own topic and attach the requested logs… see logs guide at top in this forum section

No personal info is in the logs … but you can edit posts and remove the logs when the work is done

@geniee
You have SmartScreen turned on. You can turn it off or, on the contrary, you need to allow FRST to be run by clicking Run anyway in the SS pop-up:

  • When you run FRST/FRST64, click on Run anyway (again Run button on UAC screen) and tool should start.
    or…
  • Disable SmartScreen by clicking flag in system tray > Action Center > Change Windows SmartScreen settings > Don’t do anything (turn off…) > Ok

    http://fotkica.com/thumbs3/1_tmb_92721660_W8_SS.jpg

Thanks Pondus!

As magna said, it is Windows safe screen … If you click run anyway you will then be able to run it

Hey guys,

So I’ve tried clicking ‘Run anyway’ on the SmartScreen pop-up, but SmartScreen then tells me “This app can’t run on your PC”.

Then I tried what magna86 suggested (turning off SS) and tried running FRST that way, but I still get the “This app can’t run on your PC” message.

The same thing happens for both the 32-bit file and the 64-bit file.

Any tips on how I should proceed? I feel like the FRST install files I’m downloading are somehow incomplete, because the size of the file differs slightly every time. Argh, frustrating!

Try this link https://dl.dropboxusercontent.com/u/73555776/FRST64.exe

Omg magic! It’s working, thanks! I’ll get the logs to you as soon as it’s finished =)

Here are the logs from FRST =)

Hi, one of your torrent seeds is infected… However, I am unable to determine which one, I am afraid

Ah… Sad, sad day. I guess it was bound to happen at one point, huh.

So does that mean I have to delete the files associated with each torrent as well, or just make all seeds stop being active?

Thanks heaps for your help, I was starting to panic if my computer was dying, haha.

Unfortunately I do not use torrent, but, if you are able to disable the seeds one at a time, that will enable you to determine which one is bad

Sounds good, I’ll do that :)

Just a quick question, is there any way for me to know if this trojan has done funny things to my PC? Because I’ve noticed ever since those avast! alerts have started popping up, my browsing experience has taken a significant hit; everything, from downloading a file to just loading a page, is slower and my connection drops out intermittently (sometimes my WiFi connection itself drops). Plus I have that problem with downloading working install files when it never happened before the alerts. MBAM still won’t install! Grr.

Hopefully deleting the rubbish torrent will solve it though! crosses fingers

OK, let’s look deeper :)

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Heya essexboy,

Here’s my ComboFix log =)