wscript.exe and copertps.com/a: please fix my problem

Hi, I’m Francesco from Italy. It’s my first message on the forum. I’ve got the same problem as other users. In a shop my usb pendrive took this kind of virus/malware/spyware (don’t know what it is). Folders become links, control panel and other programs can’t be open.
I need your help to fix. Following the other similar threads I downloaded OTL. Please tell me the steps I have to do and I’ll do them to get rid of this problem. Thank you for your help :slight_smile:

hey and welcome to the avast forum.

plaese follow this guide and attach your logs

we need the logs from adwclener,mbam,otl and aswmbr.

http://forum.avast.com/index.php?topic=53253.0

Hi thank you! :slight_smile:
Ok see you later

Monitoring

Hi, well… I killed the process Wscript.exe in task manager, otherwise I can work only in safe mode.
Attached 3 logs, if they’re enough to fix my problem :slight_smile: (OTL does’t give the “Extra” log, I don’t know why)
If not, ok I go on with the other steps

Sorry for my English, if there are mistakes.
Thank you for your help again!

I forgot the aswMBR log… I’ll post it in a couple of minutes, sorry

I can’t have the whole log from aswMBR :-
It stops before finishing…

Hi,
Have you read our Disclaimer?

• Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...) • Please DO NOT run any other tools or scans whilst you are being helped.

Attach here C:\Combofix.txt logreport.

  • You have been running OTLFix few days ago. Where did you run that and what script you have been used?

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Otl
O3 - HKU\S-1-5-21-3844118948-3775513344-3769683098-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3844118948-3775513344-3769683098-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKU\S-1-5-21-3844118948-3775513344-3769683098-1006..\Run: [dcb3] C:\Documents and Settings\Peter Parker\Dati applicazioni\caa5\dcb3.js ()

:Files
ipconfig /flushdns /c
C:\Documents and Settings\Peter Parker\Dati applicazioni\caa5\*.js
C:\Documents and Settings\Peter Parker\Dati applicazioni\caa5
C:\Programmi\d5ad
C:\cb

:Commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

======== THEN ========

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that has made MCShield.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Sorry for CF, I tried to use it cause it helped me years ago. Sorry
Sorry for OTLFix with another script. I thought it was the same for everybody, later I have read it needs one for one pc only.
Thank you very much for you help. I don’t know if my pc is ok. I attach the report file

Hi magna86, I have done the procedure again, following the steps from the guide. This time I paid attention to the steps and did not touch anything :slight_smile:
Attached the logs of the four programs. Please, can you check if all is ok?
Thank you very much indeed for your help.

Hi,

Again, we’re going back to the same.

You didn’t attach Combofix log as I’ve asked, You didn’t attach MCShield log as I’ve asked, didn’t tell me what OTL script you have been used, you have been running AdwCleaner even 4 times by now and you never attach his true (first) log, and I did not tell you to follow the procedure again from the beginning. ;D

You know, It’s very hard to catch up everything you do on your own so on this question I have no answer.

Please, can you check if all is ok?
Attached logs looks good. :)

:smiley: LOL magna you’re completely right!! If it’s necessary I can run combofix and post the log (can’t find the old one, maybe I deleted it).

I still have a problem: control panel disappeared, restriction when do right-click on “computer propriety”. I know that this problem can be solved coming back on a previous restore point. What do you suggest about it?

Many thanks for your patient help! :slight_smile: :slight_smile:

Let’s re-check all;

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

====== THEN ========

Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:

[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender

[*]Press “Scan”.
[]It will create a log (FSS.txt) in the same directory the tool is run.
[
]Please copy and paste the log to your reply.

Thank you magna. I’ll do it and then post the logs in the next reply

Done. Put the logs below. :slight_smile: :smiley:

P.S. After CF and FSS finished, I clicked on “start” and noticed the control panel appears again! Right click+propriety on “Computer” works as well! Wow, you’re great magna!

I see no active malware on your system. You are clean. First, we need to remove Combofix.

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

========= THEN ==========

Please download zoek.exe (
http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png
) from here or here and save it to your Desktop.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system



createsrpoint
resetwmi;
wscript.exe;z


  1. Save notepad as zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript_big.gif

[*]Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named “zoek-results.log

Please attach it to your reply.

Ok CF has been uninstalled. Below the result from zoek

How is your system running after zoek script?