14/05/2016 Shortcut virus - location: cmd (C:\Windows\System32)

Hi there,

I have received the same problem as in the thread:
https://forum.avast.com/index.php?topic=138715.0

A colleague borrowed my flash drive and brought it back infected, so now whenever I insert the drive into my computer I can only see links to an application in System32.

I have completed the steps as suggested by TwinHeadedEagle and have now produced the attached logs (GMER, FRST, Addition, AdwCleaner[S1], MCShield-AllScans).

I now need a remover to please provide me with assistance on the next steps I should take.

Thanks in advance for your support.

Best regards,
Rob

Here is my MCShield Scan result…

You need to copy and paste the MCShield log or we can't read it (a forum issue)

[b]A colleague borrowed my flash drive[/b] and brought it back infected, so now whenever I insert the drive into my computer I can only see links to an application in System32.
Then you can tell him his computer is infected; he may get help here also if he wants

Okay, here it is…

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

14/05/2016 13:25:53 > Drive C: - scan started (SYSTEM ~465 GB, NTFS HDD )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

14/05/2016 13:27:56 > Drive F: - scan started (IPCONVOPC ~7382 MB, FAT32 flash drive )…

—> Executing generic S&D routine… Searching for files hidden by malware…

—> Items to process: 26

—> F:\RX1501.txt > unhidden.

—> F:\ROXII_v2.6_RX1500_User-Guide_CLI_EN.pdf > unhidden.

—> F:\ROXII_v2.6_RX1500_User-Guide_WebUI_EN.pdf > unhidden.

—> F:\SVC-PLUS_Plant_Control_HAJ.pdf > unhidden.

—> F:\SVC-PLUS_Plant_Control.ppt > unhidden.

—> F:\speech.docx > unhidden.

—> F:\Tim email.docx > unhidden.

—> F:\DOC040216-04022016014921.pdf > unhidden.

—> F:\N-000077_E_D4_6302_2_HAJ_D.pdf > unhidden.

—> F:\SVC Hail Al Jouf Cubicles_2015_06_12.pdf > unhidden.

—> F:\Overtime sheet - Mar 2016.pdf > unhidden.

—> F:\DOC040516-04052016021904.pdf > unhidden.

—> F:\DOC040516-04052016022216.pdf > unhidden.

—> F:\DOC040616-04062016051637.pdf > unhidden.

—> F:\DOC040616-04062016200752.pdf > unhidden.

—> F:\58. 160407_HAIL_AL_JOUF_=X3+P1_REV.pdf > unhidden.

—> F:\DOC040716-04072016050932.pdf > unhidden.

—> F:\Site_Layout.pdf > unhidden.

—> F:\Lothar_Passport.pdf > unhidden.

—> F:\Shadeed Steel SVC Trip.zip > unhidden.

—> F:.text > unhidden.

—> F:.rdata > unhidden.

—> F:.data > unhidden.

—> F:.pdata > unhidden.

—> F:.rsrc > unhidden.

—> F:.reloc > unhidden.

F:\RX1501.lnk - Malware > Deleted. (16.05.14. 13.29 RX1501.lnk.755825; MD5: cbc31d01d9aee47c6f30cfb3942f15a4)

F:\ROXII_v2.lnk - Malware > Deleted. (16.05.14. 13.29 ROXII_v2.lnk.548332; MD5: 11e308e143e56e132d95a5402cfc9549)

F:\SVC-PLUS_Plant_Control_HAJ.lnk - Malware > Deleted. (16.05.14. 13.29 SVC-PLUS_Plant_Control_HAJ.lnk.259893; MD5: 6d93b09630bbc5ce3476adafccee9541)

F:\SVC-PLUS_Plant_Control.lnk - Malware > Deleted. (16.05.14. 13.29 SVC-PLUS_Plant_Control.lnk.468151; MD5: 35bc8889e0643bf36a3941b774ba44eb)

F:\speech.lnk - Malware > Deleted. (16.05.14. 13.29 speech.lnk.157890; MD5: b9576e76a2f00a6920a0774f4386d026)

F:\Tim email.lnk - Malware > Deleted. (16.05.14. 13.29 Tim email.lnk.918035; MD5: b10b479ef28c219dd19acf462c2d5d2d)

F:\DOC040216-04022016014921.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040216-04022016014921.lnk.122752; MD5: b3a243c8e00c85277201bba2cd91f6e2)

F:\N-000077_E_D4_6302_2_HAJ_D.lnk - Malware > Deleted. (16.05.14. 13.29 N-000077_E_D4_6302_2_HAJ_D.lnk.72384; MD5: 29876ed9923d598f699cdb727974a314)

F:\SVC Hail Al Jouf Cubicles_2015_06_12.lnk - Malware > Deleted. (16.05.14. 13.29 SVC Hail Al Jouf Cubicles_2015_06_12.lnk.616629; MD5: 630bfc51ec9a3c0232f40e98418553a3)

F:\Overtime sheet - Mar 2016.lnk - Malware > Deleted. (16.05.14. 13.29 Overtime sheet - Mar 2016.lnk.547676; MD5: 8d2aff40b254201b1f31d499092f515d)

F:\DOC040516-04052016021904.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040516-04052016021904.lnk.109196; MD5: b2d871cef1be4ab28b1212a75bcd8298)

F:\DOC040516-04052016022216.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040516-04052016022216.lnk.721574; MD5: 40fd13eecd60636b539ba216162cd3da)

F:\DOC040616-04062016051637.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040616-04062016051637.lnk.120325; MD5: 89fcaf1418d80f6399f4298367c89a24)

F:\DOC040616-04062016200752.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040616-04062016200752.lnk.487852; MD5: 0973cbdf6ef1fc4f2b2c620d6e979cea)

F:\58.lnk - Malware > Deleted. (16.05.14. 13.29 58.lnk.667161; MD5: fc3410b400653dbc74653105516f4eb9)

F:\DOC040716-04072016050932.lnk - Malware > Deleted. (16.05.14. 13.29 DOC040716-04072016050932.lnk.817651; MD5: 12d1338de3295e201de48b7ca162d26c)

F:\Site_Layout.lnk - Malware > Deleted. (16.05.14. 13.29 Site_Layout.lnk.398805; MD5: 0f3b85450d2856848be5f24f05e8a497)

F:\Lothar_Passport.lnk - Malware > Deleted. (16.05.14. 13.29 Lothar_Passport.lnk.609337; MD5: 8077bffd856957096d3b90f8fb95aab4)

F:\Shadeed Steel SVC Trip.lnk - Malware > Deleted. (16.05.14. 13.29 Shadeed Steel SVC Trip.lnk.275942; MD5: 8032ebabd0544a347a5557480c23da1b)

F:.lnk - Malware > Deleted. (16.05.14. 13.29 .lnk.292440; MD5: eb221c0f3ed83f379d6089b041e0504b)

F:\VID-20152415-WA011.MP4.js - Malware > Deleted. (16.05.14. 13.29 VID-20152415-WA011.MP4.js.659924; MD5: e687f7ba6edaeefd06125e460c54d90f)

F:\ROX_Upgrade_Keys_L3SE_Order_1347267_PO_3312981152.lnk - Malware > Deleted. (16.05.14. 13.29 ROX_Upgrade_Keys_L3SE_Order_1347267_PO_3312981152.lnk.369254; MD5: 426ba904b65517dfaec108e39b709daf)

F:\repository.lnk - Malware > Deleted. (16.05.14. 13.29 repository.lnk.195259; MD5: 431e62a549e4f8e70daac1cdefee699b)

F:\aljouf test.lnk - Malware > Deleted. (16.05.14. 13.29 aljouf test.lnk.15447; MD5: c0e00dfad0b78257deb485725d08e6a6)

F:\SCAN.lnk - Malware > Deleted. (16.05.14. 13.29 SCAN.lnk.243297; MD5: 911bd1ec57ec4cfd19eb3ebb8df2eaf3)

F:\160510.lnk - Malware > Deleted. (16.05.14. 13.29 160510.lnk.123529; MD5: aab31fb91813e6b2c94abd4a19ec31aa)

F:\HAJ_Changes_Redmarks.lnk - Malware > Deleted. (16.05.14. 13.29 HAJ_Changes_Redmarks.lnk.499146; MD5: 1423ee5ba1fd149d0b00fd63c6db0d07)

F:\IDP.lnk - Malware > Deleted. (16.05.14. 13.29 IDP.lnk.795130; MD5: fae91ba05622d8384bf8523abf6d8153)

F:\160414.lnk - Malware > Deleted. (16.05.14. 13.29 160414.lnk.205382; MD5: 81f748abdd551a970eb10ddfaeff0a2d)

F:\160424.lnk - Malware > Deleted. (16.05.14. 13.29 160424.lnk.194198; MD5: 6835e7c7c59bcd151ca9898ab6296a94)

F:\AX NF ZZ.lnk - Malware > Deleted. (16.05.14. 13.29 AX NF ZZ.lnk.57112; MD5: b27269cbc74f2ccb083d127afa9ce9f5)

F:\Safaniya IBS Berichte.lnk - Malware > Deleted. (16.05.14. 13.29 Safaniya IBS Berichte.lnk.219103; MD5: 28e00363c6264ea973782325dbc0a208)

F:\160508.lnk - Malware > Deleted. (16.05.14. 13.29 160508.lnk.173544; MD5: ee23a1b2168bd2cffb80a736d6b29346)

F:\160509.lnk - Malware > Deleted. (16.05.14. 13.29 160509.lnk.333261; MD5: 0789f5bdfa9b39730ea95b48e5ca34ea)

F:\SEC Checklist.lnk - Malware > Deleted. (16.05.14. 13.29 SEC Checklist.lnk.621154; MD5: 3993769919f4a190b778c3bcf098a17c)

F:\160511.lnk - Malware > Deleted. (16.05.14. 13.29 160511.lnk.586836; MD5: 579a894465c3135e7ab23d7aa2057ddf)

F:\System Volume Information.lnk - Malware > Deleted. (16.05.14. 13.29 System Volume Information.lnk.643785; MD5: b41432ba1e3d80029a1389f648215b93)

F:\160502_Protocols.lnk - Malware > Deleted. (16.05.14. 13.29 160502_Protocols.lnk.771141; MD5: 89f25e9ea1b168e7ec1dcabf833561e2)

F:\S7.lnk - Malware > Deleted. (16.05.14. 13.29 S7.lnk.608647; MD5: 0072ac8bc38cdc4a6a86e2130e25242d)

F:\Hail_Pics.lnk - Malware > Deleted. (16.05.14. 13.29 Hail_Pics.lnk.50124; MD5: d36339fae89d705c2a5800f7f2c276cf)

F:\160514.lnk - Malware > Deleted. (16.05.14. 13.29 160514.lnk.289475; MD5: 89fd16d018b7164cc9e2c5e646040fae)

Resetting attributes: F:\ROX_Upgrade_Keys_L3SE_Order_1347267_PO_3312981152 < Successful.

Resetting attributes: F:\repository < Successful.

Resetting attributes: F:\aljouf test < Successful.

Resetting attributes: F:\SCAN < Successful.

Resetting attributes: F:\160510 < Successful.

Resetting attributes: F:\HAJ_Changes_Redmarks < Successful.

Resetting attributes: F:\IDP < Successful.

Resetting attributes: F:\160414 < Successful.

Resetting attributes: F:\160424 < Successful.

Resetting attributes: F:\AX NF ZZ < Successful.

Resetting attributes: F:\Safaniya IBS Berichte < Successful.

Resetting attributes: F:\160508 < Successful.

Resetting attributes: F:\160509 < Successful.

Resetting attributes: F:\SEC Checklist < Successful.

Resetting attributes: F:\160511 < Successful.

Resetting attributes: F:\System Volume Information < Successful.

Resetting attributes: F:\160502_Protocols < Successful.

Resetting attributes: F:\S7 < Successful.

Resetting attributes: F:\Hail_Pics < Successful.

Resetting attributes: F:\160514 < Successful.

=> Malicious files : 41/41 deleted.
=> Hidden folders : 20/20 unhidden.
=> Hidden files : 26/26 unhidden.


::::: Scan duration: 1min 38sec ::::::::::::


It may take some hours before a malware expert is online :wink:

Let me know of any problems after this

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-776561741-789336058-725345543-438191\...\Run: [VID-20152415-WA011] => wscript.exe //B "C:\Users\ROBERT~1.LEO\AppData\Local\Temp\VID-20152415-WA011.MP4.js" <===== ATTENTION
Startup: C:\Users\robert.leone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID-20152415-WA011.MP4.js [2015-10-08] ()
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

Hi essexboy,

Thanks for the fast response.

Please find the log attached.

Regards,
Rob

Any further problems?

Nope, everything looks fine thanks. I’ve been monitoring it and still no problems. Thank you very much for your help and fast responses. Great work!!

Hi, I am Rob's colleague.

I have the same virus and another from us as well.

If you can help me as well this would be great.

You also need the MCShield log

Okay here it is:


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

15.05.2016 09:41:18 > Drive E: - scan started (HP V210W ~3815 MB, FAT32 flash drive )…

—> Executing generic S&D routine… Searching for files hidden by malware…

—> Items to process: 12

—> E:\160512_SVC HAJ_-Z0_AC Distribution.pdf > unhidden.

—> E:\160512_SVC HAJ_-Z0_BatteryCharger (3).pdf > unhidden.

—> E:\SVC HAIL=Z0_Interconnection Diagram_Rev0_2016-04-04.pdf > unhidden.

—> E:\Z0 interconnection Diagram Drawing.pdf > unhidden.

—> E:\DOC051416-05142016052832.pdf > unhidden.

—> E:\Ausschnitt1.pdf > unhidden.

—> E:\Ausschnitt2.pdf > unhidden.

—> E:\Ausschnitt3.pdf > unhidden.

—> E:\Ausschnitt4.pdf > unhidden.

—> E:\Ausschnitt 5.pdf > unhidden.

—> E:\Ausschnitt6.pdf > unhidden.

—> E:\Ausschnitt7.pdf > unhidden.

E:\160512_SVC HAJ_-Z0_AC Distribution.lnk - Malware > Deleted. (16.05.15. 09.41 160512_SVC HAJ_-Z0_AC Distribution.lnk.552365; MD5: aab4b0dd6fff3ee549bcc1ef8864c728)

E:\160512_SVC HAJ_-Z0_BatteryCharger (3).lnk - Malware > Deleted. (16.05.15. 09.41 160512_SVC HAJ_-Z0_BatteryCharger (3).lnk.344871; MD5: aa98a888b87178b6e6a6a709ba3ca82c)

E:\SVC HAIL=Z0_Interconnection Diagram_Rev0_2016-04-04.lnk - Malware > Deleted. (16.05.15. 09.41 SVC HAIL=Z0_Interconnection Diagram_Rev0_2016-04-04.lnk.498510; MD5: 7123ccccdb45137f935d19789861344d)

E:\Z0 interconnection Diagram Drawing.lnk - Malware > Deleted. (16.05.15. 09.41 Z0 interconnection Diagram Drawing.lnk.769085; MD5: 9a62ce277d56c86b42751c53ee5b4a4a)

E:\DOC051416-05142016052832.lnk - Malware > Deleted. (16.05.15. 09.41 DOC051416-05142016052832.lnk.957359; MD5: 3c5644ef18722051af6b91665c45da08)

E:\Ausschnitt1.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt1.lnk.655187; MD5: c19c08c80ddbbcae49001c5ee005fd0b)

E:\Ausschnitt2.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt2.lnk.296122; MD5: 54e1256b8709b2d1cda148cb7fc753c3)

E:\Ausschnitt3.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt3.lnk.370389; MD5: 26eff402548dd4a2a985f96000c26528)

E:\Ausschnitt4.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt4.lnk.413169; MD5: b1539874c68f2527eb53dd18378e371c)

E:\Ausschnitt 5.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt 5.lnk.281899; MD5: fcf9fe229e760a556177e33a9ebc4c24)

E:\Ausschnitt6.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt6.lnk.746067; MD5: 7df3e238b30e7de7b79cc7017a5b1626)

E:\Ausschnitt7.lnk - Malware > Deleted. (16.05.15. 09.41 Ausschnitt7.lnk.358445; MD5: 0fc1322bdf2463b320d0c03d155cb096)

E:\VID-20152415-WA011.MP4.js - Malware > Deleted. (16.05.15. 09.41 VID-20152415-WA011.MP4.js.255732; MD5: e687f7ba6edaeefd06125e460c54d90f)

=> Malicious files : 13/13 deleted.
=> Hidden files : 12/12 unhidden.


::::: Scan duration: 2sec ::::::::::::::::::
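Both MCShield logs in this thread (Rob's drive F: above and the colleague's drive E: here) show the same pattern: the real files and folders were set hidden, a .lnk carrying each item's name was dropped beside it, and a .js dropper named like a video was left on the root. The PowerShell script below is an added example, not part of the thread and not MCShield's own code. It takes a drive letter, resolves each shortcut's target through the WScript.Shell COM object, and only reports the three indicators (hidden originals, shortcuts that launch a script host or shell, loose script files); it deletes and unhides nothing, so the findings can be reviewed before a cleanup tool is run. The drive letter, the launcher list and the script extensions are assumptions of the example.

```powershell
# Added example: read-only triage of a removable drive for "shortcut virus" indicators.
# Assumptions (not from the thread): the drive letter is passed as -Drive; the script
# changes nothing on the drive, it only lists what a cleanup would have to handle.
param(
    [Parameter(Mandatory = $true)]
    [string]$Drive   # e.g. 'F:'
)

$root      = $Drive.TrimEnd('\') + '\'
$shell     = New-Object -ComObject WScript.Shell
$launchers = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'mshta.exe')
$scriptExt = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.bat', '.cmd', '.hta')

# 1. Everything on the root, including hidden/system items (the originals the malware hid).
$items  = Get-ChildItem -LiteralPath $root -Force
$hidden = $items | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }

# 2. Shortcuts whose target is a script host or shell instead of the document they imitate.
$suspectLnk = foreach ($lnk in ($items | Where-Object { $_.Extension -eq '.lnk' })) {
    $sc     = $shell.CreateShortcut($lnk.FullName)
    $target = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($launchers -contains $target) {
        [pscustomobject]@{
            Shortcut   = $lnk.Name
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            # the hidden original this shortcut impersonates, if one exists with the same name
            HiddenTwin = ($hidden | Where-Object { $_.BaseName -eq $lnk.BaseName } |
                          Select-Object -First 1).Name
        }
    }
}

# 3. Loose script files on the root (the logs show a .js dropper named like an .MP4).
$scripts = $items | Where-Object { $scriptExt -contains $_.Extension.ToLower() }

"Hidden items on $root : $(@($hidden).Count)"
$hidden | Select-Object Name, Attributes | Format-Table -AutoSize
"Shortcuts pointing at a script host or shell: $(@($suspectLnk).Count)"
$suspectLnk | Format-Table -AutoSize -Wrap
"Script files on the root: $(@($scripts).Count)"
$scripts | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
```

Run it as `.\Triage-Drive.ps1 -Drive F:` from a PowerShell prompt on a machine with script execution allowed. A shortcut whose `Target` is wscript.exe and whose `Arguments` name a .js file under a Temp or AppData path, sitting next to a `HiddenTwin` of the same name, is the pattern the MCShield logs above report as "Malware > Deleted" and "unhidden".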


It may take some hours before Essexboy is online

Hi, I am Rob's colleague.

I have the same virus and another from us as well.


If there are more of you guys, start your own topic and attach the requested logs :wink:

Keep MCShield installed

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-1960408961-343818398-682003330-292584\...\Run: [VID-20152415-WA011] => wscript.exe //B "C:\Users\Z0028VKJ\AppData\Local\Temp\VID-20152415-WA011.MP4.js" <===== ATTENTION
Startup: C:\Users\Z0028VKJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID-20152415-WA011.MP4.js [2015-10-08] ()
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that
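Both FRST fixlists in this thread (Rob's and the colleague's) remove the same two persistence points: a value under the user's `...\CurrentVersion\Run` key that runs `wscript.exe //B` on a .js file in the profile's Temp folder, and a copy of that .js in the profile's Startup folder. The PowerShell script below is an added example, not part of the thread and not FRST's code. It audits those two autostart locations on a machine for that pattern across every loaded user hive and every profile, and only reports; the regular expressions for script hosts and script extensions are assumptions of the example, and it should be run from an elevated prompt so all hives under HKU are readable.

```powershell
# Added example: audit Run/RunOnce keys and Startup folders for the persistence pattern the
# fixlists above remove (a script host launching a .js/.vbs file). Report only, changes nothing.
# Assumptions (not from the thread): run elevated; the patterns below are illustrative.

$hostPattern = '(?i)\b(wscript|cscript|mshta|powershell|cmd)\.exe\b'
$scriptExt   = '(?i)\.(js|jse|vbs|vbe|wsf|hta)\b'

# Run / RunOnce values of the machine hive plus every loaded user hive under HKEY_USERS.
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS |
                        ForEach-Object { "Registry::$($_.Name)" })

$regHits = foreach ($hive in $hives) {
    foreach ($sub in $runKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not a registry value
            $cmd = [string]$p.Value
            # flag a command that both names a script host and points at a script file
            if ($cmd -match $hostPattern -and $cmd -match $scriptExt) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

# Startup folders: the all-users one and each profile's own. Script files there are suspect outright.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })

$startupHits = foreach ($d in $startupDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Force -File |
            Where-Object { $_.Name -match $scriptExt } |
            ForEach-Object { [pscustomobject]@{ Location = $d; Name = $_.Name; Command = $_.FullName } }
    }
}

$all = @($regHits) + @($startupHits)
"Autostart entries launching a script file: $($all.Count)"
$all | Format-Table -AutoSize -Wrap
```

On the two machines in this thread the output would list one Run value per infected profile (`VID-20152415-WA011` running wscript.exe on the .js in Temp) and the matching .js in that profile's Startup folder, which is exactly what the `HKU\...\Run:` and `Startup:` lines of each fixlist tell FRST to remove. Entries found this way should be cross-checked against the FRST log before anything is deleted, as legitimate logon scripts can match the same pattern.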

Hi essexboy and pondus,

Thank you very much for your help.

Please find attached the log.

Now with the file attached.

Any further problems?

Hi,

No more problems, the shortcuts are gone.

Thank you very much again.