84182bbbv.vbs

Hello everyone,
I have a big problem. An Avast scan found this virus; its name is: 84182bbbv.vbs.

Symptoms:
The ports of my Acer Aspire PC were infected by a pen drive. All the files copied onto the USB pen drive become shortcuts. The files are actually there on the pen drive, but they are hidden!!! Inside folders, on the other hand, the files work and open normally.
If I try to copy them to the desktop, the shortcut does not open.

I have formatted the pen drive many times, but nothing! Every time I copy files from the PC to the pen drive (USB) the files become shortcuts.
I tried to delete the files, but without success! As if by magic they are RECREATED.

I have used various antivirus programs; Avast at least managed to detect it. But I could not remove it for good. My operating system is Win7 64 bit.

Please help me!
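The symptom described in the post above (originals still on the pen drive but hidden, a decoy shortcut in their place) is what a USB shortcut worm leaves behind. As an added example that is not part of the original thread and not code from Avast, FRST or MCShield, here is a small Python script that builds a recovery plan from a drive listing. The thread never shows the infected drive's contents, so the listing below is constructed to match the reported symptom; pairing each `.lnk` with a hidden sibling of the same stem, and treating a hidden script file as the worm's dropped copy, are my own heuristics, not rules taken from the thread.

```python
"""Recovery plan for a removable drive hit by a "files turned into shortcuts" worm.

Added example for this thread; not code from the original posts, from Avast,
from FRST or from MCShield.  The listing below is constructed: every original
is still present but marked hidden+system, and a decoy .lnk with the same stem
sits next to it.  The .lnk/hidden-sibling pairing and the "hidden script file
is the dropper" rule are assumptions; review the plan before applying it.
"""
import os
import stat
import subprocess
import sys

SCRIPT_EXTS = ('.vbs', '.vbe', '.js', '.jse', '.wsf')

# Constructed listing: (name, hidden, system), as attrib.exe would report them.
SAMPLE_LISTING = [
    ('tesi.docx',     True,  True),    # original document, hidden by the worm
    ('tesi.docx.lnk', False, False),   # decoy shortcut the user sees instead
    ('foto',          True,  True),    # original folder, hidden
    ('foto.lnk',      False, False),   # decoy shortcut for the folder
    ('84182bbbv.vbs', True,  True),    # worm's own copy on the drive (assumed)
    ('readme.txt',    False, False),   # untouched file: no .lnk twin, not hidden
    ('Firefox.lnk',   False, False),   # user's own shortcut: no hidden twin, keep
]


def plan_cleanup(listing):
    """Return (unhide, delete) for a listing of (name, hidden, system) tuples.

    - X.lnk with a hidden sibling X   -> delete the decoy, unhide X
    - hidden file with a script ext    -> delete (assumed worm dropper)
    Anything else is left alone.
    """
    hidden = {name for name, h, s in listing if h or s}
    unhide, delete = [], []
    for name, _, _ in listing:
        stem, ext = os.path.splitext(name)
        if ext.lower() == '.lnk' and stem in hidden:
            delete.append(name)
            unhide.append(stem)
        elif ext.lower() in SCRIPT_EXTS and name in hidden:
            delete.append(name)
    return unhide, delete


def scan_drive(root):
    """Read a real drive's top-level listing on Windows via st_file_attributes."""
    out = []
    for entry in os.scandir(root):
        attrs = entry.stat(follow_symlinks=False).st_file_attributes
        out.append((entry.name,
                    bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                    bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    return out


def apply_plan(root, unhide, delete, dry_run=True):
    """Apply the plan with attrib.exe (the same as 'attrib -s -h -r' by hand)."""
    for name in unhide:
        cmd = ['attrib', '-s', '-h', '-r', os.path.join(root, name)]
        if dry_run:
            print(' '.join(cmd))
        else:
            subprocess.run(cmd, check=True)
    for name in delete:
        path = os.path.join(root, name)
        if dry_run:
            print('del', path)
        else:
            os.remove(path)


if __name__ == '__main__':
    # Usage on Windows:  python plan.py E:\ [--apply]   (default is a dry run)
    if len(sys.argv) > 1 and os.name == 'nt':
        root = sys.argv[1]
        unhide, delete = plan_cleanup(scan_drive(root))
        apply_plan(root, unhide, delete, dry_run='--apply' not in sys.argv)
    else:
        print(plan_cleanup(SAMPLE_LISTING))
```

Run it against the PC only after the worm's autorun on the computer is gone; as the poster found, a clean drive is re-infected the moment it is plugged into a still-infected machine. The dry run prints the `attrib` and `del` commands so the plan can be checked before `--apply`.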

Hi,
Do you speak (or understand) English?
If you can follow my instructions in English, then run these diagnostic tools:

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

----- next -----

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for the initial scan to finish - if there is any query, click No;
[*]Click the Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer);

Attach the GMER log report here.

Hi,

thank you for your answer.

After the Avast scan, I did what you advised.

I’m waiting for your reply. Thanks

Hi gmicco,

Do not be alarmed by the GMER “rootkit activity” detections. These files are Avast related, and as GMER is a rootkit scanner and all kernel drivers are rootkits (the rootkit itself may be legit or malware), these detections are legit. But your system is infected with a malware worm that spreads via USB devices.

=> Do NOT attach USB devices. We shall use the MCShield tool to clean the USB devices of this malware. :wink:

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVG AntiVirus Free Edition 2013 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}

Running more than one antivirus program is not recommended because:
[*]They can conflict with each other.
[*]They can report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer’s resources… actively scanning your computer.
[*]They can cause your computer to become unstable… run slowly and even, in rare cases, BSOD crash… etc.
I strongly suggest you uninstall one of them. Which one is your decision.

THEN…

Then go here to download a tool to remove possible AV leftovers:
http://www.avast.com/en-us/faq.php?article=AVKB11

------ next ------

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
HKCU\...\Run: [84182bbbv] - wscript.exe //B "C:\Users\SALENTUM\AppData\Local\Temp\84182bbbv.vbs" <===== ATTENTION
C:\Users\SALENTUM\AppData\Local\Temp\84182bbbv.vbs
MountPoints2: {0b8feeef-acff-11e2-8bf3-1c7508e7c1df} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {0dc58187-fdaa-11e1-83a0-1c7508e7c1df} - E:\LaunchU3.exe -a
MountPoints2: {8850abb2-f13c-11e1-b848-ec55f98b5a45} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {8850abbc-f13c-11e1-b848-ec55f98b5a45} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {af9c2c31-7f48-11e2-840b-1c7508e7c1df} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {b7231fac-767a-11e2-997b-1c7508e7c1df} - E:\setup_vmc_lite.exe /checkApplicationPresence
MountPoints2: {f27f0489-fb93-11e1-9ac5-1c7508e7c1df} - E:\setup_vmc_lite.exe /checkApplicationPresence
Startup: C:\Users\SALENTUM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imollo.lnk
Startup: C:\Users\SALENTUM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\My 190.lnk
C:\Program Files (x86)\imollo
C:\Program Files (x86)\My 190
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM-x32 -  No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU -  No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
2013-10-19 19:46 - 2013-10-19 20:01 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-10-19 19:45 - 2013-10-20 10:29 - 00003108 _____ C:\Windows\System32\Tasks\RegClean Pro
2013-10-19 19:45 - 2013-10-20 10:10 - 00000290 _____ C:\Windows\Tasks\RegClean Pro_UPDATES.job
2013-10-19 19:45 - 2013-10-20 10:10 - 00000282 _____ C:\Windows\Tasks\RegClean Pro_DEFAULT.job
2013-10-19 19:45 - 2013-10-19 19:45 - 00003044 _____ C:\Windows\System32\Tasks\RegClean Pro_UPDATES
2013-10-19 19:45 - 2013-10-19 19:45 - 00002888 _____ C:\Windows\System32\Tasks\RegClean Pro_DEFAULT
2013-10-19 19:45 - 2013-10-19 19:45 - 00001058 _____ C:\Users\Public\Desktop\RegClean Pro.lnk
2013-10-19 19:45 - 2013-10-19 19:45 - 00000000 ____D C:\Program Files (x86)\RegClean Pro
Folder: C:\Users\SALENTUM\AppData\Roaming\Systweak
2013-10-19 15:20 - 2013-10-19 19:33 - 00000000 ____D C:\Program Files (x86)\IminentToolbar
2013-10-20 10:29 - 2013-10-19 19:45 - 00003108 _____ C:\Windows\System32\Tasks\RegClean Pro
Folder: C:\Program Files (x86)\PoP1-Total Pack
C:\Users\SALENTUM\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\Temp:0B9176C0
AlternateDataStreams: C:\ProgramData\Temp:1A60DE96
AlternateDataStreams: C:\ProgramData\Temp:5D7E5A8F
AlternateDataStreams: C:\ProgramData\Temp:798A3728
AlternateDataStreams: C:\ProgramData\Temp:93EB7685
AlternateDataStreams: C:\ProgramData\Temp:CDFF58FE
AlternateDataStreams: C:\ProgramData\Temp:E36F5B57
AlternateDataStreams: C:\ProgramData\Temp:E3C56885
CMD: ipconfig /flushdns
END

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

------ next ------

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double-click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

------ next ------

Re-run FRST, just press the Scan button and attach here the freshly created FRST.txt log report.

Thank you very much! ;D
I naturally uninstalled AVG and solved all my problems.
All my pen drives are OK now, and so is my PC.
If you want to come to Italy (Puglia) I will gladly give you hospitality.

Bye bye

gmicco

Here is FRST. I am not able to put the fixlog. Too large (?)

I am not able to put the fixlog. Too large (?)
Probably because I told FRST to list the contents of some folders in order to determine their validity. No matter, these items are of legit origin.

The posted FRST log looks clean. No more malware. :slight_smile:
Anyway, we shall run one more FRST script to remove some leftovers (including some AVG leftover entries).

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
HKCU\...\Run: [AVG-Secure-Search-Update_0913b] - C:\Users\SALENTUM\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid e07827ba27aa47d19726cd3c4e03282c-65a03fbcb6f11534fb04a8d214f965965f3daffb --CMPID 0913b
C:\Users\SALENTUM\AppData\Roaming\AVG 0913b Campaign
BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
CHR Plugin: (AVG Internet Security) - C:\Users\SALENTUM\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll No File
C:\Users\SALENTUM\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
S2 WajamUpdaterV2; "C:\Program Files (x86)\Wajam\Updater\WajamUpdaterV2.exe" [x]
C:\Program Files (x86)\Wajam
END

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

------ next -------

Let’s clean temporary files, temporary internet files and cache files via the TFC tool. As an additional result of this, your PC will run faster.

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

===============================

How’s your computer running now? 8)

Thanks. Thank you for this new operation.
I think without your suggestions I wouldn’t have removed some more leftovers.
I hope my PC enjoys good health now. :slight_smile:

All looks good. I shall remove the tools we used.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

------ next -------

I also recommend using MCShield, if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

OK! :slight_smile:

Hi! I have the same virus, 84182bbbv.vbs. I installed GMER and FRST and ran them! Do I have to post the files “frst”, “addition” and “gmer”?

Hi,
Post here FRST.txt, Addition.txt (created by FRST) and ARK.txt (created by GMER)

I can’t post them, because they are too long (more than 10000 characters). What can I do? (Splitting is a bad solution for me)

Don’t copy-paste. Attach them to your post:

http://www.mcshield.net/personal/magna86/Images/avast%20attach%20post.png

Oops XD thanks

Ola,

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

HKCU\...\Run: [cacaoweb] - C:\Users\Federico\AppData\Roaming\cacaoweb\cacaoweb.exe [452608 2013-10-12] ()
HKCU\...\Run: [84182bbbv] - C:\Users\Federico\AppData\Local\Temp\84182bbbv.vbs [74189 2013-09-22] () <===== ATTENTION
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [CMD] - cmd.exe /k if %date:~6,4%%date:~3,2%%date:~0,2% LEQ 20130909 (exit) else (start http://alt-rutor.org && exit)
Startup: C:\Users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84182bbbv.vbs ()
C:\Users\Federico\AppData\Roaming\cacaoweb
C:\Users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84182bbbv.vbs
Toolbar: HKCU - No Name - {41564952-412D-5637-00A7-7A786E7484D7} -  No File
CHR HKLM-x32\...\Chrome\Extension: [mmiopbgcekanlhpjkonogoljpfmhpkhf] - C:\Program Files (x86)\LyricsPal\125.crx
C:\Program Files (x86)\LyricsPal
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2013-09-26 18:35 - 2013-09-27 00:35 - 98009570 _____ C:\Windows\SysWOW64\鐂鯌ᵌ‡
Folder: C:\Program Files (x86)\39CI
C:\Users\Federico\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

------- next -------

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right-click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
(typical log location: C:\ComboFix.txt )
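The FRST entries fixed in this thread share one persistence shape: a script host (`wscript.exe //B`) or a bare `.vbs` launched from the user's Temp folder or the Startup folder, plus, on the second machine, a `cmd.exe /k` entry that compares `%date%` substrings against `20130909` before opening a URL. As an added example that is not part of the original posts and not part of FRST, the Python below runs a few such rules over sample autorun lines and decodes the date gate. The sample lines are taken from the entries quoted in this thread except the last one, an `avastUI.exe` control line I constructed; the rule names, the script-extension list and the dd/mm/yyyy locale assumption for the date gate are mine.

```python
"""Triage of FRST-style autorun entries for the persistence pattern seen in
this thread.

Added example; not code from the original posts and not part of FRST.  The
sample lines come from the Run/Startup entries quoted in the thread, plus one
constructed benign control (avastUI).  Rule names, the script-extension list
and the locale assumption behind the cmd.exe date gate are my own.
"""
import re
from datetime import date

SAMPLE_LINES = [
    r'HKCU\...\Run: [84182bbbv] - wscript.exe //B "C:\Users\SALENTUM\AppData\Local\Temp\84182bbbv.vbs"',
    r'HKCU\...\Run: [84182bbbv] - C:\Users\Federico\AppData\Local\Temp\84182bbbv.vbs [74189 2013-09-22] ()',
    r'Startup: C:\Users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84182bbbv.vbs ()',
    r'HKLM-x32\...\Run: [CMD] - cmd.exe /k if %date:~6,4%%date:~3,2%%date:~0,2% LEQ 20130909 (exit) else (start http://alt-rutor.org && exit)',
    r'HKLM-x32\...\Run: [] - [x]',
    r'HKCU\...\Run: [cacaoweb] - C:\Users\Federico\AppData\Roaming\cacaoweb\cacaoweb.exe [452608 2013-10-12] ()',
    r'HKLM\...\Run: [avast] - "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui',  # constructed control
]

SCRIPT_HOST_RE = re.compile(r'\b[wc]script\.exe\b', re.I)
SCRIPT_EXT_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|hta)\b', re.I)
SILENT_RE = re.compile(r'(?<!\S)//B(?=\s)', re.I)          # wscript batch mode: no error pop-ups
# if %date:~6,4%%date:~3,2%%date:~0,2% OP YYYYMMDD (exit) else (start URL ...)
DATE_GATE_RE = re.compile(
    r'%date:~6,4%%date:~3,2%%date:~0,2%\s+(LEQ|LSS|GEQ|GTR|EQU|NEQ)\s+(\d{8})'
    r'\s+\(exit\)\s+else\s+\(start\s+(\S+)', re.I)
_CMP = {'LEQ': lambda a, b: a <= b, 'LSS': lambda a, b: a < b,
        'GEQ': lambda a, b: a >= b, 'GTR': lambda a, b: a > b,
        'EQU': lambda a, b: a == b, 'NEQ': lambda a, b: a != b}


def date_gate(line, today):
    """Decode a date-gated cmd.exe launcher; return (threshold, url, fires) or None.

    Assumes a dd/mm/yyyy %date% (Italian locale, as on these machines), so the
    substrings ~6,4 / ~3,2 / ~0,2 spell year, month, day as YYYYMMDD.  The true
    branch only exits, so the payload runs when the comparison is FALSE.
    """
    m = DATE_GATE_RE.search(line)
    if not m:
        return None
    op, threshold, url = m.group(1).upper(), int(m.group(2)), m.group(3)
    today_num = int(today.strftime('%Y%m%d'))
    return threshold, url, not _CMP[op](today_num, threshold)


def triage(line, today=None):
    """Return the reasons an autorun line deserves a look ([] if none)."""
    reasons = []
    low = line.lower()
    if SCRIPT_HOST_RE.search(line) or SCRIPT_EXT_RE.search(line):
        reasons.append('script-host autorun')
    if SILENT_RE.search(line):
        reasons.append('silent //B (script errors suppressed)')
    if '\\appdata\\local\\temp\\' in low:
        reasons.append('runs from the user Temp folder')
    if low.startswith('startup:'):
        reasons.append('Startup folder item')
    if low.rstrip().endswith('[x]'):
        reasons.append('target file missing (orphaned entry)')
    gate = date_gate(line, today or date.today())
    if gate is not None:
        reasons.append('date-gated cmd.exe launcher -> ' + gate[1])
    return reasons


def flagged(lines, today=None):
    """Pair every line that raised at least one reason with its reasons."""
    result = []
    for line in lines:
        reasons = triage(line, today)
        if reasons:
            result.append((line, reasons))
    return result


if __name__ == '__main__':
    for line, reasons in flagged(SAMPLE_LINES):
        print(line)
        for r in reasons:
            print('   -', r)
```

The rules are deliberately narrow: they catch the script-host and date-gate shapes from this thread, not adware like the `cacaoweb` entry, which passes unflagged and still belongs in a fixlist. The `[x]` suffix is FRST's marker for an entry whose target file no longer exists, which is why the empty `HKLM-x32\...\Run: [] - [x]` line is reported as orphaned rather than as malware.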

Just do it!
PS: I remind you that my USB pen is infected too, so after my PC, what do I have to do for it?

Hi,

You didn’t run the FRST script properly. You created fixlist.txt normally, but the contents of the fixlist were empty.

First…

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: avast! Antivirus Disabled/Updated {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: McAfee Antivirus e antispyware Disabled/Updated {ADA629C7-7F48-5689-624A-3B76997E0892}

Running more than one antivirus program is not recommended because:
[*]They can conflict with each other.
[*]They can report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer’s resources… actively scanning your computer.
[*]They can cause your computer to become unstable… run slowly and even, in rare cases, BSOD crash… etc.
I strongly suggest you uninstall one of them. Which one is your decision.

THEN…

Then go here to download a tool to remove possible AV leftovers:
http://www.avast.com/en-us/faq.php?article=AVKB11

-------- Next --------

Open notepad and copy/paste the text present inside the code box below:

File::
c:\users\Federico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84182bbbv.vbs

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"84182bbbv"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CMD"=-

Folder::
c:\users\Federico\AppData\Local\ESET

DirLook::
C:\Stinger_Quarantine
c:\program files (x86)\39CI

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

------ Next ------

Re-run FRST, just press the [ Scan ] button and post me a fresh FRST.txt log report.

Meanwhile I uninstalled McAfee and did a complete scan with Avast: the result is shown in the file “immagine”.
Note that the file 84182bbbv.vbs is present twice and one of them is impossible to find.

Here are the files!