I have already run the removal tools mentioned in the forum (Malwarebytes Anti-Malware and MCShield). Both detected and quarantined some malware, but when I run a cleaned pendrive, it still shows the existing files as shortcuts. This means that either the pendrive or the laptop (or both) are still infected.
I also ran the Farbar Recovery Scan Tool. Please inform me what info you need in order to help.
I look forward to getting assistance.
Mwajnberg
Quote: "I also ran the Farbar Recovery Scan Tool. Please inform me what info you need in order to help."
Attach all logs as the instructions say ... the MCShield log must be copied and pasted.
We need the log files as instructed here > https://forum.avast.com/index.php?topic=53253.0
Attach them to your next post.
Monitoring.
MCShield AllScans.txt <<<
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<
21/02/2016 12:08:16 > Drive C: - scan started (no label ~596 GB, NTFS HDD )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<
21/02/2016 17:16:59 > Drive C: - scan started (no label ~596 GB, NTFS HDD )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<
21/02/2016 17:18:05 > Drive E: - scan started (no label ~15259 MB, FAT32 flash drive )…
—> Executing generic S&D routine… Searching for files hidden by malware…
—> Items to process: 1
—> E:\Compras.docx > unhidden.
E:\Compras.lnk - Malware > Deleted. (16.02.21. 17.18 Compras.lnk.625973; MD5: a7671e971a8101c4b9d086e9fd9963ee)
E:\BACKUP.lnk - Malware > Deleted. (16.02.21. 17.18 BACKUP.lnk.605430; MD5: 2719509ce92b43470660e8c50b142ace)
E:\Banco,etc.lnk - Malware > Deleted. (16.02.21. 17.18 Banco,etc.lnk.11266; MD5: eeb39aa170979f31689056fdae879584)
E:\FOUND.000.lnk - Malware > Deleted. (16.02.21. 17.18 FOUND.000.lnk.468792; MD5: 472c27f43bf4a65a0f33d5e254da952a)
E:\POA.lnk - Malware > Deleted. (16.02.21. 17.18 POA.lnk.345481; MD5: 1983f552f154c0698bc4f3b90034e196)
E:\SanDiskSecureAccess.lnk - Malware > Deleted. (16.02.21. 17.18 SanDiskSecureAccess.lnk.794042; MD5: 04b6173dc0e486fde302ad2d7f9c709f)
E:\System Volume Information.lnk - Malware > Deleted. (16.02.21. 17.18 System Volume Information.lnk.123393; MD5: 09cbc7ff104823d444c71127e314ece1)
E:\T-MST5IBRC.lnk - Malware > Deleted. (16.02.21. 17.18 T-MST5IBRC.lnk.384610; MD5: 2ef6e38d0df4351282235dfdec0299d1)
E:\Viagem 2014. Miami.lnk - Malware > Deleted. (16.02.21. 17.18 Viagem 2014. Miami.lnk.679587; MD5: abbd8abbbd102bec5c334bf239b550dc)
E:\Microsoft Excel.WsF - Suspicious > Renamed. (MD5: fc243f0bd74fe434d12c7ccfd0c63aac)
Resetting attributes: E:\BACKUP < Successful.
Resetting attributes: E:\Banco,etc < Successful.
Resetting attributes: E:\FOUND.000 < Successful.
Resetting attributes: E:\POA < Successful.
Resetting attributes: E:\SanDiskSecureAccess < Successful.
Resetting attributes: E:\System Volume Information < Successful.
Resetting attributes: E:\T-MST5IBRC < Successful.
Resetting attributes: E:\Viagem 2014. Miami < Successful.
=> Malicious files : 9/9 deleted.
=> Suspicious files : 1/1 renamed.
=> Hidden folders : 8/8 unhidden.
=> Hidden files : 1/1 unhidden.
::::: Scan duration: 8sec ::::::::::::::::::
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<
21/02/2016 18:03:47 > Drive E: - scan started (KINGSTON ~7731 MB, FAT32 flash drive )…
=> The drive is clean.
Step #1 Fix with FRST
1. Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
2. Open Notepad.exe. Do not use any other text editor software.
3. Copy and paste the contents inside the code-box into your Notepad:
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
AlternateDataStreams: C:\Windows\System32:EF602D12_Sfr.gbp
AlternateDataStreams: C:\Windows\System32:EF602D12_Uni.gbp
AlternateDataStreams: C:\Windows\system32\Drivers\wsddfac.sys:X5ZN8aGXs4
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1043159823-2073269042-1128089975-1000\...\Run: [Microsoft Excel] => wscript.exe //D "C:\Users\TOSHIBA\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF"
C:\Users\TOSHIBA\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF
2015-06-07 15:50 - 2015-06-07 15:50 - 0000057 _____ () C:\ProgramData\Ament.ini
C:\Users\TOSHIBA\AppData\Local\Temp\ose00000.exe
CMD: bitsadmin /reset /allusers
End
4. Click on File > Save as...
   - Inside the File Name box type fixlist.txt
   - From the Save as type drop-down list, choose All Files
   - Save the file to your Desktop.
5. Re-run FRST.exe and click Fix.
   Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
6. After the completion, a log will be produced.
7. Attach the log in your next reply.
Perform the MCShield step from here. Post a fresh FRST scan log.
Required Log(s):
- FRST Fix Log
Regards,
Valinorum
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<
22/02/2016 06:29:09 > Drive C: - scan started (no label ~596 GB, NTFS HDD )…
=> The drive is clean.
Re-read my post. Perform the Step 1 and then do the MCShield step.
Sorry,
I hope that this is now correct:
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<
22/02/2016 10:02:31 > Drive C: - scan started (no label ~596 GB, NTFS HDD )…
=> The drive is clean.
In case you are curious, this is what MCShield found
https://www.virustotal.com/en/file/92035c308f786c21cfa2edc4bf73b86959aa508976ade1fd6ba39055747dc848/analysis/
Is my laptop really clean? In that case, how do I clean the infected pendrives?
Did you perform the FRST fix? In that case where is the Fixlog.txt that I asked?
And to answer your question, no, your system is not clean. The malware is still present.
How do I get rid of this thing?
Should I perform FRST Fix in all pendrives?
I have MC Clean real time installed in the system. I stuck the pendrives in the laptop, and after MC Clean finished scanning each of them, I did not see the shortcut icons, and the files in the pendrives seemed OK.
The malware is in your PC, not in your pendrive, which is why it makes a re-entry even after MCShield cleans it. Read what I stated in Step 1. You are to make the custom script and put both Fixlist.txt and FRST64.exe on your Desktop. Then you are to run FRST64.exe and click on Fix.
After that you are to clean the pendrives one more time with MCShield to ensure that no malware is present.
Sorry, but I am afraid that I am getting lost.
How do I make the custom script? Is it the same as the one you sent earlier today? Should I copy and paste it into Notepad?
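The helper's point above (the payload lives on the PC and re-seeds every stick that is plugged in) is the usual USB "shortcut worm" pattern visible in the MCShield log: the real folders are set Hidden+System, a same-named .lnk sits beside each one and launches wscript.exe on a .WsF file, and a Run key under the user's hive restarts the script at logon. The following PowerShell script is an added triage example, not part of this thread and not a tool the helpers used or recommended. It only reports; it deletes nothing. Assumptions: PowerShell 3.0 or later on Windows, run from an elevated prompt; the registry paths, regexes and the `-Root` parameter are my own choices for illustration.

```powershell
# Added example (not from the thread): report-only triage for the USB shortcut-worm
# pattern shown in the MCShield log above. Assumes PowerShell 3.0+ on Windows,
# run elevated. Regexes and key lists below are assumptions for illustration.

$scriptHosts = 'wscript\.exe|cscript\.exe|cmd\.exe|powershell\.exe'
$scriptExt   = '\.(wsf|vbs|vbe|js|jse|bat|cmd)\b'
$psMeta      = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-SuspiciousRunEntries {
    # Per-user and machine Run keys, including the 32-bit view (the fixlist touched HKLM-x32).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not Run values
            $v = [string]$p.Value
            # A Run value that invokes a script host on a script file is the persistence seen here.
            if ($v -match $scriptHosts -and $v -match $scriptExt) {
                New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $v }
            }
        }
    }
}

function Get-RemovableDrives {
    # DriveType 2 = removable (USB sticks); returns "E:\" style roots.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Get-ShortcutWormIndicators {
    param([string]$Root)
    $shell = New-Object -ComObject WScript.Shell
    $items = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue
    $lnks  = $items | Where-Object { $_.Extension -eq '.lnk' }
    $lnkNames = @{}
    foreach ($l in $lnks) { $lnkNames[$l.BaseName] = $true }

    # 1. Shortcuts at the root whose target or arguments call a script host / script file.
    foreach ($l in $lnks) {
        $sc  = $shell.CreateShortcut($l.FullName)
        $cmd = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
        if ($cmd -match $scriptHosts -or $cmd -match $scriptExt) {
            New-Object PSObject -Property @{ Type = 'MaliciousLnk'; Path = $l.FullName; Detail = $cmd }
        }
    }
    # 2. Hidden+System items that have a same-named .lnk twin (BACKUP <-> BACKUP.lnk,
    #    Compras.docx <-> Compras.lnk), and loose script payloads at the root.
    foreach ($i in $items) {
        if ($i.Extension -eq '.lnk') { continue }
        $hidden = (($i.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $system = (($i.Attributes -band [IO.FileAttributes]::System) -ne 0)
        $twin   = $lnkNames.ContainsKey($i.Name) -or $lnkNames.ContainsKey($i.BaseName)
        if ($hidden -and $system -and $twin) {
            New-Object PSObject -Property @{ Type = 'HiddenTwin'; Path = $i.FullName; Detail = $i.Attributes }
        } elseif (-not $i.PSIsContainer -and $i.Name -match $scriptExt) {
            New-Object PSObject -Property @{ Type = 'ScriptPayload'; Path = $i.FullName; Detail = $i.Length }
        }
    }
}

# --- report: host persistence first, then every removable drive ---
'== Run keys launching a script host =='
Get-SuspiciousRunEntries | Format-List
foreach ($d in Get-RemovableDrives) {
    "== Removable drive $d =="
    Get-ShortcutWormIndicators -Root $d | Format-Table Type, Path, Detail -AutoSize
}
```

The correlation in step 2 is what keeps the check useful on a clean stick: "System Volume Information" is legitimately Hidden+System, so it is only flagged when a "System Volume Information.lnk" sits beside it, exactly as it did in the log. If the Run-key section comes back non-empty, cleaning the stick alone will not last, which is the situation the helper describes.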
Go here >> https://forum.avast.com/index.php?topic=183374.msg1294556#msg1294556
You see where it says Code: [Select]; click on the word Select.
Everything inside the box should now be blue ... right-click inside the box and select Copy, then paste it into Notepad and save it with the name fixlist.txt.
fixlist.txt and FRST64.exe must be saved in the same place when run.
Run FRST64.exe and click the Fix button ... it will now find the fixlist and perform the instructions in it.
When done there will be a log (FRST Fix Log) that Valinorum needs.
Here I have made the script for you. Download the attachment and put it in the same folder as FRST64.exe. Then run FRST64.exe and click on Fix. A new log named Fixlog.txt will open. Attach the log.
Please find both logs. I hope that this is what you needed.
Thanks.
Post a fresh FRST scan log please.