Today my cousin came with his USB pen drive and infected my PC after clicking on a picture file that looked like a shortcut. I right clicked it to see the properties and found out that it redirects to a CMD executing “Cool.vbs”. Now I’m freaking out! Can someone please help me?
we need some logs from you http://forum.avast.com/index.php?topic=53253.0
attach (not copy and paste) Malwarebytes / OTL / aswMBR
removal experts will be online later today…
Monitoring…
Here are the logs. I didn’t run aswMBR.exe because it’s win8 incompatible.
Here’s an MCshield log that I ran using an infected USB drive with one file in it.
Hi,
Please download aswMBR and save it to your desktop.
Double click aswMBR.exe to start the tool.
[*]Select Yes if prompted to download the Avast database.
[*]Click Scan
[*]Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
The aswMBR scan took incredibly little time to finish, is that normal?
Hello, sorry for delay
Please go to: VirusTotal
[*] Click the Choose File button.
[*] Please copy/paste the following text into the ‘File name:’ box:
C:\Program Files\Hear\Hear.exe
[*] Click Open then click the Scan it! button just below.
[*] This will scan the file. Please be patient.
[*] If you get a message saying File already analyzed: click Reanalyse
[*] Once scanned, copy and paste the URL from your browser address bar in your next reply.
Then…
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...\Run: [COOL] - C:\Users\Carlos\AppData\Roaming\COOL.vbs [102953 2013-10-25] ()
C:\Users\Carlos\AppData\Roaming\COOL.vbs
MountPoints2: {02c6418e-acbc-11e2-bea2-bc5ff4650048} - "G:\setup.exe"
MountPoints2: {0ef38694-be91-11e2-bec1-bc5ff4650048} - "C:\Windows\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL G:\Setup.exe
MountPoints2: {4a107a2e-ea8e-11e2-bf02-bc5ff4650048} - "G:\MotorolaDeviceManagerSetup.exe" -a
MountPoints2: {ce2d033e-c585-11e2-becb-bc5ff4650048} - "I:\Setup.exe"
Startup: C:\Users\Carlos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
CHR RestoreOnStartup: "hxxp://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=3855FAB0870E7C62CA52A9502816DC04&tbp=homepage"
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
How are the things now?
The virus is still here, according to what I read in the fixlog
Ok, re-run FRST and attach fresh report…
Here you go
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Unlock: C:\Users\Carlos\AppData\Roaming\COOL.vbs
HKCU\...\Run: [COOL] - C:\Users\Carlos\AppData\Roaming\COOL.vbs [102953 2013-10-25] ()
C:\Users\Carlos\AppData\Roaming\COOL.vbs
Startup: C:\Users\Carlos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then…
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
[*]Under Additional options check the boxes next to:
- Verify Driver Digital Signature;
- Detect TDLFS file system
- Use KSN to scan objects
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Here
- Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.
Instructions how to disable avast:
[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
- Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
- When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
Here’s the log
Open notepad and copy/paste the text present inside the code box below:
File::
c:\users\Carlos\AppData\Roaming\COOL.vbs
c:\users\Carlos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-
ClearJavaCache::
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )
.
This is some very stubborn malware…
[*] Please download BlitzBlank by emsisoft and save it to your desktop.
[*] Open Blitzblank.exe by double click on it.
[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).
[*] Click the Script tab and copy/paste the following text there:
DeleteRegValue:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COOL
DeleteFile:
c:\users\Carlos\AppData\Roaming\COOL.vbs
c:\users\Carlos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs
[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\
It’s done! The script didn’t quite work because my Windows version is set to spanish, and your folder directories specified were in english. I tried to write the correct folder names but somehow the scrip wouldn’t run. So with the help of a friend and TeamViewer, the registry key and both files were deleted under Safe Mode. I restarted and now the threat is gone!
P.S.: I did the same in my cousin’s PC and it also worked! Just entered via Safe Mode, went to regedit, deleted the registry key that COOL.vbs created and also went to AppData\Roaming and the other directory and deleted both instances of COOL.vbs. That b!tch is gone for good!
Thanks a lot for your kind help!
Maybe that was a problem all the time, we executed some of the very powerfull tools, and they failed ???
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore
Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.