COOL.vbs | System Volume Information | Files become shortcuts (.lnk)

So the other day I plugged in my USB to my friend’s laptop, and upon opening it in my own laptop, all my files inside the USB turned into shortcuts! When I click on the shortcuts it still reveals my original file but I just can’t put up with what it’s done since I like my files very organized and this worm or whatever messed it up and makes some of the files hidden. What’s worse is that not only is my USB infected but also my laptop as well, since I tried testing whether another USB would do the job for me and as soon as I plugged it in, the files inside the new USB were gone and replaced with shortcuts, a COOL.vbs file, as well as a System Volume Information folder shortcut. I tried deleting the files and formatting my USB but it was to no avail. So I’m guessing it also infected my laptop but for some reason it only affects drives plugged in through the USB port.

The worm/virus doesn’t show up when I run a scan, and I also tried using Windows Security Essential to see whether it would recognize it, but it still didn’t. What I did by myself in the meantime is make a copy of the COOL.vbs file to try to make something out of it and changed the extension to .txt, where there is just an extremely long string of code which I simply can’t understand. I can post it here if anybody’s willing to help out. Thank you!!! :<

while waiting for the removal experts to arrive…

follow instructions and attach logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done, removal experts will be notified and help you
when finished, all tools used will be removed

Hi there, prior to running the other scans, download and install this programme first

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

So I downloaded all the programs and ran the scans, and here were the logs. Thank you! :slight_smile:

Here are the three other logs

There is a problem within Firefox and it is constructed in such a way that my tools will be unable to remove it. The only way to get rid of it is to totally uninstall Firefox and reinstall a fresh copy.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEyC0DyDyBtByCtCyB0B0DtD0E0C0BtN0D0Tzu0StCzyyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1850546951
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.homesearchapp.info/?unqvl=17
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {F4ED0519-C584-4DDA-BE93-FA0B93D040F6}
IE - HKLM\..\SearchScopes,DefaultScope = {F4ED0519-C584-4DDA-BE93-FA0B93D040F6}
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.homesearchapp.info/?unqvl=17&l=1&q={searchTerms}
IE - HKLM\..\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEyC0DyDyBtByCtCyB0B0DtD0E0C0BtN0D0Tzu0StCzyyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1850546951
IE - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.homesearchapp.info/?unqvl=17
IE - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={A2CC914A-F1FA-4E1C-8644-9B9588D02CCF}&mid=&lang=&ds=&pr=&d=&v=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.homesearchapp.info/?unqvl=17&l=1&q={searchTerms}
IE - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000\..\SearchScopes\{F4ED0519-C584-4DDA-BE93-FA0B93D040F6}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuyEyEyC0DyDyBtByCtCyB0B0DtD0E0C0BtN0D0Tzu0StCzyyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1850546951
IE - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000\..\SearchScopes\{F8F5E35A-CB1B-4FAA-BABE-9D6DC9A21B03}: "URL" = http://blekko.com/ws/?source=5f97ddbe&tbp=rbox&u=5ea30ecb000000000000aabbccddeeff&q={searchTerms}&r=602
[2013/02/23 22:49:38 | 000,000,000 | ---D | M] (continuetosave) -- C:\Users\Dann\AppData\Roaming\Mozilla\Firefox\Profiles\honov11a.default\extensions\5128ce384d9bc@5128ce384d9f5.com
[2013/08/16 22:32:25 | 000,824,302 | ---- | M] () (No name found) -- C:\Users\Dann\AppData\Roaming\Mozilla\Firefox\Profiles\honov11a.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/05/25 01:51:02 | 000,007,781 | ---- | M] () -- C:\Users\Dann\AppData\Roaming\Mozilla\Firefox\Profiles\honov11a.default\searchplugins\WebSearch.xml
O4 - HKU\S-1-5-21-3530418284-3065954295-2564789147-1000..\Run: [COOL] wscript.exe //B "C:\Users\Dann\AppData\Roaming\COOL.vbs" File not found
O4 - Startup: C:\Users\Dann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
O20 - AppInit_DLLs: (c:\progra~2\simple~1\sprote~1.dll) - c:\Program Files (x86)\SimpleSpeedy\sprotector.dll ()
[2013/09/24 00:36:20 | 000,098,222 | -HS- | M] () -- C:\Users\Dann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs
[2013/09/24 00:36:20 | 000,098,222 | -HS- | M] () -- C:\Users\Dann\AppData\Roaming\COOL.vbs

:Files
c:\Program Files (x86)\SimpleSpeedy

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
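As an added example that is not part of this thread and not code from OTL, McShield or any other tool used in it, the PowerShell script below performs the two checks the posts above describe from a defender's side: it triages a removable drive for the "files become shortcuts" pattern (hidden originals next to .lnk files that launch a script through wscript.exe, plus the dropped .vbs itself) and it inspects the two per-user persistence points the OTL log shows, the HKCU Run key and the Startup folder. The drive letter and the -Remediate switch are assumed parameters of this example; without -Remediate it only reports, and it leaves the real System Volume Information folder alone because that folder legitimately carries the Hidden and System attributes (which is why McShield's log shows it as "Unsuccessful" to reset).

```powershell
<#
  Added example (not from the thread or its tools): triage a removable drive
  for the shortcut-worm pattern and check per-user persistence.
  Usage (assumed parameters): .\Find-ShortcutWorm.ps1 -DriveLetter F [-Remediate]
#>
param(
    [Parameter(Mandatory = $true)][string]$DriveLetter,   # e.g. F
    [switch]$Remediate                                    # default: report only
)

$findings = New-Object System.Collections.Generic.List[object]
$shell    = New-Object -ComObject WScript.Shell

function Add-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}

# A command line is suspicious when the Windows Script Host runs a script file.
function Test-ScriptHostCommand([string]$CommandLine) {
    return ($CommandLine -match '(?i)\b[cw]script(\.exe)?\b') -and
           ($CommandLine -match '(?i)\.(vbs|vbe|js|jse|wsf)\b')
}

# Resolve a .lnk to "target arguments" through the WScript.Shell COM object.
function Get-ShortcutCommand([string]$LnkPath) {
    $sc = $shell.CreateShortcut($LnkPath)
    return ("{0} {1}" -f $sc.TargetPath, $sc.Arguments).Trim()
}

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root is not present" }

$hiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

foreach ($item in Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue) {
    # 1. Shortcuts on the drive that launch a script through the script host
    if ($item.Extension -ieq '.lnk') {
        $cmd = Get-ShortcutCommand $item.FullName
        if (Test-ScriptHostCommand $cmd) {
            Add-Finding 'ScriptLauncherShortcut' $item.FullName $cmd
            if ($Remediate) { Remove-Item -LiteralPath $item.FullName -Force }
        }
        continue
    }
    # 2. Script files dropped at the root of the drive
    if ($item.Extension -match '(?i)^\.(vbs|vbe|js|jse|wsf)$') {
        Add-Finding 'RootScriptFile' $item.FullName "$($item.Length) bytes, attributes $($item.Attributes)"
        if ($Remediate) { Remove-Item -LiteralPath $item.FullName -Force }
        continue
    }
    # 3. Originals hidden with Hidden+System. The genuine System Volume
    #    Information folder carries those attributes by design, so skip it.
    if ($item.Name -ieq 'System Volume Information') { continue }
    if (($item.Attributes -band $hiddenSystem) -eq $hiddenSystem) {
        Add-Finding 'HiddenOriginal' $item.FullName "$($item.Attributes)"
        if ($Remediate) {
            $item.Attributes = [System.IO.FileAttributes](([int]$item.Attributes) -band (-bnot ([int]$hiddenSystem)))
        }
    }
}

# 4. Per-user Run key values that invoke the script host (the OTL log's O4 entry)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
        if (Test-ScriptHostCommand "$($prop.Value)") {
            Add-Finding 'RunKeyValue' "$runKey\$($prop.Name)" "$($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 5. Script files, or shortcuts to scripts, in the user's Startup folder
$startup = [Environment]::GetFolderPath('Startup')
foreach ($item in Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue) {
    $suspect = $false
    if ($item.Extension -ieq '.lnk') { $suspect = Test-ScriptHostCommand (Get-ShortcutCommand $item.FullName) }
    elseif ($item.Extension -match '(?i)^\.(vbs|vbe|js|jse|wsf)$') { $suspect = $true }
    if ($suspect) {
        Add-Finding 'StartupItem' $item.FullName "$($item.Attributes)"
        if ($Remediate) { Remove-Item -LiteralPath $item.FullName -Force }
    }
}

if ($findings.Count -eq 0) { "No shortcut-worm indicators found on $root or in user persistence." }
else { $findings | Format-Table -AutoSize }
```

Run it first without -Remediate and read the findings: a Run value such as the `wscript.exe //B "...\COOL.vbs"` entry in the OTL log matches the script-host check, as does a `.lnk` whose target resolves to the same command. Unhiding is done by clearing only the Hidden and System bits, so other attributes on the originals are preserved, and deletion is limited to the launcher shortcuts, the dropped script files and the matching persistence entries rather than to every .lnk on the drive.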

Here it is :slight_smile:

How is the computer behaving now?

Wow it worked!!! I plugged in another USB and no shortcuts this time! But I’m kinda iffy about plugging in the original USB that got infected (I haven’t plugged it in since). Will it still infect my computer if I do plug it in? Thanks a bunch!!! :smiley:

If you have McShield running it will cure anything it finds. Was this the original USB?

10/12/2013 8:03:02 PM > Drive F: - scan started (09178580534 ~1968 MB, NTFS flash drive )...

—> Executing generic S&D routine… Searching for files hidden by malware…

—> Items to process: 1

—> F:\COOL - Copy.txt > unhidden.

F:\COOL - Copy.lnk - Malware > Deleted. (13.10.12. 20.03 COOL - Copy.lnk.43240; MD5: c81169b545b9e21376a01b64b0ab544c)

F:\COOL.vbs - Malware > Deleted. (13.10.12. 20.03 COOL.vbs.632484; MD5: c9c4d00a62ff4fc4597b74f4bdd41cf9)

F:\System Volume Information.lnk - Malware > Deleted. (13.10.12. 20.03 System Volume Information.lnk.458227; MD5: b52b5e1c9b603a79dc6706b4b658d5b8)

Resetting attributes: F:\System Volume Information < Unsuccessful

=> Malicious files : 3/3 deleted.
=> Hidden folders : 0/1 unhidden.
=> Hidden files : 1/1 unhidden.


::::: Scan duration: 1sec ::::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

Oh okay. Yup, that’s the original USB. :smiley: Thanks again!!

Any further problems?