Start > Control Panel > Add or Remove Programs:
Uninstall / remove the Smadsoft or Smadav software, as I also remove it via the OTL fix.
Re-run OTL.exe.
[*]Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:OTL
PRC - [2013/10/17 13:20:36 | 001,556,480 | ---- | M] (Smadsoft) -- C:\Program Files\Smadav\SMΔRTP.exe
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O4 - HKLM..\Run: [COOL] wscript.exe //B "C:\Documents and Settings\Sav Infant\Application Data\COOL.vbs" File not found
:FILES
C:\Program Files\Smadav
C:\Documents and Settings\Sav Infant\Start Menu\Programs\Startup\COOL.vbs
C:\Documents and Settings\All Users\Desktop\SMADΔV.lnk
C:\Documents and Settings\All Users\Desktop\SMAD?V.lnk
C:\Documents and Settings\All Users\Desktop\SMADΔV.lnk
:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn’t appear, it can be found here:
----------- next ---------------
Please download ComboFix by sUBs from here and save it to your Desktop. If you are unsure how ComboFix works, please read this guide carefully. Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your antivirus program. If you are unsure how to do this, please read this or this instruction.
Instructions on how to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
[*]Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
I have done the OTL run fix and have now downloaded ComboFix. I disabled Malwarebytes and MCShield. I double-clicked on ComboFix and agreed to install it and have it run. I got a message saying that ComboFix has identified that the AVG Internet Security 2011 real-time scanner is active and I should close it before clicking “OK”. If you remember, at the start of this thread I said that I was having difficulty removing AVG and I eventually removed it using the AVG remover. How can ComboFix still see AVG 2011 being active if I uninstalled it? I still have the AVG remover tool .exe original download files on the desktop; could ComboFix see this and assume that it is AVG 2011 and that it is active?
Please advise. I closed the window that ComboFix opened to tell me that it found AVG 2011, and then another window came up saying: Warning!! AVG Internet Security 2011, the above real-time scanner is active but ComboFix shall continue to run. Kindly note that this is at your own risk. What should I do?
Close all browser windows.
Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
The computer is running okay now. I never had any major operating issues; the main issue was that whenever I inserted a flash drive into the computer it kept changing the files to shortcuts. I just put in a flash drive and I did not see any of the files turn into shortcuts. That is a very good thing; it tells me that the virus is no more ;D, thanks very much magna86. However, there are 4 removable disk drive icons in “My Computer” even when there are no flash drives connected. What could cause this and how do I fix it?
Since the virus is gone now, what do I do with the programs I downloaded to do the fix? Can I go ahead and uninstall them?
Thanks very much for the help, I can’t stop saying it.
...the main issue was that whenever I inserted a flash drive into the computer it kept changing the files to shortcuts.
This malware spreads through USB devices and, in addition, installs/loads itself on the host computer.
All USB devices have been cleaned by the MCShield tool, and I recommend that you keep MCShield.
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.
However there are 4 removable disk drives icons in "My Computer" even when there is no flash drives connected.
Can't tell from here... Right click > Eject ..?
Since the virus is gone now what do I do with the programs I downloaded to do the fix, can I go ahead and uninstall them?
On Windows 7 or Vista you may use the Start Search field if Run is not available.
[*] In the text field, type in (or copy) the following:
ComboFix /Uninstall
Note that there is a space between "ComboFix" and "/Uninstall".
[*] then click OK (or press Enter ).
Wait until the uninstall process is complete.
Re-run AdwCleaner and click on [Uninstall] button.
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone. Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
Thanks very much magna86, I don’t know how else to thank you for all that you have done for me. I have other computers that are infected also, so I will be looking for your help again. I will definitely recommend the Avast forum to all my friends. You helpers are the best, thanks a lot. I give you another star, my friend.
This .vbs malware works like this.
Credits go to dr_Bora.
It spreads in this order:
For each removable drive:
Copies the malicious .vbs file (whose launch is set up in the next step)
For each removable drive:
For each file USB:\file.ext, sets S+H (System + Hidden) on it and creates USB:\file.lnk (which starts cmd.exe, which in turn starts the malware)
For each folder USB:\folder, sets S+H on it and creates USB:\folder.lnk (which starts cmd.exe, which in turn starts the malware)
PS: ( ;D) The malware connects to hxxp://xkiller.no-ip.info, where it receives various commands, for example: execute file, send data, update itself, go to sleep …
MCShield covers the .lnk files and the malicious VBS; recovery of the original files is covered by MCShield's two Anti-Replicator routines (one for the .lnk files, the .vbs and the recovery of the legitimate files, one for folders).
Without proper testing (I don’t have time for it) I can’t tell, but avast 2014 has the new “DeepScreen” technique for malware detection. This should be enough for avast to prevent spreading on the host machine.
Someone else from the avast team would perhaps be more appropriate to answer this.
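As an added example (not code from MCShield, OTL, ComboFix or anyone in this thread), here is a small Python script that looks for the spreading pattern described above on a mounted removable drive and undoes it: an X.lnk sitting beside a file or folder X, where the shortcut body chains through cmd.exe (or wscript.exe/cscript.exe), marks the pair as a hijack; the original gets its Hidden/System bits cleared and the stub shortcut is deleted. The launcher names, the sibling-match rule and the substring check on the .lnk body are my own heuristics, not something taken from the post. The Shell Link header check (size 0x4C plus the ShellLink CLSID) is from the published LNK format; the attribute reset uses the Win32 API and is skipped on other platforms. `build_sample_drive()` creates a constructed temp folder with fake .lnk stand-ins so the script runs offline, with no real malware involved.

```python
# Added example for this thread (not MCShield/OTL code). Assumption: the stub shortcut
# chains through cmd.exe/wscript.exe/cscript.exe and sits beside the hidden original X.
import os
import struct
import sys
import tempfile
import uuid

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
LAUNCHERS = ("cmd.exe", "wscript.exe", "cscript.exe")  # my assumption, see lead-in


def is_lnk(data: bytes) -> bool:
    """True if data starts with a well-formed Shell Link header (size 0x4C + CLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def lnk_mentions_launcher(data: bytes) -> bool:
    """Heuristic: the body names a launcher in its ANSI or UTF-16LE spelling."""
    low = data.lower()
    return any(n.encode("ascii") in low or n.encode("utf-16-le") in low
               for n in LAUNCHERS)


def find_hijacked_entries(root: str) -> list:
    """Return (lnk_path, original_path) for every X.lnk beside a file/folder X."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames) | set(filenames)
        for fn in filenames:
            stem = fn[:-4]
            if not fn.lower().endswith(".lnk") or stem not in siblings:
                continue
            lnk_path = os.path.join(dirpath, fn)
            with open(lnk_path, "rb") as fh:
                data = fh.read()
            if is_lnk(data) and lnk_mentions_launcher(data):
                hits.append((lnk_path, os.path.join(dirpath, stem)))
    return hits


def _clear_hidden_system(path: str) -> None:
    """Drop the Hidden/System bits the malware set (Win32 only; not reachable via chmod)."""
    if os.name != "nt":
        return
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = k32.GetFileAttributesW(path)
    if attrs == 0xFFFFFFFF:  # INVALID_FILE_ATTRIBUTES
        raise OSError(ctypes.get_last_error(), path)
    k32.SetFileAttributesW(path, attrs & ~0x6)  # clear Hidden (0x2) | System (0x4)


def restore(root: str, apply: bool = False) -> dict:
    """Report the hijack; with apply=True unhide originals and delete the .lnk stubs.
    Dropped .vbs files are only listed: deleting scripts is a human decision."""
    report = {"unhidden": [], "stubs_removed": [], "suspect_scripts": []}
    for lnk_path, original in find_hijacked_entries(root):
        report["unhidden"].append(original)
        report["stubs_removed"].append(lnk_path)
        if apply:
            _clear_hidden_system(original)
            os.remove(lnk_path)
    for dirpath, _, filenames in os.walk(root):
        report["suspect_scripts"] += [os.path.join(dirpath, f) for f in filenames
                                      if f.lower().endswith(".vbs")]
    return report


def _fake_lnk(target: bytes) -> bytes:
    """Constructed stand-in for a .lnk: valid header, then the target string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + target


def build_sample_drive() -> str:
    """Constructed sample: a temp folder shaped like an infected stick (no real malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "Photos"))
    stub = _fake_lnk(b"C:\\WINDOWS\\system32\\cmd.exe /c start wscript.exe //B COOL.vbs")
    files = (("report.doc", b"legit document"), ("readme.txt", b"untouched"),
             ("report.doc.lnk", stub), ("Photos.lnk", stub),
             ("Notes.lnk", _fake_lnk(b"D:\\Notes\\todo.txt")),  # benign: no sibling
             ("COOL.vbs", b"' placeholder, not the real script"))
    for name, body in files:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    drive = next((a for a in sys.argv[1:] if a != "--apply"), None) or build_sample_drive()
    print(restore(drive, apply="--apply" in sys.argv))
```

Run it as `python shortcut_hijack.py E:\` to get a report on a mounted stick, and add `--apply` only after reviewing the report; without arguments it runs against the constructed sample. The .vbs files are deliberately listed rather than deleted so a legitimate script on the drive is not lost, which is the kind of call a cleanup tool should leave to the person holding the stick.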
There's an easy way… boot into SAFE MODE (Run > msconfig > Boot > check Safe boot)… open CCleaner > Tools > Startup, then delete "fofo" or "cool" or something like this… then boot in normal mode.