Flash Drive and Cellphone Affected by shortcut virus.

This is my second time running into this problem and coming here haha. But yeah, the first time around I got rid of the virus and installed MCShield. I hadn't plugged my phone or a flash drive I had into my computer for a while, so I didn't realize they were infected. MCShield of course caught this and removed the virus, but it keeps returning. I've scanned my other drives with MCShield and nothing has come up, so I assume they are fine (they were cleaned last time). So I'm going to ask where to proceed from here before I reinsert the infected devices into my PC to run any scans.

MCshield of course caught this and removed the virus but it keeps returning.
Copy and paste the MCShield log here.

I will, but since I scanned my drives afterwards I can't use the last scan, so I will reinsert the drives one by one and post both logs. I have autorun disabled, so I should be OK to do this as long as I don't access the drives, right?

Yes, but could you also run an FRST scan so that I can check the main system.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
- Select Addition at the bottom.
- Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

Alrite, here are both logs.

Here are the logs on the cellphone and USB.

MCShield logs are not readable when you attach them (some forum issue); that is why I said copy and paste.

Oh sorry, I didn’t even notice you said that.

This first one is for the flash drive.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.3.23.1 / Windows 7 <<<

4/6/2015 12:44:09 PM > Drive F: - scan started (no label ~7640 MB, NTFS flash drive )…

F:\eaeysuyahc…vbs - Malware > Deleted. (15.04.06. 12.44 eaeysuyahc…vbs.774700; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)

=> Malicious files : 1/1 deleted.


::::: Scan duration: 5sec ::::::::::::::::::


The second one is for the cellphone…

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.3.23.1 / Windows 7 <<<

4/6/2015 12:45:44 PM > Drive F: - scan started (no label ~1348 MB, FAT32 flash drive )…

--> Executing generic S&D routine... Searching for files hidden by malware...

--> Items to process: 2

--> F:\.adups > unhidden.

--> F:\.avg > unhidden.

F:\.lnk - Malware > Deleted. (15.04.06. 12.46 .lnk.372250; MD5: 8491418880fcd6b2a2b8eea85bcce2ab)

F:\eaeysuyahc…vbs - Malware > Deleted. (15.04.06. 12.46 eaeysuyahc…vbs.679603; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)

F:\logs.lnk - Malware > Deleted. (15.04.06. 12.46 logs.lnk.413335; MD5: 71d36ff6be70844847ba13e16acb1fa9)

F:\LOST.DIR.lnk - Malware > Deleted. (15.04.06. 12.46 LOST.DIR.lnk.339703; MD5: 44159b8a388b37730b6c1d3ea913f7db)

F:\.android_secure.lnk - Malware > Deleted. (15.04.06. 12.46 .android_secure.lnk.311332; MD5: 766c21846ccefdf9e71d5b2620cffc9f)

F:\Music.lnk - Malware > Deleted. (15.04.06. 12.46 Music.lnk.930532; MD5: d174c243e6a046380576fad30c9999fa)

F:\Podcasts.lnk - Malware > Deleted. (15.04.06. 12.46 Podcasts.lnk.728724; MD5: 5ada1f655e76b232e04d3c104b897f66)

F:\Ringtones.lnk - Malware > Deleted. (15.04.06. 12.46 Ringtones.lnk.350461; MD5: c68140e457654e8f309e796122403eca)

F:\Alarms.lnk - Malware > Deleted. (15.04.06. 12.46 Alarms.lnk.816077; MD5: 6455e54d00ee309472494e5744dd2fe4)

F:\Notifications.lnk - Malware > Deleted. (15.04.06. 12.46 Notifications.lnk.606178; MD5: 67ade31229bed2ea229d70bf640b768a)

F:\Pictures.lnk - Malware > Deleted. (15.04.06. 12.46 Pictures.lnk.157245; MD5: c6a550ead5a910eb0e8c3c76f4e02241)

F:\Movies.lnk - Malware > Deleted. (15.04.06. 12.46 Movies.lnk.45655; MD5: b0d32a2b314bda940c8532170f37abf0)

F:\Download.lnk - Malware > Deleted. (15.04.06. 12.46 Download.lnk.365778; MD5: 2822fd6672deb2dbcb4a22049fa383d9)

F:\DCIM.lnk - Malware > Deleted. (15.04.06. 12.46 DCIM.lnk.592360; MD5: 96c66fc304f5735ec16083e2c9527e2d)

F:\Android.lnk - Malware > Deleted. (15.04.06. 12.46 Android.lnk.725663; MD5: bd3ce60b8e14b8b16718b27d895605a8)

F:\wallpapers.lnk - Malware > Deleted. (15.04.06. 12.46 wallpapers.lnk.797524; MD5: efaae4f55c9fbcfad73cc94f6befe5da)

F:\WhatsApp.lnk - Malware > Deleted. (15.04.06. 12.46 WhatsApp.lnk.598252; MD5: a0bd283df3486089fd5be515731669d1)

F:\.mmsyscache.lnk - Malware > Deleted. (15.04.06. 12.46 .mmsyscache.lnk.730157; MD5: f3f4c1d33cccfbeb41fc1cb8ffc2d9b9)

F:\UnityAdsVideoCache.lnk - Malware > Deleted. (15.04.06. 12.46 UnityAdsVideoCache.lnk.521395; MD5: 784c54c4b6f255bee0f963bf72d4378d)

F:\Recording.lnk - Malware > Deleted. (15.04.06. 12.46 Recording.lnk.396947; MD5: 07cf6c2e0408ae79f70f3ca8ca3134d1)

F:\.EveryplayCache.lnk - Malware > Deleted. (15.04.06. 12.46 .EveryplayCache.lnk.317761; MD5: ac871f180e9704dd9522b4aa197755cb)

Resetting attributes: F:\logs < Successful.

Resetting attributes: F:\LOST.DIR < Successful.

Resetting attributes: F:\.android_secure < Successful.

Resetting attributes: F:\Music < Successful.

Resetting attributes: F:\Podcasts < Successful.

Resetting attributes: F:\Ringtones < Successful.

Resetting attributes: F:\Alarms < Successful.

Resetting attributes: F:\Notifications < Successful.

Resetting attributes: F:\Pictures < Successful.

Resetting attributes: F:\Movies < Successful.

Resetting attributes: F:\Download < Successful.

Resetting attributes: F:\DCIM < Successful.

Resetting attributes: F:\Android < Successful.

Resetting attributes: F:\wallpapers < Successful.

Resetting attributes: F:\WhatsApp < Successful.

Resetting attributes: F:\.mmsyscache < Successful.

Resetting attributes: F:\UnityAdsVideoCache < Successful.

Resetting attributes: F:\Recording < Successful.

Resetting attributes: F:\.EveryplayCache < Successful.

=> Malicious files : 21/21 deleted.
=> Hidden folders : 19/19 unhidden.
=> Hidden files : 2/2 unhidden.


::::: Scan duration: 19sec :::::::::::::::::


CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text below into it:

CreateRestorePoint:
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\...\Run: [eaeysuyahc] => wscript.exe //B "C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc..vbs" <===== ATTENTION
C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc..vbs
Startup: C:\Users\Nicholas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaeysuyahc..vbs ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> E:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL No File
Toolbar: HKU\S-1-5-21-3572464334-3272878166-3701872473-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti-VBS/VBE to your desktop.

- Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
- After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
- Post that report.

Be aware this is a very new programme and as such is not recognised by any antivirus or by Windows; it is safe, so allow it to run.

Just for info, this is/was the one on your flash drive:
https://www.virustotal.com/nb/file/b00ff385a07d26f87e55bd74eefe9b41bea37f9c8acce74f19d728a27ae48c14/analysis/

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Nicholas at 2015-04-06 13:04:39 Run:1
Running from C:\Users\Nicholas\Desktop\fixing stuff
Loaded Profiles: Nicholas (Available profiles: Nicholas)
Boot Mode: Normal

Content of fixlist:


CreateRestorePoint:
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\...\Run: [eaeysuyahc] => wscript.exe //B "C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc…vbs" <===== ATTENTION
C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc…vbs
Startup: C:\Users\Nicholas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaeysuyahc…vbs ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> E:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL No File
Toolbar: HKU\S-1-5-21-3572464334-3272878166-3701872473-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\Software\Microsoft\Windows\CurrentVersion\Run\eaeysuyahc => value deleted successfully.
Could not move "C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc…vbs" => Scheduled to move on reboot.
C:\Users\Nicholas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaeysuyahc…vbs => Moved successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
"HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" => Key deleted successfully.
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value deleted successfully.
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-3572464334-3272878166-3701872473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value deleted successfully.

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 1.5 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-04-06 13:08:22)<=

C:\Users\Nicholas\AppData\Local\Temp\eaeysuyahc…vbs => Is moved successfully.

==== End of Fixlog 13:08:22 ====


Running fix at 4/6/2015 1:11:16 PM

Found: C:\Users\Nicholas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eaeysuyahc…vbs - deleted.

Found: c:\users\nicholas\appdata\local\temp\eaeysuyahc…vbs - deleted.

Found: HKU\Nicholas\Software\Microsoft\Windows\CurrentVersion\Run\eaeysuyahc - deleted.

Fix finished at 4/6/2015 1:11:18 PM

Anti-VBS/VBE, build 11
http://www.mcshield.net/download/tools/Anti-VBSVBE/

Thank you for the information. I should note that I removed both devices after I did the MCShield scans; I just realized this and I was wondering if it is a problem at this stage?

Re-insert the devices now and let me know if MCShield gives the all clear.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.3.23.1 / Windows 7 <<<

4/6/2015 1:51:29 PM > Drive F: - scan started (no label ~7640 MB, NTFS flash drive )…

F:\eaeysuyahc…vbs - Malware > Deleted. (15.04.06. 13.51 eaeysuyahc…vbs.280071; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)

=> Malicious files : 1/1 deleted.


::::: Scan duration: 8sec ::::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.3.23.1 / Windows 7 <<<

4/6/2015 1:52:19 PM > Drive F: - scan started (no label ~1348 MB, FAT32 flash drive )…

--> Executing generic S&D routine... Searching for files hidden by malware...

--> Items to process: 2

--> F:\.adups > unhidden.

--> F:\.avg > unhidden.

F:\.lnk - Malware > Deleted. (15.04.06. 13.52 .lnk.355038; MD5: 8491418880fcd6b2a2b8eea85bcce2ab)

F:\eaeysuyahc…vbs - Malware > Deleted. (15.04.06. 13.52 eaeysuyahc…vbs.927971; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)

F:\logs.lnk - Malware > Deleted. (15.04.06. 13.52 logs.lnk.566762; MD5: 71d36ff6be70844847ba13e16acb1fa9)

F:\LOST.DIR.lnk - Malware > Deleted. (15.04.06. 13.52 LOST.DIR.lnk.24288; MD5: 44159b8a388b37730b6c1d3ea913f7db)

F:\.android_secure.lnk - Malware > Deleted. (15.04.06. 13.52 .android_secure.lnk.906837; MD5: 766c21846ccefdf9e71d5b2620cffc9f)

F:\Music.lnk - Malware > Deleted. (15.04.06. 13.52 Music.lnk.791616; MD5: d174c243e6a046380576fad30c9999fa)

F:\Podcasts.lnk - Malware > Deleted. (15.04.06. 13.52 Podcasts.lnk.120966; MD5: 5ada1f655e76b232e04d3c104b897f66)

F:\Ringtones.lnk - Malware > Deleted. (15.04.06. 13.52 Ringtones.lnk.116604; MD5: c68140e457654e8f309e796122403eca)

F:\Alarms.lnk - Malware > Deleted. (15.04.06. 13.52 Alarms.lnk.113379; MD5: 6455e54d00ee309472494e5744dd2fe4)

F:\Notifications.lnk - Malware > Deleted. (15.04.06. 13.52 Notifications.lnk.903481; MD5: 67ade31229bed2ea229d70bf640b768a)

F:\Pictures.lnk - Malware > Deleted. (15.04.06. 13.52 Pictures.lnk.720127; MD5: c6a550ead5a910eb0e8c3c76f4e02241)

F:\Movies.lnk - Malware > Deleted. (15.04.06. 13.52 Movies.lnk.785035; MD5: b0d32a2b314bda940c8532170f37abf0)

F:\Download.lnk - Malware > Deleted. (15.04.06. 13.52 Download.lnk.105158; MD5: 2822fd6672deb2dbcb4a22049fa383d9)

F:\DCIM.lnk - Malware > Deleted. (15.04.06. 13.52 DCIM.lnk.597319; MD5: 96c66fc304f5735ec16083e2c9527e2d)

F:\Android.lnk - Malware > Deleted. (15.04.06. 13.52 Android.lnk.901261; MD5: bd3ce60b8e14b8b16718b27d895605a8)

F:\wallpapers.lnk - Malware > Deleted. (15.04.06. 13.52 wallpapers.lnk.238702; MD5: efaae4f55c9fbcfad73cc94f6befe5da)

F:\WhatsApp.lnk - Malware > Deleted. (15.04.06. 13.52 WhatsApp.lnk.944490; MD5: a0bd283df3486089fd5be515731669d1)

F:\.mmsyscache.lnk - Malware > Deleted. (15.04.06. 13.52 .mmsyscache.lnk.341973; MD5: f3f4c1d33cccfbeb41fc1cb8ffc2d9b9)

F:\UnityAdsVideoCache.lnk - Malware > Deleted. (15.04.06. 13.52 UnityAdsVideoCache.lnk.133211; MD5: 784c54c4b6f255bee0f963bf72d4378d)

F:\Recording.lnk - Malware > Deleted. (15.04.06. 13.52 Recording.lnk.274343; MD5: 07cf6c2e0408ae79f70f3ca8ca3134d1)

F:\.EveryplayCache.lnk - Malware > Deleted. (15.04.06. 13.52 .EveryplayCache.lnk.852215; MD5: ac871f180e9704dd9522b4aa197755cb)

Resetting attributes: F:\logs < Successful.

Resetting attributes: F:\LOST.DIR < Successful.

Resetting attributes: F:\.android_secure < Successful.

Resetting attributes: F:\Music < Successful.

Resetting attributes: F:\Podcasts < Successful.

Resetting attributes: F:\Ringtones < Successful.

Resetting attributes: F:\Alarms < Successful.

Resetting attributes: F:\Notifications < Successful.

Resetting attributes: F:\Pictures < Successful.

Resetting attributes: F:\Movies < Successful.

Resetting attributes: F:\Download < Successful.

Resetting attributes: F:\DCIM < Successful.

Resetting attributes: F:\Android < Successful.

Resetting attributes: F:\wallpapers < Successful.

Resetting attributes: F:\WhatsApp < Successful.

Resetting attributes: F:\.mmsyscache < Successful.

Resetting attributes: F:\UnityAdsVideoCache < Successful.

Resetting attributes: F:\Recording < Successful.

Resetting attributes: F:\.EveryplayCache < Successful.

=> Malicious files : 21/21 deleted.
=> Hidden folders : 19/19 unhidden.
=> Hidden files : 2/2 unhidden.


::::: Scan duration: 23sec :::::::::::::::::


After scanning again nothing is coming up, I’ll remove and reinsert both drives to see if the problem is gone. Was that business on my C drive causing the virus to replicate itself?

Removed and reinserted, still getting an all clear.

OK, one final run with the Anti-VBS programme to confirm that all is clear.

Yes, it was being transferred from your system to the removables. Did AVG not alert you to the VBS file?
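An added example, not from this thread or from MCShield's authors: a small parser for the MCShield log format posted above that groups deletions by MD5 across scans and pairs each deleted .lnk with the folder whose hidden attribute was reset. The same dropper hash coming back on every removable, scan after scan, is exactly the evidence for the helper's point that the source was the host, not the drives. The sample log is constructed from lines quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the MCShield log format posted in this thread (three scans, two removables).
SAMPLE_LOG = """\
4/6/2015 12:44:09 PM > Drive F: - scan started (no label ~7640 MB, NTFS flash drive )...
F:\\eaeysuyahc..vbs - Malware > Deleted. (15.04.06. 12.44 eaeysuyahc..vbs.774700; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)
4/6/2015 12:45:44 PM > Drive F: - scan started (no label ~1348 MB, FAT32 flash drive )...
F:\\eaeysuyahc..vbs - Malware > Deleted. (15.04.06. 12.46 eaeysuyahc..vbs.679603; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)
F:\\Music.lnk - Malware > Deleted. (15.04.06. 12.46 Music.lnk.930532; MD5: d174c243e6a046380576fad30c9999fa)
Resetting attributes: F:\\Music < Successful.
4/6/2015 1:51:29 PM > Drive F: - scan started (no label ~7640 MB, NTFS flash drive )...
F:\\eaeysuyahc..vbs - Malware > Deleted. (15.04.06. 13.51 eaeysuyahc..vbs.280071; MD5: cf8c7f3ef72c12e8f6b93f4f0acdf42f)
"""

SCAN_RE = re.compile(r"^(?P<when>\S+ \S+ [AP]M) > Drive (?P<drive>\w:) - scan started \(.*?~(?P<mb>\d+) MB, (?P<fs>\w+)")
HIT_RE = re.compile(r"^(?P<path>\S+) - Malware > Deleted\. \(.*?; MD5: (?P<md5>[0-9a-f]{32})\)")
UNHIDE_RE = re.compile(r"^Resetting attributes: (?P<path>\S+) < Successful\.")

def parse_mcshield(text):
    """Split an MCShield log into scans, each with its deletions (path, md5) and unhidden paths."""
    scans = []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            # Every removable mounts as F: here, so size + filesystem is the device identity.
            scans.append({"when": m["when"], "device": f"{m['mb']}MB/{m['fs']}",
                          "hits": [], "unhidden": []})
            continue
        if not scans: continue  # header lines before the first scan block
        m = HIT_RE.match(line)
        if m:
            scans[-1]["hits"].append((m["path"], m["md5"]))
            continue
        m = UNHIDE_RE.match(line)
        if m:
            scans[-1]["unhidden"].append(m["path"])
    return scans

def recurring_hashes(scans):
    """MD5 -> indices of the scans it was deleted in, for hashes that came back in more than one scan."""
    seen = defaultdict(set)
    for i, scan in enumerate(scans):
        for _, md5 in scan["hits"]:
            seen[md5].add(i)
    return {md5: sorted(idx) for md5, idx in seen.items() if len(idx) > 1}

def lnk_decoys(scan):
    """Shortcut-virus signature: a deleted X.lnk for each folder X whose hidden attribute was reset."""
    unhidden = {p.lower() for p in scan["unhidden"]}
    return [p for p, _ in scan["hits"] if p.lower().endswith(".lnk") and p[:-4].lower() in unhidden]

if __name__ == "__main__":
    for md5, idx in recurring_hashes(parse_mcshield(SAMPLE_LOG)).items():
        print(md5, "came back in scans", idx)  # a recurring hash means re-infection from the host
```

Run against a real MCShield log, a hash that reappears after the drive was cleaned tells you to look for the Run key, Startup entry and %TEMP% copy on the PC, which is what the FRST fix above removed.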

Nope… and I have it updated too.


Running fix at 4/6/2015 2:44:50 PM

Fix finished at 4/6/2015 2:44:52 PM

Anti-VBS/VBE, build 11
http://www.mcshield.net/download/tools/Anti-VBSVBE/