Folder shortcut virus (located in cmd system32)

system · 2015-04-19T05:37:05.000Z

Hello. My flash drive is infected with a virus that keeps on creating folder shortcuts and it cannot be detected by my anti-virus. I did the instructions of TwinHeadedEagle

https://forum.avast.com/index.php?topic=138715.0

Here are my logs.

Thank you!

Pondus · 2015-04-19T07:05:38.000Z

see instructions here https://forum.avast.com/index.php?topic=53253.0
scroll down to SPECIFIC INFECTIONS LOGS follow instructions for MCShield

this log you must copy and paste here, not attach

system · 2015-04-19T07:23:10.000Z

Here is the log from the MCShield.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.4.7.1 / Windows 7 <<<

4/19/2015 3:22:11 PM > Drive G: - scan started (TOURO ~932 GB, NTFS HDD )…

=> The drive is clean. :o

essexboy · 2015-04-19T10:48:14.000Z

Now that you have MCShield installed you must insert the flash drive to disinfect it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\Run: [krqvsfjxld] => wscript.exe //B "C:\Users\JALIL\AppData\Local\Temp\krqvsfjxld.vbs" <===== ATTENTION HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\Run: [AntiWormUpdate] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team) HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\Run: [AntiUsbWorm] => C:\Windows\system32\cmd.exe /c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x & exit HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\MountPoints2: {214f1094-7049-11e3-ad03-bc5ff4965571} - F:\Startme.exe Startup: C:\Users\JALIL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krqvsfjxld.vbs () U3 pxddqpow; \??\C:\Users\JALIL\AppData\Local\Temp\pxddqpow.sys [X] C:\Users\JALIL\AppData\Local\Temp\krqvsfjxld.vbs C:\Users\JALIL\AppData\Local\Temp\pxddqpow.sys C:\Google\AutoIt3.exe Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download Anti VBS/VBE to your desktop

[]download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

system · 2015-04-19T11:41:15.000Z

Hello

Here is the log of the AntiVBS/VBE scan

---------------------------------- Running fix at 4/19/2015 7:36:53 PM > Found: C:\Users\JALIL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krqvsfjxld.vbs - deleted. > Found: c:\users\jalil\appdata\local\temp\krqvsfjxld.vbs - deleted. HKEY_USERS\S-1-5-21-4049212416-144645580-1607383010-1000\Software\Microsoft\Windows\CurrentVersion\Run\krqvsfjxld

This was the result of the Farbar Fix

Also, this window popped up at startup. I’m guessing that this was the virus… :o

http://i.imgur.com/UD2dxxQ.png

system · 2015-04-19T12:00:11.000Z

Thank you so much for the help! ;D

Although There are still folder shortcuts in my hard drive and in my Adwcleaner folder in C. Is it safe to delete them now?

essexboy · 2015-04-19T12:05:08.000Z

Are you still getting the autoit popup ? If so could you run a fresh FRST scan please

Also did MCShield clear the flash drive

system · 2015-04-19T13:21:30.000Z

Hello.

Looks like MCShield did its thing.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/ >>> v 3.0.5.28 / DB: 2015.4.7.1 / Windows 7 < Drive G: - scan started (TOURO ~932 GB, NTFS HDD )...=
=> The drive is clean.

Here is the attachment of the recent FRST scan

EDIT: The AutoIt popup still comes out (same as the photo I posted). Also, MCShield says my drive is clean several hours ago before I did the recovery process. Weird.

essexboy · 2015-04-19T13:57:28.000Z

OK looks like the reg entries regenerated before antivbs zapped the files. After this let me know of any other problems before I tidy up

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\Run: [AntiWormUpdate] => C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x HKU\S-1-5-21-4049212416-144645580-1607383010-1000\...\Run: [AntiUsbWorm] => C:\Windows\system32\cmd.exe /c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x & exit Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-04-19T14:14:19.000Z

The Autoit popup didn’t appear anymore. Thank you very much!

I checked out my external HD and deleted all the remaining folder shortcuts. Also, I disabled the “hide protected OS files” in my folder options just to check out my HD. It seems that the Autoit.exe and its files (which are all contained in a folder named Skypee which is also present in my C drive) is there. Help please :-\

EDIT: Here’s the FRST log

essexboy · 2015-04-19T14:41:30.000Z

How did I miss that one as it is a known associate

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2015-04-18 18:20 - 2015-04-18 18:20 - 00000000 _RSHD () C:\Skypee

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-04-19T14:56:18.000Z

I commenced another Fix because i forgot to check a few boxes. Thank you!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2015 Ran by JALIL at 2015-04-19 22:55:23 Run:4 Running from C:\Users\JALIL\Desktop Loaded Profiles: JALIL (Available profiles: JALIL) Boot Mode: Normal ==============================================
Content of fixlist:

2015-04-18 18:20 - 2015-04-18 18:20 - 00000000 _RSHD () C:\Skypee

“C:\Skypee” => File/Directory not found.

==== End of Fixlog 22:55:23 ====

EDIT: The Skypee is removed from C, but it’s still in my external HD

essexboy · 2015-04-19T15:00:58.000Z

OK remove that manually please. How is the computer now ?

system · 2015-04-19T15:18:22.000Z

Hello. The computer seems to be back to its normal, healthy state! The popup doesn’t show anymore, the Skypee folders are permanently removed, and there are no more annoying folder shortcuts.

THANK YOU SO MUCH FOR ALL THE TIME AND HELP REGARDING MY PROBLEM!! ;D

essexboy · 2015-04-19T15:49:36.000Z

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

system · 2015-04-20T04:30:50.000Z

Hello! I have reviewed and checked my PC today and I can confirm that the virus has been purged from both my hard drive and PC. Thank you so much! ;D I have also downloaded the recommended programs.

Thank you so much for all the help! ;D

essexboy · 2015-04-20T13:49:05.000Z

Could you delete the logs from your first post as Avast does not like some of the content

Announcements