Help: COOL.vbs infected flash drive

Hello,

I’ve been infected by this COOL.vbs virus when I gave a friend my flash drive to copy a file. Right after I got it back I noticed all my files were suddenly shortcuts! I tried to make them reappear by un-hiding them like I read somewhere, and although they appeared for a few seconds, that was clearly not the issue. I know this thing copies itself to my user files (I can see it when I look at the files through the command prompt but not Explorer), but I can’t delete it, so I’d be very grateful if someone could help me kill it once and for all, because I’m clearly in over my head here. I checked the other threads to see if there was a tool or something that would take care of it but nothing has worked. I’ve tried Malwarebytes Anti-Malware (full scan, didn’t find anything) and AVG (nothing). So I installed MCShield, and formatted my flash drive. Here are the logs from FRST. Please let me know if you need anything else.

Thanks in advance! :slight_smile:

If you installed MCShield, then there was no need to wipe your USB stick, as MCShield would have cleared it.

OK, time to check your machine…
Attach an OTL diagnostic log. http://forum.avast.com/index.php?topic=53253.0

Monitoring

Oh, well… I guess I was just angry at it for causing me so many problems! :frowning: Thankfully, there wasn’t anything too important in there.

Ok, here it is.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


HKCU\...\Run: [COOL] - C:\Users\Julia\AppData\Roaming\COOL.vbs [150749 2013-11-14] ()
C:\Users\Julia\AppData\Roaming\COOL.vbs
Startup: C:\Users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
2013-12-11 19:45 - 2013-11-14 21:51 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
2013-11-14 21:51 - 2013-12-11 19:45 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
C:\Users\Julia\AppData\Local\Temp\.gbas.dll
C:\Users\Julia\AppData\Local\Temp\arh5gdfr.dll
C:\Users\Julia\AppData\Local\Temp\COIOSHelper.dll
C:\Users\Julia\AppData\Local\Temp\Execute2App.exe
C:\Users\Julia\AppData\Local\Temp\hdsaujkb.dll
C:\Users\Julia\AppData\Local\Temp\i4jdel0.exe
C:\Users\Julia\AppData\Local\Temp\jijjnrzs.dll
C:\Users\Julia\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Julia\AppData\Local\Temp\lowproc.exe
C:\Users\Julia\AppData\Local\Temp\msvcp90.dll
C:\Users\Julia\AppData\Local\Temp\msvcr90.dll
C:\Users\Julia\AppData\Local\Temp\SAV2RemoveAll.exe
C:\Users\Julia\AppData\Local\Temp\ShellLink.dll
C:\Users\Julia\AppData\Local\Temp\stubhelper.dll
C:\Users\Julia\AppData\Local\Temp\utt2E8.tmp.exe
C:\Users\Julia\AppData\Local\Temp\vyub4t5e.dll


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

- Double click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Ok, here’s the log. And I haven’t used any other usb sticks other than the one I formatted :slight_smile:

This might be a stupid question, but there’s a file with no extension with some Chinese characters in the same directory as FRST… is that normal?

Is that normal?

It isn't :slight_smile:

Is this set?


http://fotkica.com/thumbs3/1_tmb_106679501_2013-12-12_083114.jpg

Run FRST again.

Edit.

Attach here → AllScans.txt (MCShield).

All right, I’m a little confused now, but let's see…

I opened a new txt file to check that ANSI was selected there, and it was. Was that what you meant?

Then I ran FRST again; here are the two logs. The file with the Chinese characters is still there, should I delete it?

Then I decided to stick the flash drive in just in case, and surprise surprise, that stupid COOL.vbs was there, visible. Then MCShield worked and it was gone… but when I put it back in, COOL.vbs was still on it (or maybe it got on it again?). Here’s the AllScans log as well.

Thanks for your patience, btw

fixlist.txt must be on your desktop; start FRST and click the Fix button.

I’m on the forum for two hours, but I think everything will be OK.

Ok, here’s the Fixlog. It still says it couldn’t delete one thing…

I did it wrong, no problem ;D

Scan with Combofix:

- Please download ComboFix by sUBs and save it to your Desktop.
You may read how ComboFix works here.

- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

- Run ComboFix. Click on I Agree! and follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

- When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt)

Here goes!

Open notepad and copy/paste the text present inside the code box below:



Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-

File::
c:\users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

When ComboFix finished running, it opened “log.txt”, which I attached, plus ComboFix.txt, just in case they aren’t the same thing!

I think it might have worked this time! Is there a way to check if my computer is finally COOL.vbs-free?

Open notepad and copy/paste the text present inside the code box below:



File::
c:\users\Julia\AppData\Roaming\COOL.vbs
c:\users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs
c:\users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

So what do you say, is it over? :smiley:

I see no present or active malware.

It is necessary to uninstall ComboFix:

- Click Start (or the Vista start button, see http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the line of text type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

- Then click OK (or press Enter).

Wait for the uninstall process to complete.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.
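The user's question earlier in the thread (is there a way to check the machine is finally COOL.vbs-free?) can be answered with a small script. The following PowerShell is an added example: it is not part of the thread and is not from the helper, FRST, MCShield, ComboFix or DelFix. It re-checks the three persistence points the FRST fixlist named (the HKCU Run value COOL, COOL.vbs in AppData\Roaming, and COOL.vbs in the Startup folder) and inspects a removable drive for the symptoms the user described (files and folders hidden with the Hidden+System attributes and replaced by shortcuts). The drive letter, the -RestoreAttributes switch and the assumption that the planted shortcuts launch wscript/cscript are my additions, not something the thread shows.

```powershell
<#
  Added example, not from the thread or any tool it names.
  Re-checks the persistence points listed in the FRST fixlist and inspects a
  removable drive for the "everything turned into shortcuts" symptom.
  Run it from the affected user's account: it only looks at that user's hive
  and profile, so it does not replace the tool logs for the rest of the system.
  Assumptions (mine): the drive letter, the -RestoreAttributes switch, and the
  pattern that the planted .lnk files launch wscript/cscript with a .vbs.
#>
param(
    [string]$RemovableDrive = 'E:\',   # assumption: letter of the flash drive
    [switch]$RestoreAttributes         # clear Hidden+System from the real items on the drive
)

$findings = New-Object System.Collections.ArrayList
$roaming  = [Environment]::GetFolderPath('ApplicationData')   # ...\AppData\Roaming
$startup  = [Environment]::GetFolderPath('Startup')           # ...\Start Menu\Programs\Startup

# 1. HKCU Run value "COOL" (FRST line: HKCU\...\Run: [COOL] - ...\COOL.vbs),
#    plus any other Run value whose command references a VBScript.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
        if ($p.Name -eq 'COOL' -or ($p.Value -is [string] -and $p.Value -match '(?i)\.vbs')) {
            [void]$findings.Add("Run value: $($p.Name) = $($p.Value)")
        }
    }
}

# 2. COOL.vbs in AppData\Roaming and in the Startup folder (the two file paths
#    from the fixlist), plus any other .vbs sitting in Startup.
foreach ($path in @((Join-Path $roaming 'COOL.vbs'), (Join-Path $startup 'COOL.vbs'))) {
    if (Test-Path -LiteralPath $path) {
        $attr = (Get-Item -LiteralPath $path -Force).Attributes   # -Force: the file is hidden (___SH)
        [void]$findings.Add("File present: $path [$attr]")
    }
}
Get-ChildItem -LiteralPath $startup -Force -Filter '*.vbs' -ErrorAction SilentlyContinue |
    ForEach-Object { [void]$findings.Add("VBScript in Startup: $($_.FullName)") }

# 3. The removable drive: a loose .vbs, shortcuts that launch a script engine,
#    and real files/folders carrying the Hidden+System attribute pair.
if (Test-Path -LiteralPath $RemovableDrive) {
    $items = Get-ChildItem -LiteralPath $RemovableDrive -Force -ErrorAction SilentlyContinue
    $shell = New-Object -ComObject WScript.Shell   # used only to read .lnk targets
    foreach ($i in $items) {
        if ($i.Extension -ieq '.vbs') {
            [void]$findings.Add("VBScript on drive: $($i.FullName) [$($i.Attributes)]")
        }
        elseif ($i.Extension -ieq '.lnk') {
            $sc  = $shell.CreateShortcut($i.FullName)
            $cmd = "$($sc.TargetPath) $($sc.Arguments)"
            if ($cmd -match '(?i)wscript|cscript|\.vbs') {
                [void]$findings.Add("Shortcut running a script: $($i.Name) -> $cmd")
            }
        }
        elseif ((([int]$i.Attributes) -band 6) -eq 6) {   # Hidden = 2, System = 4
            [void]$findings.Add("Hidden+System item (probably the user's real data): $($i.FullName)")
            if ($RestoreAttributes) {
                # Clear Hidden and System, keep the other bits (Directory, Archive, ...)
                $i.Attributes = [IO.FileAttributes](([int]$i.Attributes) -band (-bnot 6))
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No COOL.vbs indicators found in this user context.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it once without -RestoreAttributes to see what it reports; only after confirming that no .vbs and no script-launching shortcut remain on the drive should the hidden items be un-hidden, otherwise the user's data reappears next to a still-active dropper, which is the behaviour the user saw when un-hiding the files by hand.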