Help me please! Trying to get rid of VBS:Downloader-AVJ

Hello,

I got infected by a trojan - VBS:Downloader-AVJ , probably via a usb-stick. It was quarantined by my antivirus program and I followed the lead here on this topic on how to remove it completely (hopefully) by running malwarebytes, farbar and mcshield. Logs are attached, I would be so glad if someone could help me further along!

Thanks in advance,
Ruth

MCShield logs must be copy/pasted, or a forum issue makes them look Chinese.

Have done it for you using Android :wink:

>>> MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

20-1-2018 22:38:44 > Drive C: - scan started (TI31252400A ~687 GB, NTFS HDD )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

20-1-2018 22:39:38 > Drive E: - scan started (RUTH2 ~7784 MB, FAT32 flash drive )…

—> Executing generic S&D routine… Searching for files hidden by malware…

—> Items to process: 30

—> E:\ntmplugin.ntm > unhidden.

—> E:._WILLEM JACOB 20-12-2010.pdf > unhidden.

—> E:._Watch Schedule Trip B 1.pdf > unhidden.

—> E:\modelovereenkomst Ruth Tsjerk.docx > unhidden.

—> E:\LOA Ruth Giesen St. Martin.doc > unhidden.

—> E:._LETTER OF AUTHORITY begeleiding reis C.pdf > unhidden.

—> E:._Itinerary for for travel date 03JAN2017.pdf > unhidden.

—> E:._.TemporaryItems > unhidden.

—> E:._Itinerary for for travel date 03JAN2017-2.pdf > unhidden.

—> E:\Port information Charlotteville (jan 2017).docx > unhidden.

—> E:\Boordkas januari 2018.xlsm > unhidden.

—> E:~$traineelijst C1.xlsx > unhidden.

—> E:\traineelijjst c1 2018.xls > unhidden.

—> E:~WRL2306.tmp > unhidden.

—> E:._Pressure.mp4 > unhidden.

—> E:\Itinerary for Mrs Ruth Giesen for travel date 14JAN2018.pdf > unhidden.

—> E:._atlantic-index.pdf > unhidden.

—> E:._manitoba-index.pdf > unhidden.

—> E:._eNP_Permits.enp > unhidden.

—> E:._.Trashes > unhidden.

—> E:.Trashes > unhidden.

—> E:.Spotlight-V100 > unhidden.

—> E:\transavia-boardingpass-Nadine-Spigt-TO3016-19-01-2018.pdf > unhidden.

—> E:._contract Chris Schwan valid 14-10-2017.pdf > unhidden.

—> E:._Jonathan agreement valid 10-06-2016-10-06-2017.pdf > unhidden.

—> E:._fax@centromedicoblanco.es_20170523_115341.pdf > unhidden.

—> E:\Untitled.pdf > unhidden.

—> E:._ApplicationforYachtCharter.pdf > unhidden.

—> E:._Word Work File D_1.tmp > unhidden.

—> E:\credit card jan2018 3.pdf > unhidden.

E:._Watch Schedule Trip B 1.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._Watch Schedule Trip B 1.pdf.lnk.608319; MD5: 69971bf749d8582ae21423b89b756c1d)

E:\modelovereenkomst Ruth Tsjerk.docx.lnk - Malware > Deleted. (18.01.20. 22.39 modelovereenkomst Ruth Tsjerk.docx.lnk.338508; MD5: 3fa322260913fe39c740230ebfd2bfab)

E:\LOA Ruth Giesen St. Martin.doc.lnk - Malware > Deleted. (18.01.20. 22.39 LOA Ruth Giesen St. Martin.doc.lnk.725103; MD5: 1aaf234390f2c1d3ba935aaadbd11233)

E:._LETTER OF AUTHORITY begeleiding reis C.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._LETTER OF AUTHORITY begeleiding reis C.pdf.lnk.261257; MD5: ccb770f134c34d43fe4029a3534cadc4)

E:._Itinerary for for travel date 03JAN2017.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._Itinerary for for travel date 03JAN2017.pdf.lnk.950996; MD5: 5a8a8173fc86ea51cfa6b09a2c9e06fa)

E:..TemporaryItems.lnk - Malware > Deleted. (18.01.20. 22.39 ..TemporaryItems.lnk.179983; MD5: ef6ab1dfeac4a6eeb2fc5898fac2b635)

E:._Itinerary for for travel date 03JAN2017-2.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._Itinerary for for travel date 03JAN2017-2.pdf.lnk.862330; MD5: 434313a893df3a3efd63e57f0266841d)

E:\Port information Charlotteville (jan 2017).docx.lnk - Malware > Deleted. (18.01.20. 22.39 Port information Charlotteville (jan 2017).docx.lnk.936596; MD5: cd59091c95c8c1200dbfb7b3afc470e8)

E:\Boordkas januari 2018.xlsm.lnk - Malware > Deleted. (18.01.20. 22.39 Boordkas januari 2018.xlsm.lnk.949683; MD5: 8fdbc778d4f40c154317ba7ee3cbbf68)

E:~$traineelijst C1.xlsx.lnk - Malware > Deleted. (18.01.20. 22.39 ~$traineelijst C1.xlsx.lnk.818413; MD5: 91e00929bd77cc91da2a53ee175e3d1f)

E:\traineelijjst c1 2018.xls.lnk - Malware > Deleted. (18.01.20. 22.39 traineelijjst c1 2018.xls.lnk.445179; MD5: 4e7f97fc3d80a5b1e0bd165409f4d36c)

E:~WRL2306.tmp.lnk - Malware > Deleted. (18.01.20. 22.39 ~WRL2306.tmp.lnk.588715; MD5: ec3892882e3dc8f883bc9e5b6890b26c)

E:._Pressure.mp4.lnk - Malware > Deleted. (18.01.20. 22.39 ._Pressure.mp4.lnk.987467; MD5: f4a638322396627ed5e4ff245ead3e27)

E:\Itinerary for Mrs Ruth Giesen for travel date 14JAN2018.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 Itinerary for Mrs Ruth Giesen for travel date 14JAN2018.pdf.lnk.292677; MD5: bbeb9f0b73573cc8a3a0655e1550cd34)

E:._atlantic-index.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._atlantic-index.pdf.lnk.406739; MD5: c12681cd7778404227d0b5bd5cc413e8)

E:._manitoba-index.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._manitoba-index.pdf.lnk.557229; MD5: 08ae5c8e412eb95b5f5a90792572b11d)

E:._eNP_Permits.enp.lnk - Malware > Deleted. (18.01.20. 22.39 ._eNP_Permits.enp.lnk.544908; MD5: 88e1a8b2fec7da598977814aa73b005c)

E:..Trashes.lnk - Malware > Deleted. (18.01.20. 22.39 ..Trashes.lnk.224282; MD5: 726e97a063eadbfab1a8e95e8f8eb126)

E:.Trashes.lnk - Malware > Deleted. (18.01.20. 22.39 .Trashes.lnk.825640; MD5: 2f8ca2884a475ed304872fa9fd87de12)

E:.Spotlight-V100.lnk - Malware > Deleted. (18.01.20. 22.39 .Spotlight-V100.lnk.248662; MD5: 860e65a218ecbf55e0af89b745720e4f)

E:\transavia-boardingpass-Nadine-Spigt-TO3016-19-01-2018.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 transavia-boardingpass-Nadine-Spigt-TO3016-19-01-2018.pdf.lnk.622006; MD5: 8f0745f2a4615009dad5514108bdedf7)

E:._contract Chris Schwan valid 14-10-2017.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._contract Chris Schwan valid 14-10-2017.pdf.lnk.277808; MD5: f03fb396ad4aeefd1f0a3e2f762c8c08)

E:._Jonathan agreement valid 10-06-2016-10-06-2017.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._Jonathan agreement valid 10-06-2016-10-06-2017.pdf.lnk.103813; MD5: 1220dfdc2949a83ae114f71f29bd11b9)

E:._fax@centromedicoblanco.es_20170523_115341.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._fax@centromedicoblanco.es_20170523_115341.pdf.lnk.330526; MD5: bb95e09af41ba85540728266fd599cf8)

E:\Untitled.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 Untitled.pdf.lnk.27218; MD5: 75cef59adaa3152f24df49bb8591ec0f)

E:._ApplicationforYachtCharter.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 ._ApplicationforYachtCharter.pdf.lnk.842202; MD5: e241e977e468f6729fb49b522ac573b7)

E:._Word Work File D_1.tmp.lnk - Malware > Deleted. (18.01.20. 22.39 ._Word Work File D_1.tmp.lnk.624345; MD5: d9988543cda4b363393c237e9765945a)

E:\credit card jan2018 3.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 credit card jan2018 3.pdf.lnk.920328; MD5: 8709d5490d5d2f5224809369c1e6d217)

E:.fseventsd.lnk - Malware > Deleted. (18.01.20. 22.39 .fseventsd.lnk.734176; MD5: cdfcc42f5b694bdf8bdd58dcb928d831)

E:\WS.lnk - Malware > Deleted. (18.01.20. 22.39 WS.lnk.191833; MD5: eba00ca04ce652c2b88dea4d94f98a4c)

E:\Plannen van aanpak.lnk - Malware > Deleted. (18.01.20. 22.39 Plannen van aanpak.lnk.992430; MD5: 477547ac824a674e113fb0a6ef939c83)

E:.TemporaryItems.lnk - Malware > Deleted. (18.01.20. 22.39 .TemporaryItems.lnk.560946; MD5: 945cd341e370baa7a4605ffe0e3789d9)

E:\New folder (2).lnk - Malware > Deleted. (18.01.20. 22.39 New folder (2).lnk.963721; MD5: a5d9b77b11f30bfb2154ba37a391efd1)

E:\Nieuwe certificaten Ruth.lnk - Malware > Deleted. (18.01.20. 22.39 Nieuwe certificaten Ruth.lnk.123438; MD5: 6e9cb210c8e5f668818862fc33ed5080)

E:\TEKENINGEN VAN MARIJKE Van WS.lnk - Malware > Deleted. (18.01.20. 22.39 TEKENINGEN VAN MARIJKE Van WS.lnk.880172; MD5: 7ecba4d7469776f4963dce7f2978b5e1)

E:\Beurtveer.lnk - Malware > Deleted. (18.01.20. 22.39 Beurtveer.lnk.261168; MD5: 9841d1c01055b16e6516853ee953ba3f)

E:\Vaartijd.lnk - Malware > Deleted. (18.01.20. 22.39 Vaartijd.lnk.318117; MD5: d6e0cf2ebe5bea33b9fb2312acbb91c1)

E:\Rottumreis 2017.lnk - Malware > Deleted. (18.01.20. 22.39 Rottumreis 2017.lnk.320839; MD5: a2f19db6a7c94c8249ef918bcf1839fb)

E:\Reglementencie Strontrace 2017.lnk - Malware > Deleted. (18.01.20. 22.39 Reglementencie Strontrace 2017.lnk.561940; MD5: ddb90758b55ffe8ed2e3a88f7dec19b9)

E:\Las Palmas Bermuda Wylde Swan.lnk - Malware > Deleted. (18.01.20. 22.39 Las Palmas Bermuda Wylde Swan.lnk.3417; MD5: b77a288fc4662235b5ff25ba7aca7a5f)

E:..Trashes - Malware > Deleted. (18.01.20. 22.39 ..Trashes.649293; MD5: 055a2a7342c0528969e1b6e32aadeee3)

Resetting attributes: E:.fseventsd < Successful.

Resetting attributes: E:\WS < Successful.

Resetting attributes: E:\Plannen van aanpak < Successful.

Resetting attributes: E:.TemporaryItems < Successful.

Resetting attributes: E:\New folder (2) < Successful.

Resetting attributes: E:\Nieuwe certificaten Ruth < Successful.

Resetting attributes: E:\TEKENINGEN VAN MARIJKE Van WS < Successful.

Resetting attributes: E:\Beurtveer < Successful.

Resetting attributes: E:\Vaartijd < Successful.

Resetting attributes: E:\Rottumreis 2017 < Successful.

Resetting attributes: E:\Reglementencie Strontrace 2017 < Successful.

Resetting attributes: E:\Las Palmas Bermuda Wylde Swan < Successful.

=> Malicious files : 41/41 deleted.
=> Hidden folders : 12/12 unhidden.
=> Hidden files : 30/30 unhidden.


::::: Scan duration: 14sec :::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

20-1-2018 22:40:34 > Drive E: - scan started (RUTH2 ~7784 MB, FAT32 flash drive )…

=> The drive is clean.

Malware experts are notified
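The MCShield report above has a recognisable shape: for nearly every item the tool unhid, it also deleted a `.lnk` of the same name, and the shortcuts share a handful of MD5 values (the same dropped payload copied once per folder). As an added example, not part of this thread and not MCShield's own code, the following script parses lines in that report format, pairs each deleted `X.lnk` with the unhidden/restored `X`, and counts the distinct hashes. The sample lines, paths and MD5 values are constructed for the example, not taken from a real scan.

```python
import re
from collections import Counter

# Constructed sample in the line format of a MCShield AllScans.txt report.
# Paths and the 32-hex MD5 values are made up for this example; they are not
# hashes from a real scan.
SAMPLE_LOG = """\
20-1-2018 22:39:38 > Drive E: - scan started (RUTH2 ~7784 MB, FAT32 flash drive )...
--> Executing generic S&D routine... Searching for files hidden by malware...
--> Items to process: 3
--> E:\\Documents > unhidden.
--> E:\\report.pdf > unhidden.
--> E:\\.Trashes > unhidden.
E:\\Documents.lnk - Malware > Deleted. (18.01.20. 22.39 Documents.lnk.123; MD5: 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a)
E:\\report.pdf.lnk - Malware > Deleted. (18.01.20. 22.39 report.pdf.lnk.456; MD5: 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a)
E:\\.Trashes.lnk - Malware > Deleted. (18.01.20. 22.39 .Trashes.lnk.789; MD5: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b)
E:\\WS.lnk - Malware > Deleted. (18.01.20. 22.39 WS.lnk.999; MD5: 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a)
E:\\Setup.lnk - Malware > Deleted. (18.01.20. 22.39 Setup.lnk.111; MD5: 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c)
Resetting attributes: E:\\WS < Successful.
=> Malicious files : 5/5 deleted.
"""

# One pattern per MCShield line type we care about.
SCAN_RE = re.compile(r"^.+? > Drive (?P<drive>[A-Z]:) - scan started")
UNHIDE_RE = re.compile(r"^[-\u2014]+> (?P<path>.+?) > unhidden\.$")
RESET_RE = re.compile(r"^Resetting attributes: (?P<path>.+?) < Successful\.$")
DELETE_RE = re.compile(
    r"^(?P<path>.+?) - Malware > Deleted\. \(.*?; MD5: (?P<md5>[0-9a-fA-F]{32})\)$"
)


def triage(log_text):
    """Summarise a MCShield report: drives scanned, deleted entries with their
    MD5, and which deleted .lnk shadowed a real folder/file the tool restored
    (the USB shortcut-worm pattern)."""
    drives, deleted, restored = [], [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SCAN_RE.match(line):
            drives.append(m["drive"])
        elif m := UNHIDE_RE.match(line):
            restored.add(m["path"].lower())  # FAT32 names are case-insensitive
        elif m := RESET_RE.match(line):
            restored.add(m["path"].lower())
        elif m := DELETE_RE.match(line):
            deleted.append((m["path"], m["md5"].lower()))

    shadowed, orphans = [], []
    for path, _ in deleted:
        # "X.lnk" deleted and "X" unhidden/reset => the shortcut was standing
        # in for the user's real item.
        if path.lower().endswith(".lnk") and path[:-4].lower() in restored:
            shadowed.append(path[:-4])
        else:
            orphans.append(path)

    return {
        "drives": drives,
        "deleted": deleted,
        "shadowed": sorted(shadowed, key=str.lower),
        "orphans": orphans,
        "md5_counts": Counter(md5 for _, md5 in deleted),
    }


def print_report(result):
    print("Drives scanned:", ", ".join(result["drives"]))
    print(f"{len(result['deleted'])} malicious entries deleted")
    for orig in result["shadowed"]:
        print("  shortcut shadowed real item:", orig)
    for path in result["orphans"]:
        print("  shortcut with no restored original:", path)
    print("Distinct payload hashes (MD5 -> count):")
    for md5, n in result["md5_counts"].most_common():
        print(f"  {md5} x{n}")


if __name__ == "__main__":
    print_report(triage(SAMPLE_LOG))
```

Run it on a real AllScans.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; the `md5_counts` output gives a short list of hashes to submit or look up, and `orphans` shows shortcuts that did not correspond to anything the tool restored.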

Thank you!

  • Open Notepad (click the Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {374d8793-014c-11e4-826a-2025643db84c} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {374d8812-014c-11e4-826a-2025643db84c} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {5002066e-2643-11e4-826e-2025643db84c} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {50020724-2643-11e4-826e-2025643db84c} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {50020e35-2643-11e4-826e-2025643db84c} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {72521006-de30-11e5-82a8-28e34788d569} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {7252109e-de30-11e5-82a8-28e34788d569} - "E:\AutoRun.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {7bd8ee3b-f529-11e5-82b0-28e34788d569} - "E:\Password.exe" 
HKU\S-1-5-21-3793736257-2935503960-2024026286-1002\...\MountPoints2: {a66abb77-35c1-11e4-8272-2025643db84c} - "E:\AutoRun.exe" 
GroupPolicy: Restriction <==== ATTENTION
Task: {394AA583-3B3B-4D91-B71B-DFD6D885D3ED} - System32\Tasks\RGMachinizedMaidenlyV2 => rundll32.exe IndubitableAggressing.dll,main 7 1 <==== ATTENTION
ShortcutWithArgument: C:\Users\RG\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.InternetExplorer.Default\20229535050.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> -contentTile -formatVersion 0x00000003 -pinnedTimeLow 0xde19199c -pinnedTimeHigh 0x01d0f628 -securityFlags 0x00000000 -tileType 0x00000002 -url 0x00000075 hxxps://www.vacatures-overheid-online.nl/vacatures/116106-ns-rotterdam-zoekt-per-direct-naar-een-logisti

  • Go to File > Save As
  • Make sure that UTF-8 is selected as Encoding (left of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
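The fixlist above removes MountPoints2 entries that still reference `E:\AutoRun.exe` / `E:\Password.exe` (the per-drive autorun handlers Windows cached when the stick was plugged in) and a scheduled task that starts `rundll32.exe` with a DLL named without any path. As an added example, not code from FRST or from this thread, here is a small triage script that picks exactly those two patterns out of FRST-style lines. The two flagged MountPoints2 entries and the task line are taken from the fixlist, with the user SID replaced by a placeholder; the third MountPoints2 line and the second task are constructed benign examples.

```python
import re

# Sample FRST output lines. The first two MountPoints2 lines and the first Task
# line follow the fixlist in this thread (SID replaced by a placeholder); the
# remaining lines are constructed benign examples.
SAMPLE_FRST = r"""
HKU\S-1-5-21-EXAMPLE-1002\...\MountPoints2: {374d8793-014c-11e4-826a-2025643db84c} - "E:\AutoRun.exe"
HKU\S-1-5-21-EXAMPLE-1002\...\MountPoints2: {7bd8ee3b-f529-11e5-82b0-28e34788d569} - "E:\Password.exe"
HKU\S-1-5-21-EXAMPLE-1002\...\MountPoints2: {11111111-1111-1111-1111-111111111111} - "D:\Tools\Backup\sync.exe"
Task: {394AA583-3B3B-4D91-B71B-DFD6D885D3ED} - System32\Tasks\RGMachinizedMaidenlyV2 => rundll32.exe IndubitableAggressing.dll,main 7 1 <==== ATTENTION
Task: {22222222-2222-2222-2222-222222222222} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe (Example Corp)
"""

# MountPoints2 line: GUID of the mounted volume and the quoted autorun target.
MOUNTPOINT_RE = re.compile(r'MountPoints2: \{(?P<guid>[0-9a-fA-F-]+)\} - "(?P<target>[^"]+)"')
# An executable sitting directly in the root of a drive (E:\AutoRun.exe).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|com|scr|bat|cmd|vbs|vbe|js|wsf)$", re.I)
# Task line: task name and the command, minus FRST's trailing "<==== ATTENTION".
TASK_RE = re.compile(r"^Task: \{[^}]+\} - (?P<name>\S+) => (?P<cmd>.+?)(?: <====.*)?$")
# rundll32 invocation: capture the DLL operand up to the comma.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)


def triage_frst(text):
    """Return a list of findings (kind, target, reason) for FRST lines that show
    a root-level executable as a drive's autorun handler or a task loading a DLL
    by bare name."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNTPOINT_RE.search(line):
            target = m["target"]
            if ROOT_EXE_RE.match(target):
                findings.append({
                    "kind": "MountPoints2",
                    "target": target,
                    "reason": f"volume {m['guid']} has an autorun handler pointing at "
                              "an executable in the root of a drive",
                })
        elif m := TASK_RE.match(line):
            r = RUNDLL_RE.match(m["cmd"])
            # A DLL given without directory or drive is resolved through the
            # search path, which is how the dropped DLL gets loaded.
            if r and "\\" not in r["dll"] and ":" not in r["dll"]:
                findings.append({
                    "kind": "Task",
                    "target": r["dll"],
                    "reason": f"{m['name']} runs rundll32 with a DLL given by bare name",
                })
    return findings


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"[{f['kind']}] {f['target']}: {f['reason']}")
```

The same two checks are worth re-running on a fresh FRST.txt after the fix: any MountPoints2 line that still names an executable in a drive root means the stick (or another one) was plugged in again while still carrying the dropper.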

Here’s the fixlog attached…

What is system status now?

Hello Sass Drake,

Please tell me if I need to be more specific because I am a user and nothing more.

System status seems to be fine now but before my problems weren’t too obvious. Folders on said usb-stick were represented as shortcuts and a little while later I couldn’t upload files from the stick to the comp anymore without Avast antivirus program interfering and stopping it.

Both problems gone now. I uploaded some files on the stick but nothing happened.

…Would that mean I am fine again?
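Ruth's description (every folder on the stick shown as a shortcut) is the visible symptom of this family: the real folders get the hidden attribute and a `.lnk` with the same name is dropped beside each one. A quick way to check a stick for that pairing before plugging it into another machine is the script below. It is an added example, not code from this thread or from any of the tools mentioned; run it as `python check_stick.py E:\` on Windows, or with no argument to use a constructed sample directory. The hidden-attribute check uses the Windows attribute bits when available and falls back to the dot-prefix convention elsewhere.

```python
import os
import stat
import sys
import tempfile


def is_hidden(entry):
    """True if a directory entry carries the Windows 'hidden' attribute; on
    non-Windows systems fall back to the dot-prefix convention."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return entry.name.startswith(".")


def find_shadow_shortcuts(root):
    """Return (shortcut, original, original_hidden) for every 'X.lnk' in root
    that sits next to an item named 'X' (case-insensitive, as on FAT32)."""
    with os.scandir(root) as it:
        entries = {e.name: e for e in it}
    by_lower = {name.lower(): name for name in entries}
    findings = []
    for name, entry in entries.items():
        if entry.is_dir() or not name.lower().endswith(".lnk"):
            continue
        original = by_lower.get(name[:-4].lower())
        if original is None:
            continue  # a shortcut with no same-named sibling is not this pattern
        findings.append((name, original, is_hidden(entries[original])))
    return sorted(findings)


def looks_like_shortcut_worm(findings, min_pairs=3):
    """Heuristic verdict: a handful of shortcut/original pairs in the drive
    root is the pattern described in this thread; one stray pair is not."""
    return len(findings) >= min_pairs


def build_sample_drive():
    """Constructed stand-in for an infected stick: a temp directory holding
    three original items each shadowed by a .lnk, plus unrelated files."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for folder in ("Documenten", "Muziek", ".Trashes"):
        os.mkdir(os.path.join(root, folder))
    for name in ("Documenten.lnk", "Muziek.lnk", ".Trashes.lnk",
                 "report.pdf", "report.pdf.lnk", "readme.txt", "lonely.lnk"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    found = find_shadow_shortcuts(root)
    for shortcut, original, hidden in found:
        print(f"{shortcut} -> {original} (original hidden: {hidden})")
    verdict = "shortcut-worm pattern" if looks_like_shortcut_worm(found) else "no pattern"
    print(f"{len(found)} pair(s) in {root}: {verdict}")
```

A stick that passes this check can still carry the dropper itself, so it complements rather than replaces a scan; what it catches cheaply is the re-infection case where a cleaned machine meets a stick that was never cleaned.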

Yup.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Thank you!!

Hello!

I was helped in getting rid of this trojan really well - thanks again - but my colleague’s laptop also turns out to be infected. I have his logs here as well… Could you be of help once again?

(The MBAM-scan wasn’t properly finished the first time, hence logs mbam1 and mbam2)

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

1/21/2018 6:47:33 PM > Drive D: - scan started (ROLANDUSBI ~7341 MB, FAT32 flash drive )…

D:\System Volume Information.lnk - Malware > Deleted. (18.01.21. 18.55 System Volume Information.lnk.823712; MD5: ae754f27f4421d1f033133e974d857b6)

D:\LOST.DIR.lnk - Malware > Deleted. (18.01.21. 18.55 LOST.DIR.lnk.52436; MD5: c7af16c113a5a476d3b3629299dcc3af)

D:\Documenten.lnk - Malware > Deleted. (18.01.21. 18.55 Documenten.lnk.487966; MD5: 9857680cf0a2e7efa7afef2bff2e63dd)

D:\Science.lnk - Malware > Deleted. (18.01.21. 18.55 Science.lnk.945492; MD5: 173e55075f5dad5cdc59ee51ab8e733d)

D:\DNA labs.lnk - Malware > Deleted. (18.01.21. 18.55 DNA labs.lnk.540290; MD5: 0486a5408036428b88023cc63c61d02e)

D:\Muziek.lnk - Malware > Deleted. (18.01.21. 18.55 Muziek.lnk.425070; MD5: d316cf6e2065044e3d98958bea65867b)

D:\Pubquiz.lnk - Malware > Deleted. (18.01.21. 18.55 Pubquiz.lnk.827906; MD5: ee4e86516bd827833f982c3d70032805)

D:\MSWS.lnk - Malware > Deleted. (18.01.21. 18.55 MSWS.lnk.495648; MD5: 2a3b72d7a4fc69bb72600ad02739595b)

D:\2017-11-30 Berlage.lnk - Malware > Deleted. (18.01.21. 18.55 2017-11-30 Berlage.lnk.69586; MD5: dc17553f04f542f4d52f3af0c050399e)

D:\module 9 Over maat en hoeveelheid.lnk - Malware > Deleted. (18.01.21. 18.55 module 9 Over maat en hoeveelheid.lnk.187584; MD5: b314813a56ca5c3c630302f57db0d7fe)

D:.TemporaryItems.lnk - Malware > Deleted. (18.01.21. 18.55 .TemporaryItems.lnk.66547; MD5: bfc44627a0287d6a5a77249eeee3466b)

D:.Trashes.lnk - Malware > Deleted. (18.01.21. 18.55 .Trashes.lnk.928193; MD5: 48598bca71a6206cd2c0ff8b514756c0)

D:.Spotlight-V100.lnk - Malware > Deleted. (18.01.21. 18.55 .Spotlight-V100.lnk.576212; MD5: 8cf5cb2a145b9d3b1c9b657d496936b5)

Resetting attributes: D:\System Volume Information < Successful.

Resetting attributes: D:\LOST.DIR < Successful.

Resetting attributes: D:\Documenten < Successful.

Resetting attributes: D:\Science < Successful.

Resetting attributes: D:\DNA labs < Successful.

Resetting attributes: D:\Muziek < Successful.

Resetting attributes: D:\Pubquiz < Successful.

Resetting attributes: D:\MSWS < Successful.

Resetting attributes: D:\2017-11-30 Berlage < Successful.

Resetting attributes: D:\module 9 Over maat en hoeveelheid < Successful.

Resetting attributes: D:.TemporaryItems < Successful.

Resetting attributes: D:.Trashes < Successful.

Resetting attributes: D:.Spotlight-V100 < Successful.

=> Malicious files : 13/13 deleted.
=> Hidden folders : 13/13 unhidden.


::::: Scan duration: 8min 14sec ::::::::::::


Open a new topic and post the FRST logs as well as the two you already attached.