Help! virus changed my folders to shortcuts :'(

Help! I somehow got a virus and it's causing me the following problems:

  • All the folders in the drives are now shortcuts and I can't open them anymore.
  • The drives' icons are now folders?
  • In all the drives there are some additional folders named "secret, pictures, movies, documents, porn?.." which aren't shortcuts but they don't open anyway…
  • When I turn on my computer, several windows appear (I attached some of them below), so I just press "ignore" until they're gone.
  • I also noticed that a link has been sending itself to my friends on Facebook when I logged in from that PC.

I don't usually use that computer so I didn't have an antivirus installed on it, but when this happened I tried installing the Avast trial version, and when I launch the setup I get a message that says:
"The installer is unable to initialize early avast! self-defense with error 0x0000001 f! Aborting! "
Please help me! And thank you!

Follow the instructions in the "help to remove malware" post at the top of this forum.

Done! ;D Took me long enough, I know :-[

This may need a few runs to kill properly

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\...\Run: [ApnUpdater] => C:\Program Files\Ask.com\Updater\Updater.exe [1573584 2012-08-23] (Ask)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\auditusr.lnk [2015-06-18]
ShortcutTarget: auditusr.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\auditusr.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\cacls.lnk [2015-06-17]
ShortcutTarget: cacls.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\cacls.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\charmap.lnk [2015-06-17]
ShortcutTarget: charmap.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\charmap.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\ddeshare.lnk [2015-06-18]
ShortcutTarget: ddeshare.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\ddeshare.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\dmadmin.lnk [2015-06-19]
ShortcutTarget: dmadmin.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\dmadmin.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\doskey.lnk [2015-06-17]
ShortcutTarget: doskey.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\doskey.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\ipconfig.lnk [2015-06-19]
ShortcutTarget: ipconfig.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\ipconfig.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\mshta.lnk [2015-06-27]
ShortcutTarget: mshta.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\mshta.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\osuninst.lnk [2015-06-19]
ShortcutTarget: osuninst.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\osuninst.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\pintool.lnk [2015-06-18]
ShortcutTarget: pintool.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\pintool.exe (No File)
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1645522239-113007714-1177238915-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Ask Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files\Ask.com\GenericAskToolbar.dll [2012-08-23] (Ask)
U5 13f9915b6e5a5a40; C:\Windows\System32\Drivers\13f9915b6e5a5a40.sys [85376 2015-05-14] () <===== ATTENTION Necurs Rootkit?
2015-07-13 23:49 - 2015-07-13 23:49 - 00000000 _RSHD C:\WINDOWS\M-505045256088009087080
2015-07-13 17:39 - 2015-07-13 17:39 - 00422760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\uqolakcs.sys
2015-07-13 11:25 - 2015-07-13 11:25 - 00000000 _RSHD C:\WINDOWS\M-505025040068479870696960805245050
2015-07-12 17:12 - 2015-07-12 17:12 - 00000000 _RSHD C:\WINDOWS\M-505025040068479870608507020
2015-07-10 22:33 - 2015-07-14 18:54 - 00000000 _RSHD C:\WINDOWS\M-50504528343485849294856957580535350
2015-07-09 02:57 - 2015-07-09 02:57 - 00000000 _RSHD C:\WINDOWS\M-5050452834348584929485695758050
2015-07-09 02:54 - 2015-07-09 02:54 - 00000000 _RSHD C:\WINDOWS\M-50504528348584929485695758050
2015-07-08 19:41 - 2015-07-08 19:41 - 00000000 _RSHD C:\WINDOWS\M-50504025676203520540405025
2015-07-08 01:25 - 2015-07-08 01:25 - 00000000 _RSHD C:\WINDOWS\M-5050402567620352053
2015-07-07 15:00 - 2015-07-07 15:00 - 00000000 _RSHD C:\WINDOWS\M-5050402562050603850256869070
2015-07-06 19:47 - 2015-07-14 18:54 - 00000000 _RSHD C:\WINDOWS\M-505045868329386402955020
2015-07-06 19:47 - 2015-07-14 18:54 - 00000000 _RSHD C:\WINDOWS\M-5050324589790225392040235
2015-07-06 19:47 - 2015-07-14 18:54 - 00000000 ____D C:\Documents and Settings\MY COMPUTER\Application Data\4C049C714431636637967565D6D45C3D
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-505075043257069507952408040
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-5050402562050603850
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-505032564627205040205068235
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-50502876660282987798694020
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-505024068329588766028298798694020
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 _RSHD C:\WINDOWS\M-5050240436832957086028294020
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 ____D C:\Documents and Settings\MY COMPUTER\Application Data\miniupnpc
2015-07-06 19:46 - 2015-07-06 19:46 - 00000000 _RSHD C:\WINDOWS\M-5050324627205040205068235
2015-07-06 19:46 - 2015-07-06 19:46 - 00000000 _RSHD C:\WINDOWS\M-505024068329588766028298694020
2015-07-06 19:46 - 2015-07-06 19:46 - 00000000 _RSHD C:\WINDOWS\M-50502406832957086028294020
2015-07-06 19:45 - 2015-07-06 19:45 - 00000000 _RSHD C:\WINDOWS\M-505032462720504020505
2015-07-06 19:41 - 2015-07-06 19:41 - 00000000 _RSHD C:\WINDOWS\M-505032462720504020
2015-07-06 19:41 - 2015-07-06 19:41 - 00000000 _RSHD C:\WINDOWS\M-505024068329586028294020
2015-07-04 13:21 - 2015-07-04 13:21 - 00000257 _____ C:\cc206c82871e8690209e51d7ef.lnk
2015-07-03 01:50 - 2015-07-03 01:50 - 00010391 _____ C:\Documents and Settings\MY COMPUTER\Application Data\E0B611F6913C08308BDED482396CFCAA
2015-07-02 22:08 - 2015-07-14 17:59 - 00000462 _____ C:\Documents and Settings\MY COMPUTER\Application Data\iZs8L5TzhjX7d2la4dk
2015-07-15 00:20 - 2014-05-06 02:30 - 00000250 _____ C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
2015-07-14 18:51 - 2015-05-02 17:09 - 00000000 _RSHD C:\WINDOWS\M-505034039586930203940876
2015-07-03 01:50 - 2015-07-03 01:50 - 0010391 _____ () C:\Documents and Settings\MY COMPUTER\Application Data\E0B611F6913C08308BDED482396CFCAA
2015-07-02 22:08 - 2015-07-14 17:59 - 0000462 _____ () C:\Documents and Settings\MY COMPUTER\Application Data\iZs8L5TzhjX7d2la4dk
CustomCLSID: HKU\S-1-5-21-1645522239-113007714-1177238915-1003_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> "C:\Documents and Settings\MY COMPUTER\Local Settings\Application Data\Google\Chrome\Application\43. (the data entry has 40 more characters).
CustomCLSID: HKU\S-1-5-21-1645522239-113007714-1177238915-1003_Classes\CLSID\{38216570-5DB1-45F8-A344-B0C4E252B14B}\InprocServer32 -> C:\Documents and Settings\MY COMPUTER\Local Settings\Application Data\Google\Update\1.3.26.7\psuser. (the data entry has 11 more characters).
Task: C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job => C:\Program Files\Ask.com\UpdateTask.exe
AlternateDataStreams: C:\WINDOWS\system32\Drivers\etc\hosts:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\Temp:2652902F
Locked "13f9915b6e5a5a40" service could not be unlocked. <===== ATTENTION
C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.
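The fixlist above is built from a handful of FRST record types: Startup/ShortcutTarget pairs whose targets are gone ("(No File)") and impersonate Windows utilities from a user profile folder, a locked driver with an empty publisher field, and read-only/system/hidden directories with random names directly under C:\WINDOWS. As an added example (not part of this thread, and not FRST's own code), here is a small Python triage script that parses those line formats and flags such entries so they can be reviewed before anything is deleted. The sample log is constructed from lines quoted in this thread plus two benign lines; the rule names, the list of system-tool names and the user-writable path markers are assumptions for illustration.

```python
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: FRST-style lines modelled on the fixlist quoted in this thread,
# plus two benign lines (a Dropbox shortcut, the miniupnpc folder) so the rules have
# something to ignore. It is not a real log.
SAMPLE_LOG = r"""
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\auditusr.lnk [2015-06-18]
ShortcutTarget: auditusr.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\auditusr.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\ipconfig.lnk [2015-06-19]
ShortcutTarget: ipconfig.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\ipconfig.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\mshta.lnk [2015-06-27]
ShortcutTarget: mshta.lnk -> C:\Documents and Settings\MY COMPUTER\Application Data\Microsoft\Windows\IEUpdate\mshta.exe (No File)
Startup: C:\Documents and Settings\MY COMPUTER\Start Menu\Programs\Startup\Dropbox.lnk [2014-01-05]
ShortcutTarget: Dropbox.lnk -> C:\Program Files\Dropbox\Client\Dropbox.exe (Dropbox, Inc.)
U5 13f9915b6e5a5a40; C:\Windows\System32\Drivers\13f9915b6e5a5a40.sys [85376 2015-05-14] () <===== ATTENTION
2015-07-13 23:49 - 2015-07-13 23:49 - 00000000 _RSHD C:\WINDOWS\M-505045256088009087080
2015-07-13 17:39 - 2015-07-13 17:39 - 00422760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\uqolakcs.sys
2015-07-06 19:47 - 2015-07-06 19:47 - 00000000 ____D C:\Documents and Settings\MY COMPUTER\Application Data\miniupnpc
"""

# One regex per FRST record type handled here (group names are ours, not FRST's).
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) \((?P<publisher>[^()]*)\)\s*$")
DRIVER_RE = re.compile(r"^U\d \S+; (?P<path>.+?\.sys) \[\d+ [\d-]+\] \((?P<publisher>[^()]*)\)")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"(?P<attrs>[A-Z_]{5}) (?:\((?P<publisher>[^()]*)\) )?(?P<path>.+)$"
)

# Windows utilities whose names the shortcuts in this thread reused (short illustrative list,
# an assumption; in practice compare against a known-good inventory of System32).
SYSTEM_TOOL_NAMES = {
    "auditusr.exe", "cacls.exe", "charmap.exe", "ddeshare.exe", "dmadmin.exe",
    "doskey.exe", "ipconfig.exe", "mshta.exe", "osuninst.exe",
}

# Profile locations an ordinary user can write to; a "system tool" living there is suspect.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def analyse(log_text: str) -> list[Finding]:
    """Apply the triage rules to every line of an FRST-style listing and return the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SHORTCUT_RE.match(line):
            target = m.group("target")
            # Startup shortcut whose target no longer exists: leftover of a dropper
            # that placed copies of itself under the names of system utilities.
            if m.group("publisher") == "No File":
                findings.append(Finding("dangling-startup-shortcut", target))
            # A file named like a System32 tool but located in the user's profile.
            if is_user_writable(target) and ntpath.basename(target).lower() in SYSTEM_TOOL_NAMES:
                findings.append(Finding("system-tool-name-in-user-dir", target))
        elif m := DRIVER_RE.match(line):
            # Kernel driver with an empty publisher field, like the locked service above.
            if not m.group("publisher").strip():
                findings.append(Finding("driver-without-publisher", m.group("path")))
        elif m := FILE_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            # Read-only+system+hidden directory directly under the Windows folder:
            # Windows itself does not create random-named folders that way.
            parent = ntpath.dirname(path).lower()
            if all(flag in attrs for flag in "DSH") and parent.endswith("\\windows"):
                findings.append(Finding("hidden-system-dir-in-windows", path))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a quick overview before reading the details."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule:32} {f.path}")
    print(summarise(results))
```

Run against the sample it reports the three dangling shortcuts (each also hit by the name rule), the publisher-less driver and the hidden directory, while the Dropbox shortcut, the Avast driver and the miniupnpc folder pass untouched; the point is to get a reviewable shortlist, which a helper then turns into fixlist entries by hand as in this thread.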

I couldn't copy the report because "The message exceeds the maximum allowed length (20000 characters)." So I attached it, is it okay? :-\

Attach is good … Was the delete option available for Necurs?

21:33:08.0812 0x0354 Actual detected object count: 4
21:34:38.0937 0x0354 13f9915b6e5a5a40 ( Rootkit.Win32.Necurs.gen ) - skipped by user
21:34:38.0937 0x0354 13f9915b6e5a5a40 ( Rootkit.Win32.Necurs.gen ) - User select action: Skip
21:34:38.0937 0x0354 lirsgt ( UnsignedFile.Multi.Generic ) - skipped by user
21:34:38.0937 0x0354 lirsgt ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:34:38.0937 0x0354 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:34:38.0937 0x0354 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
21:34:38.0953 0x0354 IDMan ( UnsignedFile.Multi.Generic ) - skipped by user
21:34:38.0953 0x0354 IDMan ( UnsignedFile.Multi.Generic ) - User select action: Skip

If so, re-run TDSSKiller and select Delete.

Done! :smiley:

Could I have a fresh FRST scan now please, and how is the computer behaving?

I scanned it yesterday after I deleted Necurs and it didn't detect any threats, but today it detected 4.
The windows don't appear anymore when I turn on the computer, but the folders in the drives are still shortcuts and the weird folder-like stuff (secret, pictures, movies, documents, porn?) is still there :confused:
Also, I cannot play videos on Media Player Classic (Home Cinema), jetAudio and Windows Media Player, but VLC media player works fine :-\

Here is what it says when I try to play a video on jetAudio

and on Home Cinema media player

OK, let's see what else there is.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Sorry it took me so long, I had exams…
I tried to run ComboFix and got this message (in the attachment below). It used to work just fine before the device got infected, so I'm pretty sure it's installed. I cannot access anything in the drives, so maybe this has something to do with it?
ComboFix is still running, I haven't closed it. I'll be waiting for your instructions :frowning:

Install the recovery console

I installed it, and while it was running the scan (it reached stage 3) I had a sudden blackout and the computer shut down. You said earlier that I shouldn't re-run ComboFix, so what should I do? :frowning:

OK, first reboot the computer and then, if all is well, run ComboFix again.

It's done! And I can access all my folders now ;D Thank you very much!

Any further problems evident?

Nope :slight_smile: everything is alright.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: