On Friday I woke up to my PC being infected with this virus, or at least to the virus being activated, since it seems I’ve been infected for a while now.
For the last couple of days I’ve been seeing direct accesses being created on any USB drive I plug in on my laptop, since they seemed harmless I didn’t do a thing, until Friday when my Avast antivirus started notifying me about a lot of .lnk files being infected and deleting them, only for them to be created once again.
I tried different methods found online, from deleting registry entries referencing googleupdate.lnk, windowsupdate.lnk, googleupdate.a3x and autoit3.exe, to deleting those files from the hidden folders the virus created and running multiple analyses since Friday using various tools (Avast antivirus, Microsoft Windows Malicious Software Removal Tool and Microsoft Safety Scanner, etc.). They’ve found threats, but not the source, since all they do is remove the .lnk files created by the virus.
I’m desperate right now and don’t own a copy of Windows to do a full formatting, is there any other way to solve this?
I ran a Malwarebytes analysis last night; since I didn’t make any changes, I assume this log will work. Also, when trying to use aswMBR.exe it stops responding, so I can’t get a log of that.
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
Run FRST and press Fix
On completion a log will be generated please post that
FINALLY
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
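The symptoms described in the first post (shortcuts appearing on every USB drive, hidden folders holding autoit3.exe and a .a3x script, and autostart registry entries referencing googleupdate.lnk / windowsupdate.lnk) and the “unhide items on flash drives” step above can both be checked by hand with a short PowerShell triage script. The script below is an added example and not part of this thread or of any of the tools mentioned; the indicator names come from the thread, while the drive enumeration, the registry keys checked and the optional `-Unhide` switch are assumptions. It only reports by default and changes nothing unless `-Unhide` is given.

```powershell
# Added example (not from the thread): report-only triage for a USB shortcut worm.
# Indicator names (autoit3.exe, .a3x, googleupdate.lnk, windowsupdate.lnk) are the
# ones named in the thread; the rest of the script is an assumption for illustration.
[CmdletBinding()]
param(
    [switch]$Unhide   # if set, clear Hidden/System attributes on hidden items found on removable drives
)

$IndicatorPatterns = @('autoit3\.exe', '\.a3x', 'googleupdate\.lnk', 'windowsupdate\.lnk')
$IndicatorRegex    = ($IndicatorPatterns -join '|')

$shell = New-Object -ComObject WScript.Shell

# Resolve a shortcut and return a record if its target/arguments reference an indicator.
function Test-SuspiciousShortcut {
    param([string]$Path)
    try { $lnk = $shell.CreateShortcut($Path) } catch { return $null }
    $commandLine = "$($lnk.TargetPath) $($lnk.Arguments)"
    if ($commandLine -match $IndicatorRegex) {
        [pscustomobject]@{ Shortcut = $Path; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
    }
}

# 1. Removable drives (DriveType 2): shortcuts that launch the AutoIt interpreter, plus hidden items.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    Select-Object -ExpandProperty DeviceID
foreach ($drive in $removable) {
    $root = "$drive\"
    Write-Host "== Removable drive $root"

    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousShortcut $_.FullName } |
        Format-Table -AutoSize

    $hidden = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($item in $hidden) {
        Write-Host "hidden: $($item.FullName) [$($item.Attributes)]"
        if ($Unhide) {
            # Clear only Hidden and System; leave every other attribute untouched.
            $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
        }
    }
}

# 2. Autostart registry values referencing the indicators (the "registry entries" from the thread).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $IndicatorRegex) {
            Write-Host "autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Shortcuts in the per-user Startup folder, resolved the same way as the USB ones.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousShortcut $_.FullName } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt with the USB drive plugged in; a shortcut whose target points at autoit3.exe with a .a3x script as its argument is the pattern the thread describes, and any hit in the Run/RunOnce keys or the Startup folder shows where the infection re-creates the shortcuts from after each cleanup. Resolving the shortcut through WScript.Shell reads the target without executing it.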
Still got the same error when I reinstalled MCShield; as for the drive, I formatted it in Safe Mode and assume it’s clean now.
Problems I’m still experiencing:
Avast still reacting to .lnk files being created every time I use explorer.
Some random .temp files (first found out about this while running one of the tools suggested, they were removed, but continue to be created).
A problem I forgot to mention is that I can’t currently open League of Legends, the initial logo starts but nothing happens, I assume some other programs might have the same problem if I try to open them.
I cannot see the trigger for this so let’s look deeper
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
I encountered the following errors while ComboFix was working, in all cases I pressed “Yes”.
http://imgur.com/a/PP56A
The problems are still present. Though I am not getting as many lnk files popping up, right after the reboot Avast found two new infections, both in the same directory.
It came from C:\AdwCleaner but could be anything; the files seem to be created in whatever directory I’m in. Lately (or at least as far as I remember) it’s been creating only “My Music” folders.
Once that has executed, then
select “File” > “Standard scripts”
Place a tick in :
3. Advanced System Analysis with malware removal mode enabled
When finished look in the folder AVZ4 on your desktop
Open the LOG folder
Upload the zip file virusinfo_syscure to a file sharing site for me to collect
The folder was empty, the .lnk files were created in different folders in the C directory and that just happened to be the one I captured on screenshot.