How to remove LNK.Jenxcus-p worm virus?

On Friday I woke up to my PC being infected with this virus, or at least to the virus being activated, since it seems I’ve been infected for a while now.

For the last couple of days I've been seeing direct accesses being created on any USB drive I plug into my laptop. Since they seemed harmless I didn't do a thing, until Friday, when my Avast antivirus started notifying me about a lot of .lnk files being infected and deleting them, only for them to be created once again.

I tried different methods found online, from deleting registry entries referencing googleupdate.lnk, windowsupdate.lnk, googleupdate.a3x and autoit3.exe, to deleting those files from the hidden folders the virus created, to running multiple scans since Friday with various tools (Avast antivirus, Microsoft Windows Malicious Software Removal Tool, Microsoft Safety Scanner, etc.). They've found threats, but not the source, since all they do is remove the .lnk files created by the virus.

I’m desperate right now and don’t own a copy of Windows to do a full formatting, is there any other way to solve this?

https://forum.avast.com/index.php?topic=53253.0
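Added example, not from the thread and not part of any tool it mentions: a read-only PowerShell triage for a USB shortcut worm of the kind described in the first post. It checks the three places such a worm lives (the Run/RunOnce keys, Explorer's MountPoints2 cache of per-volume AutoRun commands, and the .lnk files on any removable drive), resolving each shortcut's real target rather than trusting its name or icon. The file names googleupdate.lnk, windowsupdate.lnk, googleupdate.a3x and autoit3.exe are taken from the first post; the wscript/cscript/cmd launcher patterns and the treatment of hidden items at the drive root are my assumptions about this class of worm, not facts from the thread. It reports and deletes nothing.

```powershell
# Added example (not from the thread): read-only triage for a USB shortcut worm.
# Indicator file names below come from the first post; the launcher patterns and
# the hidden-item heuristic are assumptions about this class of worm.
$Indicators = 'googleupdate\.lnk|windowsupdate\.lnk|googleupdate\.a3x|autoit3\.exe|\.a3x\b'
$Launchers  = '(wscript|cscript|autoit3|cmd)\.exe'

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce keys for the current user and the machine. A shortcut worm
#    re-creates its Run value on every start, which is why deleting the .lnk
#    files alone does not stop it.
$RunKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
    $v = [string]$p.Value
    $findings.Add([pscustomobject]@{
      Where    = 'Run key'
      Location = "$key\$($p.Name)"
      Detail   = $v
      Suspect  = ($v -match $Indicators -or $v -match $Launchers)
    })
  }
}

# 2. MountPoints2 keeps, per volume GUID, the command Explorer would run for that
#    volume under <GUID>\Shell\AutoRun\command. An entry pointing at a removable
#    drive's AutoRun.exe is what a USB-borne worm leaves behind.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -eq 'command' } |
  ForEach-Object {
    $v = [string](Get-ItemProperty -Path $_.PSPath).'(default)'
    if ($v) {
      $findings.Add([pscustomobject]@{
        Where    = 'MountPoints2'
        Location = $_.PSPath
        Detail   = $v
        Suspect  = ($v -match 'AutoRun\.exe' -or $v -match $Launchers)
      })
    }
  }

# 3. Every .lnk on each removable drive (Win32_LogicalDisk DriveType 2), with the
#    shortcut target resolved through WScript.Shell, plus hidden items at the root,
#    which is where the user's real folders usually end up.
$shell = New-Object -ComObject WScript.Shell
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
  $root = $_.DeviceID + '\'
  Get-ChildItem -Path $root -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $findings.Add([pscustomobject]@{
      Where    = 'Removable .lnk'
      Location = $_.FullName
      Detail   = "$($lnk.TargetPath) $($lnk.Arguments)"
      Suspect  = ($lnk.TargetPath -match $Launchers -or $lnk.Arguments -match $Indicators)
    })
  }
  Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object {
      $findings.Add([pscustomobject]@{
        Where    = 'Hidden at root'
        Location = $_.FullName
        Detail   = [string]$_.Attributes
        # Assumption: 'System Volume Information' is the one hidden root item Windows creates itself.
        Suspect  = ($_.Name -ne 'System Volume Information')
      })
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt with the suspect USB stick plugged in. Anything marked Suspect in the Run-key or MountPoints2 sections is the part a file-based scan leaves alone, which is the gap the first post describes.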

I ran a Malwarebytes analysis last night; since I haven't made any changes, I assume this log will work. Also, when trying to use aswMBR.exe it stops responding, so I can't get a log of that.

Also scroll down to SPECIFIC INFECTIONS LOGS and follow the MCShield instructions.

Copy and paste that log here.

Let me know what problems remain after this

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log which will be located under the logs tab on the main page

And post that

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\...\Policies\Explorer: [] 308e06dc51278fb8bf25de40b8339f7a
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\...\MountPoints2: {ef3bf8f1-7d2f-11e2-b2c4-685d436fb7fa} - F:\AutoRun.exe
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\...\MountPoints2: {ef3bf900-7d2f-11e2-b2c4-685d436fb7fa} - F:\AutoRun.exe
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\Explorer: [] 308e06dc51278fb8bf25de40b8339f7a
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {ef3bf8f1-7d2f-11e2-b2c4-685d436fb7fa} - F:\AutoRun.exe
HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {ef3bf900-7d2f-11e2-b2c4-685d436fb7fa} - F:\AutoRun.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: ChheapMe -> {1D1784E2-A199-8ABF-0910-1798C1E576E5} -> C:\ProgramData\ChheapMe\4E_esbtX.x64.dll No File
BHO: No Name -> {5D296D4A-AB83-E471-A331-9D81C929868C} -> No File
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ifdhgolccnkcbgpclpngdpjfahlnalig] - C:\Program Files (x86)\Viderio\viderio.crx [Not Found]
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddfbanchahcmceflmmjecaodnbfglcf] - C:\Program Files (x86)\LinkProtection\links2-2.crx [Not Found]
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ifdhgolccnkcbgpclpngdpjfahlnalig] - C:\Program Files (x86)\Viderio\viderio.crx [Not Found]
CHR HKU\S-1-5-21-2004302637-3256299647-2055079738-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddfbanchahcmceflmmjecaodnbfglcf] - C:\Program Files (x86)\LinkProtection\links2-2.crx [Not Found]
2015-07-10 12:50 - 2015-07-10 12:50 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-06-14 15:23 - 2015-06-14 15:23 - 00000000 ____H C:\Users\Daniel\AppData\Local\BIT19A7.tmp
2015-06-14 15:23 - 2015-06-14 15:23 - 00000000 _____ C:\Users\Daniel\AppData\Local\{5E23792B-6FA7-443C-85B2-60D11B2510C6}
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

I get this error with MC, both with the initial scan and when plugging in a drive
http://i.imgur.com/kxmhTAz.png

The logs are attached.

Ok, essexboy will be back online tomorrow

Could you install a fresh copy of MCShield please in case it was corrupted

Also may I have a fresh FRST scan with a list of problems you are still experiencing

Still got the same error when I reinstalled MCShield; as for the drive, I formatted it in Safe Mode and assume it's clean now.

Problems I’m still experiencing:

Avast still reacting to .lnk files being created every time I use explorer.
Some random .temp files (I first found out about this while running one of the tools suggested; they were removed, but continue to be created).
A problem I forgot to mention is that I can't currently open League of Legends: the initial logo appears but nothing happens. I assume some other programs might have the same problem if I try to open them.

I cannot see the trigger for this, so let's look deeper.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I encountered the following errors while ComboFix was working; in all cases I pressed "Yes".

http://imgur.com/a/PP56A
The problems are still present. Though I am not getting as many lnk files popping up, right after the reboot Avast found two new infections, both in the same directory.

What directory was this ?

It came from C:\AdwCleaner but could be anything; the files seem to be created in whatever directory I'm in. Lately (or at least that I remember) it's been creating only "My Music" folders.

OK, let's clear the tools in case it is trying to run from quarantine.
Once done, reboot and let me know if Avast alerts again.

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

http://i.imgur.com/5aDUPyG.png

It’s still there.

I think I should also mention that MalwareBytes and MCShield were not uninstalled by Delfix.

Attached is the log Delfix generated.

No, those two will stay.

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens select "File" > "Standard scripts"

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in:

5. Update signature database

Then press “Execute selected scripts”

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

Once that has executed, select "File" > "Standard scripts" again.
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled

When finished look in the folder AVZ4 on your desktop
Open the LOG folder
Upload the zip file virusinfo_syscure to a file sharing site for me to collect

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG

http://i.imgur.com/t4oDu6k.png

It stops responding, I tried downloading it again but get same results.

Is there anything important in this folder :

C:\Joymax

If not then run this fix

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-07-11 18:16 - 2014-03-18 11:15 - 00000000 ____D C:\Joymax
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

The folder was empty; the .lnk files were created in different folders on the C drive, and that just happened to be the one I captured in a screenshot.

Are you still receiving the alerts ?