Infected pc & usb (shortcut virus)

system · May 5, 2014, 5:51pm

Hi there

I’ve encountered the same problem as a thread earlier: http://forum.avast.com/index.php?topic=138715.0
Would like to seek for your help.

Thanks in advance.

avastuser3796 · May 5, 2014, 6:25pm

http://forum.avast.com/index.php?topic=53253.0

Run/download in ordered list.

Malwarebytes.
OTL
aswMBR (Windows 7 only)

system · May 5, 2014, 6:28pm

Monitoring.

system · May 6, 2014, 8:30am

Attached with log file(s).

system · May 6, 2014, 8:37am

Hi,

Please download Anti-VBSVBEx86.exe on your Desktop

[*]Double click to run the tool and wait until it finishes.
[*]It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.

.

— > Next

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

system · May 6, 2014, 8:52am

Do you have 32-bit version of it?

system · May 6, 2014, 8:54am

Sorry

http://www.mcshield.net/download/tools/Anti-VBSVBE/

Disconnect the USB sticks

system · May 6, 2014, 9:01am

Not a problem. Attached with file(s).

system · May 6, 2014, 9:04am

Addition.txt log?

system · May 6, 2014, 9:10am

This isn’t my first time running the tool. But the previous Addition.txt log is still with me. Is there a need to generate a new one?

system · May 6, 2014, 9:15am

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKLM\...\Run: [8f30a0c97b6149e94b3727865ac4f7bb] => C:\Users\User\AppData\Roaming\upgrades.exe [237056 2014-05-06] ()
C:\Users\User\AppData\Roaming\upgrades.exe
HKU\S-1-5-21-1934668050-777971954-414511435-1000\...\Run: [8f30a0c97b6149e94b3727865ac4f7bb] => C:\Users\User\AppData\Roaming\upgrades.exe [237056 2014-05-06] ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f30a0c97b6149e94b3727865ac4f7bb.exe ()
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f30a0c97b6149e94b3727865ac4f7bb.exe
SearchScopes: HKCU - {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=ppsbaibu_oem_dg&ch=33
BHO: No Name - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\User\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpn1jvoo.dll
C:\Users\User\AppData\Local\Temp\masflag_runxx.dl.dll
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\QYAgent_runxx.dl.dll
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.

— > Next

Please download MCShield from one of the following links:

MCShield -Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … per installation click on Run! button.
[]Wait a few seconds to MCShield finish initial HDD scan…
[]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

system · May 6, 2014, 9:31am

Files attached.

system · May 6, 2014, 9:34am

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type user32.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

system · May 6, 2014, 9:38am

Here is it

system · May 6, 2014, 9:40am

OK, how is the situation now?

system · May 6, 2014, 9:45am

everything seems perfectly fine now

system · May 6, 2014, 9:48am

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

.

— > Next

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

system · May 6, 2014, 9:56am

thank you so much for your help really appreciate it.

system · May 6, 2014, 9:58am

I recommend you keep MCShield.
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Greeting.

system · May 6, 2014, 9:59am

Will do.

Thank you once again

Infected pc & usb (shortcut virus)

Announcements