Infected autorun.inf wscript32.exe

Dear all,

I think I got this virus through my external hard disk. Now my laptop is infected as well. The scan of the hard disk shows an infection, autorun.inf, on my hard disk. But the file keeps coming back once Avast deletes the virus. So Avast just keeps finding the virus and deleting the virus in an infinite loop. Every time I start my computer I get a notification from Avast that something was blocked from c:/windows/system32/wscript.exe. The blocks are of type htxp://etpsoprc.ru/a/, htxp://copertps.com/a/ and htxps://specrtop.org/a/.

Other issues:
Regedit opens and closes immediately
File and folder options are disabled
On opening control panel, windows explorer restarts
All the folders on my hard disk have been made shortcuts. On using the command " attrib -h -r -s /s /d L:*.* ", the folders and autorun.inf which were hidden files become visible. On deleting the virus manually it reappears almost instantaneously.

On ending the wscript process manually using the task manager, autorun.inf does not keep reappearing and avast stops detecting the virus.

Also, my computer does not reboot properly (I have had this problem for a while). It never finishes detecting a network and does not work properly till it does. I might need to reboot about 10 times by switching it off with the power off button for it to boot up once. Hence I have been putting the comp to hibernate mode for a while and never shutting it down.
Because of this problem I am anxious about installing the program for generating logs as I need to restart my computer. If absolutely necessary I can risk installing the program.
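
A read-only way to check for the symptoms described in the post above (a Run-key entry that launches wscript.exe, autorun.inf in the drive root, folders hidden behind same-named shortcuts). This is an added example, not part of the original thread or of any tool mentioned in it. It assumes PowerShell 3.0 or later; the default drive letter `L:` is taken from the attrib command in the post, and the output field names are illustrative.

```powershell
# Read-only triage: reports findings, changes nothing on disk or in the registry.
# $Drive is an assumption; set it to the letter of the external disk.
param([string]$Drive = 'L:')

# 1. Run-key values that start a script host at logon (wscript.exe is the
#    process Avast reported) or that point into the user's AppData folder.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd -match '\b[wc]script(\.exe)?\b|\\AppData\\') {
            [pscustomobject]@{ Check = 'RunKey'; Path = $key; Name = $name; Detail = $cmd }
        }
    }
}

# 2. autorun.inf in the drive root (-Force shows hidden/system items).
$root = "$Drive\"
$inf = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
if ($inf -and -not $inf.PSIsContainer) {
    $head = (Get-Content -LiteralPath $inf.FullName -TotalCount 10 -Force) -join ' | '
    [pscustomobject]@{ Check = 'Autorun'; Path = $inf.FullName; Name = $inf.Attributes; Detail = $head }
}

# 3. Root folders marked Hidden+System, and whether a shortcut with the same
#    name sits beside them. The two folders Windows itself hides are skipped.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$skip = 'System Volume Information', '$RECYCLE.BIN'
Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $mask) -eq $mask -and $skip -notcontains $_.Name } |
    ForEach-Object {
        $lnk = Join-Path $root ($_.Name + '.lnk')
        [pscustomobject]@{
            Check  = 'HiddenFolder'; Path = $_.FullName; Name = $_.Attributes
            Detail = "same-named .lnk present: $(Test-Path -LiteralPath $lnk)"
        }
    }
```

Each finding is emitted as one object, so the output can be piped to `Format-List` or exported to a file for attaching to a help thread.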

@legolagon
Welcome to avast. :wink:

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to this topic.

Thank you for offering to help me Magna86, I shall do as you say. :slight_smile:

The program is taking quite a long time to create the logs. Should I do something differently?

Wait for DDS to test and examine your system. Be patient. :wink:

Here are the logs.
Sorry for the earlier message :slight_smile:

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:


{30F9B915-B755-4826-820B-08FBA6BD249D};c
C:\Program Files (x86)\ConduitEngine;fs
emptyclsid;
{5C255C8A-E604-49b4-9D64-90988571CECB};c
resethosts;
{30F9B915-B755-4826-820B-08FBA6BD249D};c
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"d29b]"=-;r
C:\Users\Ashish\AppData\Roaming\c48dc;f
resetIEproxy;
ipconfig /flushdns >> %temp%\log.txt;b
C:\Windows\Temp;vs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"SearchSettings"=-;r
netsh int ip reset >> %temp%\log.txt;b
filesrcm;
C:\Program Files (x86)\Common Files\Spigot;fs
startupall;
Application Updater;s
C:\Program Files (x86)\Application Updater;fs
C:\Users\Ashish\AppData\Roaming\c48dc;f
chromelook;
C:\Program Files\db8;f
firefoxlook;
C:\c5f;f


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a log report opens (this can be after reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”

========= Next =========

Please download USBNoRisk by bobby to your Desktop.
http://amf.mycity.rs/personal/bobby/USBNoRisk/usbnorisk.exe

  • Wait a few seconds while the program performs an initial scan.
  • Insert the USB memory device into the USB slots in turn and keep it in each slot for 10 - 15 seconds.
  • If you have several devices for scanning, then please note the order of inserting the USB drives because we will need this information later.
  • When you’re done with all devices, click the right mouse button in the middle of the program window and select Save scrambled log.
    - It will automatically open the log in Notepad. Save the content of that Notepad window (USBNoRisk log) to your Desktop.

Attach here USBNoRisk logreport.

Here’s the results from zoek

I have 2 external hard drives, 1 2 GB pendrive and 1 phone.

However, I have only connected one external hard drive to the computer after the infection (the one that actually infected my computer in the first place). I have been very careful about not connecting anything else. Should I connect them as well when USBNoRisk asks me to?

Yes, attach the external hard drive too.

Also, do you know where you downloaded this malware from? What did you do with your PC / browsers before the problems started?
I’m trying to catch the source of this malware, that's why I ask. You can send me that info by PM, if you like.

I didn't really understand what I am supposed to do with USBNoRisk.

I let the program do the initial scan, once it said initial scan finished, I connected my external hard drive to one port.
After that, should I remove the same external hard drive (without doing safely remove) and connect it to another port and yet again to the third and final port?

> Yes, attach the external hard drive too.

I'm sorry. I didn't understand this exactly. Am I supposed to connect the other hard drive, pen drive and phone?

> Also, do you know where you downloaded this malware from? What did you do with your PC / browsers before the problems started? I'm trying to catch the source of this malware, that's why I ask. You can send me that info by PM, if you like.

I am very sorry, I got this when I plugged my hard disk into 2 computers belonging to 2 of my friends. I’m not sure which friend gave me the virus.
Both of their computers don’t display all the symptoms. (One friend has a shortcut issue on external storage devices but not the control panel issue)

He got the shortcut virus when he transferred files using a pen drive from a public computer in his department in college.

Here is the log generated when I plugged in just 1 hard drive to all three ports in turn. (the hard drive that infected my computer)

Please let me know if I am supposed to do it for all my storage devices.

USBNoRisk is a diagnostic tool that scans your USB storage devices for malware. When you plug in your USB devices, USBNoRisk will scan them and generate a log.

> Here is the log generated when I plugged in just 1 hard drive to all three ports in turn.

You don't need to plug your hard drive into all ports. It is enough for Windows to see it. Everything else is automatic.

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Step#1

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



autoclean;
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"d29b"=-;r
C:\Users\Ashish\L;vs
FFdefaults;
chrdefaults;
Conduit Engine;ff
filesrcm;
Veoh Web Player Community Toolbar;ff
bejbohlohkkgompgecdcbbglkpjfjgdj;chr
C:\Users\Ashish\AppData\Local\Temp\crx4C8F.tmp;f
emptyalltemp;


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a log report opens (this can be after reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”


Step#2

Re-plug that “1 hard drive” into USB.
Re-run USBNoRisk.
Wait a few seconds while the program performs an initial scan.

Switch to the Script tab and then copy-paste the following text:

{6034694c-c69e-11e2-99e0-0024be808b9f}
no_sh:
folder_list: %DRIVE%

Click the Run Script button, and wait for USBNoRisk to finish its work.
On the Monitor tab, click the right mouse button in the middle of the window and choose the Save log.

Save log on your Desktop and attach report here.

Here are the new zoek results

and here is the scrambled log file for USBNoRisk

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe

[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The Clean up procedure will be Scheduled for process.
[*] When complete, a pop-up will show. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

===========NEXT =================

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedia - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Thanks, :). MBAR is scanning currently but I had a clarification,

> Check USB storage devices / removable drives

How am I supposed to check my USB devices?
Using MBAR, MCShield or manually for symptoms?

The system never rebooted after MBAR. Should I restart my computer?

here are the mbar log file