LNK:Cantix-A [Trj]

Hello~
My concern is regarding a threat that has been blocked by Avast File System Shield. It keeps on showing though it says that there is no further action required. I already followed the instructions on the other topic.

Infection: LNK:Cantix-A [Trj]

I am not aware of the source of this infection. It keeps on creating shortcuts in my files. I hope you could help me. Thank you!

Have you used a USB stick?

In the guide, scroll down to SPECIFIC INFECTIONS LOGS and follow the instructions for MCShield.

This log you copy and paste here (not attach).

Here it is:

Aw, sorry. Here is the copy-paste information of the USB.

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

9/19/2016 5:12:20 PM > Drive C: - scan started (no label ~152 GB, NTFS HDD )…

=> The drive is clean.

9/19/2016 5:12:21 PM > Drive D: - scan started (no label ~146 GB, NTFS HDD )…

D:$RECYCLE.BIN.lnk - Malware > Deleted. (16.09.19. 17.12 $RECYCLE.BIN.lnk.341519; MD5: 5ac9192fe4ae56e2a0e5b1105f1eddb6)

D:\dekstop.ini - Malware > Deleted. (16.09.19. 17.12 dekstop.ini.993080; MD5: 02f638045780a73aeb90f4b04bc4de05)

D:\music.lnk - Suspicious > Renamed. (MD5: 73f644ce2fae267adcf5f127d5d03980)

=> Malicious files : 2/2 deleted.
=> Suspicious files : 1/1 renamed.


::::: Scan duration: 1sec ::::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

9/19/2016 5:13:52 PM > Drive E: - scan started (NADINE ~15284 MB, FAT32 flash drive )…

E:\desktop.ini - Malware > Deleted. (16.09.19. 17.13 desktop.ini.89352; MD5: 4cb1708b5caa7e7b30e6e52617f60bd9)

E:\RECYCLER
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\MMoXfdjV.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\fTJLghvg.cpl (MD5: cb725469c7151dd24be5b2713c9a199a)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\lmwFTXtU.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\DYAyCBsc.cpl (MD5: 9227985fb995332b246fb77b0e8fa86f)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\hJpofQne.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\ZrOHOppV.cpl (MD5: 5b0797b6da2159f0c03261fa2a441fc6)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\QGVnXfDp.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\xpynSZhN.cpl (MD5: 24bd49a7c7e0468a23d2dbe088762b0f)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\TQsvKKfx.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\ImkBIYqO.cpl (MD5: c31c57a908795b1d1e34b03cc8c54e3c)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\QWCYXOmk.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\GLYaHMFk.cpl (MD5: 30c4e5d3a70be59088d797fc31fe55b4)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\JhsyRwDF.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\mWMBbBsT.cpl (MD5: 3ab610cc6082c12fa1d1e63d829a3aa3)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\JAkqHZZd.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\SXJHCExe.cpl (MD5: 456d69673c1dc8fe6e122df27ace8e47)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\vxweqpsi.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\DAxhcdBc.cpl (MD5: 736a40b7a2998714d1241fa9a3742d77)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\nLdiFumg.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\IBaSOyyi.cpl (MD5: 02e5dc2bef40566ab56bbaf691b96dde)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\WWWscPqw.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\gNpfZWKF.cpl (MD5: 66539f50f746d76c23f4a0a22ae1995d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\BNFyoFnK.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\KaAidwqg.cpl (MD5: efbd1c89c82b54be8a9c943674698152)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\qIQwhNqG.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\gEOsMZnJ.cpl (MD5: 776b5e90799af3b874f6236b5d5477a6)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\HcWclplb.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\LgEbLNxJ.cpl (MD5: 5e0ff188ac93c7246d0872b47b1c341b)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\RBeMpEZl.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\jlQGBVsI.cpl (MD5: 78316227bb9317158a0e8ded63e32e76)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\vJttUNuT.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\KuDeUdwG.cpl (MD5: 46f019da0daa37ad64788be8591e2dc2)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\JVCwNFbW.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\Akhkwxsc.cpl (MD5: d352faae34a1dc9e94e6eacfcc4a72ab)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\apALOnlc.cpl (MD5: 4a5f51ebbe1290c76b37de0433ff80f0)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\mwatXLel.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\IDhgabAZ.cpl (MD5: 2da07a200b5ce05bcf25340c10d5d626)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\amnpmYXD.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\gDdgmwOy.cpl (MD5: 683663e23a8d92f1164e1e6b4034fdbb)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\QiSpyDnl.exe (MD5: 704a01bd5e3a41a755606bf27d1e7d8d)
E:\RECYCLER\S-0-5-26-4768714816-2302203265-206771032-4444\GgwcmoYf.cpl (MD5: f4d845f23b07e5823449bd7f228338c6)

E:\Recycler - Malware (folder) > Deleted. ()

E:\NADINE (15GB).lnk - Suspicious > Renamed. (MD5: dafbe29fd762367989b6f9f1b034cde2)

Resetting attributes: E:\ < Successful.

=> Malicious files : 42/42 deleted.
=> Malicious folders : 2/2 deleted.
=> Suspicious files : 1/1 renamed.
=> Hidden folders : 1/1 unhidden.


::::: Scan duration: 6sec ::::::::::::::::::


This was found by MCShield
https://www.virustotal.com/en/file/7ef7746f5d692e0ae637cd90880241d604970d4158e0696368ae11e9ec960f03/analysis/
https://www.virustotal.com/en/file/67f5aaeb0d8f9a7d5e5dfdd29fecd881c96c1d6cace47b712d4d35cfaefe097c/analysis/

The malware expert has been notified; he is located in Canada, so it may be several hours before he is online.

Here is another USB that we were using in my laptop. I already scanned it.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

9/19/2016 5:42:53 PM > Drive E: - scan started (Sony_4GR ~3860 MB, FAT32 flash drive )…

E:\System Volume Information.lnk - Malware > Deleted. (16.09.19. 17.42 System Volume Information.lnk.572704; MD5: 7e1eeb936ec68a28b5aa945b898dca5b)

E:\ .lnk - Malware > Deleted. (16.09.19. 17.42 .lnk.630790; MD5: 148b9187c3c3b7c738c4e422805c83e0)

E:\dekstop.ini - Malware > Deleted. (16.09.19. 17.42 dekstop.ini.285894; MD5: 02f638045780a73aeb90f4b04bc4de05)

Resetting attributes: E:\System Volume Information < Successful.

Resetting attributes: E:\ < Successful.

=> Malicious files : 3/3 deleted.
=> Hidden folders : 2/2 unhidden.


::::: Scan duration: 2sec ::::::::::::::::::


Okay. Thank you!

I’m on it …

Thank you! :slight_smile:

Hello,
If you will keep using MCShield, there is no need for another software like USB Disk Security. Just an FYI.
Also, avast! should be reinstalled, as it seems that some of its services don't load successfully.

You can uninstall SpyHunter as well; it is an old anti-malware software that can't keep up with modern infections and standards. You now have Malwarebytes.

Now, it is very important to keep MCShield active during the malware removal process. We shall target the active worm on the PC first so it can't replicate to USB flash drives. The infection on USB shall continue to live as long as the malware on the PC lives.

=> Unplug all your USB memory devices and don't plug them in until I tell you so. Keep MCShield active and installed.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.




Start
CreateRestorePoint:
(Microsoft Corporation) C:\Windows\System32\wscript.exe

CloseProcesses:
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\Windows 7\Documents\df5srvc.bfe"
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\Windows 7\AppData\Local\Microsoft\CD Burning\dekstop.ini"
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\MountPoints2: {26476990-5377-11e5-9bd0-4ceb4201d77c} - E:\Setup.exe /s
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\MountPoints2: {264769c2-5377-11e5-9bd0-24b6fd09e8b1} - E:\Setup.exe /s
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\MountPoints2: {af6ca6f4-e571-11e4-809d-24b6fd09e8b1} - E:\AutoRun.exe

RemoveProxy:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.linkzb.com
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bendot.co.nr
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.yahoo.com/
SearchScopes: HKU\S-1-5-21-2067916174-430647689-3879748510-1000 -> DefaultScope {933E245F-656D-4662-8D46-C988C73A76AC} URL = 
CHR HomePage: Default -> hxxps://ph.search.yahoo.com/?type=779227&fr=yo-yhp-ch
CHR StartupUrls: Default -> "hxxps://ph.search.yahoo.com/?type=779227&fr=yo-yhp-ch"
CHR Extension: (Chrome Media Router) - C:\Users\Windows 7\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-19]
CHR HKLM\...\Chrome\Extension: [lkemddiljapcmhicklfpcbpfffahfbja] - C:\Users\Windows 7\AppData\Local\Google\Chrome\User Data\Default\extensions\WebNavigation.crx [2012-08-07]

Hosts:
C:\Users\Windows 7\Documents\df5srvc.bfe
C:\Users\Windows 7\AppData\Local\Microsoft\CD Burning\dekstop.ini
C:\Users\Windows 7\Documents\dekstop.ini
C:\Users\Windows 7\dekstop.ini
C:\Users\Public\Documents\dekstop.ini
C:\Users\Public\dekstop.ini
C:\ProgramData\dekstop.ini
C:\Users\Windows 7\Documents\df5srvc.bfe

EmptyTemp:
End




2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

===================================

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive…

1. Close any open browsers and temporarily disable your AntiVirus program (if it is necessary).
If you are unsure how to do this, please read this or this instruction.

2. Double click on zoek.exe to run the tool. Please wait until the tool starts…
3. Copy the text present inside the code box below and paste it into the large window in the zoek tool:


QuickScan;
EmptyFoldersCheck;Delete 
EmptyCLSID;
ShortcutFix;
AutoClean;
Reboot;

4. Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).

5. Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
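What the fixlist above removes is a recognisable pattern: Run-key values that launch wscript.exe with the //e:VBScript engine override on files whose extension (.bfe, .ini) is not a script extension, a "dekstop.ini" name chosen to look like the legitimate desktop.ini, and MountPoints2 entries that cache an autorun command for a removable drive. The Python script below is an added example, not part of FRST or of this thread; it reads FRST-style Run and MountPoints2 lines (a constructed sample that reuses three of the thread's entries plus two made-up lines, one benign and one plain script-host case), applies those heuristics and reports findings with reasons, so an analyst can triage a fresh FRST.txt without hand-reading it. The line patterns, the host and extension lists, and the severity scale are assumptions of this example.

```python
import ntpath
import re

# Constructed sample in the format of FRST's "Run:" and "MountPoints2:" lines.
# The first three lines mirror entries from the thread's fixlist; the last two
# are made up here (a benign updater and a script host running a real .vbs).
SAMPLE_FRST = r"""
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\Windows 7\Documents\df5srvc.bfe"
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\Windows 7\AppData\Local\Microsoft\CD Burning\dekstop.ini"
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\MountPoints2: {26476990-5377-11e5-9bd0-4ceb4201d77c} - E:\Setup.exe /s
HKLM\...\Run: [ExampleUpdater] => "C:\Program Files\ExampleVendor\updater.exe" /background
HKU\S-1-5-21-2067916174-430647689-3879748510-1000\...\Run: [LogonScript] => wscript.exe "C:\Scripts\logon.vbs"
"""

# Assumed FRST line shapes; "\...\" is how FRST abbreviates the CurrentVersion path.
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU|U\\[^\\]+))\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
MP_RE = re.compile(r"^(?P<hive>HKU\\[^\\]+)\\\.\.\.\\MountPoints2: (?P<guid>\{[0-9a-fA-F-]+\}) - (?P<cmd>.+)$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # split a Windows command line on quotes/spaces

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DECOY_NAMES = ("desktop.ini", "thumbs.db")   # system file names worms imitate


def tokenize(cmd):
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmd)]


def analyze_command(cmd):
    """Return the list of reasons a Run-key command looks like script-host persistence."""
    tokens = tokenize(cmd)
    if not tokens:
        return []
    host = ntpath.basename(tokens[0]).lower()
    if host not in SCRIPT_HOSTS:
        return []                                   # not a script host: out of scope here
    reasons = [f"{host} launched from a Run key"]
    override = next((t for t in tokens[1:] if t.lower().startswith("//e:")), None)
    target = next((t for t in tokens[1:] if not t.startswith("/")), None)
    if override:
        reasons.append(f"engine override {override} forces script interpretation regardless of extension")
    if target:
        base = ntpath.basename(target).lower()
        if ntpath.splitext(base)[1] not in SCRIPT_EXTS:
            reasons.append(f"target {base!r} does not carry a script extension")
        for legit in DECOY_NAMES:                   # letter-swap lookalike, e.g. dekstop.ini
            if base != legit and sorted(base) == sorted(legit):
                reasons.append(f"target name {base!r} is a letter-swap of {legit!r}")
    return reasons


def audit_frst_lines(text):
    """Scan FRST output lines and return findings (kind, name, cmd, severity, reasons)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            reasons = analyze_command(run["cmd"])
            if reasons:
                findings.append({"kind": "Run", "name": run["name"], "cmd": run["cmd"],
                                 "severity": "high" if len(reasons) > 1 else "medium",
                                 "reasons": reasons})
            continue
        mp = MP_RE.match(line)
        if mp:
            findings.append({"kind": "MountPoints2", "name": mp["guid"], "cmd": mp["cmd"],
                             "severity": "high",
                             "reasons": ["autorun command cached for a removable volume"]})
    return findings


if __name__ == "__main__":
    for f in audit_frst_lines(SAMPLE_FRST):
        print(f"[{f['severity']}] {f['kind']} {f['name']}: {f['cmd']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Feed it the text of an FRST.txt and only the Run and MountPoints2 lines are considered; the benign updater line produces no finding, the plain wscript.exe-with-a-.vbs line is reported as medium (worth a look, not necessarily malicious), and the two thread entries rate high because the engine override and the non-script extension occur together.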

Hi! Attached here are the results. Thank you! I already did all the instructions.

Hi,

You did disconnect your USB flash drives, right?

Please re-run this FixList (with the FRST tool) again and post me a fresh FixList.txt for review:

Start
CMD: Taskkill /IM wscript.exe /F

Reboot:
C:\Users\Windows 7\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF

StartRegedit: 
[HKEY_USERS\S-1-5-21-2067916174-430647689-3879748510-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Excel"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Excel"=-
C:\Users\Default\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "",
C:\Users\Default User\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "",
EndRegedit: 
End

Then, post me a fresh FRST.txt log report for reanalysis.

Yes, I haven't inserted any USB in my laptop. Anyway, here are the fixlog and FRST results:

Logs look good. Run Malwarebytes' Threat Scan one more time, just in case, to remove any possible leftovers, but the malware no longer lives on your PC.

Then you may re-attach your USB flash drives so that MCShield can process them one more time. MCShield may detect USB worms again, but then the infections should be gone for good.

When you have done all the steps, please tell me how the computer is running now.

Hello! There are no more pop-ups regarding the threat. Yey! Thank you very much!!!

Anyway, what if the Malwarebytes Premium free trial has already expired? Will it make me less protected when I insert the USB again?

Malwarebytes Premium has Real Time Monitoring on. When you go back to Malwarebytes Free, you will have Real Time Monitoring off.

In other words, you will have to start MBAM yourself and do a system scan. Premium runs MBAM in the background and does system scans on its own schedule settings. And MBAM isn't an AV, nor can it protect USB drives; MCShield can.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore
Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

DONE! Yey! Amazing. Thank you very much! :slight_smile: