please help me with the virus

Hello,

I have recently found out that there had been a virus on my pen drive. It infected my computer, and now I can see wscript.exe running. The virus made all the data on the pen drive turn into shortcuts, and now I can also see some new shortcuts on my desktop like desktop.ini. Avast, Malwarebytes Anti-Malware and WinREG Cleaner can’t help me.
I have attached OTL and MBR file. The virus attacked yesterday.

I would be grateful for any help.
Wojciech

help is on the way :wink:

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure “Driver MD5” is ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Thank you for the answer. Here are the files.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKCU\...\Run: [Pando Media Booster] - null\Pando Networks\Media Booster\PMB.exe
HKLM\...\Run: [iTunesHelper] - C:\Users\Wojciech\AppData\Local\Temp\iTunesHelper.vbe [69554284 2013-11-08] ()
HKCU\...\Run: [iTunesHelper] - C:\Users\Wojciech\AppData\Local\Temp\iTunesHelper.vbe [69554284 2013-11-08] ()
MountPoints2: G - G:\BALDUR.EXE
MountPoints2: {1fed8244-8ef9-11e2-86cd-002622cb2c88} - I:\SISetup.exe
MountPoints2: {94467153-2a1d-11e1-b361-002622cb2c88} - H:\AutoRun.exe
MountPoints2: {a478d340-ad10-11e2-a946-806e6f6e6963} - G:\_AUTORUN\AUTORUN.EXE
MountPoints2: {cc8c3f8d-c977-11de-b5ff-002622cb2c88} - F:\Autorun.exe
MountPoints2: {cc8c3f8f-c977-11de-b5ff-002622cb2c88} - G:\_AUTORUN\AUTORUN.EXE
Startup: C:\Users\Wojciech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()
URLSearchHook: HKLM - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
SearchScopes: HKCU - {DBD56425-F65B-4F9D-9CD1-A6C3101CC8DA} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYPL&apn_uid=D77A7C69-981C-4DA5-8AAA-DD6A469538CF&apn_sauid=05D99497-D19E-47C0-97D1-596BE91B4417
BHO: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKLM - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - uTorrentControl2 Toolbar - {687578B9-7132-4A7A-80E4-30EE31099E03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
FF SelectedSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF Keyword.URL: user_pref("keyword.URL",  "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=");
FF SearchPlugin: C:\Users\Wojciech\AppData\Roaming\Mozilla\Firefox\Profiles\jtwd0svi.default\searchplugins\askcom.xml
FF Extension: uTorrentControl2 Community Toolbar - C:\Users\Wojciech\AppData\Roaming\Mozilla\Firefox\Profiles\jtwd0svi.default\Extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
CHR Plugin: (Pando Web Plugin) - C:\Users\Wojciech\Downloads\null\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
S4 Ebhosapdpfcw; No ImagePath
C:\Users\Wojciech\AppData\Local\Temp\iTunesHelper.vbe
Task: {5503FB66-3A52-49ED-AC35-32B7B63D2AFB} - System32\Tasks\{D27E31CD-9EBB-4056-9F88-014870922453} => C:\Seven Kingdoms\7k.exe
Task: {602857D8-787B-404D-B45A-7257DBFD84AE} - System32\Tasks\{BE7F9232-8AC0-4371-BD9A-1FCE95D6A6B1} => C:\Seven Kingdoms\7k.exe
Task: {6B9C6566-087D-4B48-8EF4-2FE5BDA64430} - System32\Tasks\{BEC2DE1E-5BB2-4CD8-B1C6-4A2E50AECA92} => D:\Seven Kingdoms A.A. v2.12 -FULL RIP + Extra-\Seven Kingdoms\7K.EXE
Task: {0DE53948-57E1-4F7E-993C-D57595DFF56C} - System32\Tasks\{298496FC-01A8-4891-8194-0BB3F587472B} => D:\Seven Kingdoms A.A. v2.12 -FULL RIP + Extra-\Seven Kingdoms\7K.EXE
Task: {14BA59F7-108B-4DFF-8D17-AA457B1EA081} - System32\Tasks\{5493330D-F201-4EA6-B47C-B5C4CA382368} => C:\Seven Kingdoms\7k.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

**********************

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

- Double click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
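As an added example (not part of the thread, and not FRST or zoek code), here is a read-only PowerShell audit of the same persistence locations the fixlist above cleans: the Run keys, the Startup folders and the MountPoints2 AutoRun handlers. It flags Windows Script Host launchers (.vbe/.vbs/.js) and anything started from %TEMP%, the pattern behind the iTunesHelper.vbe entries in this thread; the function name and the extension list are my own choices.

```powershell
# Added example (not from the thread, FRST or zoek): read-only audit of the
# persistence locations the fixlist cleans. It reports and removes nothing.
function Find-ScriptHostPersistence {
    $scriptExt = '\.(vbe|vbs|js|jse|wsf)\b'   # files executed by wscript.exe / cscript.exe
    $tempDir   = [regex]::Escape($env:TEMP)   # a launcher living in %TEMP% is suspicious by itself
    $findings  = New-Object System.Collections.Generic.List[object]

    # 1. Run keys, per-user and machine-wide (HKCU\...\Run and HKLM\...\Run in FRST terms)
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            if ($cmd -match $scriptExt -or $cmd -match $tempDir) {
                $findings.Add([pscustomobject]@{ Location = $key; Name = $name; Target = $cmd })
            }
        }
    }

    # 2. Startup folders: every file here runs at logon (the Startup: line in FRST)
    foreach ($folder in @('Startup', 'CommonStartup')) {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($f in Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue) {
            if ($f.Name -match $scriptExt) {
                $findings.Add([pscustomobject]@{ Location = $path; Name = $f.Name; Target = $f.FullName })
            }
        }
    }

    # 3. MountPoints2: AutoRun commands Explorer remembered for removable drives
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($k in Get-Item -Path "$mp\*\shell\AutoRun\command" -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{
            Location = 'MountPoints2'
            Name     = $k.Name.Split('\')[-4]    # the volume GUID or drive letter
            Target   = [string]$k.GetValue('')   # (Default) value holds the remembered command
        })
    }
    return $findings
}

Find-ScriptHostPersistence | Format-Table -AutoSize
```

Run it from a normal (non-elevated) prompt first; HKLM entries may need an elevated session to enumerate on some systems, and a hit only tells you where to look, not that the file is malicious.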

Here are the logs.

And that one was missing.

Rerun FRST. You have attached the same log file.

Is that the right file?

OK.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

- Close any open browsers.
- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

- Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

- Save the notepad to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Here we go, zoek result.

- Close any open browsers.
- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

C:\Seven Kingdoms\7k.exe;z
C:\Seven Kingdoms\7k.exe;a
C:\windows\tasks\GoogleUpdateTaskMachineUA.job;f
C:\Program Files\Pando Networks\Media Booster;fs
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
emptyalltemp;

- Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

- Save the notepad to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

zoek log

Connect the USB flash drive and attach the Last scan log file.

Looks clean. Also the script hasn’t been running for quite a while.

System is clean, and also the flash drive 8)

You are malware free. The posted logs now appear clean and show no signs of active infection.

A good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


To help your AntiVirus protect your computer and to speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time, and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t an AntiVirus and it can NOT replace one.

  2. Keep MCShield Anti-Malware; the tool will be updated regularly and performs automatic malware checking of each attached USB memory device.
    MCShield has been designed as a lightweight scanner that’s smart enough to catch even new worms and to work in fully automatic removal mode.

  3. It’s recommended to delete Temporary Files every once in a while. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.
    Temp File Cleaner, aka TFC, by OldTimer
    TFC is a small and useful utility that cleans up temp files from all user profiles and system folders.


How to protect yourself?

  1. Adjust avast! to target PUP software:
    Run avast! 2014 by clicking the system tray icon in the lower right corner of the screen.
    Click on Settings; in the new window that opens, click on Active Protection, then under File System Shield click on the gear wheel…
    Under the Sensitivity part of the options, check the box for Scan for potentially unwanted programs (PUP).

  2. avast! Software Updater. Run avast!, click on Tools > Software Updater.
    For security reasons, make sure you do update your browser(s), Java, Flash Player, and basically every piece of software you use often.

  3. avast! Browser Cleanup. Run avast!, click on Tools > Browser Cleanup.
    The Browser Cleanup tool is an integrated tool in avast! AV that gives you control over unwanted browser add-ons.

  4. avast! Malware Scan. Run avast!, click on Scan and perform a Quick Scan by clicking on the Start button.
    Every once in a while, it’s recommended to perform a virus scan with avast! 2014.

Thank you a lot for your help. I appreciate the time given to solve my problem. Real good job. The guidance was very clear and understandable even for a newbie like me. I would also like to ask, however, what was the source of the virus, if you have that information of course.

The flash drive; you will no longer have a problem. MCShield will prevent any worms.