shortcut files virus help~~~~~~~~~~~~~~

2 weeks ago, I plugged my friend's pen drive into my laptop. I saw there was a shortcut file in his pen drive and clicked on it; nothing happened. But then after a few days, I found out that inside my D: drive all the files have shortcut files in them. Please help me to fix it.

Follow the instructions at https://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes and Farbar Recovery Scan Tool logs.

Are these attachments correct?

Anyone help, pls? I already attached those files. It has been 1 week.

Farbar will produce two logs … One log is missing additional.txt

Have notified removal team…

Do you still require help?

I still require help T^T. Pls help me; I attached all the files one more time.

Hi,

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system, as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system, as it may hinder our process.
  • Malware removal is a complicated process, so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a copy/paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe Mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems, as it may do serious damage.

Uninstall McAfee Security Scan Plus


  • Step #1 P2P Warning
    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    - µTorrent

    I shall provide you with a few reference links; please read them to know the risks of having a P2P program.

    - P2P File-Sharing: Evaluate the Risks: http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm
    - ITSC: Risks in Peer-to-peer File Sharing: http://www.cuhk.edu.hk/itsc/about/p2p-risk.html

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.

    My recommendation is that you uninstall the programs listed above. If you choose not to remove them, please do not use them until this computer is clean.


  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and paste the contents inside the code-box to your Notepad:

Start
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
CloseProcesses:
() C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Google\
HKLM-x32\...\Run: [] => [X]
File:C:\Windows\system32\ctfmon.exe 
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiWormUpdate] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiUsbWorm] => C:\Windows\system32\cmd.exe /c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x  & exit
C:\Users\user\AppData\Local\Temp\2D1.exe
C:\Users\user\AppData\Local\Temp\41B8.exe
C:\Users\user\AppData\Local\Temp\9365ed7c90cf82d4836705e54fbdb12e.dll
C:\Users\user\AppData\Local\Temp\A220.exe
C:\Users\user\AppData\Local\Temp\AcDeltree.exe
C:\Users\user\AppData\Local\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
C:\Users\user\AppData\Local\Temp\lowproc.exe
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\SGComRetrieve.exe
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum.exe
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum2.exe
C:\Users\user\AppData\Local\Temp\SkypeSetup.exe
C:\Users\user\AppData\Local\Temp\sogou_pinyin_7.2.1.3736.exe
C:\Users\user\AppData\Local\Temp\stubhelper.dll
Emptytemp:
End

    - Click on File > Save as...
    - Inside the File Name box type fixlist.txt;
    - From the Save as type drop-down list, choose All Files;
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Copy and paste the contents of the log in your next reply.


  • Step #3 Fix with AdwCleaner
    Download AdwCleaner by Xplode to your Desktop from the following link.
    - Download Link #1
    - Download Link #2
    - Right-click on AdwCleaner.exe and choose Run as administrator;
    - Click on Scan and let the program run unhindered;
    - When done, click on Clean and allow the system to reboot after it is done;
    - A log will be opened automatically after the restart;
    - Attach the log in your reply.


  • Step #4 Fix with Junkware Removal Tool
    Download Junkware Removal Tool by thisisu to your Desktop from the link below.
    - Download Link 1
    - Download Link 2
    - Disable your anti-virus to avoid potential conflicts. For more information please read this article: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
    - Run the program either by double-clicking (Windows XP) or right-clicking and choosing Run as administrator (Windows Vista and above);
    - Please be patient as the tool cleans your system;
    - After completion of the process a log named JRT.txt will automatically open and is saved to your Desktop;
    - Attach the log in your next reply.


  • Required Log(s):
    - FRST Fix Log
    - AdwCleaner Log
    - Junkware Removal Tool Log

    Regards,
    Valinorum
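
The two HKU Run values in the fixlist above (AntiWormUpdate and AntiUsbWorm) are the worm's persistence: a copy of the AutoIt interpreter dropped in C:\Google and started from cmd.exe with /AutoIt3ExecuteScript on a compiled script. The following Python triage script is an added example, not code from this thread or from FRST; it parses the Run/RunOnce lines of an FRST log and flags entries that use a shell or script host, execute a script file, detach with "start ... & exit", or reference a path outside Windows and Program Files. The line layout it expects is taken from the lines on this page; the Realtek entry in the sample log is constructed, and the handling of unquoted paths with spaces is an assumption.

```python
"""Triage autorun (Run/RunOnce) entries from an FRST log for script-host launchers."""
import re
import sys

# FRST writes autoruns as "<hive>\...\Run: [<name>] => <command>"; layout taken from the log lines above.
RUN_LINE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$"
)
# When FRST resolves the file it appends "[size date] (company)"; the text before it is the full path.
FRST_META = re.compile(r"\s\[\d+ \d{4}-\d{2}-\d{2}\](?: \([^)]*\))?\s*$")
# Drive-letter paths, quoted or unquoted (assumption: unquoted paths with spaces are cut at the space).
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"&]+)')
DETACH = re.compile(r"\bstart\b.*&\s*exit\b")

SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "autoit3.exe")
SCRIPT_HINTS = ("/autoit3executescript", ".a3x", ".vbs", ".js", ".bat", ".cmd", ".ps1")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: the two worm entries and the orphaned value are the lines from the fixlist
# above; the Realtek entry is a made-up benign one so the script has something to leave alone.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13528760 2013-02-28] (Realtek Semiconductor)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiWormUpdate] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiUsbWorm] => C:\Windows\system32\cmd.exe /c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x  & exit
"""


def parse_run_entries(log_text):
    """Extract Run/RunOnce entries; 'resolved' is the path FRST verified, if any."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        meta = FRST_META.search(e["cmd"])
        e["resolved"] = e["cmd"][:meta.start()] if meta else None
        e["cmd"] = FRST_META.sub("", e["cmd"])
        entries.append(e)
    return entries


def referenced_paths(entry):
    """Paths the value points at: the FRST-resolved file, else every drive-letter path in the command."""
    if entry["resolved"]:
        return [entry["resolved"]]
    return [quoted or bare for quoted, bare in WIN_PATH.findall(entry["cmd"])]


def assess(entry):
    """Return human-readable reasons an autorun value deserves a closer look (empty = unremarkable)."""
    low = entry["cmd"].lower()
    if low == "[x]":  # FRST marks values whose target no longer exists with [X]
        return ["value present but target file missing (orphaned autorun)"]
    reasons = []
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append("runs a script host or shell instead of an application")
    if any(h in low for h in SCRIPT_HINTS):
        reasons.append("executes a script file")
    if DETACH.search(low):
        reasons.append("uses 'start ... & exit' to detach and hide the launcher")
    for p in referenced_paths(entry):
        if not p.lower().startswith(TRUSTED_ROOTS):
            reasons.append(f"references a path outside the usual program locations: {p}")
    return reasons


def triage(log_text):
    """Parse the log and attach reasons to every autorun entry."""
    return [dict(e, reasons=assess(e)) for e in parse_run_entries(log_text)]


def report(findings):
    lines = []
    for f in findings:
        flag = "SUSPECT" if f["reasons"] else "ok     "
        lines.append(f'{flag} {f["hive"]}\\...\\{f["key"]} [{f["name"]}] => {f["cmd"]}')
        lines.extend(f"         - {r}" for r in f["reasons"])
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(triage(text)))
```

Run it as `python frst_autoruns.py FRST.txt` against a real log, or with no argument to see the constructed sample scored; the orphaned HKLM-x32 value is reported separately because it is harmless on its own but shows that something was removed without cleaning up after itself.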

Hi Valinorum, thanks for replying to me and sorry for my impatience :-[
Below is my fixlog.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-10-2014 01
Ran by user at 2014-10-05 02:42:01 Run:1
Running from C:\Users\user\Desktop
Loaded Profile: user (Available profiles: user)
Boot Mode: Normal

Content of fixlist:


Start
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
CloseProcesses:
() C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Google
HKLM-x32\...\Run: [] => [X]
File:C:\Windows\system32\ctfmon.exe
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiWormUpdate] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\...\Run: [AntiUsbWorm] => C:\Windows\system32\cmd.exe /c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x & exit
C:\Users\user\AppData\Local\Temp\2D1.exe
C:\Users\user\AppData\Local\Temp\41B8.exe
C:\Users\user\AppData\Local\Temp\9365ed7c90cf82d4836705e54fbdb12e.dll
C:\Users\user\AppData\Local\Temp\A220.exe
C:\Users\user\AppData\Local\Temp\AcDeltree.exe
C:\Users\user\AppData\Local\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
C:\Users\user\AppData\Local\Temp\lowproc.exe
C:\Users\user\AppData\Local\Temp\Quarantine.exe
C:\Users\user\AppData\Local\Temp\SGComRetrieve.exe
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum.exe
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum2.exe
C:\Users\user\AppData\Local\Temp\SkypeSetup.exe
C:\Users\user\AppData\Local\Temp\sogou_pinyin_7.2.1.3736.exe
C:\Users\user\AppData\Local\Temp\stubhelper.dll
Emptytemp:
End


HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2A075BB4-E976-4278-BF3F-E5C6945D84C0}\SystemComponent => value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{185F9795-9663-4F13-9EF9-307A282ADB5A}\SystemComponent => value deleted successfully.
Processes closed successfully.
C:\Windows\SysWOW64\PnkBstrA.exe => No running process found
C:\Windows\SysWOW64\PnkBstrA.exe => Moved successfully.
C:\Google => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ => value deleted successfully.

========================= File:C:\Windows\system32\ctfmon.exe ========================

MD5: 7978B91B70462045B01F114223FA5871
Creation and modification date: 2012-07-26 10:07 - 2012-07-26 11:08
Size: 0010240
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: CTFMON
Original Name: CTFMON.EXE.MUI
Product Name: Microsoft® Windows® Operating System
Description: CTF Loader
File Version: 6.2.9200.16384 (win8_rtm.120725-1247)
Product Version: 6.2.9200.16384
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======

HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\Software\Microsoft\Windows\CurrentVersion\Run\AntiWormUpdate => value deleted successfully.
HKU\S-1-5-21-3593269008-1716933379-3365349287-1001\Software\Microsoft\Windows\CurrentVersion\Run\AntiUsbWorm => value deleted successfully.
C:\Users\user\AppData\Local\Temp\2D1.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\41B8.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\9365ed7c90cf82d4836705e54fbdb12e.dll => Moved successfully.
C:\Users\user\AppData\Local\Temp\A220.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\AcDeltree.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\lowproc.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\SGComRetrieve.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\SGWPCheckIconNum2.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\sogou_pinyin_7.2.1.3736.exe => Moved successfully.
C:\Users\user\AppData\Local\Temp\stubhelper.dll => Moved successfully.
EmptyTemp: => Removed 2.2 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====

Hi,

How is your PC running?

  • Step #5 ESET Online Scanner
    Disable your security programs, which includes but is not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    - Download esetsmartinstaller_enu.exe by clicking here: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe
    - Right-click on the program and choose Run as administrator.
    - Accept their terms and conditions and proceed.
    - Install Add-On/ActiveX if prompted.
    - From the Computer Scan Setting:
      - Enable detection of potentially unwanted applications
      - Click on Advanced Settings
        - Uncheck the following box:
          - Remove Found Threats
        - Check the following boxes:
          - Scan archives;
          - Scan for potentially unsafe applications;
          - Enable Anti-Stealth Technology
    - Click on Start and wait for the virus signature database to update.
    - The online scan will begin automatically and can take several hours.
      Note: Do not touch either the mouse or keyboard during the scan. Otherwise it may stall.
    - After the scan finishes:
      - If no threats were found:
        - Put a checkmark in Uninstall application on close.
        - Close the program and report that nothing was found.
      - If threats were found:
        - Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        - Attach the log file in your next reply.
    Note: Enable your security programs afterwards.

From this thread navigate to Specific Infection Log and complete the MCShield Scan process and attach the log.


  • Required Log(s):
    - ESET Scan Log
    - MCShield Log

    Regards,
    Valinorum

These are the txt files.

Re-do ESET scan and this time check the box beside Remove Found Threats. This should clear the infected shortcuts.
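
The "infected shortcuts" are ordinary Windows .lnk files whose target is cmd.exe with a command line that starts the hidden AutoIt script, placed next to the real files so a double-click on what looks like a document runs the worm first. The following Python scanner is an added example, not code from this thread, from ESET or from FRST. It parses .lnk files according to the Shell Link header and StringData layout and flags the ones whose target is a shell or script host, whose arguments run a script, or which borrow a system icon and start minimized. The worm-style sample is constructed in the code from the Run-key command line seen in the FRST fix above; its shell32.dll icon and minimized window state are assumptions about how such shortcuts are typically disguised, not facts from the thread.

```python
"""Find shortcut-worm .lnk files by parsing the Windows Shell Link (MS-SHLLINK) format."""
import struct
import sys
from pathlib import Path

# LinkCLSID 00021401-0000-0000-C000-000000000046 as laid out on disk (Data1..Data3 little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7

SCRIPT_HOSTS = ("cmd.exe", "wscript", "cscript", "powershell", "mshta", "rundll32", "autoit3")
SCRIPT_HINTS = ("/autoit3executescript", ".a3x", ".vbs", ".js", ".bat")
SYSTEM_ICON_SOURCES = ("shell32.dll", "explorer.exe", "imageres.dll")


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData strings of one .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 0x4C                                   # end of the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                       # LinkTargetIDList: u16 IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: u32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"flags": flags, "show_cmd": show_cmd}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            link[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return link


def assess(link):
    """Reasons a parsed shortcut looks like a worm launcher (empty list = nothing notable)."""
    cmdline = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
    reasons = []
    if any(h in cmdline for h in SCRIPT_HOSTS):
        reasons.append("target is a shell or script host rather than a document or program")
    if any(h in cmdline for h in SCRIPT_HINTS):
        reasons.append("arguments execute a script file")
    if reasons and any(s in link.get("icon_location", "").lower() for s in SYSTEM_ICON_SOURCES):
        reasons.append("borrows a system folder/document icon to look like the real item")
    if reasons and link["show_cmd"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized so the console flash is not seen")
    return reasons


def scan(root):
    """Walk a drive or folder and return (path, parsed link, reasons) for suspicious .lnk files."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            link = parse_lnk(p.read_bytes())
        except (ValueError, struct.error, OSError):
            continue
        reasons = assess(link)
        if reasons:
            hits.append((p, link, reasons))
    return hits


def build_lnk(relative_path, arguments="", icon_location="", show_cmd=SW_SHOWNORMAL):
    """Build a minimal Unicode .lnk: constructed test data for this example, not the worm's file."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def sd(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + (sd(arguments) if arguments else b"") + \
        (sd(icon_location) if icon_location else b"")


# Constructed samples: the worm-style command line is the one from the FRST fix; icon and
# window state are assumptions about how such shortcuts are disguised.
WORM_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                     r"/c start C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x & exit",
                     icon_location=r"%SystemRoot%\system32\shell32.dll", show_cmd=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Mozilla Firefox\firefox.exe")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, link, reasons in scan(sys.argv[1]):
            print(path, link.get("relative_path"), link.get("arguments", ""), "|", "; ".join(reasons))
    else:
        for label, blob in (("worm-style", WORM_LNK), ("benign", BENIGN_LNK)):
            print(label, assess(parse_lnk(blob)) or ["nothing notable"])
```

Run `python lnk_scan.py D:\` to list the shortcuts that would be worth deleting; the parser walks the file by its declared sizes, so a truncated or fake .lnk raises and is skipped rather than crashing the scan. Deleting the .lnk files alone is not a cleanup: the Run keys and the C:\Google directory from the fixlist are what re-create them.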

Wow :slight_smile: it really works.
Thank you Valinorum.

How is your system?