Shortcut pendrive virus

Hello. My computer is infected with the shortcut virus. 2 of my USB sticks are full of shortcuts that send to CMD, and none of the original folders. I will attach the logs requested on this link:
https://forum.avast.com/index.php?topic=194892.0

malware bytes, farbar recovery and mcshield

Any help is appreciated.

Log from MCShield must be copy / paste … a forum bug makes it unreadable when attached

ok. once more, onto the breach:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

4/11/2018 10:26:19 PM > Drive G: - scan started (KINGSTON ~3815 MB, FAT32 flash drive )…

—> Executing generic S&D routine… Searching for files hidden by malware…

—> Items to process: 9

—> G:\DATE SCOALA.docx > unhidden.

—> G:\Structura an scolar -calendar.pdf > unhidden.

—> G:\rofuip_2018.pdf > unhidden.

—> G:\antet scoala 2017.docx > unhidden.

—> G:\cerere naveta prof…pdf > unhidden.

—> G:\Notificare MECS la inv tehnic si profesional.pdf > unhidden.

—> G:\TEZE___2017-2018.pdf > unhidden.

—> G:\E. LEITOIU.zip > unhidden.

—> G:\Legea_nr._1-2011.pdf > unhidden.

—> Note: paranoid mode is enabled.

G:\DATE SCOALA.lnk - Malware > Deleted. (18.04.11. 22.27 DATE SCOALA.lnk.212048; MD5: 7fc8c8efa57adc4c88c393bf17ddbaff)

G:\Structura an scolar -calendar.lnk - Malware > Deleted. (18.04.11. 22.27 Structura an scolar -calendar.lnk.473396; MD5: 8307fe180446b209d92506184290027a)

G:\rofuip_2018.lnk - Malware > Deleted. (18.04.11. 22.27 rofuip_2018.lnk.12655; MD5: 266b7bc4e4f7d6551ddd8938f28f7f39)

G:\antet scoala 2017.lnk - Malware > Deleted. (18.04.11. 22.27 antet scoala 2017.lnk.142285; MD5: 2f1527a7219bdcb6bad427a0ce5aae37)

G:\cerere naveta prof.lnk - Malware > Deleted. (18.04.11. 22.27 cerere naveta prof.lnk.832023; MD5: 5165776b3ebd3b1014e8db8cd20ec0b2)

G:\Notificare MECS la inv tehnic si profesional.lnk - Malware > Deleted. (18.04.11. 22.27 Notificare MECS la inv tehnic si profesional.lnk.733114; MD5: 2843062d98810ffa5e1e36084933e46d)

G:\TEZE___2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 TEZE___2017-2018.lnk.138163; MD5: fb6b41cf46737115b3417fec5942fb22)

G:\E.lnk - Malware > Deleted. (18.04.11. 22.27 E.lnk.540326; MD5: 03eb10e79e4375ca1c6e4ff53b7687b9)

G:\Legea_nr.lnk - Malware > Deleted. (18.04.11. 22.27 Legea_nr.lnk.818991; MD5: 76be4f877709c56d3d21481db1200766)

G:\PROIECT ROSE.lnk - Malware > Deleted. (18.04.11. 22.27 PROIECT ROSE.lnk.15617; MD5: 8bb83113ed5af1ed91648f58371389be)

G:\doc catedra.lnk - Malware > Deleted. (18.04.11. 22.27 doc catedra.lnk.910892; MD5: f37de8c8a82adb8e25245e8eea61c1e4)

G:\doc diriginte.lnk - Malware > Deleted. (18.04.11. 22.27 doc diriginte.lnk.723603; MD5: a1765cfee3635de259d3028bb859cfea)

G:\doc profesor.lnk - Malware > Deleted. (18.04.11. 22.27 doc profesor.lnk.387934; MD5: 09d16eb7b9a6961a2a7ea1e1fe13f4e9)

G:\comisia de etica si integritate.lnk - Malware > Deleted. (18.04.11. 22.27 comisia de etica si integritate.lnk.489882; MD5: ba21dd9aa1ed98b0d3060dc5cbc98913)

G:\EDUCATIE TEHNOLOGICA.lnk - Malware > Deleted. (18.04.11. 22.27 EDUCATIE TEHNOLOGICA.lnk.669190; MD5: b094c1b36ee12fb84530140f25a4ebe5)

G:\informari 2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 informari 2017-2018.lnk.678735; MD5: 19b37e54cba3def2c56c6386d0139c04)

G:\comisia CEAC.lnk - Malware > Deleted. (18.04.11. 22.27 comisia CEAC.lnk.666413; MD5: db05b6f46cb085c72f974a2995891686)

G:\EXAMENE.lnk - Malware > Deleted. (18.04.11. 22.27 EXAMENE.lnk.201913; MD5: d5558d739c1b406014619bc90437eb1d)

G:\comisia curriculum.lnk - Malware > Deleted. (18.04.11. 22.27 comisia curriculum.lnk.478304; MD5: 88a79c2164c8447886e9f4b6643b0b8a)

G:\CONCURS MESERII.lnk - Malware > Deleted. (18.04.11. 22.27 CONCURS MESERII.lnk.760381; MD5: 40d639e9aeab5ebb788199cd3b7c4098)

G:\Acrobat.lnk - Malware > Deleted. (18.04.11. 22.27 Acrobat.lnk.399304; MD5: d4a73a76f18b665cfeac261e9efd5a14)

G:\OMEN 2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 OMEN 2017-2018.lnk.55106; MD5: af7c1ee4c2385251fe556d7df15f8d13)

G:\System Volume Information.lnk - Malware > Deleted. (18.04.11. 22.27 System Volume Information.lnk.881111; MD5: 1a3a340e0128f022258d7ba9a5b598eb)

G:\Microsoft Excel.WsF - Malware > Deleted. (18.04.11. 22.27 Microsoft Excel.WsF.842245; MD5: bb70089db80ea6afb5d5a12271591df2)

Resetting attributes: G:\PROIECT ROSE < Successful.

Resetting attributes: G:\doc catedra < Successful.

Resetting attributes: G:\doc diriginte < Successful.

Resetting attributes: G:\doc profesor < Successful.

Resetting attributes: G:\comisia de etica si integritate < Successful.

Resetting attributes: G:\EDUCATIE TEHNOLOGICA < Successful.

Resetting attributes: G:\informari 2017-2018 < Successful.

Resetting attributes: G:\comisia CEAC < Successful.

Resetting attributes: G:\EXAMENE < Successful.

Resetting attributes: G:\comisia curriculum < Successful.

Resetting attributes: G:\CONCURS MESERII < Successful.

Resetting attributes: G:\Acrobat < Successful.

Resetting attributes: G:\OMEN 2017-2018 < Successful.

Resetting attributes: G:\System Volume Information < Successful.

=> Malicious files : 24/24 deleted.
=> Hidden folders : 14/14 unhidden.
=> Hidden files : 9/9 unhidden.


::::: Scan duration: 46sec :::::::::::::::::
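As an added example (not part of the thread and not MCShield's own code), a small Python triage of the log format posted above: it pairs each deleted .lnk decoy with the hidden original that was unhidden or had its attributes reset, and separates out the script dropper (here the .WsF), whose MD5 is the value worth comparing across drives and submitting to VirusTotal. The sample log lines are copied from the G: scan except for the constructed "orphan decoy.lnk" entry, which shows what a decoy with no recovered original looks like.

```python
import re
# Constructed sample in MCShield's log format: lines copied from the G: scan
# above plus one made-up decoy ("orphan decoy.lnk") with no restored original.
SAMPLE_LOG = r"""
--> G:\DATE SCOALA.docx > unhidden.
--> G:\E. LEITOIU.zip > unhidden.
G:\DATE SCOALA.lnk - Malware > Deleted. (18.04.11. 22.27 DATE SCOALA.lnk.212048; MD5: 7fc8c8efa57adc4c88c393bf17ddbaff)
G:\E.lnk - Malware > Deleted. (18.04.11. 22.27 E.lnk.540326; MD5: 03eb10e79e4375ca1c6e4ff53b7687b9)
G:\doc catedra.lnk - Malware > Deleted. (18.04.11. 22.27 doc catedra.lnk.910892; MD5: f37de8c8a82adb8e25245e8eea61c1e4)
G:\orphan decoy.lnk - Malware > Deleted. (18.04.11. 22.27 orphan decoy.lnk.1; MD5: 00000000000000000000000000000000)
G:\Microsoft Excel.WsF - Malware > Deleted. (18.04.11. 22.27 Microsoft Excel.WsF.842245; MD5: bb70089db80ea6afb5d5a12271591df2)
Resetting attributes: G:\doc catedra < Successful.
"""
# MCShield prints "-->"; the forum rendered it as an em dash, so accept both.
UNHIDDEN_RE = re.compile(r"^[-\u2014]+>\s+(.+?) > unhidden\.$")
DELETED_RE = re.compile(r"^(?P<path>.+?) - Malware > Deleted\. \(.*; MD5: (?P<md5>[0-9a-fA-F]{32})\)$")
RESET_RE = re.compile(r"^Resetting attributes: (?P<path>.+?) < Successful\.$")
SCRIPT_EXT = {"wsf", "vbs", "vbe", "js", "jse", "bat", "cmd", "exe", "scr"}

def decoy_key(path):
    # In the scan above each decoy is named after the original cut at its
    # first dot, so "E. LEITOIU.zip" and its "E.lnk" decoy both map to "E".
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]

def parse_log(log_text):
    unhidden, deleted, reset = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := UNHIDDEN_RE.match(line):
            unhidden.append(m.group(1))
        elif m := DELETED_RE.match(line):
            deleted.append((m.group("path"), m.group("md5")))
        elif m := RESET_RE.match(line):
            reset.append(m.group("path"))
    return unhidden, deleted, reset

def triage(log_text):
    """Sort deletions into script dropper(s), paired .lnk decoys, and orphans."""
    unhidden, deleted, reset = parse_log(log_text)
    restored = {decoy_key(p) for p in unhidden + reset}
    out = {"droppers": [], "decoys": [], "orphans": [], "other": []}
    for path, md5 in deleted:
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXT:
            out["droppers"].append((name, md5))  # the payload worth hashing
        elif ext != "lnk":
            out["other"].append(name)
        else:
            out["decoys" if decoy_key(name) in restored else "orphans"].append(name)
    return out
```

Running `triage` over the full G: scan and the later F: scan shows the same dropper MD5 on both sticks, which is what confirmed one infection spread across drives.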


I’ll pull Sass Drake or another expert to assist you

Thank you!

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-3433359063-1357698818-1656963194-1000\...\Run: [Microsoft Excel] => wscript.exe //B "C:\Users\Andrei\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF"
VirusTotal: C:\Users\Andrei\AppData\Roaming\Microsoft Office\Microsoft Excel.WsF;
C:\Users\Andrei\AppData\Roaming\Microsoft Office
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Attaching fixlog.

What is pendrive status now?

I have inserted one of the potentially infected USB drives. MCShield detected malware. This happened:

4/15/2018 1:52:54 AM > Drive F: - scan started (stick ~14778 MB, NTFS flash drive )…

F:\Microsoft Excel.WsF - Malware > Deleted. (18.04.15. 01.53 Microsoft Excel.WsF.46536; MD5: bb70089db80ea6afb5d5a12271591df2)

=> Malicious files : 1/1 deleted.

And no shortcuts appeared. I have repeated this with a few more usb-drives and mcshield deleted another Microsoft Excel.WsF.
It seems that my computer is clean! YAY!

But, um, could someone please explain what happened? What did Excel have to do with anything?

Hi,

I’ll pop in to explain this one.

What did Excel have to do with this? Nothing. The name of the file was Microsoft Excel - that name can be very easily manipulated, much like you name a document when you’re saving it. *.WsF stands for Windows Script File. One of the things I asked Sass Drake to do when he removed the file was to send it to VirusTotal - one of the nice things about this website is it allows the right people to download the file, and tells me what it is. In this case, it was a VBS Script file. An extremely common way to infect via USB.

If you visit the link from your fixlog (see below) Sass Drake has actually commented on it.

How did you become infected? Something common. An internet cafe, library computer, email with an attachment, even someone visiting your place with a USB. Someone, somewhere didn’t use some form of Anti-USB protection and spread it. The only way to prevent it is something like MCShield that will stop the auto-run sequence until it’s finished scanning it.

VirusTotal: C:\Users\Andrei\AppData\Roaming\Microsoft Office\Microsoft Excel.WsF => https://www.virustotal.com/file/d98509a855d077f9012c510061f56f0a52d6dc3cb63d6501da65908f492b82c6/analysis/1521532251/

Your PC is clean now.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Done, and done. Many thanks to you, kind sirs! I hope I won’t be returning with yet another similar request.