shortcut virus. help~

hi,
My computer was infected so that whenever I insert a USB flash drive all the files turn into shortcuts, and I noticed the location shows cmd.
I’ve already cleaned my computer using AdwCleaner since I’ve read another topic with the same problem before. Help me with the next step please~ tq

Hi,

Do not attach any USB memory device while cleaning is in progress …

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

• Double-click to run it. When the tool opens, click Yes to the disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I have the same problem. My Avast Antivirus doesn’t find and/or fix this problem.
What do I need to do?
Attached are the FRST program logs.

Thank you

attached are my logs

FIX for joaopaulo0511 …

I didn’t tell you to check Driver MD5 & List BCD options …


FRST’s FixList


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
Folder: C:\Users\João Paulo\AppData\Local\Yunio
Unlock: C:\Users\João Paulo\AppData\Roaming\99b
Unlock: C:\Users\João Paulo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dee9d.js
C:\Users\João Paulo\AppData\Roaming\99b
C:\Users\João Paulo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dee9d.js
HKCU\...\Run: [8fa] - C:\Users\João Paulo\AppData\Roaming\99b\8fa.js [46874 2014-01-31] ()
Startup: C:\Users\João Paulo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dee9d.js ()
MountPoints2: {e5b58bc5-7bc6-11e3-b5e0-005056c00008} - G:\setup.exe
Task: {39081C6F-ECF2-47AA-B23C-85002E5C1AF6} - System32\Tasks\{381618FD-6262-42E8-92FA-B6A8B42FF338} => C:\Users\João Paulo\Desktop\Flash_Disinfector.exe
AlternateDataStreams: C:\Windows\System32:A4A79332_Bb.gbp
C:\Users\User\AppData\Local\Temp\*.vbs
C:\Users\João Paulo\AppData\Local\Temp\*.dll
C:\Users\João Paulo\AppData\Local\Temp\*.exe
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your antivirus program, usually via a right-click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

Instructions for disabling avast:

• Right-click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shields.


  3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree, ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If the Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install the Recovery Console.
  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Oh, is it okay? Or do I need to scan again and check the Driver MD5 & List BCD? And your reply above is for paulo, right? Not for me… hope you’re not confused…

Here’s the log
I downloaded ComboFix, but when I start the program it closes automatically.
I’m sorry if I confused you, Lyn.

@lyn007
My apologies. :frowning:
I shall look now at the logs …

@joaopaulo0511
You’re not the original poster; you should open your own topic for yourself. Stay in this topic for now, I’ll do both simultaneously…

Skip ComboFix, post me a fresh FRST.txt log report here …

FIX for lyn007

Do not attach USB memory devices while cleaning is in progress. When we have cleaned your host system, then we shall allow MCShield to clean the USB devices …


  1. Anti-VBSVBE

Please download Anti-VBSVBE and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

• Double-click to run the tool and wait until it finishes.
• It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.


  2. FRST’s FixList

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134187_Desktop.vbs ()
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26705857_Desktop.vbs ()
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.vbs ()
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iebwmtrofk..vbs ()
C:\Users\User\AppData\Local\Temp\*vbs
C:\Users\User\AppData\Local\Temp\*.dll
C:\Users\User\AppData\Local\Temp\*.exe
C:\Users\User\AppData\Local\Temp\_MEI46883
HKCU\...\Run: [Desktop] - C:\Users\User\AppData\Local\Temp\Desktop.vbs [15940 2013-06-07] () <===== ATTENTION
HKCU\...\Run: [26705857_Desktop] - C:\Users\User\AppData\Local\Temp\26705857_Desktop.vbs [15940 2013-06-06] () <===== ATTENTION
HKCU\...\Run: [134187_Desktop] - C:\Users\User\AppData\Local\Temp\134187_Desktop.vbs [15940 2013-06-06] () <===== ATTENTION
HKCU\...\Run: [iebwmtrofk] - C:\Users\User\AppData\Local\Temp\iebwmtrofk..vbs [73388 2013-08-28] () <===== ATTENTION
MountPoints2: E - E:\LGAutoRun.exe
MountPoints2: {01d6793a-d8f3-11e0-9a5f-001e101f2c0e} - E:\LGAutoRun.exe
MountPoints2: {338c07fe-d83b-11e0-aeba-60eb699cb747} - E:\AutoRun.exe
MountPoints2: {7c7e3dd3-2b11-11e1-9499-60eb699cb747} - E:\InstVerif.exe
MountPoints2: {c41c2075-d55c-11e0-a3ef-60eb699cb747} - E:\AutoRun.exe
MountPoints2: {c41c2085-d55c-11e0-a3ef-60eb699cb747} - E:\AutoRun.exe
MountPoints2: {e3519a01-4ebf-11e2-a355-ad3b0b848883} - E:\AutoRun.exe
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134187_Desktop.vbs ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26705857_Desktop.vbs ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.vbs ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iebwmtrofk..vbs ()
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sayclub.com
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


  3. MCShield’s scan

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

• Double-click MCShield-Setup to install the application.
• Wait a few seconds for MCShield to finish its initial scan.
• Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Click on the Logs tab and under the AllScans.txt tab click the Save button. The AllScans.txt log report should be on your Desktop.

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
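As an added defender-side example (not part of the original thread, and not code from FRST or MCShield), the following Python triage applies the reasoning behind the two fixlists above to FRST-style autostart lines: script files launched from user-writable folders with no publisher, and cached autorun handlers for removable volumes. The regexes assume the line layout shown in the fixlists, and the sample lines are constructed.

```python
import re

# Constructed sample in the layout of the FRST entries quoted in this thread;
# it is not a real log. The ExampleTool entry is a made-up benign control.
SAMPLE = r"""Start
HKCU\...\Run: [Desktop] - C:\Users\User\AppData\Local\Temp\Desktop.vbs [15940 2013-06-07] ()
HKCU\...\Run: [8fa] - C:\Users\João Paulo\AppData\Roaming\99b\8fa.js [46874 2014-01-31] ()
HKLM\...\Run: [ExampleTool] - C:\Program Files\ExampleTool\tool.exe [10240 2013-01-01] (Example Vendor)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iebwmtrofk..vbs ()
MountPoints2: {01d6793a-d8f3-11e0-9a5f-001e101f2c0e} - E:\LGAutoRun.exe
End"""

RUN_RE = re.compile(
    r"^HK(?:CU|LM)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<path>.+?) \[\d+ [\d-]+\] \((?P<vendor>[^)]*)\)")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
MOUNT_RE = re.compile(r"^MountPoints2: (?P<key>\S+) - (?P<path>.+)$")

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\")


def is_script_host_persistence(path, vendor):
    """Autostart that launches a script (run through wscript.exe) from a
    user-writable folder with no publisher: the pattern in this thread."""
    p = path.lower()
    return p.endswith(SCRIPT_EXT) and any(d in p for d in USER_WRITABLE) and not vendor.strip()


def triage(text):
    """Return (kind, path) findings for the suspicious entries in FRST-style text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            if is_script_host_persistence(m["path"], m["vendor"]):
                findings.append(("script-autostart", m["path"]))
            continue
        m = MOUNT_RE.match(line)
        if m:
            # MountPoints2 caches autorun handlers per volume; a handler that
            # points at an executable on a non-system drive is worth review.
            drive = m["path"][:2].upper()
            if drive.endswith(":") and drive[0] != "C":
                findings.append(("autorun-handler", m["path"]))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind:16} {path}")
```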

thanks magna
here are the attached files

Hi lyn007,

Host machine and USB memory devices should be clean now. How are things running now?

Yes, everything’s back to normal! Yay, thanks for helping :slight_smile:

But I also got another problem on my external hard disk long ago and never fixed it. It has a folder containing subfolders that use numbers as their names, and it’s locked, so I cannot delete it… Do I need to open another topic about this, or can you help me fix it here?

@ lyn007

MCShield has scanned one HDD. Is that the one?

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/ >>> v 3.0.3.26 / DB: 2014.1.25.2 / Windows 7 <<<

31/1/2014 9:41:44 PM > Drive C: - scan started (S3A8721D009 ~453 GB, NTFS HDD )…
=> The drive is clean.

MCShield said the drive is clean.
Have you tried to reformat that external HDD?

@joaopaulo0511

>> Skip ComboFix, post me a fresh FRST.txt log report here ...

What’s your progress?

Initially the programs (ComboFix and others like MCShield) closed on their own, but I restarted the computer and used ComboFix in Windows safe mode.
After that I restarted the computer and ComboFix worked fine in normal Windows and generated this log. (I can’t find the first log.)
So here is my second ComboFix log.

Now I can run any program on my computer; MCShield cleaned all the false shortcuts from my external HDD and they are not being created anymore (tested with one new pendrive).

Is my computer clean now?

Thank you so much for the help!
I’m sorry for my poor English.

Yeah, that’s the one. I’m also surprised that it was clean, because I thought it had a virus or something… I never created that folder. It needs admin permission from system32 for any action on that folder. I’m not the admin. Strange…

Oh, and I haven’t tried formatting the disk because it has a lot of files and I don’t have another disk for backup…

Ok, I can recheck your HDD with a diagnostic tool. But this folder should not be malware related, as MCShield has confirmed that.

Please download UsbFix and save it on the desktop.
http://www.usbfix.net/telecharger/usbfix/
[ click on Download button ]

  1. Run the program and click Research … on the dialog box, then select Ok.
    After the scan, a log file shall open (UsbFix.txt) => post the log in your reply.

  2. Re-run UsbFix, then click the Listing button.
    After the scan, the tool shall open a new log file (UsbFix.txt) => post the log in your reply.

Ok, done. Attached logs.

I see no problem here. I see a couple of folders created by the system; apart from that, all seems just fine. You could temporarily back up the files and format the external HDD, but even though I do not see what the problem is, this is perhaps over-the-top advice, if you will.

I shall remove used tools.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

• Remove disinfection tools
• Create registry backup
• Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

@ joaopaulo0511 . . .

Can you post me AllScans.txt from MCShield? You shall find that under the Logs tab.

Open Notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8fa"=-

KillAll::

Folder::
c:\users\João Paulo\AppData\Roaming\99b


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)