Shortcut virus - location: cmd (C:\Windows\System32) ????

Hello,

today my USB drive picked up a virus from an Internet cafe. It was infected, and now every time I insert a USB drive into the laptop, my files turn into shortcuts.
I right-clicked one of the shortcuts and looked at where its target location is, and it’s somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe.

I read about the solution to the problem in an older post and I am doing the whole procedure. I would like to ask if I could send the .txt files to someone, so that I can go on.

Thanks in advance

First, disconnect any USB drives…!!

Then:
Please attach your logs (MBAM, OTL and aswMBR…!!).
Instructions: http://forum.avast.com/index.php?topic=53253.0

Monitoring

Hi,
I’ve done the whole procedure with adwcleaner, farbar and gmer.
If it’s not sufficient, I will do the whole procedure with mbam and so on.
The logs from adwcleaner, Farbar and gmer are attached.

Hi,

Asyn has pointed you to the official thread for attaching the logfiles for analysis.

Doesn’t matter, I will look at your logs later. Can’t do it now … :frowning:

Hi,
I’ve also done a scan with mbam, otl, aswMBR and roguekiller.
The logs are attached.

Hi, here is the thing:

FRST logs show traces of active worms. In addition, GMER shows some possibly suspicious activity. This in principle means that, besides the FRST Fix, we need to deploy an equally powerful anti-rootkit tool as an alternative to GMER.

Important notice: Your USB devices are infected as well. Do NOT use/attach USB memory devices until I tell you so. We shall clean the USBs when the host system is clean. :wink:


FRST’s FixList


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
(Microsoft Corporation) C:\Windows\System32\wscript.exe
C:\Users\Christine\AppData\Local\Temp\*.vbs
C:\Users\Christine\AppData\Local\Temp\*.sys
C:\Users\Christine\AppData\Local\Temp\*.exe
C:\Users\Christine\AppData\Local\Temp\*.dll
C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\Run: [11111] - wscript.exe //B "C:\Users\CHRIST~1\AppData\Local\Temp\11111.vbs" <===== ATTENTION
HKU\S-1-5-21-4049588947-1142049457-3320450371-1001\...\MountPoints2: {d2038de5-8483-11e1-a1f6-806e6f6e6963} - D:\Start.exe
Startup: C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs ()
SearchScopes: HKCU - {C61E1C84-8698-43CB-847A-DB4DEF267E34} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=181339a5-dbc4-4c0b-87b3-e912eaeeeb5b&apn_sauid=16EE819A-288F-4745-8FC5-B71ABCC6A83D
U3 kglcyuod; \??\C:\Users\CHRIST~1\AppData\Local\Temp\kglcyuod.sys [X]
CMD: RD /S /Q %TEMP%
Reboot:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


MB’s AntiRootKit


Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop.
https://www.malwarebytes.org/antirootkit/

Double-click on the MBAR file and allow it to run.
•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

mbar.exe will launch automatically. Please be patient and wait for the program to open…
•Click ‘Next’ …
•On the Update Database screen, click on the ‘Update’ button.
•Once you see ‘Success: Database was successfully updated’ click on 'Next’, then click the Scan button.

Small notice: with some infections, you may see two message boxes:
-‘Could not load protection driver’. Click ‘OK’.
-‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. MBAR shall restart your machine and, after the restart, finish the cleaning process.

You’ll find the log in that mbar folder as MBAR-log-***.txt .
Please post MBAR’s log in your next reply.
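The persistence chain the fixlist above removes (a Run key launching wscript.exe on a .vbs in Temp, a copy of the same script in the Startup folder, and a MountPoints2 entry pointing at D:\Start.exe) is the shape a defender looks for in any FRST log. The following Python triage is an added example, not from this thread or from FRST's author: it flags those three shapes in constructed sample lines, while leaving benign autostarts alone; the user name, SID and GUID in the samples are placeholders.

```python
import re

# Constructed sample lines in FRST's report style, modelled on the entries
# the fixlist above removes. User name, SID and GUID are placeholders.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-0-0-0-1001\...\Run: [11111] - wscript.exe //B "C:\Users\ALICE~1\AppData\Local\Temp\11111.vbs"',
    r'HKU\S-1-5-21-0-0-0-1001\...\MountPoints2: {d2038de5-0000-0000-0000-000000000000} - D:\Start.exe',
    r'Startup: C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11111.vbs ()',
    r'HKLM\...\Run: [SecurityHealth] - C:\Windows\System32\SecurityHealthSystray.exe',
    r'Startup: C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk ()',
]

# Script hosts a USB worm typically hides behind, the user-writable folders
# where a dropped script usually lives, and the script extensions to flag.
SCRIPT_HOSTS = re.compile(r'\b(wscript|cscript)\.exe', re.I)
USER_WRITABLE = re.compile(r'\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData)\\', re.I)
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|bat|cmd)\b', re.I)

# FRST line shapes: Run-key entry, Startup-folder entry, MountPoints2 entry.
RUN_ENTRY = re.compile(r'^HK(?:LM|CU|U\\[^\\]+)(?:-x32)?\\\.\.\.\\Run: \[(.*?)\] - (.*)$')
STARTUP_ENTRY = re.compile(r'^Startup: (.*?) \(.*\)$')
MOUNTPOINT_ENTRY = re.compile(
    r'^HKU\\[^\\]+\\\.\.\.\\MountPoints2: \{[0-9a-f-]+\} - ([A-Z]:\\.*)$', re.I)


def triage_frst_lines(lines):
    """Return (line, reason) pairs for autostart entries that fit the USB
    shortcut-worm pattern: a script host run on a script in a user-writable
    folder, a script in the Startup folder, or a MountPoints2 entry that
    auto-runs a program from a non-system (removable) drive."""
    findings = []
    for line in lines:
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group(2)
            if SCRIPT_HOSTS.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append((line, 'Run key launches a script host on a script in a user-writable folder'))
            continue
        m = STARTUP_ENTRY.match(line)
        if m:
            if SCRIPT_EXT.search(m.group(1)):
                findings.append((line, 'script file placed in the Startup folder'))
            continue
        m = MOUNTPOINT_ENTRY.match(line)
        if m and not m.group(1).lower().startswith('c:\\'):
            findings.append((line, 'MountPoints2 autorun points at a program on a non-system drive'))
    return findings
```

Run it over the lines of a real FRST.txt (`triage_frst_lines(open('FRST.txt', encoding='utf-8', errors='replace').read().splitlines())`) to get a shortlist to review by hand; it is a triage aid, not a verdict.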

Hi,
the fixlog and MBAR log are attached.

Hi,

I have two pieces of good news. FRST has removed the malware and MBAR did not detect any rootkit activity …

Now I would like you to post me the fresh FRST.txt to confirm that there is no loaded malware on your system. But before you run a FRST scan, I would like to clean your USB devices, as they are infected. If we do not clean them, re-infections may occur. So, first the MCShield scan, then re-check with FRST.


MCShield Scan


Please download MCShield from one of the following links:

MCShield -Official download link

•Double-click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
•Wait a few seconds for MCShield to finish the initial HDD scan…
•Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
•When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), for the AllScans.txt log section click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post AllScans.txt here

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


FRST Re-scan


Just re-run the tool (FRST), hit the Scan button and post me the fresh FRST.txt log report.

Hi, here are the fresh FRST.txt and AllScans.txt.

I think the virus is gone!
Thank you very, very much for the fast response and help!!!

Check back later and Magna will remove the tools used if all is ok :wink:

Hi durstigestier,

As you can see from MCShield’s logs, your USB devices had been infected but they are all now disinfected. The posted FRST logs show as clean. No more malware. 8)
However, FRST shows some leftovers of previously installed adware. We shall use FixList one more time to remove that as well and to re-clean the Temp files.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
C:\Users\Christine\Desktop\RK_Quarantine
C:\Program Files (x86)\Ask.com
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2421} URL =
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Here is the fixlog.txt.

That’s it. :wink:

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
•Remove disinfection tools
•Create registry backup
•Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

I recommend you keep and use Malwarebytes and MCShield if you will.
MyCity - Official download link

MCShield shall prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

Thank you very much!!!

Hi, I am unable to start up Windows even after running Startup Repair several times. I have generated the FRST log. Can anyone help me with this?

Hey eunicet87, welcome to the forum. Please start a new thread and attach the FRST log there; a malware expert will help you there.