Hi!
Every time I save movies or documents on my USB and insert/open it on another laptop, when I open the movie icon it doesn't play and cmd.exe appears.
All files on my USB turn out to be shortcuts.
Your help is much needed.
Thank you.
Hey, and welcome to the forum. It sounds like your USB is infected. Please unplug it and follow this guide:
http://forum.avast.com/index.php?topic=53253.0
We need the logs from MBAM, OTL and aswMBR.
A malware expert will help you from there.
And do not plug in the USB until the expert says it's a green light to do so.
Good luck.
Hello,
Download USBFix first: http://www.telecharger.sosvirus.net/download/usbfix/
Run it, click on Clean (Deletion) and attach the report.
Attached is the log file.
I didn’t ask to do “Research”
Attached are the log files.
Do you read what I write?
Easy g3n,
Brey, open up USBFix again. Click "Clean/Deletion". Attach that report. Not Research.
As for the OTL logs, I will run through them quickly. g3n, he posted them because Mikael asked for them.
Hi, you have a lot of adware.
When I say a lot, that is almost breaking the record for the largest MBAM log I've ever seen.
Please download Unchecky to your desktop. Install it.
What it does is uncheck the boxes you seem not to uncheck (aka, prevents the adware from slowing your PC). It's fully compatible with Avast!
Hello,
Just wanted to say it's useless to do the rest without eradicating this infection; he will have to do it again afterward. Except Malwarebytes
and aswMBR for a USB infection, I don't understand why, without seeing whether there's a rootkit or bootkit in a diagnostic log (8 times out of 10 it's useless; I've already said that in the past).
Hi,
I've received permission from g3n to take over.
I will use different tools than him.
Please note: I don’t have a lot of training. The tools I will use will target only certain files. In your case VBS files.
Please download Anti-VBS/VBE x86 to your desktop. Run the program and attach Anti-VBSVBE.txt in your next reply.
THEN
Download MCShield to your desktop. Plug in all USB devices you use into your computer. MCShield will scan them. Attach the log AllScans.txt.
THEN
Run a Quick Scan of OTL.
After, I will have g3n-h@ckm@n come back and look over the OTL log.
Attached is a log for Anti-VBS.
Log file for MCShield.
Hi, looks like MCShield picked up the VBS infection.
Note: MCShield is a very useful program. I'd suggest keeping it around to prevent further infection. (MCShield will auto-detect any VBS file.) Can you re-run OTL on Quick Scan and attach the log? I'd like to make sure it's gone.
By the way, this was your infection:
O4 - HKU\S-1-5-21-29226177-2797569431-4076014346-1000..\Run: [sdfsgj] wscript.exe //B "C:\Users\USER\AppData\Local\Temp\sdfsgj.vbs" File not found
And, I suggest you stop using uTorrent.
Is the root (Active part) of the infection gone?
Hi,
Just an update. Now that I've had you go through Anti-VBS/VBE, I've asked magna86 to come help you the rest of the way. When he arrives, please listen to him. The infection does seem to be more extensive than I know how to remove.
Edit: Just going through the logs again. You'll have remnants:
[2014/03/10 13:11:44 | 000,060,594 | -HS- | C] () -- C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfsgj.vbs
O4 - Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfsgj.vbs ()
Hopefully Magna will take care of those.
Hi Breymon,
I'll be working on your malware issues ...
Three steps, perform one by one:
- Detach USB devices. Do NOT use any USB device while cleaning is in progress.
- Re-run OTL.exe.
  - Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Processes
wscript.exe
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKU\S-1-5-21-29226177-2797569431-4076014346-1000\..\SearchScopes\{B782F22C-BB0A-4653-BF20-AFB286FEE882}: "URL" = http://www.mysearchresults.com/search?c=3523&t=01&q={searchTerms}
FF - HKCU\Software\MozillaPlugins\@tightropeinteractive.com/Plugin: C:\Users\USER\AppData\Local\TNT2\2.0.0.1663\npTNT2.dll File not found
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP4884FE15-4AFA-4B68-AC16-F10F359F4332&q={searchTerms}&SSPV=
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms},
O4 - HKU\S-1-5-21-29226177-2797569431-4076014346-1000..\Run: [sdfsgj] wscript.exe //B "C:\Users\USER\AppData\Local\Temp\sdfsgj.vbs" File not found
O4 - Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfsgj.vbs ()
F3 - HKU\S-1-5-21-29226177-2797569431-4076014346-1000 WinNT: Load - (C:\Users\USER\LOCALS~1\Temp\ccavzxccu.exe) - File not found
O27 - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O33 - MountPoints2\{5682d94b-2cdb-11df-b6e8-000df07632fc}\Shell - "" = AutoRun
O33 - MountPoints2\{5682d94b-2cdb-11df-b6e8-000df07632fc}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{9d06cd67-14bc-11df-af15-000df07632fc}\Shell - "" = AutoRun
O33 - MountPoints2\{9d06cd67-14bc-11df-af15-000df07632fc}\Shell\AutoRun\command - "" = G:\.\ShowModem.exe
:Files
dir C:\FRST /c
C:\install.exe
C:\Users\USER\AppData\Roaming\mozilla\Firefox\Profiles\xdfua2ld.default\extensions\{21D93807-FE23-3647-D96B-51819DE2CD46}
C:\Users\USER\AppData\Roaming\mozilla\Firefox\Profiles\xdfua2ld.default\extensions\34f57b0c-8cdb-4914-818c-928df47c6c4f@3a243122-a6fc-40c9-a1e6-ba11e930da09.com
C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\xdfua2ld.default\extensions\{25d71abf-7776-46f5-a269-9951331f9030}.xpi
C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\xdfua2ld.default\extensions\{f9d03c26-0575-497e-821d-f7956d23e0ca}.xpi
C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\xdfua2ld.default\searchplugins\utorrentcontrolv6-customized-web-search.xml
C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaabcbmongicmdegkmmfgdickgnnob
C:\Users\USER\AppData\Local\Temp\*.vbs
C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs
DEL %TEMP%\*.* /F /S /Q /c
:Commands
[Reboot]
  - Then click the Run Fix button at the top.
  - Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:
C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
- Make sure MCShield is active, re-attach all your USB devices and allow MCShield to perform the cleaning.
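As an added illustration (not code from this thread, OTL, MCShield or USBFix), here is a small Python triage helper that scans OTL-style log lines for the indicator types that the fix above removes and that were called out as "your infection" earlier: the wscript.exe //B Run entry, VBS files autostarting from Temp or Startup, IFEO Debugger redirections and MountPoints2 AutoRun commands. The sample lines are constructed in the same format as the entries quoted in the thread, and the rule names are my own assumptions.

```python
import re

# Constructed sample in OTL's log format, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKU\S-1-5-21-1\..\Run: [sdfsgj] wscript.exe //B "C:\Users\USER\AppData\Local\Temp\sdfsgj.vbs" File not found
O4 - Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfsgj.vbs ()
O4 - HKLM\..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O33 - MountPoints2\{5682d94b}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{5682d94b}\Shell - "" = AutoRun
"""

# Each rule pairs a pattern with the reason a matching line deserves a look.
# Order matters: the first matching rule wins, so the most specific come first.
RULES = [
    (re.compile(r"^O4 - .*\bwscript\.exe\s+//B\b", re.I),
     "Run entry launches a script silently via wscript.exe //B"),
    (re.compile(r"^O4 - .*\\(Temp|Startup)\\[^\\]+\.vb[se]\b", re.I),
     "VBS/VBE autostart from Temp or Startup folder"),
    (re.compile(r"^O27 - .*IFEO\\.*Debugger - ", re.I),
     "Image File Execution Options debugger redirection"),
    (re.compile(r'^O33 - MountPoints2\\.*\\command - "" = ', re.I),
     "removable-drive AutoRun command"),
]


def triage_otl(text):
    """Return (section, reason, line) for every log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        for pattern, reason in RULES:
            if pattern.search(line):
                # The OTL section tag (O4, O27, O33) is everything before the first " - ".
                findings.append((line.split(" - ", 1)[0], reason, line))
                break
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_otl(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Lines that match are candidates for a fix list, not proof of infection on their own; a legitimate Run entry such as the AvastUI line passes through untouched.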
Thanks Magna,
breymon, from now on, listen to magna. He is much more trained than I am. No doubt about that. If you have any questions, please direct them to him.
Hi,
UsbFix is easy to use.
The VB infection here is an infection of the Dinihou type (FR info on Dinihou: http://www.sosvirus.net/infection-dinihou-vous-explique-son-fonctionnement-t4852.html).
UsbFix takes care of this family of infection.
Tutorial: http://www.en.usbfix.net/2014/02/usbfix-tutorial-clean-option/
Infection spreading through USB peripherals, what is it?: http://www.en.usbfix.net/2014/03/infections-spreading-usb-peripherals/
Cordially,
El Desaparecido.
I presume you are from the SOSVirus team with g3n?
Not to "put you down", but there'll be many ways to fix this, including MCShield, which also picked the infection up. To prevent further infection, Magna has provided a fixlist that will remove the VBS file and any run keys on the machine.
With USBFix, no need for a fixlist; the tool does it all at the same time.