Hello. My computer has been infected with a version of the shortcut virus, which has spread to many of my USB data storage devices. Could someone please help me remove this bugger? I will attach a few reports, based on the ones requested on this thread - https://forum.avast.com/index.php?topic=138715.75
these are the logs we need
follow instructions here https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total
also scroll down to … SPECIFIC INFECTIONS LOGS and follow MCShield instructions >> This log you must copy and paste
see below the box you write in … Attachments and other options
a malware expert will then assist you when online
Here are the logs.
MCShield AllScans.txt <<<
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<
1/28/2016 12:12:45 PM > Drive C: - scan started (no label ~130 GB, NTFS HDD )…
=> The drive is clean.
1/28/2016 12:12:45 PM > Drive D: - scan started (no label ~400 GB, NTFS HDD )…
=> The drive is clean.
1/28/2016 12:12:45 PM > Drive E: - scan started (no label ~401 GB, NTFS HDD )…
=> The drive is clean.
1/28/2016 12:12:45 PM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )…
--> Executing generic S&D routine… Searching for files hidden by malware…
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.
G:\Fratila inst.lnk - Malware > Deleted. (16.01.28. 12.13 Fratila inst.lnk.359966; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.28. 12.13 notepad.vbe.214790; MD5: 2ec0d21e26c19971f255e45c84c5bef8)
=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.
::::: Scan duration: 45sec :::::::::::::::::
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<
1/28/2016 12:15:53 PM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )…
--> Executing generic S&D routine… Searching for files hidden by malware…
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.
G:\Fratila inst.lnk - Malware > Deleted. (16.01.28. 12.17 Fratila inst.lnk.938793; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.28. 12.17 notepad.vbe.624244; MD5: 2ec0d21e26c19971f255e45c84c5bef8)
=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.
::::: Scan duration: (Interactive mode) ::::
If curious, this was found by MCShield
https://www.virustotal.com/nb/file/ac15e55b601cce1553cd302dbbf234c4d566bb88c026ad1781048f4938e9e7de/analysis/
Let me know how the computer is after this
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Support Portable Program Link] => C:\zqyldymaoal\nktmdqoaac.exe
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Themes Tablet Reports Counter Keying] => C:\Users\Amariucai\AppData\Local\lkqcvwirowl.exe [1514496 2015-11-12] ()
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Spooler Plug Device Services Resolution Windows] => C:\vesjihtm\lynreujfq.exe [318464 2015-11-13] ()
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [notepad] => wscript.exe //B "C:\Users\Amariucai\AppData\Roaming\notepad\\notepad.vbe"
U3 pflyiuog; \??\C:\Users\AMARIU~1\AppData\Local\Temp\pflyiuog.sys [X]
2016-01-10 20:14 - 2015-11-12 20:46 - 00000000 ___HD C:\Windows\stmpegtpjyalw
C:\Windows\kbygzjah.exe
C:\Windows\lkqcvwirowl.exe
C:\Users\Amariucai\AppData\Local\lkqcvwirowl.exe
C:\vesjihtm
C:\zqyldymaoal
C:\Users\Amariucai\AppData\Roaming\notepad
C:\Users\Amariucai\Desktop\ytgdwd81.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Download Anti VBS/VBE to your desktop
- Download the appropriate version (32-bit or 64-bit) and double-click the file to run it.
- After a couple of seconds (it might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
- Post that report
Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run
Thank you for your reply. Here are the logs. I’ve peeked into the fixlog and into task manager’s processes, and the latter didn’t have the unknown random-stringed processes anymore. I haven’t plugged in any USB yet.
before you plug in the USB set MCShield up in the following way
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan
Then get the log which will be located under the logs tab on the main page
And post that
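The MCShield steps above boil down to three checks on the flash drive: shortcuts that launch a script host, a script file dropped in the drive root, and user files flagged Hidden+System so that only the shortcuts show. The following script is an added example (not MCShield's code or anything from this thread) that runs those checks on a drive letter you pass in and reports findings; it assumes PowerShell 4 or later (for Get-FileHash) and a script file name of your choosing, and only clears attributes when you pass -Unhide.

```powershell
# Added example: triage a removable drive for "shortcut virus" artifacts.
# Report-only by default; -Unhide clears Hidden+System on user items.
param(
    [Parameter(Mandatory)][string]$Drive,   # e.g. 'G:' (assumed drive letter)
    [switch]$Unhide
)
$root  = $Drive.TrimEnd('\') + '\'
$shell = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Shortcuts whose target or arguments invoke a script host or command shell
#    (the log above shows a .lnk paired with wscript.exe //B ...notepad.vbe).
Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
    if ($cmd -match '(?i)\b(wscript|cscript|cmd|powershell|mshta)(\.exe)?\b') {
        $findings += [pscustomobject]@{ Type='SuspiciousShortcut'; Path=$_.FullName; Detail=$cmd }
    }
}

# 2. Script files sitting in the root of the drive; MD5 is recorded so it can
#    be compared with the hashes MCShield reports.
Get-ChildItem -LiteralPath $root -File -Force |
    Where-Object { $_.Extension -match '^\.(vbe|vbs|js|jse|wsf|bat|cmd)$' } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        $findings += [pscustomobject]@{ Type='ScriptInRoot'; Path=$_.FullName; Detail=$hash }
    }

# 3. Items carrying Hidden+System, the combination used to hide the real files
#    (MCShield's "unhide items on flash drives" undoes exactly this).
Get-ChildItem -LiteralPath $root -Force | Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    ($_.Attributes -band [IO.FileAttributes]::System) -and
    ($_.Name -notin @('System Volume Information', '$RECYCLE.BIN'))
} | ForEach-Object {
    $findings += [pscustomobject]@{ Type='HiddenSystemItem'; Path=$_.FullName; Detail=$_.Attributes }
    if ($Unhide) { & attrib.exe -s -h "$($_.FullName)" }   # works for files and folders
}

$findings | Format-Table -AutoSize
```

Run it as .\Triage-UsbDrive.ps1 -Drive G: (assumed file name) before and after a cleanup to confirm the shortcuts and script file are gone and the original documents are visible again.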
This is MCShield’s log.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<
1/29/2016 2:14:37 AM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )…
--> Executing generic S&D routine… Searching for files hidden by malware…
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.
G:\Fratila inst.lnk - Malware > Deleted. (16.01.29. 02.15 Fratila inst.lnk.916180; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.29. 02.15 notepad.vbe.715263; MD5: 2ec0d21e26c19971f255e45c84c5bef8)
=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.
::::: Scan duration: (Interactive mode) ::::
EDIT:
I have scanned and cleaned 2 other USB drives, and the bugger seems gone. They haven’t reverted to their shortcut-filled doppelgangers. My thanks to you, dear sir
Any further problems before I tidy up?