Shortcut virus on USB

Hello. My computer has been infected with a version of the shortcut virus, which has spread to many of my USB data storage devices. Could someone please help me remove this bugger? I will attach a few reports, based on the ones requested on this thread - https://forum.avast.com/index.php?topic=138715.75

These are the logs we need.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs; attach the logs, 3 logs total.

Also scroll down to … SPECIFIC INFECTIONS LOGS and follow the MCShield instructions >> This log you must copy and paste.

See below the box you write in … Attachments and other options.

A malware expert will then assist you when online.

Here are the logs.

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<

1/28/2016 12:12:45 PM > Drive C: - scan started (no label ~130 GB, NTFS HDD )...
=> The drive is clean.

1/28/2016 12:12:45 PM > Drive D: - scan started (no label ~400 GB, NTFS HDD )...
=> The drive is clean.

1/28/2016 12:12:45 PM > Drive E: - scan started (no label ~401 GB, NTFS HDD )...
=> The drive is clean.

1/28/2016 12:12:45 PM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )...
--> Executing generic S&D routine... Searching for files hidden by malware...
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.

G:\Fratila inst.lnk - Malware > Deleted. (16.01.28. 12.13 Fratila inst.lnk.359966; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.28. 12.13 notepad.vbe.214790; MD5: 2ec0d21e26c19971f255e45c84c5bef8)

=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.


::::: Scan duration: 45sec :::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<

1/28/2016 12:15:53 PM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )...
--> Executing generic S&D routine... Searching for files hidden by malware...
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.

G:\Fratila inst.lnk - Malware > Deleted. (16.01.28. 12.17 Fratila inst.lnk.938793; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.28. 12.17 notepad.vbe.624244; MD5: 2ec0d21e26c19971f255e45c84c5bef8)

=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.


::::: Scan duration: (Interactive mode) ::::


If curious, this was found by MCShield
https://www.virustotal.com/nb/file/ac15e55b601cce1553cd302dbbf234c4d566bb88c026ad1781048f4938e9e7de/analysis/

Let me know how the computer is after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Support Portable Program Link] => C:\zqyldymaoal\nktmdqoaac.exe
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Themes Tablet Reports Counter Keying] => C:\Users\Amariucai\AppData\Local\lkqcvwirowl.exe [1514496 2015-11-12] ()
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [Spooler Plug Device Services Resolution Windows] => C:\vesjihtm\lynreujfq.exe [318464 2015-11-13] ()
HKU\S-1-5-21-968950270-2579641966-2260496801-1000\...\Run: [notepad] => wscript.exe //B "C:\Users\Amariucai\AppData\Roaming\notepad\\notepad.vbe"
U3 pflyiuog; \??\C:\Users\AMARIU~1\AppData\Local\Temp\pflyiuog.sys [X]
2016-01-10 20:14 - 2015-11-12 20:46 - 00000000 ___HD C:\Windows\stmpegtpjyalw
C:\Windows\kbygzjah.exe
C:\Windows\lkqcvwirowl.exe
C:\Users\Amariucai\AppData\Local\lkqcvwirowl.exe
C:\vesjihtm
C:\zqyldymaoal
C:\Users\Amariucai\AppData\Roaming\notepad
C:\Users\Amariucai\Desktop\ytgdwd81.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti VBS/VBE to your desktop.

- Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
- After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
- Post that report.

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows; it is safe, so allow it to run.

Thank you for your reply. Here are the logs. I’ve peeked into the fixlog and into Task Manager’s processes, and the latter didn’t have the unknown random-stringed processes anymore. I haven’t plugged in any USB yet.

Before you plug in the USB, set MCShield up in the following way:

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick "unhide items on flash drives".

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the Logs tab on the main page,

and post that.

This is MCShield’s log.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.12.6.1 / Windows 7 <<<

1/29/2016 2:14:37 AM > Drive G: - scan started (no label ~7384 MB, FAT32 flash drive )...
--> Executing generic S&D routine... Searching for files hidden by malware...
--> Items to process: 1
--> G:\Fratila inst. Alim. MAC.docx > unhidden.

G:\Fratila inst.lnk - Malware > Deleted. (16.01.29. 02.15 Fratila inst.lnk.916180; MD5: 05d99e5b4cebeacb0a171e232c05d081)
G:\notepad.vbe - Malware > Deleted. (16.01.29. 02.15 notepad.vbe.715263; MD5: 2ec0d21e26c19971f255e45c84c5bef8)

=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.


::::: Scan duration: (Interactive mode) ::::


EDIT:
I have scanned and cleaned 2 other USB drives, and the bugger seems gone. They haven’t reverted to their shortcut-filled doppelgangers. My thanks to you, dear sir :)

Any further problems before I tidy up?