Shortcut virus on whole pc - location: cmd (C:\Windows\System32)

Some days ago I borrowed my cousin’s pendrive. After I was done with the pendrive, I keep seeing a mirror folder for every folder on my PC. When I put my mouse on a mirror folder, it shows ‘location: cmd (C:\Windows\System32)’.

Please help :frowning:
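The symptom in this post, a same-named shortcut beside every real folder whose tooltip resolves to cmd in C:\Windows\System32, is what a folder-mimic shortcut worm leaves behind. As an added example that is not part of this thread and not code from any of the tools mentioned in it, the Python below parses the Windows shell-link (.lnk) format to recover where such a shortcut really points (LocalBasePath, relative path, working directory, arguments) and flags .lnk files that shadow a hidden sibling folder. The .lnk bytes it checks are constructed inside the script with build_lnk(); the function names, the sample paths and the list of shell hosts are this example's own assumptions.

```python
import os
import struct
import sys

# Shell link (MS-SHLLINK) layout: a fixed 76-byte ShellLinkHeader, then optional
# LinkTargetIDList and LinkInfo blocks, then StringData blocks in a fixed order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]
# Script/shell hosts that a shortcut posing as a folder has no reason to launch (assumed list).
SHELL_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def _link_info(local_base_path: str) -> bytes:
    """Minimal LinkInfo: VolumeID (empty label) plus a NUL-terminated LocalBasePath."""
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"  # size, DRIVE_FIXED, serial, label offset
    base = local_base_path.encode("cp1252") + b"\0"
    header = 0x1C
    vol_off, base_off = header, header + len(volume_id)
    suffix_off = base_off + len(base)                              # empty CommonPathSuffix (one NUL)
    return (struct.pack("<IIIIIII", suffix_off + 1, header, 1, vol_off, base_off, 0, suffix_off)
            + volume_id + base + b"\0")


def build_lnk(local_base_path, relative_path="", working_dir="", arguments="") -> bytes:
    """Constructed sample shortcut (not a real worm artifact) for exercising parse_lnk()."""
    flags, strings = IS_UNICODE | HAS_LINK_INFO, b""
    for flag, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments)):
        if text:
            flags |= flag
            strings += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    return header + _link_info(local_base_path) + strings


def parse_lnk(data: bytes) -> dict:
    """Recover the real target, working directory and arguments from shell-link bytes."""
    if data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, fields = LNK_HEADER_SIZE, {}
    if flags & HAS_ID_LIST:                        # LinkTargetIDList: uint16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & 1:                         # VolumeIDAndLocalBasePath present (ANSI, NUL-terminated)
            end = data.index(b"\0", pos + base_off)
            fields["local_base_path"] = data[pos + base_off:end].decode("cp1252", "replace")
        pos += size
    for flag, name in STRING_DATA:                 # uint16 CountCharacters, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            pos += 2 + count * width
    return fields


def shortcut_reasons(fields: dict) -> list:
    """Why a shortcut looks like a folder mimic; an empty list means nothing suspicious."""
    target = fields.get("local_base_path") or fields.get("relative_path", "")
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe in SHELL_HOSTS:
        reasons.append(f"target is {exe}")
        if fields.get("arguments"):
            reasons.append("shell host is given a command line")
    return reasons


def mirrored_shortcuts(entries) -> list:
    """entries: (name, is_dir, hidden) triples from one directory listing.
    Returns .lnk names that shadow a hidden sibling directory of the same name."""
    hidden_dirs = {name.lower() for name, is_dir, hidden in entries if is_dir and hidden}
    return [name for name, is_dir, _ in entries
            if not is_dir and name.lower().endswith(".lnk") and name[:-4].lower() in hidden_dirs]


def scan_directory(path: str) -> list:
    """Run both checks on a real directory; the hidden attribute is only reported on Windows."""
    entries, findings = [], []
    for e in os.scandir(path):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append((e.name, e.is_dir(follow_symlinks=False), bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    findings += [(name, ["mirrors a hidden folder"]) for name in mirrored_shortcuts(entries)]
    for name, is_dir, _ in entries:
        if not is_dir and name.lower().endswith(".lnk"):
            try:
                with open(os.path.join(path, name), "rb") as f:
                    reasons = shortcut_reasons(parse_lnk(f.read()))
            except (OSError, ValueError, struct.error):
                continue
            if reasons:
                findings.append((name, reasons))
    return findings


# Constructed samples: one shaped like the poster's folder mimics, one ordinary program shortcut.
SAMPLE_MIMIC = build_lnk("C:\\Windows\\System32\\cmd.exe", "..\\..\\..\\Windows\\System32\\cmd.exe",
                         "C:\\Windows\\System32", "/c echo constructed sample")
SAMPLE_BENIGN = build_lnk("C:\\Program Files\\Example\\Example.exe")

if __name__ == "__main__":
    for label, blob in (("mimic", SAMPLE_MIMIC), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk(blob), shortcut_reasons(parse_lnk(blob)))
    if len(sys.argv) > 1:                          # e.g. the root of the unplugged pendrive
        print(scan_directory(sys.argv[1]))
```

Run it with a drive or folder path as the first argument to list every shortcut that either mirrors a hidden folder or launches a shell host; parse_lnk() skips the LinkTargetIDList and LinkInfo blocks by their own size fields, so it works on real shortcuts that carry both, not only on the constructed samples.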

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Note: Unplug your pendrive first…!!

“Some days ago I borrowed my cousin's pendrive”
That means your cousin's computer is also infected, and your cousin should come here and get it cleaned when you are done.

Monitoring …

Malwarebytes should target some part of this worm (make sure that MBAM’s ARK [anti-rootkit] is enabled) … Also, install MCShield as the instructions say.

Then, after running the scan with MBAM and MCShield, post the FRST diagnostic logs so that I can target any leftover or undetected malware …
When you run the FRST tool, make sure that both the Additional.txt and Shortcut.txt boxes are ticked. I shall need the following reports:

  • MBAM’s first created logfile (do not run MBAM more than one time);
  • MCShield’s AllScans.txt logfile;
  • FRST’s FRST.txt, Additional.txt and Shortcut.txt logfiles;

I had trouble with first time scanning in MBAM. So had to rescan and collect 2nd created log :-[

The rest.

Hello,

I have located the malware. The following FixList shall tell the FRST tool to act aggressively and remove the malware. As the next step we shall use ComboFix simply as a re-check.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.1.0\loggingserver.exe
Hosts:
HKU\S-1-5-21-247594364-2333977477-2517733694-1000\...\Run: [Windows Update] => C:\Google\Windowsupdate.lnk [754 2014-04-28] ()
HKU\S-1-5-21-247594364-2333977477-2517733694-1000\...\MountPoints2: {547d7261-d81b-11e2-813a-d43d7e4bd7e8} - J:\LaunchU3.exe -a
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKCU - {D92E4870-4F0A-452A-A2D0-C3880838362A} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN20569348071353914&UM=1
CHR HKLM\...\Chrome\Extension: [aaaaipkbmjkakicapiinmamgjlkaeehh] - C:\ProgramData\AskPartnerNetwork\Toolbar\KMPV7\CRX\ToolbarCR.crx [2014-03-28]
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Shakib\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2013-05-23]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 vToolbarUpdater3.1.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.1.0\ToolbarUpdater.exe [1814040 2014-08-08] (AVG Secure Search)
U3 aswMBR; \??\C:\Users\Shakib\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\Shakib\AppData\Local\Temp\aswVmm.sys [X]
C:\Skypee
C:\Google
C:\ProgramData\ProgramData.lnk
C:\Windows\ava37B7.tmp
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater
C:\ProgramData\AskPartnerNetwork
C:\Users\Shakib\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx
CMD: type C:\DelFix.txt
CMD: type C:\fixlist.txt
CMD: type C:\Users\Shakib\Desktop\Gmer.log
EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this, please read this or this instruction.

  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

     - ComboFix will check if there is a newer version of ComboFix available.
       Click Yes if prompted to download.
     - If the Recovery Console is not installed, ComboFix will offer to download and install it.
       Click Yes to allow ComboFix to install the Recovery Console.

     • ComboFix will scan your computer in stages, a total of 50 stages.
       Do not mouse-click around while ComboFix is running.
     • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
       Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
     => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Sorry for replying after a long time.
Reason: I’ve run the ComboFix scan; the dialogue box comes, the scan starts. I’ve let it run for 10 hours but nothing develops and it’s just stuck at ‘however scanning times for badly infected machines may easily double’.
I run Windows 7.

ComboFix’s scan time should not take longer than ~half an hour.
Ok, just restart the machine by pressing the hardware reset button. When Windows loads again, we shall re-try ComboFix.

  • Restart the system;

  • Delete the old ComboFix.exe icon (drag&drop it into the Recycle Bin) and download a new, fresh copy of the tool from here:
    http://www.bleepingcomputer.com/download/combofix/

  • Disable security software

  • Open notepad and copy/paste the text present inside the code box below:

StepDell::
KillAll::
ClearJavaCache::
NoMBR::

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Hello :slight_smile:

Combo had complete run. Here’s log reports ~

Ok Adnan3, here is the thing.

In the past you have used a FixList for FRST. Who created this fix for you? It contains legit files marked for removal…

This is the content of the earlier used FixList. The bolded entries are of legitimate origin.

Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
C:\Users\Max\AppData\Roaming\Microsoft.vbs
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs

HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
C:\Users\Max\AppData\Local\Temp
cmd: ipconfig /flushdns

… … …

ComboFix has done a great job in cleaning. We will use ComboFix one more time but this time again with CFScript.

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

DirLook::
c:\users\Shakib\AppData\Local\MFAData

DDS::
TCP: Interfaces{BA935818-33DB-4A23-AB67-EABE757A0F65}: NameServer = 203.76.96.5,61.10.1.130
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\3.1.0\ViProtocol.dll

KillAll::

File::
c:\program files\GUT8D5C.tmp

Folder::
c:\programdata\AVG Security Toolbar
c:\programdata\AVG Secure Search

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


  • Re-run the FRST tool.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
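The helper's point in the post above is that a fixlist is only as good as the judgement behind it: the earlier list marked files of legitimate origin for removal next to the Microsoft.vbs persistence in the Roaming profile. As an added example that is not part of this thread and not code from FRST, the Python below parses autostart lines in the shape FRST prints them (`HKxx\...\Run: [Name] - path [size date] (Publisher)` and `Startup: path (Publisher)`) and scores each against a few defender heuristics: script or shortcut target, user-writable location, Windows-sounding name outside the Windows directory, no publisher. An unsigned vendor script under Program Files collects fewer reasons than the AppData and C:\Google entries seen in this thread's logs, so a threshold separates them. The sample lines (with a placeholder SID), the regexes, the heuristics and the threshold are this example's own assumptions.

```python
import re

# Constructed sample lines in FRST's autostart format (the SID is a placeholder).
SAMPLE_LINES = [
    "HKLM\\...\\Run: [IntelTBRunOnce] - C:\\Program Files\\Intel\\TurboBoost\\RunTBGadgetOnce.vbs [4526 2010-11-29] ()",
    "HKCU\\...\\Run: [Microsoft] - C:\\Users\\Max\\AppData\\Roaming\\Microsoft.vbs [32768 2013-06-08] ()",
    "HKU\\S-1-5-21-EXAMPLE-1000\\...\\Run: [Windows Update] => C:\\Google\\Windowsupdate.lnk [754 2014-04-28] ()",
    "Startup: C:\\Users\\Max\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft.vbs ()",
    "HKLM\\...\\Run: [ExampleVendor Updater] - C:\\Program Files\\ExampleVendor\\Updater.exe [12345 2014-01-01] (Example Vendor Ltd)",
]

# Run-key line: hive, "[name]", "-" or "=>", path, optional "[size date]", "(publisher)".
RUN_LINE = re.compile(
    r"^(?P<hive>HK\w+)\\.*?\\Run: \[(?P<name>[^\]]+)\]\s*(?:=>|-)\s*(?P<path>.*?)"
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?\s*\((?P<publisher>[^)]*)\)\s*$")
STARTUP_LINE = re.compile(r"^Startup: (?P<path>.*?)\s*\((?P<publisher>[^)]*)\)\s*$")

SCRIPT_LIKE = (".vbs", ".lnk", ".bat", ".cmd", ".js", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")
IMPERSONATED = ("microsoft", "windows")


def parse_autostart(line: str):
    """Return {'name', 'path', 'publisher'} for a Run-key or Startup line, else None."""
    m = RUN_LINE.match(line)
    if m:
        return {"name": m["name"], "path": m["path"], "publisher": m["publisher"]}
    m = STARTUP_LINE.match(line)
    if m:
        return {"name": m["path"].rsplit("\\", 1)[-1], "path": m["path"], "publisher": m["publisher"]}
    return None


def risk_reasons(entry: dict) -> list:
    """Defender heuristics; each hit is one reason, so a reviewer sees why an entry scored."""
    path, name = entry["path"].lower(), entry["name"].lower()
    reasons = []
    if path.endswith(SCRIPT_LIKE):
        reasons.append("autostart target is a script or shortcut, not a program")
    if any(d in path for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable profile or ProgramData path")
    elif not path.startswith(TRUSTED_ROOTS):
        reasons.append("target is outside Program Files / Windows")
    if any(w in name for w in IMPERSONATED) and not path.startswith("c:\\windows\\"):
        reasons.append("Windows-sounding name for a file outside the Windows directory")
    if not entry["publisher"]:
        reasons.append("no publisher recorded")
    return reasons


def triage(lines, threshold: int = 3) -> list:
    """(name, reasons) for entries with at least `threshold` reasons; the rest need a human look."""
    flagged = []
    for line in lines:
        entry = parse_autostart(line)
        if entry:
            reasons = risk_reasons(entry)
            if len(reasons) >= threshold:
                flagged.append((entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES):
        print(f"{name}: " + "; ".join(reasons))
```

With the default threshold the unsigned Intel script under Program Files scores two reasons and stays off the list, while the three entries that point into the user profile or C:\Google score four each; lower the threshold to two if you would rather review every unsigned script by hand.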

Did exactly as you said. Dragged the file onto combofix.exe. The dialogue box came, the scan started. Let it run 8-9 hours overnight. In the morning I saw it was stuck at ‘however, scanning time for badly infected machines may easily double’ and the net connection was discontinued. Net’s been off since then. Contacted the net provider, they said it’s gonna take time to repair it. Replying to you from a friend’s computer.

Please help :cry:

Hello,

The internet connection is temporarily shut down by the tool. The connection shall be restored on system restart.

So, abort the ComboFix via force restart. Then as before, delete old ComboFix and download fresh one from official link above.

Disable security software, and create a new CFScript but with this script:

StepDell::

ClearJavaCache::

DirLook::
c:\users\Shakib\AppData\Local\MFAData

DDS::
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\3.1.0\ViProtocol.dll

KillAll::

File::
c:\program files\GUT8D5C.tmp

Folder::
c:\programdata\AVG Security Toolbar
c:\programdata\AVG Secure Search

NoMBR::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Drag CFScript.txt into ComboFix and that should start the tool. As I said, the scan time for ComboFix shouldn’t take more than ~30 min.

Hello magna :slight_smile:

Combo has run fine.
Here’s log reports~

Good. Just make sure that AntiVirus and MCShield are enabled and active. The posted logs look clean.

Tell me, how is the computer’s behavior now?

Ok. It seems after checking out that PC has no malware.

Thanks to you from my heart’s bottom for unselfishly helping me from A TO Z. May god bless you magna !

Ok ! Now It seems after checking out that MY PC has no malware.

Magna, thanks to you from my heart’s bottom for unselfishly helping me from A TO Z. God bless you.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

Please post the DelFix.txt log report here.

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Hello,

Understood.
Computer’s behavior is fine. It seems after checking out that my pc has no malware !

Thanks a lot for your huge help, magna !!