Shortcut virus / wscript

I have been infected with a virus from a friend's pendrive. All pendrives I connect to my system get their files hidden as protected system files, and “*.lnk” shortcuts are created for each hidden file. There is a “MICROS~1.VBS” file on the pendrive which reappears every time I delete it.

I have updated versions of Avast, AutorunExterminator, mshield2, Malwarebytes Anti-Malware … none of which has solved the problem.

I did try two programs from cnet.com, Shortcut Virus Remover and another one I don't remember, after which there is a “wscript.exe” infection that Avast constantly blocks from accessing some website. This too isn't being solved by any of the programs, except Avast blocking it.
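For anyone triaging a drive with the symptoms described above, here is an added PowerShell example (not from the original post or any of the tools named in it). It treats a removable drive as infected when it carries .lnk files whose target invokes the Windows Script Host or a script file, a script dropper at the root, and files marked Hidden+System; that pattern, the drive letter, the -Clean switch and the script name used in the usage line are this example's own assumptions. It only reports unless -Clean is given, and needs PowerShell 3 or later run as administrator.

```powershell
# usb-triage.ps1 (hypothetical name) -- added example, not the thread's own code.
# Usage:  .\usb-triage.ps1 -Drive H:          (report only)
#         .\usb-triage.ps1 -Drive H: -Clean   (delete lures/dropper, unhide files)
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. 'H:' (assumed input)
    [switch]$Clean                                  # report only unless given
)

$root = $Drive.TrimEnd('\') + '\'
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $Drive not found" }

$wsh = New-Object -ComObject WScript.Shell   # used only to READ .lnk targets

# 1. Shortcuts whose target runs wscript/cscript or a script file: the worm's lures.
#    The regex is this example's heuristic, not a signature from any vendor.
$badLnk = @(Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sc  = $wsh.CreateShortcut($_.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        if ($cmd -match '(?i)(wscript|cscript)\.exe|\.(vbs|vbe|js|jse)\b') {
            [pscustomobject]@{ Shortcut = $_.FullName; Command = $cmd }
        }
    })

# 2. Script files sitting at the drive root (the dropper body, e.g. MICROS~1.VBS).
$scripts = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(vbs|vbe|js|jse|bat|cmd)$' })

# 3. Everything flagged Hidden+System so Explorer hides it, skipping the two
#    folders Windows itself marks that way.
$hidden = @(Get-ChildItem -LiteralPath $root -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
        $_.FullName -notmatch '\\(System Volume Information|\$RECYCLE\.BIN)(\\|$)'
    })

"Suspicious shortcuts : $($badLnk.Count)"
$badLnk  | Format-Table -AutoSize -Wrap | Out-Host
"Script files at root : $($scripts.Count)"
$scripts | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-Host
"Hidden+System items  : $($hidden.Count)"

if ($Clean) {
    # Remove lures and dropper first so nothing can relaunch the payload, then
    # clear the attributes; attrib.exe works on both FAT and NTFS volumes.
    $badLnk  | ForEach-Object { Remove-Item -LiteralPath $_.Shortcut -Force }
    $scripts | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }
    foreach ($item in $hidden) { & attrib.exe -s -h -r "$($item.FullName)" }
    "Cleanup done on $Drive. Re-run without -Clean to confirm nothing is left."
}
```

Cleaning the stick does nothing while the dropper still runs from the host's Run key and Startup folder (it just re-infects the next drive), so run this from a machine that is already clean, and never double-click any of the listed .lnk files to "see what they do".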

Hi,
Please attach here the AllScans.txt created by MCShield, and the Malwarebytes log. Also …

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that is the right version.

[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

THEN

Please download GMER, the AntiRootKit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

[*]Wait for the initial scan to finish; if there is any query, click No;
[*]Click the [ Scan ] button and wait until the full scan is complete;
[*]Click the [ Save … ] button and save the report to the Desktop (named ARK);

Please attach GMER's log (ARK.txt) here.

Attached

Attached 2 more … the ARK file is more than the limit for attachments here… what do I do?

Only your last post has attachments…

Attached

How do I send the ARK file?

Upload it to a file-sharing site and give the download link here.

ARK.log

This is what MCShield found on one of your drives:

VirusTotal: https://www.virustotal.com/en/file/f47237248b6a0e40c0fa9d6eff65a9d03a32b1e1212de54c55d33d34610ad9a5/analysis/

magna86 should be back soon :wink:

:stuck_out_tongue: Thanks

Hi,

When you run GMER, on the pop-up messages (rootkit activity) you should press No to get a full GMER scan. :slight_smile:

Wait for initial scan to finish - if there is any query, click [b]No[/b];

Doesn't matter, we shall use an FRST64 script for fixing…

=> do NOT use any USB device until I tell you so.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


[code]
Start
HKCU\...\Run: [MICROS~1] - C:\Users\maggot\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-25] () <===== ATTENTION
Startup: C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS
C:\Users\maggot\AppData\Local\Temp
C:\Windows\Tasks\At*.job
HKCU\...\Policies\Explorer: []
MountPoints2: {3285bd86-ead6-11e1-b62d-b74268557408} - H:\USBAutoRun.exe
MountPoints2: {46e5506c-90a1-11e2-bf15-806e6f6e6963} - G:\AutoRun.exe
MountPoints2: {90bb8748-e1e9-11e1-85bc-e97e19566818} - G:\AutoRun.exe
MountPoints2: {92c9d531-1090-11e2-8e6f-8ca98207194a} - G:\Windows/AutoRun.exe
MountPoints2: {a8020c18-256b-11e1-a291-782bcbc51943} - G:\Setup.exe /Auto
MountPoints2: {bbe27ed6-5ce5-11e0-bef1-806e6f6e6963} - E:\autoRcd.exe
MountPoints2: {c3e616ea-e553-11e1-875b-d40aa586471b} - G:\AutoRun.exe
MountPoints2: {c703d888-9dcd-11e1-a793-782bcbc51943} - "G:\WD SmartWare.exe" autoplay=true
MountPoints2: {c8d06cb7-3e23-11e2-be75-85a8df0c66af} - G:\.\ShowModem.exe
MountPoints2: {ec2e9cb2-e3cd-11e1-8265-9188ef06fe07} - G:\MyZone.exe
MountPoints2: {f52504c5-e204-11e1-8ed7-e88da3e4b00b} - G:\AutoRun.exe
MountPoints2: {fb000b20-909f-11e2-81c7-8ca98207194a} - G:\AutoRun.exe
HKLM-x32\...\Run: [FAStartup] - [x]
BootExecute:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchesplace.info/?l=1&q={searchTerms}&pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
SearchScopes: HKCU - {5CB78B2F-C1C7-460B-8555-AC277F1258FE} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchesplace.info/?l=1&q={searchTerms}&pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
BHO: No Name - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -  No File
BHO-x32: No Name - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} -  No File
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
Toolbar: HKCU - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF SelectedSearchEngine: Google
FF Homepage: hxxp://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30
FF Keyword.URL: hxxp://websearch.searchesplace.info/?pid=946&r=2013/08/06&hid=2943278761&lg=EN&cc=IN&unqvl=30&l=1&q=
CHR Extension: (saVeNshhaore ) - C:\Users\maggot\AppData\Local\Google\Chrome\User Data\Default\Extensions\bekklncadjfpplddpahalgnhpfepfcjf\5.10
C:\Users\maggot\AppData\Local\Google\Chrome\User Data\Default\Extensions\bekklncadjfpplddpahalgnhpfepfcjf
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\maggot\AppData\Local\Temp\crx61E3.tmp
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {2DC9A438-C1C2-4573-8C10-50670EAF8580} - System32\Tasks\{7E3892E4-B20F-4BCD-A794-0B5858361270} => F:\ASDFASD\SETUP.EXE
Task: {40B8DA8A-BD9F-4B9C-9D68-71E73FB1E9F4} - System32\Tasks\{68BAC247-8220-42C8-B821-F10B117C548A} => F:\ASDFASD\SETUP.EXE
Task: {5D6F42BB-4585-4B11-A5FC-FC545A4B5573} - System32\Tasks\{A2EEED55-BADC-4B6B-BFBC-03336DCD4740} => F:\ASDFASD\SETUP.EXE
Task: {7560DDC4-44A0-4CF5-92C9-6B16CD6B4363} - System32\Tasks\{AD7787FC-80FE-4CEA-9405-D64873DFD1D7} => F:\ASDFASD\SETUP.EXE
Task: {A8B0345C-2A54-491E-96B8-9844921D7020} - System32\Tasks\At1 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {ACDDFE25-7B4D-4D39-BAB8-4C96E682D8CE} - System32\Tasks\{704CB586-CE6F-49DC-8D4C-FBFEFDBFDA0F} => F:\ASDFASD\SETUP.EXE
Task: {B9E733E6-3DE4-40F2-B091-1018A775C114} - System32\Tasks\{B0D266EF-9056-487F-ACC5-AA355E1626F8} => F:\ASDFASD\SETUP.EXE
Task: {C44D4584-1387-4BFB-8BA3-8BF75627FDB2} - System32\Tasks\At3 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {D9D2E7FF-123A-4A0B-8FD0-09CBDC6B6228} - System32\Tasks\At2 => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {E6FBD718-AFF8-426F-833E-4938D5DCFD75} - System32\Tasks\shut down => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {FDCF43D1-4CE1-435F-8FD2-65E6600D7B3A} - System32\Tasks\{654D4C6A-4348-44C7-887B-5357F156FCB6} => F:\ASDFASD\SETUP.EXE
Task: C:\Windows\Tasks\At1.job => C:\Windows\system32\Shutdown.exe
Task: C:\Windows\Tasks\At2.job => C:\Windows\system32\Shutdown.exe
Task: C:\Windows\Tasks\At3.job => C:\Windows\system32\Shutdown.exe
AlternateDataStreams: C:\ProgramData\TEMP:94A19129
AlternateDataStreams: C:\ProgramData\TEMP:9AEE100C
File: C:\Program Files (x86)\After Death\FS.exe
File: C:\Windows\System32\shutdown.exe
Hosts:
CMD: ipconfig /flushdns
End
[/code]

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that your version is outdated, please download and run the updated version.


THEN

Re-run FRST64, just hit the Scan button and post the freshly created FRST.txt log.
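The fixlist above removes entries from several distinct per-user persistence spots: the HKCU Run key, the Startup folder, the cached AutoRun commands under MountPoints2, scheduled tasks (including the legacy At*.job entries) and script files in %TEMP%. The following PowerShell is an added example, not FRST's code or anything from this thread, that walks those same spots on a live machine and flags any entry that launches the Windows Script Host or a script file. The regex and the "Suspect" label are this example's own heuristic; it assumes an English Windows (for the schtasks column names), PowerShell 3 or later, and that it runs as the affected user so HKCU is the right hive. It is report-only.

```powershell
# persistence-sweep.ps1 (hypothetical name) -- added example, not from the thread.
$scriptPattern = '(?i)(wscript|cscript|mshta)\.exe|\.(vbs|vbe|js|jse|wsf|hta)\b'
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    $findings.Add([pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Suspect = [bool]($Command -match $scriptPattern)   # heuristic, see lead-in
    })
}

# 1. Run / RunOnce keys, per-user and per-machine (the fixlist's HKCU\...\Run line).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |            # drop provider metadata
        ForEach-Object { Add-Finding $k $_.Name ([string]$_.Value) }
}

# 2. Startup folders: anything dropped here runs at logon with no registry entry at all.
foreach ($d in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup folder' $_.Name $_.FullName }
}

# 3. MountPoints2: Explorer's cache of AutoRun commands seen on removable volumes.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } |          # ...\{volume}\Shell\AutoRun\command
    ForEach-Object {
        $cmd = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $vol = [regex]::Match($_.PSPath, '\{[0-9A-Fa-f-]+\}').Value
        if (-not $vol) { $vol = '?' }
        Add-Finding 'MountPoints2' $vol ([string]$cmd)
    }

# 4. Scheduled tasks; legacy At*.job tasks show up here as \At1, \At2, ...
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |            # skip repeated header rows
    ForEach-Object { Add-Finding 'Task' $_.TaskName $_.'Task To Run' }

# 5. Script files parked in %TEMP% (where MICROS~1.VBS lived).
Get-ChildItem -LiteralPath $env:TEMP -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(vbs|vbe|js|jse|wsf|hta)$' } |
    ForEach-Object { Add-Finding 'TEMP' $_.Name $_.FullName }

$findings |
    Sort-Object -Property @{ Expression = 'Suspect'; Descending = $true }, Source |
    Format-Table -AutoSize -Wrap
```

Read the MountPoints2 rows with the fixlist in mind: most of them (a card reader, a WD backup drive, a modem installer) are just remembered vendor AutoRun commands, which is why FRST clears them in bulk rather than because each one is malicious. A "Suspect" hit in the Run key or Startup folder pointing at a .vbs in %TEMP%, on the other hand, is exactly the ATTENTION line the fixlist targets.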

After the restart the “MICROS~1.VBS” txt file popped up.

We shall use an FRST script one more time, but this time we're going to give FRST more power.
The rule still applies: do not use any USB memory device until I tell you so. Also, we shall run ComboFix as additional confirmation.

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


[code]
START
UNLOCK: C:\Users\maggot\AppData\Local\Temp
UNLOCK: C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\maggot\AppData\Local\Temp\*.VBS
C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.VBS
HKCU\...\Run: [MICROS~1] - C:\Users\maggot\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-25] () <===== ATTENTION
Startup: C:\Users\maggot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
HKLM-x32\...\Run: [FAStartup] - [x]
END
[/code]

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that your version is outdated, please download and run the updated version.

THEN

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your antivirus program, usually via a right-click on the system tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach the log (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt)

Did everything. Logs attached. Thanks.

Open notepad and copy/paste the text present inside the code box below:

[code]
SkipFix::
ClearJavaCache::

RegNull::
[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*M?y=\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000\Software\SecuROM\License information*]
"datasecu"=hex:de,2a,cc,a6,9e,fb,fe,00,32,9c,f1,86,26,ab,ce,15,0a,6e,35,07,45,
   0a,14,6d,3d,f9,16,33,4f,6f,07,e7,64,34,1c,dd,34,7c,39,8d,72,17,82,58,64,71,\
"rkeysecu"=hex:6d,91,df,b7,17,af,6c,99,1a,ed,1e,79,ce,10,38,e6
[/code]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b])


Tell me, how is your computer running now?

bump!

Are you still with me? :slight_smile:

Yeah, sorry for the late reply … here's the log.

One more script. This shall be done quickly …

Open notepad and copy/paste the text present inside the code box below:


[code]
SkipFix::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{0055C089-8582-441B-A0BF-17B458C2A3A8}"=hex:51,66,7a,6c,4c,1d,38,12,e7,c3,46,
   04,b0,cb,75,01,df,a9,54,f4,5d,9c,e7,bc
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
   76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DA5BCE70-D057-4D63-943D-5F3927EC59F1}"=hex:51,66,7a,6c,4c,1d,38,12,1e,cd,48,
   de,65,9e,0d,08,eb,2b,1c,79,22,b2,1d,e5
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
   2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:62,c8,d5,4b,05,fd,cd,01

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,01,7d,6d,f2,5f,eb,48,83,59,67,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,01,7d,6d,f2,5f,eb,48,83,59,67,\

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*M?y=\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):ad,02,19,f5,20,1e,86,03,36,d8,00,87,6c,fa,a0,c9,35,14,26,0a,13,
   01,05,17,c9,77,07,a3,d8,92,0b,23,a8,43,f0,bf,74,4c,2e,72,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):da,14,f6,f0,ca,c6,36,c9,9e,0c,8f,20,b7,3f,39,ba,f7,bf,1f,13,60,
   cb,e7,5b,9d,dc,62,43,39,6c,4d,46,05,b8,f7,8a,90,ae,c4,2f,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000_Classes\Wow6432Node\CLSID\{9977115f-f1dd-45f8-8135-1574cbd84a0a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000012f
"Therad"=dword:0000001a
"SpecVersion"=dword:0000010c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_USERS\S-1-5-21-4104444742-4202356276-1653453980-1000_Classes\Wow6432Node\CLSID\{9d93b6ca-dcec-4bcd-9a17-b0484819faef}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000e8
"Therad"=dword:00000022
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,46,8f,3c,f2,5c,68,ee,21,f4,30,7c,14,af,dd,\
[/code]



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b])

Done :slight_smile: