Hi,
all my folders in my flash drives are converted into shortcut icons & when right clicked & show file location is chosen, it says “C:\WINDOWS\System32\cmd.exe”
Could you please help me with this?
Hi, your flash drives are infected
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan
Then get the log which will be here :
Start > all programs > MCShield > logs > all scans
And post that
THEN
Download Anti VBS/VBE to your desktop
[*]Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[*]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report
Be aware this is a very new programme and as such is not recognised by any antivirus or Windows. It is safe, so allow it to run
this is first log
second log
OK, now those are clean, let's look at the computer
Download OTL to your Desktop
Secondary link
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif
[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
otl.txt
Extras.txt
Are you using Samdav antivirus? Your system is badly infected. I see you have run Combofix; could you attach the log for that?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
SRV - [2014/02/13 11:20:28 | 000,080,664 | ---- | M] () [Auto | Running] -- C:\Program Files\maucampo\bin\utilmaucampo.exe -- (Util maucampo)
SRV - [2014/02/13 11:17:16 | 000,080,664 | ---- | M] () [Auto | Running] -- C:\Program Files\maucampo\updatemaucampo.exe -- (Update maucampo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\anvsnddrv.sys -- (anvsnddrv)
O2 - BHO: (maucampo) - {5d7d4fb9-aca5-4013-8879-c58dcd4df9f1} - C:\Program Files\maucampo\maucampoBHO.dll (maucampo)
O4 - HKLM..\Run: [06864143dea93515509ebd6f1b2637f2] C:\ProgramData\Avasit.exe (SAJROY8j7nVVuZX)
O4 - HKU\S-1-5-21-214351162-642781372-3813588257-1000..\Run: [06864143dea93515509ebd6f1b2637f2] C:\ProgramData\Avasit.exe (SAJROY8j7nVVuZX)
O4 - HKLM..\RunOnce: [network_smb_media1firecom] "C:\Users\NABILB~1\AppData\Local\Temp\BI_RunOnce.exe" /initurl http://dw50j5zef9twa.cloudfront.net/init/cUduMakJ/:uid:? /affid "-" /id "0" /name " " /uniqid cUduMakJ /uuid 00000000-0000-0000-0000-001FD0054F7D /diskserial 2020202057202d44435750414339363835393431 /biosserial /biosversion SECCSD - 42302e31 /csname 945GCM-S2L File not found
O4 - Startup: C:\Users\nabilbahr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06864143dea93515509ebd6f1b2637f2.exe (SAJROY8j7nVVuZX)
[2014/02/16 13:32:13 | 000,000,000 | ---D | C] -- C:\Users\nabilbahr\AppData\Roaming\SpeedyPC Software
[2014/02/16 13:32:13 | 000,000,000 | ---D | C] -- C:\Users\nabilbahr\AppData\Roaming\DriverCure
[2014/02/16 13:31:35 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2014/02/12 23:58:28 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
[2014/02/10 12:24:35 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\new.exe
[2014/02/10 12:24:27 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06864143dea93515509ebd6f1b2637f2.exe
[2014/02/10 12:24:20 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\ProgramData\Avasit.exe
[2014/02/10 12:24:12 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\System32\new.exe
[2014/02/10 12:00:34 | 000,000,000 | ---D | C] -- C:\Program Files\maucampo
[2014/02/12 23:58:28 | 000,249,344 | ---- | M] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
[2014/02/16 13:32:13 | 000,000,000 | ---D | M] -- C:\Users\nabilbahr\AppData\Roaming\SpeedyPC Software
:Files
:Commands
[resethosts]
[emptytemp]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
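An added example, not part of the original thread or of OTL itself: a small parser for OTL file-listing lines like those in the fix above, grouping files by size and company string to show one binary copied into several locations. The sample lines are copied from the fix; the function names are hypothetical, and matching on size and company is a heuristic that should be confirmed with file hashes.

```python
import re
from collections import defaultdict

# File-listing lines copied from the OTL fix quoted in the thread.
SAMPLE = r"""
[2014/02/16 13:31:35 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2014/02/12 23:58:28 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
[2014/02/10 12:24:35 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\new.exe
[2014/02/10 12:24:27 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06864143dea93515509ebd6f1b2637f2.exe
[2014/02/10 12:24:20 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\ProgramData\Avasit.exe
[2014/02/10 12:24:12 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\System32\new.exe
[2014/02/12 23:58:28 | 000,249,344 | ---- | M] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
"""

# [timestamp | size | attributes | C(reated)/M(odified)] (company) -- path
ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

def parse_entries(text):
    """Return one dict per file-listing line; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries

def cluster_copies(entries, min_copies=2):
    """Group non-directory files by (size, company); keep multi-path groups."""
    groups = defaultdict(dict)
    for e in entries:
        if "D" in e["attrs"] or e["size"] == 0:
            continue  # directories and empty files carry no signal here
        key = (e["size"], e["company"] or "")
        prev = groups[key].get(e["path"])
        if prev is None or e["ts"] < prev:  # keep earliest timestamp per path
            groups[key][e["path"]] = e["ts"]
    return {k: v for k, v in groups.items() if len(v) >= min_copies}

if __name__ == "__main__":
    for (size, company), paths in cluster_copies(parse_entries(SAMPLE)).items():
        print(f"{size} bytes, company={company!r}: {len(paths)} locations")
```
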
the log
How is the computer behaving now … What problems remain?
Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from here
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Attach the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Virus removed, thanks a lot
No further problems then?
I don’t know :-\
Did Malwarebytes find anything?