Hi. I’d appreciate it if you could help me with a malware that is creating shortcuts on my USB. The shortcuts are from System32. On the internet I only found some hints on how to remove the virus from the USB, but I would like to get it out of my laptop too. I am running Windows 7 Ultimate. Please help and thank you.
Attach Malwarebytes and OTL logs. http://forum.avast.com/index.php?topic=53253.0
There you go.
Note: In the OTL program the option “Include 64bit scans” did not appear. I followed the rest of the instructions.
Malware experts are notified … it may take some time before they are online
I’m looking at posted logs …be right back …
Hi,
Do NOT use any USB memory device until we clean the host machine.
Please download zoek by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.
[*]Double click on zoek.exe to run the tool .
Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
uwldapow;s
taskkill /F /IM wscript.exe;b
EmptyAllTemp;
C:\Users\emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tihlgokflt..vbs;f
StartUpAll;
[*]Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).
[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”
Ty Pondus and magna for helping me solve this.
Here is the zoek-results
=> Please download Anti-VBSVBE and save it to your desktop.
Note: There are two versions, 32bit and 64bit. You need to run the version compatible with your system.
[*]Double click to run the tool and wait until it finishes.
[*]It will make a log named Anti-VBSVBE.txt. Please post it to your reply.
=> Re-run Zoek tool as you did before …
Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
EmptyCLSID;
[HKEY_USERS\S-1-5-21-1215436295-3838858105-3426281895-1000\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[HKEY_USERS\S-1-5-21-1215436295-3838858105-3426281895-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tihlgokflt];r
AutoClean;
[*]Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).
[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”
=> Now we will check the USB memory device for malware. MCShield shall remove all USB related malware …
Please download MCShield from one of the following links:
MCShield -Official download link
[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … per installation click on Run! button.
[*]Wait a few seconds for MCShield to finish the initial HDD scan…
[*]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post the log report that MCShield has created.
Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScanst.txt report shall be located on your Desktop.
=> Post here AllScanst.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
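An added example, not part of any post in this thread and not code from the tools used here: a read-only PowerShell audit of the locations the zoek scripts above cleaned (the Startup folder and the Run keys), plus shortcuts on removable drives that point into System32. The function name Get-ScriptAutostart and the match patterns are assumptions chosen for illustration.

```powershell
# Added example, read-only: nothing is deleted or changed.
# Assumes Windows PowerShell 2.0+ (the version shipped with Windows 7).
function Get-ScriptAutostart {
    $scriptExt = '^\.(vbs|vbe|js|jse|wsf)$'        # script file extensions
    $scriptCmd = '\.(vbs|vbe|js|jse|wsf)\b|\b[wc]script(\.exe)?\b'  # script path or script host

    # 1. Startup folders: current user and all users
    foreach ($base in @($env:APPDATA, $env:ProgramData)) {
        $dir = Join-Path $base 'Microsoft\Windows\Start Menu\Programs\Startup'
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match $scriptExt } |
            ForEach-Object { New-Object PSObject -Property @{
                Kind = 'StartupFile'; Location = $dir; Name = $_.Name; Data = $_.FullName } }
    }

    # 2. Run keys: HKLM plus every loaded user hive (HKCU is one of the HKEY_USERS SIDs)
    $runKeys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
        $runKeys += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # hive without a Run key (for example *_Classes)
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $scriptCmd) { New-Object PSObject -Property @{
                Kind = 'RunValue'; Location = $path; Name = $name; Data = $data } }
        }
    }

    # 3. Shortcuts in the root of removable drives whose target is under System32
    $shell = New-Object -ComObject WScript.Shell
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
                if ($lnk.TargetPath -match '\\system32\\') { New-Object PSObject -Property @{
                    Kind = 'UsbShortcut'; Location = $root; Name = $_.Name
                    Data = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments) } }
            }
    }
}

Get-ScriptAutostart | Select-Object Kind, Name, Location, Data | Format-List
```

An empty result is the expected state after cleanup; any row is a lead to review against the tool logs, not proof of infection.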
I am attaching here the next files:
this is one of the files found by MCShield
https://www.virustotal.com/en-gb/file/eb551bfdc64cdf7a7b7d83d3c70e89caa5e493dc43ae36b3c5ef8dba970d6068/analysis/
magna86 will be back and remove the tools used when all is ok…
Ok emilica, this looks clean. As the malware is removed, would you please tell me how the computer is behaving now?
The computer seems to be running faster now that’s for sure… And when I copy documents on the usb it doesn’t appear as a shortcut anymore. Thank you very much for all the help, I appreciate it (especially since I am not really good with computers I know that your work is difficult). Which of the programs I have installed I remove and how (control panel, just delete)?
Hi and yes, we will remove the tools using another one named DelFix.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
[*]Remove disinfection tools
[*]Create registry backup
[*]Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
Just a notice before I start using the last program: when I checked the processes in Task Manager I noticed 2 rundll32.exe running each with different memory occupation. Should I be concerned with it?
I don't think that is a problem… magna will be back and tell you
The MCShield program you keep, it will protect you from USB infections