Shortcut Virus!

PLEASE HELP ME. I really need to save files on my laptop, but all the files turn into shortcuts. And its location is in windows/system32 cmd. But I can’t seem to find it.

How to receive help instructions: https://forum.avast.com/index.php?topic=53253.0
Attach the requested logs.

Monitoring.

@rwenz03 that means Valinorum is waiting for those logs so he can help you :wink:

I’m so sorry that I haven’t attached the logs yet. It’s just that every time I try to connect to the internet, my laptop sends a command that auto-reboots my modem. I tried connecting to the net all net with no success. I’m using my friend’s computer right now. I’m so sorry.

Can you download the tools onto a USB drive, move them to your Desktop and perform the scans?

I’ll be able to download the tools, but I won’t be able to update Malwarebytes. It’s said in the instructions that I need to update Malwarebytes Anti-Malware.

No need. Move along with the downloaded database.

Thanks. I’ll try it later. Then I’ll attach the needed files.

Okay.

Thank you for trying to help me. I’m really thankful. But I wasn’t able to attach the files because Farbar won’t install on my laptop and I can’t connect to the internet. So I tried to manually delete the virus using CMD, and I finally removed every last bit of it this morning. But I really thank you for trying to help me.

What files did you delete (and where)? I highly doubt you got everything. Did you clean the USB? If not, you’ll be reinfected. How did you clean it? Did you get the Reg keys that usually accompany this infection?

I ran Malwarebytes first and it deleted most of the infected files. Then I found the Skypee and Google folders in C:\. I tried deleting them normally, but the folders wouldn’t delete. They contained AutoIt3.exe and two other files that I forgot. I used CMD to delete those two folders, then I also deleted all the shortcuts it created. I also deleted the .vbg file (can’t remember exactly what kind of file it is) that came with the virus. I also cleared the flash drive I used. And now I don’t seem to be facing any kind of problem. My laptop doesn’t create shortcuts anymore, and whenever I plug a flash drive into my laptop it doesn’t hide the files and create shortcuts anymore.

Was the folder named Skypee? Or Skype? The legit “Skype” should be located in C:\Program Files (x86).
Google (Chrome?) should be in C:\Users\AppData\Local\Google\

MBAM shouldn’t target any VB(x) file. (Post the log please).

An absence of symptoms doesn’t mean all clear.

Do the following: Windows Logo + R > Regedit > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. What keys are located there? (DO NOT delete anything)

Also do the same for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. (DO NOT delete anything)

NEXT

Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders and Show System Files (it’ll give you a warning, click Yes), also show all extensions, and then click OK… Plug in your USB. Are there any ghosted (washed-out) files ending in .exe, .vbs, etc.?

If so, what are the names? Scan anything ghosted at www.virustotal.com and post back the scan results.
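A read-only triage script that automates the checks in the post above: it lists the HKCU and HKLM Run entries, flags values shaped like the autoruns this thread discusses (wscript.exe //B, .lnk launchers, AutoIt3.exe, payloads in %TEMP%), and lists hidden+system .exe/.vbs/.lnk files on a removable drive with their SHA-256 so they can be looked up on VirusTotal without uploading. This is an added example, not code posted by anyone in this thread; the USB drive letter E:, the pattern list and the extension list are assumptions, and it deletes nothing.

```powershell
# Added triage script (not from this thread). Read-only: it lists Run entries and
# removable-drive files as the post above asks and deletes nothing.
# Assumptions: PowerShell 4.0+ (Get-FileHash), run elevated to read HKLM, drive letter passed in.
param([string]$UsbDrive = 'E:')   # assumed drive letter; change to match your stick

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Regexes for the autorun shapes this thread shows (assumed list, extend as needed).
$suspicious = @(
    'wscript(\.exe)?\s+//B',          # VBS run by wscript.exe with a hidden window
    '\.lnk\b',                        # Run entry that launches a shortcut
    'AutoIt3\.exe',                   # AutoIt interpreter running an .a3x script
    '\\AppData\\Local\\Temp\\',       # payload parked in %TEMP%
    '^C:\\(Google|Skypee)\\'          # dropper folders named in the thread
)

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata members
            $hits = @($suspicious | Where-Object { "$($p.Value)" -match $_ })
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Value = $p.Value; Suspicious = ($hits.Count -gt 0)
            }
        }
    }
}

# "Ghosted" files: Hidden+System attributes with an executable, script or shortcut extension.
$hideMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
function Get-GhostedFiles {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (([int]$_.Attributes -band $hideMask) -eq $hideMask) -and
            ($_.Extension -in '.exe', '.vbs', '.lnk', '.a3x', '.bat', '.cmd')
        } |
        Select-Object FullName, Length, Attributes,
            @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
}

Get-RunEntryReport | Format-Table -AutoSize
Get-GhostedFiles -Root $UsbDrive | Format-List
```

Paste the SHA256 values into the VirusTotal search box to check a file’s reputation without uploading it; entries marked Suspicious are the ones to report back in the thread, not to delete.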

It was named Skypee. I found it in my flash drive. It contained AutoIt3.exe, GoogleUpdate.exe and one other file I forgot. I didn’t see any ghosted file on my USB. I’ll attach the Reg keys located in HKEY_CURRENT_USER & HKEY_LOCAL_MACHINE.

Your LOCAL MACHINE is fine. CURRENT USER is NOT though.

dvlwtumlyh REG_SZ wscript.exe //B "C:\Users\ALLMAN~1\AppData\Local\Temp\dvlwtmulyh…vbs"
Windows Update REG_SZ C:\Google\Windowsupdate.lnk
AdopeFlash REG_SZ C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x
AdopeUpdate REG_SZ C:\Google\GoogleUpdate.lnk

^^

All Malicious. Don’t delete them though.

The dvlwtumlyh REG_SZ entry is the VBS infection using wscript.exe as the hosting file. See if you can do the following. Go to File Explorer > C:\ALLMAN~1\AppData\Local\Temp\dvlwtmulyh…vbs

Is that file still there? If yes, you are still infected. You should also scan it @ www.virustotal.com.

In the meantime, FRST logs should be attached so Valinorum can finish helping you.

Can’t find dvlwtmulyh…vbs in the temp folder. And I’ll attach the FRST logs now.

Is this a laptop?

Your GT 630M doesn’t appear to be working.
Name: NVIDIA GeForce 310M
Description: NVIDIA GeForce 310M
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: nvlddmkm
Problem: This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

FRST identified your Reg keys as malicious:

HKU\S-1-5-21-274870729-1962583498-304518817-1000.…\Run: [dvlwtmulyh] => wscript.exe //B “C:\Users\ALLMAN~1\AppData\Local\Temp\dvlwtmulyh…vbs” <===== ATTENTION

Hang tight, I PM’d Valinorum to come back and see what he can do. You also have MCShield, I see. Can you attach Allscans.txt?

Here is the Allscans.txt.

And yes this is a laptop.

I should’ve warned you… Whoops, you need to resave it with ANSI encoding.