shortcut/wscript virus?

I have scanned my laptop and the infected drives (some USB drives, and also my smartphone because, unfortunately, it was also a victim in USB mode) with MBAM, deleted the detected malware, restarted my laptop, then tried to open the USB files. Shortcuts gradually replace everything again.

I have tried the cmd command ‘attrib -h -r -s /s /d e:*.*’ but it still reverts back to shortcuts afterwards. The only thing that seems to work as of now is ending the process of wscript.exe through the Task Manager and then doing the cmd command to continue transferring stuff through USB without interruption. So yeah, every time the laptop restarts and wscript is back up again, shortcuts take over the files in the USB drives. Any help would be greatly appreciated.

Gonna do the scans without the infected usb drives inserted. Here goes. Attached the ADW Log File.

If I have to scan everything again with MBAM, just tell me. Thanks.
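As an added example (not from the thread or from any of the tools it mentions), a read-only PowerShell triage script for the pattern the first post describes: shortcut files on the removable drive that launch a script host, files and folders hidden with the +h +s attributes that the attrib command undoes, and any wscript.exe/cscript.exe currently running. It assumes the drive letter E: used in the post and only reports; it changes nothing on the drive.

```powershell
# Added example, not from the thread: read-only triage of a removable drive for the
# "shortcut worm" pattern described in the post. Assumes the drive letter E: used there.
param([string]$Drive = 'E:')

function Get-SuspiciousShortcut {
    param([string]$Root)
    # A clean drive rarely has .lnk files in its root; the worm creates one per hidden
    # item, each launching a script host with the hidden script file as its argument.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match 'wscript|cscript|cmd\.exe|powershell' -or
                $lnk.Arguments -match '\.(vbs|vbe|js|wsf|bat|exe)\b') {
                [pscustomobject]@{
                    Shortcut  = $_.Name
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

function Get-HiddenSystemItem {
    param([string]$Root)
    # The worm sets +h +s on the real files so that only its shortcuts stay visible;
    # this is exactly what "attrib -h -r -s /s /d" in the post reverses.
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Attributes)" -match 'Hidden' -and "$($_.Attributes)" -match 'System' } |
        Select-Object Name, Attributes
}

function Get-RunningScriptHost {
    # The poster found that ending wscript.exe stops the shortcuts from reappearing,
    # so a running script host on a machine that should have none is worth listing.
    Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
}

$root = "$Drive\"
"== Suspicious shortcuts on $root"; Get-SuspiciousShortcut -Root $root | Format-Table -AutoSize
"== Hidden+System items on $root";  Get-HiddenSystemItem   -Root $root | Format-Table -AutoSize
"== Running script hosts";          Get-RunningScriptHost              | Format-Table -AutoSize
```

Run it from a PowerShell prompt with the drive inserted (`.\Triage-Drive.ps1 -Drive 'F:'` for another letter). A hit in the first table together with a list of Hidden+System entries in the second is the signature the thread is dealing with; an empty third table after a reboot is a quick sign that the persistence on the laptop itself has been dealt with.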

We also need Malwarebytes / OTL logs. http://forum.avast.com/index.php?topic=53253.0

Also attach the MCShield log. http://forum.avast.com/index.php?topic=53253.msg998925#msg998925

Monitoring…

Good day, guys.

Here it is, MBAM, OTL, and the MCShield logs. MC logs attached to another reply.
No malware detected by the quick scan, though. I scanned before plugging in the usb’s.

The MC scans for the smartphone are E and I, and scans F and H are the other infected drives.

Also, should I use the clean function of Adw after the scan? Do I need to run MBAM again with the infected drives plugged in?

Thanks!

Here, MCShield scans.

TwinHeadedEagle will soon be back and help you :wink:

Hi,

About AdwCleaner: run it again, but after scanning, make sure to click on the Clean button. Give me the report after it finishes cleaning.

Then…

Please download GMER, the anti-rootkit tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

  • Wait for the initial scan to finish; if there is any query, click No.
  • Click the Scan button and wait until the full scan is complete.
  • Click Save … and save the report to the Desktop (named Gmer).

Attach the GMER log report here.

Then…

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I didn’t close AdwCleaner after the first scan, so I cleaned and did a reboot. I made another scan and I’ll include the results here.

Also, I’ll post the results for gmer and farbar in another reply.

Farbar and Gmer logs.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

HKCU\...\Run: [yyncsiwkgz] - C:\Users\Acer\AppData\Local\Temp\yyncsiwkgz..vbs [373413 2013-08-09] () <===== ATTENTION
C:\Users\Acer\AppData\Local\Temp\yyncsiwkgz..vbs
MountPoints2: {0551e523-fa7b-11e1-8b10-844bf59a1357} - E:\AutoRun.exe
MountPoints2: {0551e574-fa7b-11e1-8b10-844bf59a1357} - E:\AutoRun.exe
MountPoints2: {0551e595-fa7b-11e1-8b10-001e101f50a4} - E:\AutoRun.exe
MountPoints2: {0551e5e3-fa7b-11e1-8b10-001e101f50a4} - E:\AutoRun.exe
MountPoints2: {05ed45b7-376b-11e2-9f7d-047d7be497c0} - E:\laucher.exe
MountPoints2: {10ed2c67-082f-11e2-ae2d-001e101f82a7} - E:\AutoRun.exe
MountPoints2: {9c70c2bd-fe1c-11e1-9efb-001e101fb45e} - E:\AutoRun.exe
MountPoints2: {9c70c2cb-fe1c-11e1-9efb-001e101fb45e} - E:\AutoRun.exe
MountPoints2: {c08b4f70-0392-11e2-bf53-844bf59a1357} - E:\AutoRun.exe
MountPoints2: {c08b4ffb-0392-11e2-bf53-001e101f57d0} - E:\AutoRun.exe
MountPoints2: {c2bb5d37-feff-11e1-9ac2-844bf59a1357} - F:\AutoRun.exe
MountPoints2: {db3ed91b-0e14-11e2-9a8c-844bf59a1357} - E:\AutoRun.exe
Startup: C:\Users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyncsiwkgz..vbs ()
C:\Users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyncsiwkgz..vbs
C:\Users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs
SearchScopes: HKCU - {4FD475B5-63A9-4974-80C5-C1AADCDA72F9} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
FF Extension: Search-NewTab - C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\i2uxe59a.default\Extensions\5115400b5f887@5115400b5f8c1.com
C:\Users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\i2uxe59a.default\Extensions\5115400b5f887@5115400b5f8c1.com
C:\Users\Acer\AppData\Local\Temp
cmd: ipconfig /flushdns

2. Save the notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then…

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
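As an added example (not part of the helper's instructions and not FRST's own code), a PowerShell check over the three host-side persistence points the fixlist above targets: HKCU Run values that launch a script file, script files in the per-user Startup folder, and the AutoRun commands Explorer caches under MountPoints2. It assumes the registry layout `MountPoints2\{GUID}\Shell\AutoRun\command`, whose default value is what FRST prints as `MountPoints2: {GUID} - E:\AutoRun.exe`; it only reads and reports, so it can be run before and after a fix to confirm the entries are gone.

```powershell
# Added example, not from the thread or from FRST: re-check the persistence points
# the fixlist targets (HKCU Run, Startup folder, MountPoints2) and report what remains.
# Assumption: cached autorun commands live at MountPoints2\{GUID}\Shell\AutoRun\command.

function Get-ScriptRunValue {
    # HKCU Run values whose data names a script file; the fixlist removed one
    # pointing at ...\AppData\Local\Temp\yyncsiwkgz..vbs
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\.(vbs|vbe|js|wsf)\b' } |
        Select-Object Name, Value
}

function Get-StartupScript {
    # Script files dropped into the per-user Startup folder (the fixlist deleted *.vbs there)
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(vbs|vbe|js|wsf)$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-CachedAutoRunCommand {
    # Autorun commands Explorer cached for volumes that were inserted in the past
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$($_.PSPath)\Shell\AutoRun\command"
        if (Test-Path $cmdKey) {
            [pscustomobject]@{
                Volume  = $_.PSChildName
                Command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

$runHits     = @(Get-ScriptRunValue)
$startupHits = @(Get-StartupScript)
$autorunHits = @(Get-CachedAutoRunCommand)

'== Run values launching scripts'; $runHits     | Format-Table -AutoSize
'== Scripts in Startup folder';    $startupHits | Format-Table -AutoSize
'== Cached AutoRun commands';      $autorunHits | Format-Table -AutoSize
"Total findings: $($runHits.Count + $startupHits.Count + $autorunHits.Count)"
```

A total of zero after the fix and reboot matches what the fresh FRST scan should show; any remaining Run value or Startup script is the thing to feed back to the helper rather than to delete by hand. The MountPoints2 entries are only cached commands, not active malware, but the worm's AutoRun.exe names in them are a useful record of which volumes were infected.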

Fixlog and Combofix log attached.

The laptop seems normal after the final reboot, nothing fishy.

Just to be sure:
Should I turn my antivirus on now?
What other things should I do?
Regarding my smartphone and my usb’s, can I plug them in now? I hope once I plug in the drives and delete the malwares by MCShield, they stay deleted. For good.

Sorry for all the trouble I caused you, and sorry for taking up much of your time.

Hi,

Open FRST and click on Scan. Attach the fresh log for me.

Should I turn my antivirus on now?

Yes, you can…

What other things should I do?

Nothing, wait until we’re done here.

Regarding my smartphone and my usb's, can I plug them in now? I hope once I plug in the drives and delete the malwares by MCShield, they stay deleted. For good.

Do not plug any USB, until I tell you.

Here it is.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Unlock: C:\Users\Acer\AppData\Local\Temp\yyncsiwkgz..vbs
HKCU\...\Run: [yyncsiwkgz] - C:\Users\Acer\AppData\Local\Temp\yyncsiwkgz..vbs [373413 2013-08-09] () <===== ATTENTION
C:\Users\Acer\AppData\Local\Temp\yyncsiwkgz..vbs
Startup: C:\Users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyncsiwkgz..vbs ()
C:\Users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yyncsiwkgz..vbs

2. Save the notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then…

Restart the computer, re-run FRST and post me the fresh log…

Here, fixlog. Sorry for the delay.

Ok, post me the fresh FRST log for final check…

FRST log incoming.

Ok, we’re done here :slight_smile:

The virus is completely removed.

I recommend that you keep MCShield.
It will prevent infection of the computer via USB flash drives, mobile phones or any other memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

Uninstall Adobe Reader and Java from the Control Panel, and download the latest versions.

I recommend that you keep MCShield. It will prevent infection of the computer via USB flash drives, mobile phones or any other memory card. And it will not only prevent infection, but will immediately clean the memory card or external HDD.
And Malwarebytes ;)

Gonna do your orders after I get back from somewhere. I’ll report everything later. Anyway, thanks again! BRB.