Hi, a virus has entered my USB devices and all the files and folders appear as shortcuts and can't be opened. It seems that the PC and laptops have been infected too, because when I try to use another USB device it gets infected too! I have Avast on all my computers and even the complete analysis can't see and delete the virus.
Please help!! :o
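The symptom above (every folder on the stick shows up as a shortcut and nothing opens) is the usual "shortcut worm" layout: the real files and folders are still on the drive but flagged Hidden+System, and a .lnk with the same name is dropped beside each one that runs cmd.exe or wscript.exe with a hidden script or executable as its argument. The following PowerShell script is an added example, not part of the thread and not one of the tools the helpers ask for; it only inspects the drive (nothing on the stick is executed), lists where each shortcut really points and which entries were hidden, and restores them only when you pass -Restore. The drive letter E: and the assumption that the decoys live in the drive root are mine; the dropper the shortcuts point to and the infected laptops still need cleaning, which is what the log collection in this thread is for.

```powershell
<#
Triage a removable drive for the "shortcut worm" pattern (added example):
  1. show the real target of every .lnk in the drive root and flag the ones
     that launch a script host / cmd.exe with a script or exe as argument
  2. list entries that were made Hidden+System (the user's real data)
  3. with -Restore: clear the attributes (attrib -h -s -r) and delete only
     the flagged decoy shortcuts; legitimate shortcuts are left alone
ASSUMPTIONS: drive letter E: (override with -Drive), decoys in the drive root.
Run from an elevated PowerShell prompt; without -Restore nothing is changed.
#>
param(
    [string]$Drive = 'E:',
    [switch]$Restore
)

$root = $Drive + '\'
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $Drive is not mounted" }

$shell = New-Object -ComObject WScript.Shell

# 1. Every shortcut in the root: where does it really point?
$report = foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    # A shortcut called "Documents" should point at E:\Documents, not at
    # cmd.exe/wscript.exe with a .vbs/.exe/.bat argument.
    $bad = ($sc.TargetPath -match '\\(cmd|wscript|cscript|powershell|rundll32)\.exe$') -or
           ($sc.Arguments  -match '\.(vbs|vbe|js|jse|bat|cmd|scr|exe)(\s|"|$)')
    New-Object PSObject -Property @{
        Shortcut   = $lnk.FullName
        Target     = $sc.TargetPath
        Arguments  = $sc.Arguments
        Suspicious = $bad
    }
}
$report | Format-Table Shortcut, Target, Arguments, Suspicious -AutoSize

# 2. Hidden+System entries in the root are the files the worm hid from the user.
$skip   = @('System Volume Information', '$RECYCLE.BIN', 'Recycled')
$hidden = Get-ChildItem -LiteralPath $root -Force | Where-Object {
    (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
    (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
    ($skip -notcontains $_.Name)
}
$hidden | Select-Object Name, Attributes | Format-Table -AutoSize

# 3. Print what the decoys launch so the dropper itself can be quarantined too.
$report | Where-Object { $_.Suspicious } | ForEach-Object {
    Write-Warning ("{0} -> {1} {2}" -f $_.Shortcut, $_.Target, $_.Arguments)
}

if ($Restore) {
    foreach ($item in $hidden) {
        # Same as the manual fix "attrib -h -s -r", recursive for folders.
        if ($item.PSIsContainer) { attrib.exe -h -s -r $item.FullName /s /d }
        else                     { attrib.exe -h -s -r $item.FullName }
    }
    $report | Where-Object { $_.Suspicious } |
        ForEach-Object { Remove-Item -LiteralPath $_.Shortcut -Force }
}
```

Run it first without -Restore and read the Target/Arguments columns: the path the decoys launch (typically a hidden .vbs or .exe on the stick) is the file to quarantine, and the same file is what the worm will drop again from an infected PC, so restoring the stick before the PC is cleaned only buys time.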
Attach your diagnostic logs (MBAM, FRST and MCShield).
Instructions: https://forum.avast.com/index.php?topic=53253
Hi,
I have done a boot-time analysis with Avast and followed all the steps that you suggested, but nothing works; the USB is still infected. Please help!!
You need to attach the log files of those 3 tools to your next post here as instructed.
fsaravial,
Attach the three log files as Eddy has directed you. A Malware Removal person will examine the logs and create a repair plan for your system. These need to be done by hand as each situation is unique (file names, starting type, etc.).
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan date: 26/05/2016
Scan time: 20:52
Log file: log.txt
Administrator: Yes
Version: 2.2.1.1043
Malware database: v2016.05.26.07
Rootkit database: v2016.05.20.01
License: Trial
Malware protection: Enabled
Malicious website protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File system: NTFS
User: Admin
Scan type: Threat scan
Result: Completed
Objects scanned: 297686
Time elapsed: 8 min, 31 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry keys: 0
(No malicious items detected)
Registry values: 0
(No malicious items detected)
Registry data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical sectors: 0
(No malicious items detected)
(end)
MBAM looks clean but we need the FRST, Addition and MCShield log files please.
Hi, these are the logs from my XP laptop, hope that helps.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan date: 25/05/2016
Scan time: 10:45:41 a.m.
Log file: logMbytes.txt
Administrator: Yes
Version: 0.0.0.0000
Malware database: v2016.05.25.05
Rootkit database: v2016.05.20.01
License: Trial
Malware protection: Enabled
Malicious website protection: Enabled
Self-protection: Disabled
OS: Windows XP Service Pack 3
CPU: x86
File system: NTFS
User: Federico Saravia
Scan type: Threat scan
Result: Completed
Objects scanned: 295561
Time elapsed: 45 min, 6 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
RiskWare.Tool.CK, C:\WINDOWS\KMService.exe, 876, Delete-on-reboot, [00186e6c5e3bbb7b9f8280723ac745bb]
Modules: 0
(No malicious items detected)
Registry keys: 8
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\CLSID{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}, Quarantined, [13055288871235019fcfb1a41de5b947],
Trojan.Agent.Trace, HKU\S-1-5-18\SOFTWARE\MICROSOFT\Handle, Quarantined, [7e9a904aa7f2fe38dfef1794d033768a],
Trojan.FakeAlert, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\2L4NOI3W05, Quarantined, [4fc9f1e9b6e3ef47e2a9c54be51e5ea2],
PUP.Optional.InstallCore, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\ICSW1.14, Quarantined, [cc4c0fcbfe9bb5813c1bff8a46bd3cc4],
Trojan.FakeAlert, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\U36VRSFLG6, Quarantined, [fa1e35a58c0d1e18014d3fd98e758d73],
Trojan.FakeAlert, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\XML, Quarantined, [71a70bcf049542f4c3f5f91fae558977],
Trojan.Agent.Trace, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\MICROSOFT\Handle, Quarantined, [78a09e3c9504b4821bb39615748fc33d],
PUP.Optional.ProductSetup, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\PRODUCTSETUP, Quarantined, [73a5c6147a1f95a16f9ea8ebff046898],
Registry values: 1
PUP.Optional.ProductSetup, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\PRODUCTSETUP|tb, Quarantined, [73a5c6147a1f95a16f9ea8ebff046898],
Registry data: 2
PUM.Optional.DisableStartMenuLogOff, HKU\S-1-5-21-173226567-1310869338-1363725489-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),Replaced,[f91f6575c3d6c0762beba4af8e76ed13]
PUM.Optional.DisableStartMenuLogOff, HKU\S-1-5-21-173226567-1310869338-1363725489-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),Replaced,[ad6bc01ac0d90333dc3a2132a262a060]
Folders: 2
PUP.Optional.ASK, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APNLogs, Quarantined, [ec2cb228d4c50c2ade3a179c4bb7af51],
PUP.Optional.ASK.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APN-Stub, Quarantined, [1cfc9b3f6f2a0a2c13fdacfc0ff38f71],
Files: 19
RiskWare.Tool.CK, C:\WINDOWS\KMService.exe, Delete-on-reboot, [00186e6c5e3bbb7b9f8280723ac745bb],
CrackTool.Agent, C:\Program Files\Starcraft\regsetup.exe, Quarantined, [ea2e6d6d1d7c1f1789dc102fc939e41c],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{66BB0198-15D0-4BBA-901F-7345B8AC38C9}.xpi, Quarantined, [6cacd10937621125ec22b46927dae41c],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{6DE7CD5A-E025-4AD5-988D-B737B7BDCC36}.xpi, Quarantined, [e632f9e1f6a3b87e31ddab72649dc43c],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{925F0B7F-2E3C-4E38-86E5-563A2E8BDE96}.xpi, Quarantined, [2deb9545b4e59b9ba5698598827faa56],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{A7E31D80-6E3A-4DA5-AA74-E4233547CC2B}.xpi, Quarantined, [fb1d2dad5346a591bb5375a87c85748c],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{AC81674B-46E3-4AA6-B6CA-6835BECD6EEC}.xpi, Quarantined, [25f31dbdabee79bdb856c25b00015aa6],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{B0B79B10-F93B-4B1C-807E-6A997437E08D}.xpi, Quarantined, [eb2d6773326757df52bc60bdaa57f010],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{C6F9A3A0-EEC3-4714-B5AB-92EF9E37D88E}.xpi, Quarantined, [29eff7e3a6f3bc7aa46a42dbe31ef010],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{D7C8069A-1D27-4B75-B57B-3EC2449DCFB3}.xpi, Quarantined, [0711409ac8d16fc72ee055c858a9e31d],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{E4683094-B4B4-4ED7-9DE7-1AC8B0C25B3D}.xpi, Quarantined, [8296904a97029b9bb6584dd07b86dc24],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{EDDA16D6-BE7D-4991-8159-3B981307BF1F}.xpi, Quarantined, [c94fa337c1d864d2d13d4ad328d98f71],
PUP.Optional.Yontoo.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp{FE4DF683-DD50-429A-8119-41A1BDA2A0D9}.xpi, Quarantined, [6eaa5d7d8118b77fde30120be918b749],
Trojan.Agent.Drop, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\5.tmp\hidcon.exe, Quarantined, [8d8b994180192a0c1ec9111a5ca6728e],
PUP.Optional.ASK, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APNLogs\ci.log, Quarantined, [ec2cb228d4c50c2ade3a179c4bb7af51],
PUP.Optional.ASK, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APNLogs\ic.log, Quarantined, [ec2cb228d4c50c2ade3a179c4bb7af51],
PUP.Optional.ASK, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APNLogs\iw.log, Quarantined, [ec2cb228d4c50c2ade3a179c4bb7af51],
PUP.Optional.ASK.Gen, C:\Documents and Settings\Federico Saravia\Local Settings\Temp\APN-Stub\Stbe54c1d69-04d3-476b-94ea-3b67c1f8fbc3.log, Quarantined, [1cfc9b3f6f2a0a2c13fdacfc0ff38f71],
PUM.Optional.FireFoxSearchOverride, C:\Documents and Settings\Federico Saravia\Application Data\Mozilla\Firefox\Profiles\vma9v973.default\user.js, Quarantined, [0612f8e2c6d3a88e982e0e650400c13f],
Physical sectors: 0
(No malicious items detected)
(end)
We also need the SPECIFIC INFECTIONS LOGS.
Scroll down to MCShield and follow the instructions; that log you copy and paste here.
We also need the Addition.txt file that FRST made.
If you still need help, please supply from fresh scans of FRST. Also, only ONE system per thread (choose either the XP or the Win7 but not both on this thread).
Read Slowly and all of it.
If you still have an Addition.txt log file on your desktop, please delete it now.
Start FRST that is on your Desktop by double clicking it.
The tool will start to run.
When the tool opens click Yes to disclaimer. (if it does)
Select Addition.txt in the Optional Scans section of FRST.
Press Scan button.
It will make two logs (FRST.txt and Addition.txt) on your Desktop. Please attach the logs in your reply back.
Hi, thank you for your help. Here are the requested logs. Hope that helps.
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click Run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Also, how is the system running now?
Hi! Thank you! It works!! The virus on my XP laptop has been destroyed!! Will the same method work on Win 7?
Thank you very much!!
The same method will work, but not the same Fixlist.txt file. You will have to scan the system with FRST (or FRST64 if the system is 64-bit) and post the FRST.txt / Addition.txt log files. A Fixlist.txt script file will be produced for that system.
Hi,
Here are the files for Win 7.
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click Run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Also, how is this system running now?
Thank you very much!! It works again on Win 7! The system is running normally. Well done!
You can run this on both systems; it will clean off the tools used and give you a clean starting point to move forward with.
Clean up of Malware Removal Tools
Now that we are through using these tools, let’s clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.
- Download DelFix from here to your desktop and double-click it to start the program.
- Ensure "Remove disinfection tools" is ticked.
Also tick:
- Activate UAC
- Create registry backup
- Purge system restore
- Reset system settings
- Click Run.
- The program will run for a few moments and then Notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.
Done!