USB infected when inserting in laptop... Avast warns for Trojan?

Hi there!
Annoying problem over here…

When I insert my USB into my laptop, Avast warns that a trojan is found and the system starts creating and multiplying hundreds of shortcuts beginning with ‘trz’ and some of them ending in .tmp.

I thought that my USB stick was infected because I inserted it in my desktop computer, but I ran a scan over there and it indeed found infections in my USB stick, but I could remove most of them (going from 139 multiplied shortcuts to 25), but some of them are still present in the USB. But when I run a scan on my removable disk (the USB), everything is fine.

So I try the USB back on my laptop, and again: Avast starts warning for the trojan and again multiplied shortcuts trzXXX.tmp are increasing. So I really think the problem is on my laptop.
BUT when I run a scan on my laptop through Avast fast scan: nothing is found?? I found this weird and decided to also run Malwarebytes, and that program found 11 infected objects. I deleted them as required and restarted my PC.

What should I do now? Retry the USB? This is really not normal anymore.

I really hope you can help me because I really need my laptop since I’m writing my thesis :cry:

http://forum.avast.com/index.php?topic=53253.0

your computer / USB stick is infected … follow the guide given by Eddy

attach the requested logs. Malwarebytes / OTL / aswMBR

when done a malware expert will help you

Thank you! I’ll start on it right away

First: the log of MBAM:

and disconnect the USB stick… it will be cleaned later

Hi prior to running the OTL scan

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

Hi, I’m already running the OTL and waiting, since that was the next step on the list. I’ll do the MCShield as soon as OTL is finished.

Here are the OTL Logs

Here’s the MCShield LOG. Can I put out the USB or not?

New LOG of aswMBR:

The program has also generated a .dat file, but I couldn’t upload it.

So here, I did all the scans and you have all the logs. I really hope you could help me!

After this run check the USB again with MCShield

The dat file is a dump of the MBR and I now have no need for that

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
IE - HKU\S-1-5-21-3361117193-384026249-2084028618-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2865317
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3361117193-384026249-2084028618-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - Startup: C:\Users\Sara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()
[2012-02-24 23:41:29 | 000,000,000 | ---D | M] -- C:\Users\Sara\AppData\Roaming\Babylon

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here it is

Hmm does not want to go, how is the computer now ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKCU..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Sara\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - Startup: C:\Users\Sara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download Anti VBS/VBE to your desktop

  • Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
  • After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
  • Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

At first sight, nothing seems to be wrong with my laptop. But that was the case too before all these tests. It’s when I insert the USB that my Avast keeps warning for a trojan horse and all these shortcuts are multiplied. Should I try the USB device again in my laptop, or first run OTL according to your latest instruction?

Run OTL and prior to running anti vbs/vbe insert the USB and let MCShield have another go at it first then run anti vbs/vbe

Here are the logs of the OTL and Anti-VBS/VBE

The other attachment is what I received when rebooting the laptop after I ran the fix in OTL.
Hope you can help me.

OK the vbe reg entry does not want to go… Time for the big boy

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s the Combofix log

My pc is running normal, but that was the same before I noticed the infection on the USB.
So basically, if I hadn’t inserted my USB, I would never have noticed the virus in my computer since it didn’t do anything visible like really slowing my laptop or sth like that. What does the log say?

Avast blocked it from infecting the computer apart from adding the registry key. However, as there was no file to run it was harmless.

The log looks good and the key is no longer showing

You may need to reformat the USB to ensure it is totally clean

Any further problems ?
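
The situation described in the last reply, a Run key that survived while the script it pointed to was gone, can be read straight off the OTL O4 lines. The following triage sketch is an added example, not part of the thread and not code from OTL; the O4 line layout is assumed from the two lines quoted in the fix above, and the third sample line is constructed as a benign comparison.

```python
import re

# First two lines are quoted from the thread's OTL fix; the third is constructed.
SAMPLE = r'''
O4 - HKCU..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Sara\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - Startup: C:\Users\Sara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()
O4 - HKLM..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" (Example Corp)
'''

# Assumed layout: "O4 - <autostart location>: <entry text>"
O4_LINE = re.compile(r'^O4 - (?P<location>[^:]+): (?P<entry>.+)$')

# Each check is (reason, pattern); two or more hits mark the entry for review.
CHECKS = [
    ("launched through a Windows Script Host binary",
     re.compile(r'\b[wc]script(\.exe)?\b', re.I)),
    ("target is a script file",
     re.compile(r'\.(vbe|vbs|jse|js|wsf)\b', re.I)),
    ("target sits in a user-writable folder",
     re.compile(r'\\AppData\\Local\\Temp\\|\\Start Menu\\Programs\\Startup\\', re.I)),
]

def triage(line):
    """Return a verdict dict for one O4 line, or None if the line is not O4."""
    m = O4_LINE.match(line.strip())
    if m is None:
        return None
    entry = m.group('entry')
    reasons = [reason for reason, rx in CHECKS if rx.search(entry)]
    return {
        'location': m.group('location'),
        'reasons': reasons,
        # OTL appends "File not found" when the autostart target is missing:
        # the key is a leftover and cannot launch anything.
        'orphaned': entry.rstrip().endswith('File not found'),
        'suspicious': len(reasons) >= 2,
    }

def triage_log(text):
    """Triage every O4 line in a pasted OTL log."""
    return [r for r in map(triage, text.splitlines()) if r is not None]

if __name__ == '__main__':
    for r in triage_log(SAMPLE):
        state = 'REVIEW' if r['suspicious'] else 'ok'
        note = ' (orphaned, target missing)' if r['orphaned'] else ''
        print(f"{state:6} {r['location']}{note}: {'; '.join(r['reasons']) or 'no indicators'}")
```

An orphaned entry still deserves removal, since the same key would become live again if the script were restored from the USB stick.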