usbAl script file on flash drive hides all files and folders

Hello, everyone
So two days ago a friend of mine gave me his USB drive, because it behaved funny. Anything he copied to it became a shortcut.
I have hidden files and system files showing on my PC, so I found all the files on the USB drive were there, just hidden, and a strange file named usbAl.vbs. He said he didn’t need any of the content of the USB, so I did a format with the HPUSBDisk tool. Everything was OK until the next day, when I plugged in my USB stick and the same usbAl.vbs appeared. So I checked the PC with Avast Free, Malwarebytes, Trojan Remover, and today I even installed a trial version of NOD32; I also ran ComboFix, but the problem persists. Avast Free found nothing, Malwarebytes deleted a couple of toolbars, Trojan Remover renamed a file but didn’t fix the problem, and NOD found all my archives suspicious and wanted to delete them, but still nothing.
Any idea what I should do next? Reinstalling Windows is still not an option, because of some licensed software.
Thanks in advance.

p.s. I ran the DDS that is recommended in most posts; here are the logs:

malware removers are notified…

if you have logs from Malwarebytes / Combofix then attach them also

Sorry, can’t find the Malwarebytes one.

Combofix log:

you could send the usbAl.vbs file to the avast virus lab via www.avast.com/contacts

or mail the file in a password protected zipped archive to virus@avast.com

Hi,

Who told you to run Combofix?

  • you didn’t run it right, per the instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

----- next -----

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double-click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

OK, these are the logs from FRST and MCShield:

p.s. I uploaded a second version of AllScans.txt, since the second time I plugged in my USB drive a warning appeared.

can you upload and scan usbAl.vbs at www.virustotal.com
and post the link to the scan result here

magna86 will soon be back and help you…

link

did you send the file to avast labs for analysis?

If not send it via www.avast.com/contacts

OR

send all the suspected and infected files to virus@avast.com and wait for detection to be added. Add some additional info in the e-mail body with a link to this topic.

Send samples in an enclosed archive with a password; use the 7-zip program.

Password should be “virus”

mention password in e-mail body

@m_a_k

We shall remove all malware from your system and then I will ask for the FRST Quarantine folder for analysis. First things first …

MCShield has detected the malware source in the third USB memory device (the latest one that you attached to USB for MCShield scanning) and the malware is removed now.

Please do the following:

----- FIX -----

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

START
File: C:\WINDOWS\system32\hkcmd.exe
HKLM\...\Run: [usbAl] - C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs [150772 2013-07-28] () <===== ATTENTION
HKCU\...\Run: [usbAl] - C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs [150772 2013-07-28] () <===== ATTENTION
Startup: C:\Documents and Settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs ()
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=BCB3001E8C0CDCC4
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www1.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=BCB3001E8C0CDCC4
FF SearchPlugin: C:\Documents and Settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\searchplugins\BrowserProtect.xml
FF SearchPlugin: C:\Documents and Settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\searchplugins\delta.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
C:\Documents and Settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\searchplugins\BrowserProtect.xml
C:\Documents and Settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\searchplugins\delta.xml
C:\Program Files\mozilla firefox\searchplugins\babylon.xml
File: C:\WINDOWS\system32\ztvunrar36.dll
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
CMD: ipconfig /flushdns
Hosts:
END
  2. Save the notepad file as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

----- next -----

Re-check:
Re-run FRST, just hit the Scan button and attach here the freshly created FRST.txt log report.

----- next -----

Please find the C:\FRST\Quarantine folder, zip it / rar it with a password and please upload the file here:

http://www.wikisend.com

Please post me here download link.

These are the logs and a link to Quarantine folder:

Quarantine.rar

p.s. I sent an e-mail to virus@avast.com with the problem and an archive of the usbAl.vbs file, but forgot to send the logs and a link to the thread :-[

Don’t worry, it is enough that the file was sent to VirusTotal. If one or more AVs detect a file as malware, the sample will be automatically sent to the other AV vendors, avast included.
In a few days you can expect detection.
Can you tell me the password please?

Password: frst

Thanks.

FRST wasn’t able to remove the malware file, so we shall need to repeat the procedure with fixlist.txt

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

START
UNLOCK: C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp
HKLM\...\Run: [usbAl] - C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs [150772 2013-07-28] () <===== ATTENTION
HKCU\...\Run: [usbAl] - C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs [150772 2013-07-28] () <===== ATTENTION
Startup: C:\Documents and Settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs ()
C:\Documents and Settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs
END
  2. Save the notepad file as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

----- next -----

Re-run FRST, hit the Scan button and attach here the fresh FRST.txt log report.

Here are the logs from FRST:

p.s. I am sorry for the long thread

p.s. I am sorry for the long thread
Don’t worry. When we run into a new malware, the thread is known to go at least three pages. ;) Four to five pages is the average for a new malware. ;D

Hm … something keeps the files from being deleted.
Since FRST is deadly on Vista and above systems and you have XP, we will use ComboFix and its CFScript, because CF is the big daddy for XP.

Delete the old copy of ComboFix; you need to download a fresh copy of ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

Open notepad and copy/paste the text present inside the code box below:

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"usbAl"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"usbAl"=-

File::
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs
c:\documents and settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

----- next ----

Re-run FRST and post me the freshly created FRST log, to see what is going on after running ComboFix.

Here are the logs from ComboFix and FRST:

p.s. I tried plugging in some USB drives; good news, no usbAl.vbs appears. :slight_smile:

One more script:

Open notepad and copy/paste the text present inside the code box below:

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Windows XP Pro^Start Menu^Programs^Startup^usbAl.vbs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usbAl]

File::
c:\documents and settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs
c:\windows\pss\usbAl.vbsStartup
C:\Program Files\mozilla firefox\browser\searchplugins\911bg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\diribg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\pe-bg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\portalbgdict.xml
C:\Windows\system32\drivers\scsiport.sys

KillAll::

Driver::
ScsiPort

FileLook::
c:\windows\system32\wscript.exe
c:\windows\system32\eappprxy.dll

Firefox::
FF - ProfilePath - c:\documents and settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\
FF - user.js: extensions.delta.tlbrSrchUrl - 
FF - user.js: extensions.delta.id - bcb35a4f000000000000001e8c0cdcc4
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15816
FF - user.js: extensions.delta.vrsn - 1.8.16.16
FF - user.js: extensions.delta.vrsni - 1.8.16.16
FF - user.js: extensions.delta.vrsnTs - 1.8.16.1618:49
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

----- next -----

Can you please re-upload to me the Quarantine folders created by FRST and ComboFix?

C:\FRST\Quarantine
C:\Qoobox\Quarantine

Attach them with a password.

http://www.wikisend.com

Please post me here download link.

Hi everyone!
I’ve just fixed a computer infected with usbAl.vbs, so I decided to post my solution in a few steps.

  1. Enable hidden files and folders and disable hiding of system files, from Folder Options.
  2. Stop the script process from Task Manager; usually it will be something like the “wscript.exe” process (the virus is run using the Windows-based Script Host).

If you do not want to save any data, just format your USB drive and proceed to step 5; otherwise continue with step 3.

  3. Open your USB drive and remove all shortcuts and the usbAl.vbs
  4. Open a command prompt and type the following (I’ll use G: as an example drive letter; replace the letter with the infected drive’s letter)

cd G:
G:
attrib -s -h /S /D

Wait until the command finishes!

  5. Go to C:\Users\<YOUR_USER_ACCOUNT>\AppData\Local\Temp and delete the file usbAl.vbs
  6. Copy %appdata%\Microsoft\Windows\Start Menu\Programs\Startup, paste it into the Windows Explorer address bar and press Enter. Delete usbAl.vbs from there

Not the simplest guide, but if you know a bit of Windows you’ll be alright.
This was on a Windows 7 x86 machine, so if you have XP or something more antique, just adapt the directories so they suit your OS.

Best regards,
Momchil Marinov
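Drive-side triage for the steps above (unhide everything, delete the worm's shortcuts and usbAl.vbs), written here as an added example rather than code from the thread or from any tool named in it. It assumes the behaviour the posts describe; the .lnk check is a byte-search heuristic for the dropper name, not a full shortcut parser, and the attribute reset is Windows-only. The host-side persistence listed earlier (Run keys, the %TEMP% and Startup copies) still has to be checked separately.

```python
"""usbAl.vbs drive triage: added example, not the thread's own code. Assumes the
behaviour the posts describe (files hidden, a .lnk per item launching the vbs)."""
import os
import stat
import sys

DROPPER = "usbal.vbs"  # file name from the thread, compared case-insensitively
HIDE_BITS = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)

def lnk_points_at_dropper(path):
    """Heuristic: a .lnk stores its command line as UTF-16LE (sometimes ANSI);
    search the first 64 KiB for the dropper name in either encoding."""
    with open(path, "rb") as f:
        low = f.read(65536).lower()
    return DROPPER.encode() in low or DROPPER.encode("utf-16-le") in low

def scan_drive(root):
    """Return (hidden entries, shortcuts that launch the dropper, dropper copies)."""
    hidden, shortcuts, droppers = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if name.lower() == DROPPER:
                droppers.append(p)
            elif name.lower().endswith(".lnk") and lnk_points_at_dropper(p):
                shortcuts.append(p)
            # st_file_attributes exists only on Windows; POSIX never reports hidden
            if getattr(os.stat(p), "st_file_attributes", 0) & HIDE_BITS:
                hidden.append(p)
    return hidden, shortcuts, droppers

def clean_drive(root, apply=False):
    """The thread's manual steps: clear hidden/system bits (attrib -s -h /S /D),
    then delete the worm's .lnk files and usbAl.vbs. Dry run unless apply=True.
    Returns (files removed, entries unhidden)."""
    hidden, shortcuts, droppers = scan_drive(root)
    for p in hidden:
        print(("unhide " if apply else "would unhide ") + p)
        if apply and os.name == "nt":  # SetFileAttributesW is Windows-only
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(
                p, os.stat(p).st_file_attributes & ~HIDE_BITS)
    for p in shortcuts + droppers:
        print(("remove " if apply else "would remove ") + p)
        if apply:
            os.remove(p)
    return len(shortcuts) + len(droppers), len(hidden)

if __name__ == "__main__":  # usage: python usbal_triage.py G:\ [--apply]
    clean_drive(sys.argv[1], apply="--apply" in sys.argv)
```

Run it without `--apply` first and read the dry-run listing; a shortcut is only removed when its embedded command line names the dropper, so the user's own .lnk files are left alone.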

3. Open your USB drive and remove all shortcuts and the usbAl.vbs
or you can just install MCShield and let it remove it .... as seen in the AllScans log attached in reply #5. ;)