VBS:Agent-AVH [Trj]: How to remove?

Hi, Avast, Stinger & Trend Micro found VBS:Agent-AVH [Trj] on my stick. Well, I had my applications on it, pics etc. Better to rescue. At the end of the day, I deleted everything on my stick, formatted it and Avast and the other tools still found the same threat.
HijackThis found following things on my HDD:
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [jSugLyCC] wscript.exe //B "C:\Users\XYZ\AppData\Local\Temp\jSugLyCC.vbs"
O4 - Startup: jSugLyCC.vbs

PLS HELP. Stick and HDD are rotten. Any idea how to remove it without destroying windows 7?
Any useful tools with ubuntu?
Pls keep in mind I am NOT an expert. I would need step by step guidance.
Many thanks,
alex
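Added example, not code from this thread or from HijackThis: a small Python triage routine for HijackThis O4 lines that flags the pattern visible in the log above, a script host (wscript.exe) started in //B batch mode on a .vbs file in the user's Temp directory, and the same file name dropped into the Startup folder. The sample lines are constructed from that log ("XYZ" stands in for the user name, as it does there); the set of script hosts and the user-writable directory markers are assumed heuristics of my own, not part of HijackThis.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Constructed sample input modelled on the O4 entries in the HijackThis log above.
# "XYZ" stands in for the poster's Windows user name, exactly as in that log.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [jSugLyCC] wscript.exe //B "C:\Users\XYZ\AppData\Local\Temp\jSugLyCC.vbs"
O4 - Startup: jSugLyCC.vbs
"""

# HijackThis O4 line: "O4 - <location>: [<value name>] <command>"; Startup items carry no [name].
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")

# Assumed heuristics (not HijackThis's own): script hosts worth a second look as autostarts,
# script extensions, and directories any user can write to, where legitimate autostarts rarely live.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\startup\\", "\\downloads\\")


@dataclass
class Finding:
    name: str       # registry value name, or the file name for Startup-folder items
    where: str      # HKLM\..\Run, HKCU\..\Run, Startup, ...
    command: str
    reasons: list = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run-key command line into (executable, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                       # unterminated quote: treat the rest as the executable
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage_o4(text: str):
    """Parse O4 lines and return the entries that show script-based autostart indicators."""
    findings = []
    for raw in text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        where = m.group("where").strip()
        name = (m.group("name") or "").strip()
        cmd = m.group("cmd").strip()
        exe, args = split_command(cmd)
        reasons = []

        exe_base = ntpath.basename(exe).lower()
        if exe_base in SCRIPT_HOSTS:
            reasons.append(f"autostart runs the script host {exe_base}")
        if "//b" in args.lower().split():
            reasons.append("//B batch mode suppresses the script errors and prompts a user would otherwise see")
        lowered = cmd.lower()
        for marker in USER_WRITABLE_MARKERS:
            if marker in lowered:
                reasons.append("command references a user-writable directory: " + marker.strip("\\"))
                break
        if where.lower() == "startup" and ntpath.splitext(cmd)[1].lower() in SCRIPT_EXTS:
            reasons.append("script file placed directly in the Startup folder")

        if reasons:
            findings.append(Finding(name or cmd, where, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.where}] {f.name}: {f.command}")
        for r in f.reasons:
            print("    -", r)
```

Only the two jSugLyCC entries come back; the vendor autostarts (Synaptics, Avast, Skype) pass through untouched because they are neither script hosts nor run from Temp or Startup.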

Follow this guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

You will need Malwarebytes, OTL and aswMBR (NOT COMPATIBLE WITH WINDOWS 8 AND 8.1).

When done you will get help. :wink:

At the end of the day, I deleted everything on my stick, formatted it and Avast and the other tools still found the same threat.
no need for that....removal experts here would have cleaned it ;)

Thanks guys!

Well, I rescued most of it on my HDD. That’s why I have another threat now. Not a very smart move.
I am sure, your help will be needed soon. ;D

Hi, do not use USB, until we clean your PC.

Please download Anti-VBSVBEx64.exe on your Desktop

[*]Double click to run the tool and wait until it finishes.
[*]It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.

===========================================================

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

After running through the following steps of Malwarebytes’ Anti-Malware, OTL, McShield, I’ve generated so far…

Hi TwinHeadedEagle, the USB stick is gone. But until now, I followed the instructions of …Steven Winderlich
« on: Today at 03:09:43 PM »

Follow this guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

I will download Anti-VBSVBEx64.exe …and follow your instructions as well.
Thanks for your support! :smiley:

That’s the logfile:

Running fix at 09.01.2014 21:24:16

Found: C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jSugLyCC.vbs - deleted.

Found: C:\Users\XYZ\AppData\Local\Temp\jSugLyCC.vbs - deleted.

Found: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jSugLyCC - deleted.

Fix finished at 09.01.2014 21:24:19

Anti-VBS/VBE, build 7, dr_Bora, http://www.mcshield.net/download/tools/Anti-VBSVBE/

After running Farbar Recovery Scan Tool, I have the following log files

Good, PC is now clean…

Let’s take care of USB:

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedia - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

aswMBR.exe just told me twice AVAST ANTIROOTKIT doesn’t work anymore…any ideas?

Might be too much treatment 8)

Just follow my instructions, no need for anything else…

First USB:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 2.8.3.24 / DB: 2014.1.6.1 / Windows 7 <<<

09.01.2014 21:59:24 > Drive G: - scan started (no label ~7633 MB, NTFS flash drive )…

--> Executing generic S&D routine… Searching for files hidden by malware…

--> Items to process: 1

--> G:\jSugLyCC.vbs > unhidden.

G:\jSugLyCC.lnk - Malware > Deleted. (14.01.09. 21.59 jSugLyCC.lnk.532757; MD5: 91c2997be48571e537f9c66de3a9781f)

G:\jSugLyCC.vbs.vir - Malware > Deleted. (14.01.09. 21.59 jSugLyCC.vbs.vir.794105; MD5: 1cfb7313325113c591caf2a0bc122a89)

=> Malicious files : 2/2 deleted.
=> Hidden files : 1/1 unhidden.


::::: Scan duration: 1sec ::::::::::::::::::

And the second USB:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 2.8.3.24 / DB: 2014.1.6.1 / Windows 7 <<<

09.01.2014 22:00:19 > Drive H: - scan started (BACKUP PATR ~30144 MB, FAT32 flash drive )…

H:\Stefan Goergey.lnk - Malware > Deleted. (14.01.09. 22.04 Stefan Goergey.lnk.368893; MD5: 2f367c0158183c55a4845463034ec93d)

H:\Mihai Paulescu.lnk - Malware > Deleted. (14.01.09. 22.04 Mihai Paulescu.lnk.513847; MD5: 11b514dab24cb0fdb8c79202b8e8321a)

H:\Server.lnk - Malware > Deleted. (14.01.09. 22.04 Server.lnk.496846; MD5: 4b97394eb20e0cedfa11f447aa246e01)

H:\DESKTOP OLD LAPTOP.lnk - Malware > Deleted. (14.01.09. 22.04 DESKTOP OLD LAPTOP.lnk.970684; MD5: a1807ea2233e52a1a31cb6231c08728d)

H:\jSugLyCC.vbs - Suspicious > Renamed. (MD5: 1cfb7313325113c591caf2a0bc122a89)

Resetting attributes: H:\Stefan Goergey < Successful.

Resetting attributes: H:\Mihai Paulescu < Successful.

Resetting attributes: H:\Server < Successful.

Resetting attributes: H:\DESKTOP OLD LAPTOP < Successful.

=> Malicious files : 4/4 deleted.
=> Suspicious files : 1/1 renamed.
=> Hidden folders : 4/4 unhidden.


::::: Scan duration: 3min 57sec ::::::::::::


Btw, couldn't find the ALLSCANS TXT…sorry for that. Hope it will work that way as well.

Here we go:
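The second MCShield log above shows the layout this kind of USB worm leaves behind: the real folders on H: were set hidden, a .lnk file carrying each folder's name appeared beside them, and the hidden jSugLyCC.vbs sat in the root. Added example, not MCShield's code or anything posted in this thread: a Python routine that recognises that layout from a directory listing and returns the clean-up actions MCShield reported (remove the shortcuts and the script, clear the hidden attribute on the folders). The listing is constructed from the log above; list_entries reads a real directory on Windows through st_file_attributes and, as an assumption made for portability, treats dot-prefixed names as hidden on other systems. The plan is returned as text; nothing is deleted or changed.

```python
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


# Constructed listing modelled on the second MCShield log above (drive H:): each real folder
# is hidden, a same-named .lnk sits beside it, and the .vbs is hidden too.
SAMPLE_DRIVE_H = [
    Entry("Stefan Goergey", True, True),
    Entry("Stefan Goergey.lnk", False, False),
    Entry("Mihai Paulescu", True, True),
    Entry("Mihai Paulescu.lnk", False, False),
    Entry("Server", True, True),
    Entry("Server.lnk", False, False),
    Entry("DESKTOP OLD LAPTOP", True, True),
    Entry("DESKTOP OLD LAPTOP.lnk", False, False),
    Entry("jSugLyCC.vbs", False, True),
    Entry("holiday.jpg", False, False),   # an ordinary, untouched file (constructed)
]

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


def list_entries(root):
    """Read a real directory into Entry objects.

    The Windows 'hidden' attribute comes from st_file_attributes; on other systems a
    leading dot is treated as hidden (a portability assumption, not MCShield's logic)."""
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    entries = []
    with os.scandir(root) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & hidden_flag) or de.name.startswith(".")
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return entries


def find_shadowed(entries):
    """Return (shadow_pairs, hidden_scripts).

    shadow_pairs: (lnk file name, hidden folder name) where a .lnk has exactly the name of a
    hidden folder on the same volume; hidden_scripts: hidden files with a script extension."""
    hidden_dirs = {e.name for e in entries if e.is_dir and e.hidden}
    shadow_pairs = []
    hidden_scripts = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        ext = ext.lower()
        if ext == ".lnk" and base in hidden_dirs:
            shadow_pairs.append((e.name, base))
        elif ext in SCRIPT_EXTS and e.hidden:
            hidden_scripts.append(e.name)
    return shadow_pairs, hidden_scripts


def remediation_plan(entries, drive="H:"):
    """Describe the clean-up as a list of actions without executing any of them."""
    pairs, scripts = find_shadowed(entries)
    actions = []
    for lnk, folder in pairs:
        actions.append(f"quarantine {drive}\\{lnk}")
        actions.append(f'attrib -s -h "{drive}\\{folder}"')   # clears the system+hidden attributes
    for script in scripts:
        actions.append(f"quarantine {drive}\\{script}")
    return actions


if __name__ == "__main__":
    # With a path argument, scan that directory; otherwise use the constructed listing.
    entries = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DRIVE_H
    for action in remediation_plan(entries):
        print(action)
```

The matching rule is deliberately narrow (a .lnk whose base name equals a hidden folder in the same directory), which is what separates the worm's shortcuts from ordinary shortcuts a user may keep on a stick.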

You're clean now, just another check and we're done :slight_smile:

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer );

Attach here Gmer logreports.

This is the VBS file MCShield found on your drive:
https://www.virustotal.com/en/file/8c2501d8cbceb8c5adb867c2e14979612ef0cc9b32aea21d77f445926e82b3e9/analysis/

GMER LOG:

Many thanks!!!

Ok, we’re done :slight_smile:

Keep using MCShield, it will protect you in the future.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

Cheers :slight_smile: