VBS: Agent

Hello! I’m having trouble removing an infection by VBS: Agent-AWN [Trj] and also LNK:Jenxcus-F [Trj]. I ran all the scans following the procedures recommended here https://forum.avast.com/index.php?topic=53253.0 and still can’t get rid of this thing.
MC Shield finds the threat in my USB drives and deletes it (as does my Avast Antivirus) but it reappears. I’m attaching the logs.
Can anyone recommend something that will work? I have more than one computer infected, and have no idea what to do.

(Sorry I’m not attaching the Malwarebytes log, but I can’t find it. I know it must be somewhere in its folder, but I can’t figure out what it’s called.)

Many thanks.

(Sorry I'm not attaching the Malwarebytes log, but I can't find it. I know it must be somewhere in its folder, but I can't figure out what it's called.)
open malwarebytes > history (top right) > application logs (left side)

Hi pseiguer, :slight_smile:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer’s time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process, so don’t stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest you any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:
Start
Emptytemp:

HKLM\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
C:\ProgramData\1138s.vbe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3502842846-2846736217-2083574128-1000\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
C:\ProgramData\1138s.vbe
Startup: C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe ()
C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe
2014-10-05 15:57 - 2013-08-10 20:47 - 00039755 ___SH () C:\ProgramData\1138s.vbe
C:\Users\PAULA\AppData\Local\Temp\install_reader11_es_gtbd_chrd_dn_aih.exe
End
    - Click on File > Save as...
    - Inside the File Name box type fixlist.txt
    - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Required Log(s):
    - FRST Fix Log

    Regards,
    Valinorum

Thank you very much for your help Valinorum! I’ll try to follow your instructions faithfully.

For now, here is the required log (BTW, I will later ask you for help removing this worm from my USB drives, because I can’t use them as they are!):

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-10-2014
Ran by PAULA at 2014-10-06 19:56:08 Run:1
Running from C:\Users\PAULA\Desktop
Loaded Profile: PAULA (Available profiles: PAULA)
Boot Mode: Normal

Content of fixlist:


Start
Emptytemp:

HKLM\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
C:\ProgramData\1138s.vbe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3502842846-2846736217-2083574128-1000\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
C:\ProgramData\1138s.vbe
Startup: C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe ()
C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe
2014-10-05 15:57 - 2013-08-10 20:47 - 00039755 ___SH () C:\ProgramData\1138s.vbe
C:\Users\PAULA\AppData\Local\Temp\install_reader11_es_gtbd_chrd_dn_aih.exe
End


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1138s => value deleted successfully.
Could not move "C:\ProgramData\1138s.vbe" => Scheduled to move on reboot.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ => value deleted successfully.
HKU\S-1-5-21-3502842846-2846736217-2083574128-1000\Software\Microsoft\Windows\CurrentVersion\Run\1138s => value deleted successfully.
Could not move "C:\ProgramData\1138s.vbe" => Scheduled to move on reboot.
C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe => Moved successfully.
"C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe" => File/Directory not found.
Could not move "C:\ProgramData\1138s.vbe" => Scheduled to move on reboot.
C:\Users\PAULA\AppData\Local\Temp\install_reader11_es_gtbd_chrd_dn_aih.exe => Moved successfully.
EmptyTemp: => Removed 19.7 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-10-06 20:04:14)<=

C:\ProgramData\1138s.vbe => Is moved successfully.
C:\ProgramData\1138s.vbe => Is moved successfully.
C:\ProgramData\1138s.vbe => Is moved successfully.

==== End of Fixlog ====

Perform the MCShield step now on your USB drive.

The problem is that when I plug in the USB drive MCShield automatically scans it and gives me this log:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2014.10.5.1 / Windows 7 <<<

07/10/2014 09:16:19 a.m. > Drive L: - scan started (STORE N GO ~7632 MB, FAT32 flash drive )…

L:\.Trashes.lnk - Malware > Deleted. (14.10.07. 09.16 .Trashes.lnk.165371; MD5: 777e541f5bb4f1fe0397cf08cd202fe6)

L:\1138s.vbe - Malware > Deleted. (14.10.07. 09.16 1138s.vbe.613670; MD5: eb5b7a1556568c05ab34e7f69cba1f03)

Resetting attributes: L:\.Trashes < Successful.

=> Malicious files : 2/2 deleted.
=> Hidden folders : 1/1 unhidden.


::::: Scan duration: 5sec ::::::::::::::::::


But then, if I unplug it and plug it again, I get the same thing: it keeps telling me it found malware and deleted it. Is it possible that it’s a false positive, or is it that it can’t really cleanse it? I get the same result with my other USB drives.

Is it possible that it's a false positive,
no .... this is one of the files found

First submission 2013-09-18 07:53:08 UTC ( 1 year ago )
https://www.virustotal.com/en/file/b7760cc104f4175a651a41808b9ef4112fad568aec917f97f282a5e2ce23376d/analysis/

I have notified the MCShield guys, so they may come here and take a look.

Give me fresh FRST scan log.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2014.10.5.1 / Windows 7 <<<

07/10/2014 01:58:23 p.m. > Drive L: - scan started (STORE N GO ~7632 MB, FAT32 flash drive )…

L:\.Trashes.lnk - Malware > Deleted. (14.10.07. 13.58 .Trashes.lnk.154415; MD5: 777e541f5bb4f1fe0397cf08cd202fe6)

L:\1138s.vbe - Malware > Deleted. (14.10.07. 13.58 1138s.vbe.930610; MD5: eb5b7a1556568c05ab34e7f69cba1f03)

Resetting attributes: L:\.Trashes < Successful.

=> Malicious files : 2/2 deleted.
=> Hidden folders : 1/1 unhidden.


::::: Scan duration: 4sec ::::::::::::::::::


WP

Sorry, I misread your last post.
Can I attach the new log? It’s too long for cut and paste; the system won’t accept my reply.

Can I attach the new log?
yes....

I meant, may I? Because Valinorum told me very emphatically not to…

Instead of using 20 posts with copy and paste (something that may happen with long diagnostic logs like OTL / FRST), attach it.

And if Valinorum absolutely wants it copy/pasted, you can always redo it if he says so :wink:

OK, here it is. Valinorum, if you want it copied I’ll do so…

Hi,

  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:
Start
CloseProcesses:
Emptytemp:
(Microsoft Corporation) C:\Windows\System32\wscript.exe
HKLM\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
HKU\S-1-5-21-3502842846-2846736217-2083574128-1000\...\Run: [1138s] => wscript.exe //B "C:\ProgramData\1138s.vbe"
Startup: C:\Users\PAULA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1138s.vbe ()
C:\Users\PAULA\AppData\Local\Temp\install_reader11_es_gtbd_chrd_dn_aih.exe
C:\ProgramData\1138s.vbe
2014-10-05 15:57 - 2013-08-10 20:47 - 00039755 ___SH () C:\ProgramData\1138s.vbe
End
    - Click on File > Save as...
    - Inside the File Name box type fixlist.txt
    - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

Do a fresh FRST scan after the fix and attach the log as well.

  • Required Log(s):
    - FRST Fix Log
    - FRST.txt

    Regards,
    Valinorum
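As an added example (not from this thread, and not part of FRST or MCShield), the PowerShell script below is a read-only triage of the same places the Step #1 and Step #2 fixlists target: the Run values in HKLM, the WOW6432Node view and each loaded user hive, the Startup folders, the root of every removable drive, and any running script host. Only the registry paths, folder names and the `wscript.exe //B "...vbe"` pattern come from the logs above; the extension list and the report format are assumptions.

```powershell
# Read-only triage of the persistence spots the fixlists touched. Assumes Windows
# PowerShell 5.1 or later in an elevated session; it reports and removes nothing.

$scriptHost = 'wscript\.exe|cscript\.exe'   # the worm ran as: wscript.exe //B "C:\ProgramData\1138s.vbe"
$scriptExt  = '\.(vbe|vbs|js|jse|wsf)\b'     # assumed list of script extensions worth flagging

# 1. Run values: HKLM, the WOW6432Node (HKLM-x32) view and every loaded user hive (HKU\S-1-5-21-...)
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') +
           @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
               "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($p.Value)" -match $scriptHost -and "$($p.Value)" -match $scriptExt) {
            "[Run]     $key\$($p.Name) => $($p.Value)"
        }
    }
}

# 2. Startup folders (the worm dropped 1138s.vbe into the user's Startup folder)
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $scriptExt } |
        ForEach-Object { "[Startup] $($_.FullName) ($($_.Attributes))" }
}

# 3. Removable drives: hidden+system scripts in the root, and .lnk files that launch a script host
$shell = New-Object -ComObject WScript.Shell
foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    foreach ($f in (Get-ChildItem -Path "$($disk.DeviceID)\" -Force -File -ErrorAction SilentlyContinue)) {
        $hiddenSystem = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and $f.Attributes.HasFlag([IO.FileAttributes]::System)
        if ($f.Name -match $scriptExt -and $hiddenSystem) {
            "[USB]     hidden+system script: $($f.FullName)"
        } elseif ($f.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName)
            if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $scriptHost) {
                "[USB]     shortcut to a script host: $($f.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
            }
        }
    }
}

# 4. Live script hosts: Step #2 added CloseProcesses: and wscript.exe to the fixlist because the
#    running host kept 1138s.vbe from being moved until reboot in the Step #1 log
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
    ForEach-Object { "[Proc]    PID $($_.ProcessId): $($_.CommandLine)" }
```

A drive that keeps coming back infected after MCShield deletes the files, as reported above, is exactly the case where section 4 matters: a script host still running from a Run value re-drops the files on every insert.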

Here you are.

Apply the MCShield scan to your USB devices now and report the result to me.

It seems to be working. So far I’ve tried it with two drives and after detecting malware on the initial scan, it doesn’t appear on the second scan.
I’ll get back to you when I’ve finished cleansing all of them.

Acknowledged.

OK so far, except for a little glitch. With one drive MCShield always tells me when beginning the scan that the drive is infected. But later, when the scan is finished, it says that no malware was found. This doesn’t happen with my other USB drives.

Does this mean anything, or is this computer clean? If so, can you help me with my laptop and the other desktop in my house? I’m guessing they all must have the same infection.