worm creating .lnk in USB, now affecting Settings of Windows 10

good evening.

I got this worm in school. Somebody borrowed my USB drive, and when I got it back it had hidden all the files and folders and created a .lnk for each of them. I thought I was already able to remove it, but my computer started to act funny. I noticed that my Settings closes every time I open it, like it just pops up and disappears.

I tried scanning my computer several times (twice in Safe Mode using Windows Defender); I got no infection. I tried another antivirus, still no luck in that area. I came across a similar problem here with a worm creating shortcuts, but I am not sure if it is the same as my problem.

I tried AdwCleaner, but every time I run it, the same set of files gets deleted. Now I do not know what to do, and I do not want to reformat my laptop.

help please…

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

also in the guide Asyn gave you…

scroll down to > SPECIFIC INFECTIONS LOGS and follow MCShield instructions

This log you copy and paste here (the others you attach)

I got this worm in school, somebody borrowed my usb drive .....
You can tell that somebody he has an infected computer ;)

Sir, thank you for the replies. It took me a while to finish scanning everything. I'm working in the Admin account since my other account proves to be in limbo.

Results:
Malwarebytes yielded a negative result, thus no scan log was created.

for the MCShield, here is the log:

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

9/15/2016 12:52:00 AM > Drive C: - scan started (no label ~443 GB, NTFS HDD )…
=> The drive is clean.

9/15/2016 12:52:00 AM > Drive D: - scan started (New Volume ~488 GB, NTFS HDD )…
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

9/15/2016 12:54:46 AM > Drive F: - scan started (RECOVERY ~7440 MB, NTFS flash drive )…
=> The drive is clean.

Attached are the other logs I got.

Now you have to be patient and wait for one of the removal experts listed in the guide to arrive; this may take hours.

Sir, I'm willing to wait for them.

Anyway, I went back and logged into my other account, same thing: I cannot open Settings, even the "select available connection" is having trouble. I also cannot run the programs I used to diagnose the laptop earlier (Malwarebytes and the rest).

Furthermore, my laptop is trying to access a website which one of my antivirus programs is blocking; I will attach the pic of the warning.

I also attached the ADW logs I was able to get earlier.

thank you very much.

one of my antivirus is blocking
So you have more than one AV installed? > https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/2670/

Earlier, sir, I only had Windows Defender, but after scanning my system and it could not detect any malware, I opted to install another one to see if that could detect the malware; sadly, even that one was not able to find it.

While running the second antivirus, that message popped up (Blocked IP).

We will deal with the excess of AV / anti-malware on your system later. Please do the following and tell me how your system is then (I do need to see the resulting Fixlog.txt file also).

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon (https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) and select Run as Administrator (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

Sir dbrisendine, attached is the Fixlog I got after running the fix. I also uninstalled the other AV; now I am left with Windows Defender.

How is your system running now? Is the LNK issue gone?


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

- [b]Vista/7/8 users:[/b] Right click the [b]AdwCleaner[/b] icon on the desktop, click [b]Run as administrator[/b] and accept the UAC prompt to run AdwCleaner.

You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v5016_zpsf8ln0fea.png

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it will ask to reboot; allow this.

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

- On reboot a log will be produced; please attach that in your next reply. This report is also saved to [b]C:\AdwCleaner\AdwCleaner[C#].txt[/b]

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

Sir dbrisendine, I ran AdwCleaner. Attached is the log file.

thank you very much.

How is the system now?

Good evening, sir. Unfortunately, my Settings still closes by itself. I ran MCShield before attaching the USB drive; it said the drive is clean, but I found a data.bat and a File History folder shortcut in it.

I have attached the pics.

As long as you have MCShield set to automatically start with the boot of Windows, it will not let the malware run (the autorun.inf file on the USB has been removed). If you want the malware to be automatically deleted, you have to change a setting in MCShield to do so; the default is to just disinfect and shield but not to delete (in case of a False Positive in the user's mind).
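Added example, not from the thread and not MCShield's own code: a PowerShell script a helper could run to inspect a USB drive for the pattern described in the opening post (originals set Hidden next to same-named .lnk decoys, plus a root-level autorun.inf or .bat dropper like the data.bat mentioned above) and, with -Restore, make the hidden originals visible again. The drive-letter parameter, the -Restore switch and the "same base name" matching rule are my assumptions.

```powershell
# Added example (not from the thread). Inspect a removable drive for the
# LNK-worm pattern: hidden originals beside same-named .lnk decoys, plus
# autorun.inf / .bat droppers in the root. -DriveLetter and -Restore are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$DriveLetter,   # e.g. 'F'
    [switch]$Restore                                       # clear Hidden/System on originals
)

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

$shell    = New-Object -ComObject WScript.Shell   # resolves .lnk targets
$findings = @()

# 1. Root-level droppers named in the thread: autorun.inf and stray .bat files
Get-ChildItem -LiteralPath $root -Force -File |
    Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Extension -ieq '.bat' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Kind = 'Dropper'; Path = $_.FullName; Target = $null }
    }

# 2. Every .lnk in the root that has a Hidden twin (file or folder) with the same base name
Get-ChildItem -LiteralPath $root -Force -Filter *.lnk -File | ForEach-Object {
    $lnk    = $_
    $target = $null
    try { $target = $shell.CreateShortcut($lnk.FullName).TargetPath } catch { }
    $baseName = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)
    $twin = Get-ChildItem -LiteralPath $root -Force | Where-Object {
        $_.Name -ieq $baseName -and $_.Name -ine $lnk.Name -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    }
    if ($twin) {
        # The decoy's target shows what a double-click would have launched
        $findings += [pscustomobject]@{ Kind = 'DecoyLnk'; Path = $lnk.FullName; Target = $target }
        if ($Restore) {
            # Make the real item visible again; leave the .lnk itself for the AV/expert to collect
            $twin | ForEach-Object {
                $_.Attributes = $_.Attributes -band -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No LNK-worm pattern found in the root of ' + $root }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell as `.\Check-UsbLnk.ps1 -DriveLetter F` first to only report, and add `-Restore` once the report matches what the thread describes.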


The settings permissions are most likely changed by the malware. This should reset them to default values. The software has been updated so the pictures may be a little different than the new software but you should be able to make sense of what to do. If not, come back and ask questions until you are sure.

Please download “Windows Repair - All in One” from here. Please choose “Save file…” if you get options to open the file. Once the download is complete, run the file and install the program on your system. Please use the default settings for locations as it will help with log retrieval and fixing the registry should anything be needed.

Right click on the desktop shortcut for “Tweaking.com - Windows Repair” and select ‘Run as administrator’.

The program will run a self check to make sure that all the correct files are in place for it to run and then it will load the program. As you can see, there are many steps to take in using this program. Mainly, the first few steps involve checking for proper Windows files and backing up the system as a precaution.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step1_zpswsvkpwps.png

You can read the notes on the first screen, but the important thing to do is click on "ReBoot to Safe Mode" and allow the system to restart itself. Once the system has started in Safe Mode and you have logged in (using an administrative-level account), restart the program and move on to the Step2 screen.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Check_v3_9_6_zps8ku4ffgf.png

Please click on “Open Pre-Scan” to load a utility to verify some Windows resource / build files and settings.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Start_zpsqsnaduax.png

Click on “Start Scan” and allow the routine to run. You can see the status of the checks in the window.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Finish_zpscticsthm.png

When the routine is finished, it will report on any problems found and you can click on the appropriate repair button if needed. Once this is done, you can close this window and click on Step3.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step3_CheckDisk_zpsn3dmzb3p.png

Click on the “Check” to see if a repair disk check routine needs to run. A Command Prompt window will open and you can view the status of the routine. If the routine finds that repairs need to be made, please select “Open Disk Check at Next Boot” and then click on the “Reboot To Safe Mode” button. Once the routine(s) completes, please select Step4.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step4_SFCscan_zpsrgf8dxrt.png

Please click on "Do It" to run an SFC /scannow routine. If the routine makes any repairs, please reboot your system (again into Safe Mode). If the routine does not make any repairs, please move on to Step5.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step5_Backup_zpsu1i9cqxu.png

Once there, click on “Backup” under the 1. Registry Backup. This will make a complete backup of the current registry which can be reloaded should anything go wrong with the repairs that are going to be made. Next, click on the “Create” under 2. System Restore. Once both of these backups are made, select Repairs.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step6_Repairs_Tips_zpspmp4g2yh.png

I would suggest that you read the Tips For The Best Repairs Results. Once this is done, click on “Open Repairs”.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step6_Repairs_Start_current_version_zpslbh2ltju.png

On this screen, uncheck All Repairs and then click (select) the following: 1, 2, 3, 4, 5, 6, 8, 10, 11, 13, 15, 16, 21, 23, 26, 27, 31 and 32. The screen and options should look very much like the picture above. Click "Start Repairs" and confirm that the program starts running the fixes. This will take a while to run, so you can let it run unattended if you like. Log files are recorded as the repairs are executed. Once the repairs are finished, reboot your system (normal boot now) and tell me how it is running.