system
1
I found a similar topic: https://forum.avast.com/index.php?topic=142075.0
But solving the problem is different in every case…?
I would appreciate it if someone helped me. 
I plugged in my usb drive and I first noticed my pc slowed down suddenly. Then I realized all my files had a few kilobytes, some of the word documents had an ‘application’ icon instead of a MS Office one. The second time I plugged in the usb drive both the original files AND the shortcuts appeared. For example:
My pdf appears as if it is an image:
http://puu.sh/aMJ1N/58c2351639.png
http://puu.sh/aMIWH/c2d01c275b.png
But also as a PDF document… (but the icon is transparent…?)
http://puu.sh/aMIZz/909c75e423.png
And what the hell is this? ???
http://puu.sh/aMJ6B/6353eede82.png
Eddy
2
system
3
Hello! Well, I scanned with Malwarebytes Anti-Malware and everything is ok according to them.
I started scanning with Farbar but I’ve been seeing “Application errors: 14039” for an hour. The scan doesn’t seem to stop. The ‘x’ button does nothing. I think I’m going to force close it soon…
I don’t see any way of attaching those text files… must be because I’m new here.
logs so far:
Pondus
4
"I don't see any way of attaching those texts files... must be because I'm new here."
below the box you write in ..... Attachments and other options
system
5
Oh, thank you, Pondus! edits
Hi there, the USB is probably infected.
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
HKU\S-1-5-21-2117982335-1953125690-2862676845-1000\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe ()
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe
C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe
BHO: Visual Bookmarks -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File
BHO-x32: Visual Bookmarks -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7ccseq2u.default\user.js
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated, please post that
THEN
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan
Then get the log which will be located under the logs tab on the main page
And post that
FINALLY
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
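The fixlist in the post above targets one persistence pattern: a Run key or Startup item that launches a Windows Script Host script. The following is an added example, not part of the original thread and not FRST's own code, that triages FRST-style log lines for that pattern; the sample log is constructed from the line formats shown above, and `ExampleUpdater`, `Example.lnk` and the function name are hypothetical.

```python
import re

SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf")  # types Windows Script Host runs
RUN_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(.*?)\] => (.*)$")
HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b", re.I)

# Constructed sample: three lines in the format of the fixlist above, plus two
# benign entries invented for contrast (ExampleUpdater, Example.lnk are hypothetical).
SAMPLE_LOG = r'''
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
HKLM\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
HKU\S-1-5-21-2117982335-1953125690-2862676845-1000\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Example.lnk ()
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe ()
'''


def find_script_autoruns(log_text):
    """Return (location, entry name, script path) for autoruns that start a WSH script."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            cmd = cmd.split(" <=====")[0]  # drop the log's attention marker
            targets = re.findall(r'"([^"]+)"', cmd) or cmd.split()
            scripts = [t for t in targets if t.lower().endswith(SCRIPT_EXT)]
            if HOST_RE.search(cmd) and scripts:
                findings.append((hive.split("\\")[0] + " Run", name, scripts[0]))
        elif line.startswith("Startup: "):
            # Strip the trailing "(company)" field, which is empty here.
            path = re.sub(r" \([^()]*\)$", "", line[len("Startup: "):])
            if path.lower().endswith(SCRIPT_EXT):
                findings.append(("Startup folder", path.rsplit("\\", 1)[-1], path))
    return findings


if __name__ == "__main__":
    for location, name, path in find_script_autoruns(SAMPLE_LOG):
        print(f"{location}: {name} -> {path}")
```

The same script name turning up under a Run key and in the Startup folder, as in this thread, is why removing one entry alone leaves the file reopening after a restart.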
system
7
Hello there! I applied the FRST fix.
But right after the fix a file opened: 39740771_2(scrambled).vbe
Continue with MCShield and AdwCleaner please, then produce a fresh FRST scan
system
9
MCShield solved the problem I guess.
Problem is: that vbe file opens after every restart.
Could you now run a fresh FRST scan so that I can locate the vbe start point?
system
11
I scanned with FRST but it freezes at “Application errors: 14039”. The log is overwritten? It’s the same FRST.txt? Do I need to post that?
Let's try this first and then run FRST after that
Download Anti VBS/VBE to your desktop
- Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
- After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
- Post that report
Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows. It is safe, so allow it to run
system
13
Log says the vbe got deleted parties hard
I’ll run FRST soon.
EDIT: Same freezing as before… force closed again…
EDIT 2: I’m now trying to run it with antivirus disabled, maybe it works… ?
OK big boy time
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
system
15
I disabled my antivirus but Combofix still says it is open… How to exit?
system
16
I’ll just uninstall it to be sure :-\
You can ignore that and accept the warning if you have disabled it
system
18
This Combofix thingy added IE to my desktop and made it a default browser…
meh
I added the log :3 Thank you for the help so far!
No weird vbe anymore.
Looks like antivbs killed it properly.
Any further problems?
system
20
Nope. Everything’s fine I think. Thank you very much! :3