wscript.exe shortcut virus

So the USBs we’ve been using have been infected by the shortcut virus. It shows the target as being somewhere in C:\Windows\system32. I also dunno if it’s related to the virus, but deleting files is also impossible for the USBs.
Could someone possibly help me clean the main PC (which is probably carrying the virus) and the affected USBs? And hopefully without damaging any files.

I’ve attached a Malwarebytes log, and another log with a scan of one of the USB drives.

Also attach OTL log http://forum.avast.com/index.php?topic=53253.0

Monitoring…

Okay, these are the OTL logs.

First of all, I need you to unplug any usb you have and do not use it until we clean the system. We’ll deal with USB later…

Then…

Please download Anti-VBSVBEx64.exe on your Desktop

  • Double click to run the tool and wait until it finishes.
  • It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.

Then…

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Here are the other things you asked for:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

HKU\Mom\...\Run: [qzapepgryf] - C:\Users\Mom\AppData\Roaming\qzapepgryf..vbs [126679 2013-08-11] ()
C:\Users\Mom\AppData\Roaming\qzapepgryf..vbs
Startup: C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qzapepgryf..vbs ()
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\avguidx.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\bitool.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\nvStereoApiI64.dll
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\nvStInst.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\ose00000.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\uttE216.tmp.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\Jasper Chua - Admin\AppData\Local\Temp\{2275F7C6-69CD-4573-AC48-41D049979D91}-24.0.1312.56_24.0.1312.52_chrome_updater.exe
C:\Users\Jenilee Chua\AppData\Local\Temp\fwupnp.dll
C:\Users\Jenilee Chua\AppData\Local\Temp\hotchannel.exe
C:\Users\Jenilee Chua\AppData\Local\Temp\logclient.dll
C:\Users\Jenilee Chua\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Jenilee Chua\AppData\Local\Temp\tipsbubble.dll
C:\Users\Jenilee Chua\AppData\Local\Temp\tipsclient.dll
C:\Users\Jenilee Chua\AppData\Local\Temp\tipsdone.dll
C:\Users\Jenilee Chua\AppData\Local\Temp\tipsflash.dll
C:\Users\Mom\AppData\Local\Temp\SkypeSetup.exe
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Then…

Re-run FRST and attach fresh report…
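The fixlist above removes a .vbs file that was launched from both a Run key and the Startup folder. As an added example (not part of the original thread and not FRST's own code), this Python sketch triages log lines of the same shape and flags autostart entries that launch a Windows Script Host script from a user-writable path. The line format is assumed from the lines in the post, the function names are hypothetical, and the `ExampleUpdater` entry is constructed.

```python
import re

# Script types executed by Windows Script Host (wscript.exe / cscript.exe).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# User-writable locations where a legitimate autostart script is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# Line shapes as they appear in the fixlist above; size/date and company are optional.
RUN_RE = re.compile(
    r"^HK[A-Z]+\\.*?\\Run(?:Once)?: \[[^\]]*\] - (?P<path>.+?)"
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \([^()]*\))?$"
)
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?)(?: \([^()]*\))?$")


def parse_entry(line):
    """Return (kind, path) for a Run-key or Startup line, else None."""
    line = line.strip()
    for kind, pattern in (("run-key", RUN_RE), ("startup-folder", STARTUP_RE)):
        match = pattern.match(line)
        if match:
            return kind, match.group("path")
    return None


def flag_script_persistence(log_text):
    """List autostart entries that launch a script from a user-writable path."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, path = entry
        lower = path.lower()
        if lower.endswith(SCRIPT_EXTS) and any(d in lower for d in USER_WRITABLE):
            findings.append((kind, path))
    return findings


# Sample input: two lines copied from the fixlist above plus one constructed benign entry.
SAMPLE_LOG = r"""
HKLM\...\Run: [ExampleUpdater] - C:\Program Files (x86)\Example\updater.exe [1024 2013-01-01] (Example Corp)
HKU\Mom\...\Run: [qzapepgryf] - C:\Users\Mom\AppData\Roaming\qzapepgryf..vbs [126679 2013-08-11] ()
Startup: C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qzapepgryf..vbs ()
cmd: ipconfig /flushdns
"""

if __name__ == "__main__":
    for kind, path in flag_script_persistence(SAMPLE_LOG):
        print(f"{kind}: {path}")
```

A hit is only a lead for review: the same script should show up in both places here because the infection registers itself twice, and removal still goes through the helper's fixlist.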

Here we go, fixlog and another FRST scan report.

Ok, PC is now clean, let’s clean USB…

Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Log attached!
Hopefully these are all the USBs that were affected. (Sorry if I’m not sure. My parents were the ones tinkering with them.)

Ok, you’re clean now. Any problems?

Hmm…
The USBs aren’t totally clean. There are still some shortcuts for some files (which still link to the cmd32), and are the vir files normally supposed to be present?

EDIT: I’m sorry to leave now, but I have to sleep. I’ll be back in around 8-10hours. Please post if you have something that can help, and I’ll get to work on it once I’m back online. Thanks for taking the trouble so far!

Open MCShield Control center, and under Scanner tab tick Always unhide items on flash drives

Then rescan USB with MCShield. Delete all of the shortcut files you find…

We’re done here, only to remove used tools. Keep using MCShield on all accounts on your PC, you’ll need to start MCShield manually on other accounts and to set language for MCShield to start monitoring.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[ ] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
Tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

sir TwinHeadedEagle also need ur help plz i have the problem and i do the FRST you said there and here are the notepads you asked Jellywolf

Download attached fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

sir here is it and what should i do next?

sir plz reply i need to remove it and the virus from my flash drive because it became “shortcut” from the flash drive tnx also for your help

Ok, re-run FRST and attach fresh report.

is this the file ? after that sir what should i do to remove the virus from my 2 memory card and 1 usb device ?

Yes, this is it, PC is clean. Let’s move on USB

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    It is recommended that under the General and Scanner tabs you click on the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.