wscript/shortcut virus

Hi everyone!

Recently I've been experiencing some trouble with this virus: both my USB drive and my smartphone got infected by this annoying malware.

Any help would be really appreciated, thanks! :slight_smile:

Hi there, let's clean the USB up first and then search for other bad boys

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Hi again!

Sorry for the late reply, should I plug both the USB drive and the phone or just the USB drive for the moment?

Thanks for your time, sir! :wink:

Do both one after the other, although I am not sure that MCShield works on a phone… Is the phone Android or Apple?

It’s an Android phone.

So, if I understood it right, I have to do two different MCShield scans: one for the USB drive and another one for the phone, right?

Concerning the OTL scan: should I scan with the USB and the phone plugged in, or is it not necessary?

Concerning the OTL scan: should I scan with the USB and the phone plugged in, or is it not necessary?
disconnected

MCShield will do an auto scan every time you plug in a USB drive… you may try the phone also

then as requested attach the allscan log

Do you have an AV on the Android? https://play.google.com/store/apps/details?id=com.avast.android.mobilesecurity&hl=en_GB

Hello!

Alright, thank you both, here are the logs. The problem is, in the folder where I saved OTL I couldn’t find any file called Extras.txt, just the OTL.txt

And no, essexboy, I don’t have any AV on my phone, so thanks for the suggestion! :slight_smile:

I couldn't find any file called Extras.txt, just the OTL.txt
it is only created the first time you run OTL ..... run it before? anyway it is not important, and usually not needed..... just extra tech info

Essexboy will be online later and continue. :wink:

Haha yeah, I have run it before changing it to another folder, but I couldn’t find it anyway…

Oh, and I plugged in my phone again and got a new (better) scan, where some new items were found :o

Thanks Pondus, have a nice day!

OK it is a mess the main problem is the VBE file on the phone

Run this programme with the phone connected

Download Anti VBS/VBE to your desktop

[*]Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[*]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=hp&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1001\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&installDate=18/09/2013&q="
FF - prefs.js..network.proxy.http: "213.0.88.86"
FF - prefs.js..network.proxy.http_port: 8080
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Usuario\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - HKU\S-1-5-21-2104657585-1371390912-4140370265-1001..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Usuario\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - Startup: C:\Users\Usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()
[2014/02/02 17:45:54 | 033,349,632 | -HS- | C] () -- C:\Users\Usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe
(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\?????) -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\?????

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on "Clean"
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
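The two things the OTL fix above targets are the Run-key values that launch wscript.exe //B on a .vbe dropped in the user's Temp folder, and the hidden-folder/.lnk layout the shortcut virus leaves on removable media. The Python below is an added example for readers of this thread; it is not part of the thread and not code from MCShield, OTL, Anti-VBS or AdwCleaner. It checks for both indicators on constructed sample data only (the Run value is copied from the OTL fix, the drive listing and the names Photos, Docs and helper.vbe are invented), so it runs offline and never touches the registry or a real drive.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not from the thread or from any tool it mentions.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")
# Folders the OTL log showed the dropper living in; a real product updater
# does not normally autorun a script from a user-writable temp location.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\programs\\startup\\")


def flag_run_command(command: str) -> List[str]:
    """Return the reasons an autorun command line (Run key or Startup entry)
    matches the wscript + .vbe pattern from the thread; empty means clean."""
    reasons: List[str] = []
    low = command.lower()
    host = next((h for h in SCRIPT_HOSTS if h in low), None)
    if host is None:
        return reasons
    reasons.append(f"autorun launches script host {host}")
    if re.search(r"(^|\s)//b(\s|$)", low):
        reasons.append("//B flag: runs silently with errors and prompts suppressed")
    # Script path is normally quoted; fall back to the last token otherwise.
    quoted = re.findall(r'"([^"]+)"', command)
    target = (quoted or [command.split()[-1]])[-1].lower()
    if target.endswith(SCRIPT_EXTS):
        reasons.append(f"script payload {target.rsplit(chr(92), 1)[-1]}")
    if any(d in target for d in SUSPECT_DIRS):
        reasons.append("payload sits in a user-writable temp/startup folder")
    return reasons


@dataclass
class Entry:
    """One root-folder entry of a removable drive (constructed, not read from disk)."""
    name: str
    is_dir: bool = False
    hidden: bool = False   # FILE_ATTRIBUTE_HIDDEN/SYSTEM set, as MCShield's 'unhide' undoes
    data: bytes = b""      # raw contents, only inspected for .lnk files


def flag_usb_listing(entries: List[Entry]) -> Dict[str, List[str]]:
    """Inspect a drive-root listing for the shortcut-virus layout: the real
    folders are set hidden and each is shadowed by a same-named .lnk."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        lname = e.name.lower()
        if lname.endswith(".lnk"):
            stem = lname[:-4]
            if stem in hidden_dirs:
                reasons.append(f"shortcut shadows hidden folder '{stem}'")
            # Shell links store their command line as UTF-16LE text, so the
            # script host name appears with a NUL after every character.
            if any(h.encode("utf-16-le") in e.data.lower() for h in SCRIPT_HOSTS):
                reasons.append("shortcut target invokes a script host")
        elif not e.is_dir and lname.endswith(SCRIPT_EXTS):
            reasons.append("script file at media root" + (" (hidden)" if e.hidden else ""))
        if reasons:
            findings[e.name] = reasons
    return findings


def fake_lnk(cmdline: str) -> bytes:
    """Constructed stand-in for a .lnk body: the 'L' header byte followed by
    the argument string encoded the way real shell links store it."""
    return b"L\x00\x00\x00" + cmdline.encode("utf-16-le")


# Constructed samples. The first Run value is the one from the OTL fix in the
# thread; the second is a benign-looking control that must not be flagged.
SAMPLE_RUN_VALUES = {
    "iTunesHelper": 'wscript.exe //B "C:\\Users\\Usuario\\AppData\\Local\\Temp\\iTunesHelper.vbe"',
    "Control": '"C:\\Program Files\\iTunes\\iTunesHelper.exe"',
}
# Hypothetical drive listing: Photos is hidden and shadowed, Docs is untouched.
SAMPLE_USB = [
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.lnk", data=fake_lnk("wscript.exe //B helper.vbe")),
    Entry("Docs", is_dir=True),
    Entry("Docs.lnk", data=fake_lnk("C:\\Users\\me\\Documents")),
    Entry("helper.vbe", hidden=True),
]

if __name__ == "__main__":
    for name, cmd in SAMPLE_RUN_VALUES.items():
        print(name, flag_run_command(cmd) or "ok")
    for name, why in flag_usb_listing(SAMPLE_USB).items():
        print(name, why)
```

On a real machine the Run values would come from the HKLM and HKU ...\Run keys the OTL log lists, and the drive listing from the root of the stick with hidden attributes read via the file attributes; the triage logic is the same. Note that the listing check only reports the shadow shortcuts and scripts, it does not unhide folders or delete anything, which is what MCShield's unhide option and the OTL fix do.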

Good morning!

Finally I had some time and here are the logs. The thing is after running AdwCleaner I got two logs, AdwCleaner[S0].txt and AdwCleaner[R0].txt, but there’s no AdwCleaner[S1].txt.

How is the computer behaving now, any problems?

Hello! The computer is behaving normally (just like before), but my phone is still infected, as well as my USB drive :frowning:

OK for the phone could you download and install the Avast antivirus and then run a full scan

For the USB I would recommend that you reformat it

Wow, thank you very much! All devices are virus-free now :smiley:

It seems like the phone was not infected after all, it just had some .lnk files and hidden folders (which MCShield corrected), but the virus was not there because I ran the Avast antivirus and found nothing. For the USB I reformatted it and it's fine now. But I still have a question: a file called "config.dat" appeared on the phone, should I delete it?

It seems like the phone was not infected after all, just had some .lnk files and hidden folders (which MCShield corrected), but the virus was not there because I did run the avast antivirus and found nothing.
or MCShield killed it ..... see the bottom of your MCShield phone log ....58 files deleted. ;)

Yeah, MCShield killed it for sure! But I mean, the phone got infected again after MCShield did its work, so when I plugged in the phone again this morning MCShield detected a lot of malicious files again and deleted them, and now it’s clean :slight_smile:

Sorry for my English, it’s not my mother tongue :stuck_out_tongue:

The main cleaner was probably a combination of Anti-VBS and MCShield in tandem. Anti-VBS managed to kill the infector file and MCShield's second run reset the link files

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:

Alright! Everything seems to work fine so far. You can close this thread if you want

Thank you very much for all the help you provided. Keep up the good work! ;D