Author Topic: Shortcut virus CMD in C:\Windows\System32 - How to erase it???  (Read 10657 times)

Acnalb

  • Guest
Hi!

Yesterday I used my USB to print a document in an internet cafe. When I came back home I inserted the USB in my laptop and all my USB files turned into shortcuts.
Each time I erase the files and put new ones, they turn into shortcuts. I right-clicked one of the shortcuts, and looked at the target location, and it's somewhere in System32, and the file in System32 that it highlights is cmd.exe.
Basically, I have the same problem solved here:

http://forum.avast.com/index.php?topic=138715.0

but I guess each PC needs a special treatment in this matter. Thank you all for your answers :)

PS: I won't insert any other USB until I'm sure it's solved.

Valinorum

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #1 on: April 25, 2014, 07:45:37 AM »
Peruse the thread here and attach the following logs --
  • OTL.txt
  • Extras.txt
  • aswMBR Log
  • MCShield



A helper will be here to assist you.

Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #2 on: April 26, 2014, 10:20:15 PM »
I don't get this :/

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #3 on: April 26, 2014, 10:21:20 PM »
Maybe it's not in their database yet.

Attach OTL and aswMBR logs here please.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #4 on: April 26, 2014, 11:07:47 PM »
Maybe it's not in their database yet.
because it is a filetype that Malwarebytes does not target?...

« Last Edit: April 26, 2014, 11:14:03 PM by Pondus »

Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #5 on: April 27, 2014, 02:38:00 AM »
Done :)
the following are OTL logs
« Last Edit: April 27, 2014, 03:44:29 AM by Acnalb »

Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #6 on: April 27, 2014, 02:39:38 AM »
And these are aswMBR logs

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #7 on: April 27, 2014, 02:41:54 AM »
I think all malware experts are in bed now so it will be some hours before they are online.....


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #8 on: April 27, 2014, 03:01:20 AM »
Did you tell mbam to scan the usb?
And get mcshield. ( http://www.mcshield.net/ )

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #9 on: April 27, 2014, 03:16:44 AM »
Did you tell mbam to scan the usb?
And get mcshield. ( http://www.mcshield.net/ )
The cleaning guys do this in a certain order, Eddy ..... and Malwarebytes does not detect this if it is a VBS worm




Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #10 on: April 27, 2014, 03:42:19 AM »
I'm doing this before I go to sleep, that's why I post so late ;)

Valinorum

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #11 on: April 27, 2014, 06:36:14 AM »
While I analyze your log, read my reply here and attach the MCShield log. :)

Valinorum

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #12 on: April 27, 2014, 12:21:49 PM »
Hi Acnalb, :)

Did you knowingly make the following directory?
Code:
C:\Users\user\Desktop\fuck


  • Step #1 Fix with OTL
    • Re-run OTL by right clicking and choosing Run as administrator;
    • Under the Custom Scans/Fixes Box copy and paste the following contents inside the code box.
Code:
:Commands
[createrestorepoint]

:OTL
O4 - HKU\S-1-5-21-157729090-2090861767-380975361-1000..\Run: [jSugLyCC] wscript.exe //B "C:\Users\user\AppData\Local\Temp\jSugLyCC.vbs" File not found
O13 - gopher Prefix: missing

:Commands
[emptytemp]
  • Click on "Run Fix" and let the program run unhindered;
  • Your PC will reboot automatically and a log will be opened;
  • Please attach it in your next reply.



  • Step #2 Fix With Anti-VBS/VBE
    Download and run the appropriate version from here. Let the scan finish and attach the log when done.


  • Step #3 Scan with OTL
    • Re-run OTL.exe
    • Copy and Paste the following code inside the Custom Scans/Fixes box;
    Code:
    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    dir "%systemdrive%\*" /S /A:L /C
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
      • Click the Quick Scan button;
      • After the scan two logs will be produced;
      • Attach the logs in your next reply



    • Required Log(s):
      • OTL Log(s) --
        • OTL Fix Log;
        • OTL.txt
      • Anti-VBS Log
    Regards,
    Valinorum
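
The Run-key entry removed in Step #1 (a script host started at logon on a .vbs in Temp) can be picked out of an OTL log mechanically. The following is an added example, not part of the thread and not OTL's or the helper's code: a Python triage of OTL-style O4 lines. The line format is inferred from the single entry quoted above, the two benign sample lines are constructed, and the function names and heuristics are assumptions.

```python
import re
import ntpath  # Windows path rules regardless of the analyst's OS
# OTL autorun line, as seen in the thread: O4 - <hive>..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run(?:Once)?): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXT = r'\.(?:vbs|vbe|js|jse|wsf)'
SCRIPT_RE = re.compile(r'"([^"]+' + EXT + r')"|(\S+' + EXT + r')(?=\s|$)', re.I)
HOST_RE = re.compile(r'^"?(?:[^"]*\\)?(?:wscript|cscript)\.exe\b', re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

def parse_o4(line):
    """Return the fields of one O4 Run/RunOnce line, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # OTL appends this marker when the autorun target is no longer on disk.
    entry["missing"] = entry["cmd"].endswith("File not found")
    s = SCRIPT_RE.search(entry["cmd"])
    entry["script"] = (s.group(1) or s.group(2)) if s else None
    return entry

def assess(entry):
    """List the reasons an autorun entry looks like script-worm persistence."""
    reasons, script = [], entry["script"]
    if HOST_RE.match(entry["cmd"]):
        reasons.append("script host autorun")
    if script and any(d in script.lower() for d in USER_WRITABLE):
        reasons.append("script in user-writable directory")
    if re.search(r'\s//b(?=\s|$)', entry["cmd"], re.I):
        reasons.append("//B hides script errors and prompts")
    if script and ntpath.splitext(ntpath.basename(script))[0].lower() == entry["name"].lower():
        reasons.append("value name equals script name")
    if entry["missing"]:
        reasons.append("target missing, entry is orphaned")
    return reasons

def triage(log_text):
    """Return (value name, reasons) for script autoruns from user-writable paths."""
    need = {"script host autorun", "script in user-writable directory"}
    scored = [(e["name"], assess(e)) for e in map(parse_o4, log_text.splitlines()) if e]
    return [(n, r) for n, r in scored if need <= set(r)]

# First line is the entry from the thread; the other two are constructed benign samples.
SAMPLE = r'''
O4 - HKU\S-1-5-21-157729090-2090861767-380975361-1000..\Run: [jSugLyCC] wscript.exe //B "C:\Users\user\AppData\Local\Temp\jSugLyCC.vbs" File not found
O4 - HKLM..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" (Example Corp)
O4 - HKCU..\Run: [BackupJob] wscript.exe "C:\Program Files\Example\backup.vbs"
'''
```

Calling `triage(SAMPLE)` reports only the `jSugLyCC` entry; an entry marked "File not found" still deserves removal because the value would run the script again if the file reappeared.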

Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #13 on: April 27, 2014, 12:22:57 PM »
MCS log

Acnalb

  • Guest
Re: Shortcut virus CMD in C:\Windows\System32 - How to erase it???
« Reply #14 on: April 27, 2014, 12:26:00 PM »
Oh yes, I'm sorry! I was so angry about losing my files (all my university classes were there) so I created that directory and I put there the files I managed to save.