Avast WEBforum
Other => Viruses and worms => Topic started by: dann on November 22, 2013, 07:08:11 AM
-
I was transferring files from my other laptop this week and when I plugged in my USB to another computer, all my files changed into shortcuts! So I uploaded them to Dropbox so I have a backup but I plugged in my USB again and it did the same thing. I don't know how to proceed, since my computer doesn't detect any viruses or malware. Thank you! :(
-
you are infected
follow this guide and attach logs (not copy and paste). http://forum.avast.com/index.php?topic=53253.0
disconnect any USB stick
run in order listed. Malwarebytes / OTL / aswMBR
-
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) ((http://www.mcshield.net/personal/magna86/Images/FRST_canned.png)) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
.
************* Next ****************
> Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
- Double click MCShield-Setup to install the application.
- Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that MCShield has created.
Start -> All Programs -> MCShield -> Logs
Attach here -> AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
-
Hi! Sorry if it's been a long time since I replied, been out for a while and haven't had the chance to deal with this. Did all that you said, here are the logs:
(malwarebytes, OTL, aswMBR)
-
FRST and MCShield logs:
Thank you so much!
-
this is what MCShield found on your Removable drive
https://www.virustotal.com/en/file/788e27d361bd9785108d1a83018fc6319ab7edb7652f7ebc71032de4b4277e38/analysis/
argus will soon be back and help you....
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...\Run: [krqvsfjxld] - C:\Users\jasoloria\AppData\Local\Temp\krqvsfjxld.vbs [69833 2013-07-22] () <===== ATTENTION
MountPoints2: {52ba3709-e82b-11e0-9076-889ffae69694} - E:\AutoRun.exe
MountPoints2: {52ba3718-e82b-11e0-9076-889ffae69694} - E:\AutoRun.exe
MountPoints2: {a206c24a-e8b4-11e0-b9e4-889ffae69694} - E:\AutoRun.exe
Startup: C:\Users\jasoloria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krqvsfjxld.vbs ()
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?babsrc=HP_Prot
URLSearchHook: HKLM-x32 - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
URLSearchHook: HKCU - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100996&mntrId=446590e4000000000000ac8112234d8c
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
BHO-x32: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
BHO-x32: ooVoo toolbar, powered by Ask.com - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - ooVoo toolbar, powered by Ask.com - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
CHR HKLM-x32\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Users\JASOLO~1\AppData\Local\Temp\YontooLayers.crx
C:\Users\jasoloria\AppData\Local\Temp\krqvsfjxld.vbs
C:\Users\jasoloria\AppData\Local\Temp\7za.exe
C:\Users\jasoloria\AppData\Local\Temp\ApnStub.exe
C:\Users\jasoloria\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\jasoloria\AppData\Local\Temp\GLF6DB8.tmp.ConduitEngineSetup.exe
C:\Users\jasoloria\AppData\Local\Temp\GUR8A83.exe
C:\Users\jasoloria\AppData\Local\Temp\GURDE7B.exe
C:\Users\jasoloria\AppData\Local\Temp\HonLauncherInstall.exe
C:\Users\jasoloria\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\jasoloria\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\jasoloria\AppData\Local\Temp\MSNC70.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2020700.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2020800.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2020901.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2030101.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2030300.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050002.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050202.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050204.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050300.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050500.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050600.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050800.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2050901.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051001.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051101.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051202.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051302.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051401.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051500.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051600.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051602.exe
C:\Users\jasoloria\AppData\Local\Temp\patch_2051700.exe
C:\Users\jasoloria\AppData\Local\Temp\prxGLF6DB8.tmp.tbVuze.dll
C:\Users\jasoloria\AppData\Local\Temp\QuickTimeInstaller.exe
C:\Users\jasoloria\AppData\Local\Temp\SkypeSetup.exe
C:\Users\jasoloria\AppData\Local\Temp\tbinst.exe
C:\Users\jasoloria\AppData\Local\Temp\Tsu-192C.dll
C:\Users\jasoloria\AppData\Local\Temp\Update1.exe
C:\Users\jasoloria\AppData\Local\Temp\YontooSetup-Silent.exe
C:\Users\jasoloria\AppData\Local\Temp\_te3377.exe
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.
*********** Next ************
Please download zoek.zip or zoek.rar by smeenk ((http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png)) from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button.
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Hi, I can't seem to run zoek.exe. After double clicking it, the administrator dialog box shows up and when I click Yes to run it, the loading circle beside the mouse cursor appears and disappears after around 5 seconds, and I waited for 5 minutes and the program still hasn't ran. Here is the log for FRST though.
-
OK, looks good.
How to the system behaves now?