Avast WEBforum
Other => Viruses and worms => Topic started by: Ricky Vybz on October 26, 2013, 05:29:06 PM
-
Hello everyone, this is my first time on the forum and what I have seen on this forum is a great team of people with best knowledge on the net for dealing with all sorts of virus and malware issues, I am hoping to get some of this knowledge and help with my problem. Reason why I am here is the Cool.vbs virus, this virus seems to be pretty new and its wreaking havoc on many computer systems around the city. This virus came onto my system via a flash drive a few days ago, I had USB Disk Security installed at the time, it identified the virus and I tried to delete it using that program. It seemed like it did but when I inserted another flash drive and all the files became shortcuts plus USB disk security identified it again. AVG 2011 was also on the system along with McAfee, however it seems that AVG was not working because it didn't respond to the virus at all, neither McAfee. When I started researching the cool.vbs virus I read that you should not have more than one full antivirus program on a system because they will conflict and can cause major problems so I removed McAfee, I also read that most anitvirus programs can't detect cool.vbs
I called up a friend of mine who is a computer technician and he was telling me that his store was over run with systems customers are taking to him with the cool.vbs virus. He said that he was working with an antivirus named SMAD, and he was getting good results so far. In my reading however I didn't see anyone mention of SMAD but I downloaded it anyway from CNET onto another system at home, SMAD AV 2013 9.4.1 (October 5, 2013) version to be exact. This system is my workhorse system running windows 7, 64bit, 8gig Ram. The system with the cool.vbs virus is running XP, 32 bit (office computer). I scanned my system (workhorse) with SMAD and it found no infections, I also have USB disk security and Avast on the workhorse. I inserted the infected flash drive in the workhorse system and SMAD, USB disk sec and Avast identified the cool.vbs virus. Avast moved it to chest, SMAD identified over 162 viruses and 192 hidden files on the flash drive, all the files that cool.vbs made into shortcuts were seen as viruses by SMAD and the original files were hidden. I used SMAD to remove all the viruses and unhide the files, it did this successfully and when I ejected the flash drive and reinserted it it was clean and all files were there.
Now the problem is that on the XP system, which I now downloaded SMAD onto and ran, when I insert the clean flash disks into that system SMAD finds the same amount of viruses and hidden files and when I use SMAD to clean the USB it does so but as soon as the flash drive is reinserted it is infected again. This tells me that cool.vbs is on the system itself and is reinfecting the flash drive.
I found it strange that I could clean the flash drives on my workhorse and it doesn't infect the workhorse but with the XP system after cleaning the flash drives with SMAD the system just reinfects them. Now as I said earlier AVG 2011 was not working so I decided to uninstall thinking that maybe cool.vbs was hiding there in some AVG file folder. AVG gave me hell to uninstall, it would constantly show up in my program list even when it said it was uninstalled, I had to use many different downloads of the removal tool to get rid of it finally.
WOW, thats alot of info, I hope that I explained the necessary information clearly, I am really looking forward to any help I can get to have this issue resolved, and I have extreme faith in this community. Lets kill cool.vbs 8)
Thanks in advance and if any more info is needed I will gladly provide it. Thanks again.
Rick.
-
Follow this Thread and attach logs: http://forum.avast.com/index.php?topic=53253.0
When done malware removers will be notified.
-
Hi,
@Ricky Vybz
When you follow and create logs for AdwCleaner, Malwarebytes, OTL and aswMBR, then install MCShield tool aswell.
Attach here all created logs, AllScans.txt including.
-
Hey Guys thanks for the quick response @magna86 and Steven. I am gonna attach the logs in multiply replies so it is easier to examine.
This is the AdwLog:
-
The MBAM Log:
-
This log is not the Malwarebytes Log.
You can find the logs in the interface under logs. Double click and save a copy to your desktop.
-
This log is not the Malwarebytes Log.
it probably is, as the name is correct for Malwarebytes PRO protection log
however that is not the log we want.... and it is also posted wrong so not readable. ???
the log to attach is the Scan log, it is listed the same place in Malwarebytes but the scan logs are at the bottom..
and check date so you attach the correct one. ;)
-
Sorry about that, I didn't know there were two types of MBAM logs, I attached the correct one now.
I also just did the OTL scan so I attached logs also, both OTL.txt and Extras.txt
-
Okay guys, these are the rest of the logs you requested, aswMBR.txt and Allscan.txt, I had updated aswMBR with Avast virus definitions as the program suggested that this would ensure detection of the latest threats. Hope we can come up with a solution now and I am very happy with the support I am getting thus far.
Ricky
-
Hi,
USB Disk Security can not provide a valid USB protection. My honest advice to you is to uninstall this tool.
MCShield shall protect you from infected USB memory devices as they are infected (look at AllScans.txt log created by MCShield, and as you can see, USB Disk Security didn't clean them as it should).
First, we need to clean mashine using OTL, then we will allow MCShield to fully clean any USB based malware leftovers. While malware is active on mashine, re-infections occurs. This OTLFix shall clean malware from mashine.
1. => do NOT attach any USB device !
2. Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:SERVICES
roapcm66puuieau
:COMMANDS
[CREATERESTOREPOINT]
:FILES
C:\WINDOWS\system32\hemasse.exe
C:\Documents and Settings\Sav Infant\Application Data\*.vbs
C:\Documents and Settings\Sav Infant\Start Menu\Programs\Startup\*.vbs
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
ipconfig /flushdns /c
:REG
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-
:COMMANDS
[EMPTYTEMP]
:OTL
@Alternate Data Stream - 514576 bytes -> C:\WINDOWS\Temp:temp
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
O4 - HKU\S-1-5-21-1454471165-1220945662-839522115-1004..\Run: [COOL] wscript.exe //B "C:\Documents and Settings\Sav Infant\Application Data\COOL.vbs" File not found
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL 89898\g98f9.js
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\explore\command - "" = I:\89898\g98f9.js
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\open\command - "" = I:\89898\g98f9.js
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\AutoRun\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\explore\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\open\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{7e120214-b362-11e2-a03b-0025225457d8}\Shell\AutoRun\command - "" = H:\urDrive.exe
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell\AutoRun\command - "" = E:\ASRSetup.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\AutoRun\command - "" = H:\golden/fish.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\Explore\command - "" = H:\golden/fish.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\Open\command - "" = H:\golden/fish.exe- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
If the log doesn't appear, it can be found here:
c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
3. Attach USB devices. Keep MCShield active and if MCS again find malware on USB, attach here fresh AllScans.txt logreprot.
-
@magna86 How long should I expect Otl to run? It has been running for almost 4hours yesterday and didn't finish, unfortunately the power went and I had to restart the system and do the run fix again. How do I know that it is running and isn't just stuck or hung up? All I see at the lower left panel of Otl is 'killing processes. Don't interrupt', am I suppose to see other information being displayed?
Thanks much,
Ricky
-
Hi,
@magna86 How long should I expect Otl to run? It has been running for almost 4hours yesterday and didn't finish, unfortunately the power went and I had to restart the system and do the run fix again. How do I know that it is running and isn't just stuck or hung up? All I see at the lower left panel of Otl is 'killing processes. Don't interrupt', am I suppose to see other information being displayed?
Aye, this is OTL's hung ...
OTLFix shouldn't been running more that ~ 5 minutes top.
OTL can't kill some running processes. Try to see what it trying to shutdown and turn it off by yourself.
or...
Restart your computer, disable security softver, turn off all running programs (turn it off all, they all shall be loaded after reboot) and try to re-run OTLFix ...
-
@Magna86 I can't shut down the computer like normal, I have to hold down the power button for 5 secs to get it to shut down.
What is the best way to turn of all running programs, should I end them from within task manager or I should close any programs I may have open?
Ricky
-
@magna86, I finally got OTL run/fix to run, I killed a few processes one by one from the task manager. The log is attached, looking forward to the next step. Thanks again.
Ricky
-
I killed a few processes one by one from the task manager.
Now you know the best way to kill running programs. :)
Follow Step#3 and attach AllScans.txt. Also, re-run OTL, just hit QuickScan and attach here fresh OTL.txt
-
Followed step 3 but I am not able to get a Allscan.txt from McShield, when I plugged in the flash drive McShield scanned and produced a temp_scan_I.txt, even though I disabled SMAD AV it still scanned and found infections. I ignored SMAD and used McShield fix the infections it found on the flash, after it cleaned the drive it gave me the temp_scan_I.txt. I ejected then reinserted the flash drive and SMAD found 19 infections while MCShield found none. I used SMAD to clean the drive this time, after reinserting the flash drive once more no further infections were found.
I have attached the temp_scan_I.txt
How do I get McShield to give me another Allscans.txt log?
I am going to run the OTL QuickScan right now and attach it.
Thanks,
Ricky.
-
This is the McShield temp_scan_I.txt log report.
-
This is the new OTL log report, OTL2.txt.
I am eagerly waiting on your advice.
Ricky
-
Re-run OTL.exe.
- Click on [None] button.
Notice: [none] button shall switch into [Standard] button. That's Ok.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
C:\Program Files\Smadav\*.exe /verifysig
C:\Program Files\Smadav\*.exe /MD5
/md5start
COOL.vbs
530368.exe
/md5stop
- Then click the RunScan button at the top.
- Let the program run unhindered, when it is done it shall open notepad with logreport (OTL.txt). Attach here that logreport.
------------
note to myself: check unicode sek
------------
-
@magna86, thanks very much for your help, attached is the OTL log, its OTL3.txt
-
Hi,
Start > ControlPanel > Add or Remove Programs:
Uninstall / Remove Smadsoft or Smadav software. As I remove it via OTLFix aswell.
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
PRC - [2013/10/17 13:20:36 | 001,556,480 | ---- | M] (Smadsoft) -- C:\Program Files\Smadav\SMΔRTP.exe
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O4 - HKLM..\Run: [COOL] wscript.exe //B "C:\Documents and Settings\Sav Infant\Application Data\COOL.vbs" File not found
:FILES
C:\Program Files\Smadav
C:\Documents and Settings\Sav Infant\Start Menu\Programs\Startup\COOL.vbs
C:\Documents and Settings\All Users\Desktop\SMADΔV.lnk
C:\Documents and Settings\All Users\Desktop\SMAD?V.lnk
C:\Documents and Settings\All Users\Desktop\SMADΔV.lnk
:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
If the log doesn't appear, it can be found here:
----------- next ---------------
1. Please download ComboFix by sUBs from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
Instructions how to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- => Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
-
@magna86.
I have done the OTL runfix and now have downloaded Combofix, I disabled Malwarebytes and McShield. Doubled clicked on Combofix and agreed to install it and have it run. I got a message saying that Combofix has identified AVG Internet Security 2011 real time scanner is active and I should close it before clicking "OK". If you remember at the start of this thread I said that I was having difficulty removing AVG and I eventually removed it using the AVG remover, how can combofix still see AVG 2011 being active if I uninstalled it? I still have the avg remover tool.exe original download files on the desktop, could Combofix see this and assume that it is AVG 2011 and its active?
Please advise, I closed the window that Combofix opened to tell me that it found AVG 2011 and then another window came up saying that Warning!! AVG Internet Security 2011, the above real time scanner are active but combofix shall continue to run. Kindly note that this is at your own risk. What should I do?
I attached the OTL log also.
Thanks much,
Ricky
-
Hi,
Feel free to continue with ComboFix. We shall remove orphans via CFScript.
-
Combofix Log attached
-
Running ComboFix via CFScript:
Open notepad and copy/paste the text present inside the code box below:
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
{8decf618-9569-4340-b34a-d78d28969b66}
Folder::
c:\documents and settings\Sav Infant\Local Settings\Application Data\MFAData
c:\documents and settings\Sav Infant\Local Settings\Application Data\Avg2014
c:\documents and settings\All Users\Application Data\McAfee
c:\program files\McAfee Security Scan
c:\program files\MyPC Backup
c:\documents and settings\Sav Infant\Application Data\Smadav
C:\[Smad-Cage]
ClearJavaCache::
FileLook::
c:\windows\system32\Drivers\AsrCDDrv.sys
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
-
Combo fix second log file
-
We're almost done. This will be finished quickly...
Open notepad and copy/paste the text present inside the code box below:
DeQuarantine::
C:\Qoobox\Quarantine\c\[smad-cage]
Quit::
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
-
Thanks magna86 for all the help. The log that i got did not say combofix.txt, I instead got DeQuarantine.txt, I attached it below.
-
The log that i got did not say combofix.txt, I instead got DeQuarantine.txt, I attached it below.
Ah...Yes, I've used my default canned for running CF using CFScript, therefore it said "ComboFix.txt" but the name is DeQuarantine.txt.
How's your computer running now?
-
The computer is running okay now, I never had any major operating issues, the main issue was that the whenever I insert a flash drive into the computer it keep changing the files to shortcuts. I just put in a flash drive and I did not see any of the files turn in shortcuts, that is a very good thing, that tells me that the virus is no more ;D, thanks very much magna86. However there are 4 removable disk drives icons in "My Computer" even when there is no flash drives connected. What could cause this and how do I fix it?
Since the virus is gone now what do I do with the programs I downloaded to do the fix, can I go ahead and uninstall them?
Thanks very much for help, I can't stop saying it.
Ricky
-
...the main issue was that the whenever I insert a flash drive into the computer it keep changing the files to shortcuts.
This malware spreads thru USB devices and in addition it presented & install/load itself to the host computer.
All USB devaces has been cleaned by MCShield tool. And I recommended to you to keep MCShield.
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but will immediately clean Memory card or external HDD.
However there are 4 removable disk drives icons in "My Computer" even when there is no flash drives connected.
Can't tell from here... Right click > Eject ..?
Since the virus is gone now what do I do with the programs I downloaded to do the fix, can I go ahead and uninstall them?
Pros always cleans up after himself. 8)
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
---------------------------
> Re-run AdwCleaner and click on [Uninstall] button.
---------------------------
> Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
-
Thanks very much magna86, don't know how else to thank you for all that you have done for me. I have other computers that are infected also so I will be looking for you help again. I will definitely recommend Avast forum to all my friends. You helpers are the best, thanks alot. I give you another star my friend.
Ricky
-
Thank you Ricky for your kind words. ;)
I have other computers that are infected also so I will be looking for you help again.
Feel free to open new topic for each computer, and some of the Malware Analysts members shall assist you. ;)
-
Magna86, which antivirus is the best for identifying the cool.vbs virus on a system and neutralize the infection?
Ricky
-
Hey Ricky,
This .vbs malware works like this.
credits goes to dr_Bora
Spreading in the order:
- For each removable drive:
- Copies the malicious vbs file (whose opening is provided in the next step)
- For each removable drive:
- For each file USB:\file.ext preform the S+H and creates USB:\file.lnk (which starts cmd.exe, which starts on malware)
- For each folder USB:\folder do the S+H and creates USB:\folder.lnk (which starts cmd.exe, which starts on malware)
PS: ( ;D) malware connects to hxxp://xkiller.no-ip.info where he received varius command for example: execute file, send data, upgrade it, go to sleep ...
MCShield covers .lnk files and the malicious VBS, as well as recovery of original files is covered in the two MCS's Anti-Replicator routines (one for lnk file and the vbs and the recovery of legitimate files this, one for folders).
which antivirus is the best for identifying the cool.vbs virus on a system and neutralize the infection?
Without proper testing (I don't have time for it) can't tell but avast 2014 owns new "DeepScreen" technic for malware detections. This should be enough for avast to prevend spreading on host mashine.
Someone else from avast team perhaps would be more appropriate to answer this.
-
theres a easy way....enter with SAFE MOOD (run<msconfig<boot< mark safe boot) ..... open ccleaner<tools<start up then delete fofo or cool or something like this....then run with normal mood.
-
@theapu
Please do not foolishly advise someone to do something that you yourself do not understand enough ...