Avast WEBforum

Other => Viruses and worms => Topic started by: RunaLlena on November 01, 2013, 04:59:23 AM

Title: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 01, 2013, 04:59:23 AM
Hi,   :)
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time I insert a USB in the laptop my files turn into shortcuts.
I right-clicked one of the shortcuts, and looked at where its target location is, and it's somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe.

It's something like this:
http://imageshack.us/a/img545/1559/7oey.png

How can I delete this virus? Thank you in advance.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on November 01, 2013, 07:08:17 AM
Hi,

From now on, do not use any USB on this computer, until I tell you so.



Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

Then...



Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link (http://www2.gmer.net/download.php)
Note: the file will be randomly named.

Double-click to run GMER.
> Attach the GMER log reports here.



Then...



Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 01, 2013, 03:10:04 PM
Twin, thank you for helping me again  ;D :D :)

ok, I've attached the files
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on November 01, 2013, 03:51:08 PM
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
C:\Users\Max\AppData\Roaming\Microsoft.vbs
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs
HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
C:\Users\Max\AppData\Local\Temp
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



Then...



Re-run FRST and post me the fresh report.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 01, 2013, 04:07:26 PM
ok  ;)
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on November 01, 2013, 07:25:16 PM
Hi,


System is now clean, let's clean USB


Download MCShield from one of the following links:

MyCity -  Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)

Recommendation: under the General and Scanner tabs, click on the Defaults button to choose the recommended options.
When all scanning is done, you need to attach the log report that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 02, 2013, 02:06:59 PM
my virus is completely gone!!!!!
thank you for all your help,  thank you, thank you  ;D :D :)
best regards
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on November 02, 2013, 02:57:52 PM
Did you follow my last post about MCShield? Please attach the report, so we can finish...
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 02, 2013, 03:02:10 PM
yes I did  ;)
haha I forgot to attach the file, I'm sorry
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on November 02, 2013, 03:37:45 PM
Ok, we're done here :)

You're clean. Keep using MCShield, it will protect you in the future.


Please download  DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 02, 2013, 03:54:53 PM
oki  :)

Twin, thank you very much for taking your time to help me   ;D

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Pondus on November 02, 2013, 04:12:03 PM
Quote
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time I insert a USB in the laptop my files turn into shortcuts.
Your Brother may need a check also?...... or was this his computer



Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: RunaLlena on November 02, 2013, 05:14:55 PM
Quote
Your Brother may need a check also?...... or was this his computer

it's my brother's laptop but I often use his computer, and the USB is mine  :)

and now it's clean  ;D

thank you
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 07, 2013, 05:04:42 AM
Hello Twin headed eagle !

I here face the same problem but I am attaching herewith the log created by gmer and Farbar addition.txt and FRST.txt . I am facing problem only with my PLAYSTATION PORTABLE FOLDERS and not in any other Pen drive or external hard drives. I need to copy a game folder to play it, but all folders are in shortcut having destination folder as cmd (C:\Windows\System32).

Please help me

Thanks in advance

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 07, 2013, 11:03:46 AM
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {A643866A-DEF7-471A-9D9B-6568AED1DC54} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253
BHO-x32: Browse2sauVe - {DAE24DC8-0763-9FBE-8520-236D139AECEE} - C:\ProgramData\Browse2sauVe\5145c9a53c1f3.dll No File
C:\ProgramData\Browse2sauVe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Balaji\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\Temp:862BDB1A
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



> Check USB storage devices / removable drives


Download MCShield from one of the following links:

MyCity -  Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)

Recommendation: under the General and Scanner tabs, click on the Defaults button to choose the recommended options.
When all scanning is done, you need to attach the log report that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 07, 2013, 04:54:30 PM
Hello TwinHeadedEagle !

Thanks for helping me out again !  :)

Herewith I am attaching 3 text files :- i.) The initial scan of McShield ii.) The Log report  and   iii.) AllScans

I checked the USB drive, that is the PSP, but the folders remain in shortcut form.

Thanks once again  and please reply as soon as possible .
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 07, 2013, 05:01:57 PM
Re-run FRST, press Scan and attach fresh report. How are the things now?
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 07, 2013, 05:09:50 PM
Hello Sir,

Thanks for your prompt reply.

Here are the fresh FRST and Addition report along with the latest McShield log report.
The situation seems similar: all shortcut folders, but now the files within them seem to be deleted, as an error pops up telling it cannot find or locate them, but another page opens with a blank folder of the same name.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 07, 2013, 05:25:06 PM
Hello Sir,

One more new development from my previous post.

I disconnected the USB and reconnected again. McShield held new reports and I am attaching it here.
It seems it found a virus again and terminated the files.

three folders were relieved from the shortcut state when I checked the PSP the moment after the scan by McShield and I was able to access them as well.
These were the ISO folder and a PSP folder with another Music folder.

But these transformed back to their shortcut state  a few seconds after.....
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 07, 2013, 06:00:57 PM
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
MountPoints2: {2d5c19f1-eb5e-11e2-b825-ca3b13010967} - D:\Setup.exe
MountPoints2: {c5107f09-22ee-11e3-a104-8c31140b1db2} - D:\Setup.exe
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {C54FC543-61A9-4E31-B1C5-943358AD8087} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
Task: {192A48BA-0F74-42C0-8CA9-84652981944B} - System32\Tasks\{D4E0CE48-2627-4E53-B140-47375ADE0D48} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {20C23D6B-58D6-40BB-87D2-9F43B2F6C4F1} - System32\Tasks\{4A5C158C-439D-4A32-81E6-C639168EA4A6} => C:\Users\Balaji\Desktop\SETUP.EXE
C:\Users\Balaji\Desktop\SETUP.EXE
Task: {33719C2E-7EC1-48DD-963F-98BA6E3A3CDD} - System32\Tasks\{ACA90015-7A06-470F-A178-871F39F6A368} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {53C8025D-E404-43A8-86B8-94853AC45624} - System32\Tasks\{28E90CCA-A548-4FB5-A8C5-A351ED861849} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {8D347378-4B88-413E-8CF7-C5CDA5943597} - System32\Tasks\{B4C3B763-1096-4647-B93F-CDF4C1927AB6} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {922B73FF-473A-4701-BB76-CCAB938E8156} - System32\Tasks\{1A2F2AE2-21A9-42C2-8E34-495E9238F6EA} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {9DE9AA96-F7B5-45E9-9E4C-E57508F15AD8} - System32\Tasks\{111A1073-1E12-44EA-A071-E7B455D2793C} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {B4172B90-4BED-4DCD-A705-C3F3F40E90A6} - System32\Tasks\{B316956C-AAEA-4487-87C7-0EF16F5B3BAE} => C:\Users\Balaji\Desktop\SETUP.EXE

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 07, 2013, 08:04:30 PM
Hello TwinHeadedEagle !

I am attaching herewith the fixlog.txt for your reference.
Sir, most of the files have returned to normal state after this fixture !
But one game file I pasted is still in shortcut form and it is an ISO file and an autorun.txt  is also in shortcut form.


Thank you once again !
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 07, 2013, 10:20:58 PM
Re-run FRST and attach fresh report...
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 08, 2013, 05:12:27 AM
Hello TwinHeadedEagle !

Here's the fresh report !

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 08, 2013, 05:29:04 AM

Hello TwinHeadedEagle

A new development here...... everything seemed to be in order until my last post but now suddenly all folders in the PSP have become
shortcuts again . I do not seem to understand the problem but I guess the two shortcut files I told you could have affected all of them too.

I am attaching the fresh reports

Thanks for helping me !
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 08, 2013, 11:36:43 AM
The virus comes back after we clean it. Please do not use any USB until we clean it...


1. Please download ComboFix by sUBs from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.

Instructions how to disable avast:
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 08, 2013, 02:57:51 PM
Hello TwinHeadedEagle

I am attaching herewith the log report of ComboFix

The problem is I had forgotten to plug in my USB device before the Fix started but did it in between (I mean a few seconds after it started) .....

Will it cause a problem?
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 08, 2013, 03:21:04 PM
Hello TwinHeadedEagle

I am attaching a fresh report of ComboFix after I re-ran the whole fix, this time with the PSP connected to the computer.

As you had mentioned I never tampered anything with the device or the pc while the scan took place both the times.

Thanks once again !
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 08, 2013, 03:26:52 PM
Open notepad and copy/paste the text present inside the code box below:


Code:
File::
c:\users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS

ClearJavaCache::

Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Now plug in all devices, and attach the MCShield report.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 08, 2013, 07:47:15 PM
Hello TwinHeadedEagle !

Thank you very much for your help it seems that the virus is finally removed from all the folders except the two I mentioned before.

I am attaching herewith the latest log report of ComboFix after I ran the .exe with the code you gave.
I am also attaching the latest MCShield allscans report and the last scan which reported driver is clean.

This is the first time MCShield reported "No virus Found".

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 08, 2013, 08:54:06 PM
Good, virus is removed from your PC. We only need to take care of your USB.

Open MCShield Control Center, tick this option, and confirm with OK.

Re-scan USB and tell me how are the things now?


Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 09, 2013, 04:52:27 AM
Hello TwinHeadedEagle !

I am attaching herewith the scan reports of McShield after checking the unhide option in scanner menu.

Thank you very much for helping me !
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 09, 2013, 08:52:51 AM
USB seems clean now, any remaining problems?
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 09, 2013, 11:48:38 AM
Hello TwinHeadedEagle !

Thank you very much ! :)

There seems to be no remaining problems !

I reviewed MCShield report and it said "No malware detected".

As for the two remaining files I told you about earlier , I deleted them .

It was a set of an autorun.inf file and an iso game with its shortcut.

Thank you again for spending your precious time to help me ! Thank you !  :)

I would like if you suggest some measures to be taken if this occurs in the future .

 
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: TwinHeadedEagle on December 09, 2013, 12:01:35 PM
There should be no issue in the future, keep using MCShield and it will protect you surely against such threats.


Please download  DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: master_robotics on December 09, 2013, 02:12:26 PM

Thank you sir once again for helping me !  :)

I downloaded Delfix as you said and all the tools are removed  !

Thank you sir !
Title: USB Shortcut virus
Post by: REDACTED on September 18, 2014, 08:31:35 PM
I'm having the same problem of usb virus in my laptop. If u can help me, I would be thankful to you...
Title: Re: USB Shortcut virus
Post by: Pondus on September 18, 2014, 08:55:53 PM
Quote
I'm having the same problem of usb virus in my laptop. If u can help me, I would be thankful to you...
How to get help instructions: https://forum.avast.com/index.php?topic=53253.0
Attach requested logs in a new topic you start.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 02, 2014, 05:23:00 PM
hello,
ever since i connected a flashdrive to my laptop, i began encountering the same problem. now all these shortcuts have appeared on all my files. i would be grateful for any help on this. my os is windows 7 ultimate SP1 (32bits). furthermore, every time i start up my machine, this message on notepad keeps popping up:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
what does this message mean?
thanks in advance.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on October 02, 2014, 05:38:18 PM
Everyone, start your own thread and attach the FRST, aswMBR and MBAM log files!
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 02, 2014, 06:00:13 PM
following the thread started by runa llena and with the assistance of twinheadedeagle , the following files are the results of the  scans.
thanks.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 21, 2014, 04:29:47 PM
Having the same issue
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on October 21, 2014, 04:31:24 PM
Quote
Having the same issue
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 21, 2014, 04:34:05 PM
Quote
Having the same issue
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0

Thanks
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 03:13:29 PM
i hav same problem solv me pl Z eagle sir
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 03:31:12 PM
Mad, start your own thread. I haven't seen Twin in a while, so it may be someone else.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 04:14:36 PM
here I hav sended my logs sir ? tel me nxt step ?
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 04:18:54 PM
Alright then. Sit tight.

Install MCShield (http://www.mcshield.net/download.html) as you will need it.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 04:23:39 PM
OK DONE
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 04:24:13 PM
Now wait, a Remover is online. However, he is usually quite busy..
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 04:25:31 PM
OK SIR BUT BE quick to solve my problem plz
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 04:28:39 PM
I am not "capable" of solving it. I am just a "mod".

I can guess your issue was targeted by FRST as it removed a VBS file, but I can also guess you have a few other infections judging by the random processes running from your desktop..

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: essexboy on December 17, 2014, 04:31:32 PM
Have you run MCShield ?  If so could you attach the log

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [ads] => wscript.exe //B "C:\ProgramData\ads.vbs"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [Windows Update] => C:\Google\Windowsupdate.lnk [758 2014-10-14] ()
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [AdopeUpdate] => C:\Google\GoogleUpdate.lnk [633 2014-10-14] ()
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {089a935c-7254-11e4-8273-ec0ec4175d74} - "H:\AutoRun.exe" {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A01B06 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {52953862-6b4e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {8128abd2-5a96-11e4-825a-ec0ec4175d74} - "H:\.\StartModem.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {a3d8d34b-635e-11e4-8263-28d244d31175} - "H:\Startme.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {f2d111c2-6b1e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {f2d111d8-6b1e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
Startup: C:\Users\Madhava004\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ads.vbs ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:51168;https=127.0.0.1:51168
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3781095135-741699957-74562839-1002 -> {0858ACCC-5861-414B-B5F1-97999198371C} URL =
2014-12-15 18:45 - 2014-12-17 20:04 - 00000906 _____ () C:\ProgramData\ProgramData.lnk
2014-12-15 18:44 - 2014-12-15 18:44 - 00000000 _RSHD () C:\Skypee
2014-12-15 18:44 - 2014-12-15 18:44 - 00000000 _RSHD () C:\Google
2014-12-15 18:43 - 2014-05-18 04:05 - 00024964 ___SH () C:\ProgramData\ads.vbs
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\Users\Madhava004\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ultimate ZIP Cracker Trial
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ultimate ZIP Cracker Trial
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\Program Files (x86)\UZC Trial
2014-11-18 17:57 - 2014-11-18 17:57 - 00000000 ____D () C:\Program Files (x86)\b6f2344f-1e6b-46e8-b225-b143b03d9c83
2014-11-18 17:07 - 2014-11-18 17:07 - 00003174 _____ () C:\windows\System32\Tasks\{1D35AC7E-B58F-4434-AEF4-F61618FE7774}
2014-12-17 20:04 - 2014-08-20 17:24 - 01058373 _____ () C:\windows\SysWOW64\rootpa.e2e
C:\Google
C:\ProgramData\ads.vbs
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
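
Added example, not part of essexboy's post and not code from FRST: a short Python triage of the autostart lines (Run keys, Startup folder, MountPoints2) that the fixlists in this thread are built from, showing why entries such as Microsoft.vbs and ads.vbs stand out. The flagging rules and all function names are assumptions made for illustration; the first five sample lines are copied from fixlists earlier in the thread, the sixth is constructed.

```python
"""Triage FRST-style autostart lines (added example; the rules are assumptions)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed heuristics, chosen to match the kind of entries removed in this thread.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")

# FRST log lines use both "-" and "=>" between the value name and the command.
RUN_RE = re.compile(
    r"^(?P<hive>HK.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?:-|=>) (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Startup: (?P<cmd>.+)$")
MOUNT_RE = re.compile(r"MountPoints2: \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$")
# A drive-letter path ending in an extension, stopping before "[size date] (vendor)".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.[A-Za-z0-9]{2,4}(?=["\s]|$)')


class Finding(NamedTuple):
    kind: str               # "run", "startup" or "mountpoint"
    target: Optional[str]   # file the entry launches, if one could be extracted
    reasons: List[str]      # empty list means nothing stood out


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; return None if it is not an autostart entry."""
    line = line.strip()
    for kind, regex in (("mountpoint", MOUNT_RE), ("run", RUN_RE),
                        ("startup", STARTUP_RE)):
        m = regex.search(line)
        if m:
            break
    else:
        return None

    # With "wscript.exe //B <script>" the script is the last path on the line.
    paths = PATH_RE.findall(m.group("cmd"))
    target = paths[-1] if paths else None
    reasons: List[str] = []
    if kind == "mountpoint":
        reasons.append("autorun handler cached for a mounted volume")
    if target:
        low = target.lower()
        ext = low[low.rfind("."):]
        if ext in SCRIPT_EXTS:
            reasons.append("autostart launches a script or shortcut (%s)" % ext)
        if kind == "run" and any(d in low for d in USER_WRITABLE):
            reasons.append("Run key target sits in a user-writable directory")
    return Finding(kind, target, reasons)


def flagged(text: str) -> List[Tuple[str, Finding]]:
    """Return (line, finding) pairs for every entry with at least one reason."""
    out = []
    for line in text.splitlines():
        finding = triage_line(line)
        if finding and finding.reasons:
            out.append((line.strip(), finding))
    return out


# Lines 1-5 are copied from fixlists in this thread; line 6 is constructed.
SAMPLE = r"""
HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [ads] => wscript.exe //B "C:\ProgramData\ads.vbs"
MountPoints2: {2d5c19f1-eb5e-11e2-b825-ca3b13010967} - D:\Setup.exe
HKLM\...\Run: [ExampleApp] => C:\Program Files\ExampleApp\tray.exe [1024 2014-01-01] (Example Corp)
cmd: ipconfig /flushdns
"""

if __name__ == "__main__":
    for line, finding in flagged(SAMPLE):
        print(finding.kind.upper(), finding.target)
        for reason in finding.reasons:
            print("   -", reason)
```

A flag here only marks an entry for review: the Intel TurboBoost line is flagged for its script extension alone, and the decision to remove it was the helper's, made with the full logs in hand.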
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 05:00:20 PM
ok I hav ur 2 steps and next is wat ?
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 05:08:29 PM
here my mc shield logs
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 05:18:43 PM
sir are u thr ? plz finish last setup ? plz
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 05:33:03 PM
Mad, we do have jobs outside of this. This is a volunteer position.

Your USBs are infected. Grab them all, and one by one, plug them into your computer. Ensure MCShield is on and let MCShield scan it first and remove any present infections.

Then repost the Allscans.txt file please.

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 05:43:33 PM
Sir but i hav sended them already and i deleted the shortcuts and restartd systm and i didnt them once again i think the virus is gone in my computr and when i insert usb it scanned and inserted for 2nd time it shows malware not detected wat does it mean ? The virus is gone ?????? Plz tel me
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Michael (alan1998) on December 17, 2014, 05:47:47 PM
The log (AllScans.txt) was BEFORE you scanned the USBs. We need to see it AFTER you scanned them all.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 06:01:02 PM
Ya i inserted then it shows scan finishd and malware not detected and i hav not found any vshortcut virus my laptop and in my pendrives !!!
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 06:11:38 PM
But when I insert the pendrive in the laptop, MC shows pendrive scanned and malware not detected. When I open the pendrive, no single files are in the pendrive; I think the virus is gone
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 06:31:37 PM
Here is my MC AllScans list
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 06:40:12 PM
My virus is gone. Please, what is the next step to do, please bro, please, and thank you a lot for this help. Please reply to me one last time
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: essexboy on December 17, 2014, 06:50:54 PM
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean

Unchecky (http://unchecky.com/)

Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme  ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave:
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 06:58:18 PM
Thank you for your wonderful idea and for your talent, thank you so much
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on December 17, 2014, 07:09:24 PM
One small doubt: must I have these Crypto and Malware update and Unchecky? Is it a must or just recommended for safety???
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: essexboy on December 17, 2014, 07:44:57 PM
They are just recommendations :)
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on April 19, 2015, 05:08:00 AM
Hello. New user here   :D

I also have the same problem as OP's. My hard drive keeps generating these folder shortcuts that lead to CMD system32, so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)

Thanks for the help in advance!
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on April 19, 2015, 06:22:44 AM
> Hello. New user here   :D
>
> I also have the same problem as OP's. My hard drive keeps generating these folder shortcuts that lead to CMD system32, so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)
>
> Thanks for the help in advance!
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on May 14, 2015, 06:55:47 AM
Hello. I am new here...
I also have the same problem as OP's.
My HDD keeps generating these folder shortcuts that lead to CMD system32...
so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)...
Here is the attachment... Kindly tell me the next step... Thanks in advance...
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on May 14, 2015, 06:57:02 AM
> Hello. I am new here...
> I also have the same problem as OP's.
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on August 11, 2015, 11:18:13 AM
Hello, first of all I am really sorry to bring this up, but I had a similar problem (with a USB showing links to system32, but when I clicked on the folders they opened normally but in a new window) and downloaded the AdwCleaner from your link here and ran it. When it closed, it asked me to restart my computer and now it's so slow!! It won't connect to the internet and takes forever to boot up. All this happened just by running that AdwCleaner.


Can you please help me? I tried to fix the usb and now my PC is sluggish.

I'm a music producer and I really can't afford another format, I just installed Windows 10.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on August 11, 2015, 11:22:30 AM
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on August 15, 2015, 05:01:19 PM
Sir, help me please, I'm having trouble with (c:windows\system32) shortcut folders. Please help, and thank you
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Pondus on August 15, 2015, 05:06:42 PM
> Sir, help me please, I'm having trouble with (c:windows\system32) shortcut folders. Please help, and thank you
For help start your own topic and follow instructions in the sticky post at top in this forum section

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 18, 2015, 05:42:41 PM
When I connect the pendrive to my laptop, all my files and folders in all drives (C, D, E) become shortcuts with another folder. Like one folder is saha.avi.exe, which shows as an application file with size 348kb; after putting the cursor on it, it shows file description: Windows Defender Service with file version 1.0.0.0.
And another file with the same name as a shortcut, saha.avi.exe, with file size 1kb (758byte); after putting the cursor on it, it shows location: C:\Windows\system32
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on October 18, 2015, 05:45:20 PM
When I connect the pendrive to my laptop, all my files and folders in all drives (C, D, E) become shortcuts with another folder. Like one folder is saha.avi.exe, which shows as an application file with size 348kb; after putting the cursor on it, it shows file description: Windows Defender Service with file version 1.0.0.0.
And another file with the same name as a shortcut, saha.avi.exe, with file size 1kb (758byte); after putting the cursor on it, it shows location: C:\Windows\system32
Please give me an urgent solution to these problems.
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Pondus on October 18, 2015, 06:26:37 PM
> Please give me an urgent solution to these problems.
For receiving help, first follow the instructions here: https://forum.avast.com/index.php?topic=53253.0

start your own topic and attach requested logs

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on November 23, 2015, 07:03:01 AM
URGENT

Hello.

My System got infected with same virus.

Attaching the files herewith (As per your instructions). Only thing is GMER not running completely. Tried downloading many times.

Please provide for a solution asap.

Akanksha
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on November 23, 2015, 07:05:25 AM
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on March 22, 2017, 12:43:44 PM
Sir please Help me
I have attached these files
I faced a shortcut virus in my computer; it says location cmd system32
please help me...
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Asyn on March 22, 2017, 12:45:10 PM
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Pondus on March 22, 2017, 12:45:41 PM
> Sir please Help me
> I have attached these files
> I faced a shortcut virus in my computer; it says location cmd system32
> please help me...
For help, start your own topic and attach logs
Helping multiple users in same topic will be chaos

Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: REDACTED on July 12, 2017, 06:44:25 PM
> Did you follow my last post about MCShield? Please attach the report, so we can finish...

Hi sir twin, I hope you can help me with my problem. I already did the 3 scans, here are the logs
Title: Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
Post by: Pondus on July 12, 2017, 07:13:54 PM
> Did you follow my last post about MCShield? Please attach the report, so we can finish...
>
> Hi sir twin, I hope you can help me with my problem. I already did the 3 scans, here are the logs
1. Sir Twin does not frequent this forum much anymore
2. For help, always start your own topic. Helping multiple users in same topic is just chaos