Avast WEBforum
Other => Viruses and worms => Topic started by: RunaLlena on November 01, 2013, 04:59:23 AM
-
Hi, :)
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time I insert a USB in the laptop my files turn into shortcuts.
I right-clicked one of the shortcuts, and looked at where its target location is, and it's somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe
It's something like this:
http://imageshack.us/a/img545/1559/7oey.png
How can I delete this virus? Thank you in advance.
-
Hi,
From now on, do not use any USB on this computer, until I tell you so.
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post logfile will also be saved in the C:\AdwCleaner folder.
Then...
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link (http://www2.gmer.net/download.php)
Note: the file will be randomly named.
Double-click to run GMER.
- Wait for initial scan to finish - if there is any query, click No;
- Click Scan button and wait until the full scan is complete;
- Click Save ... - save the report to the Desktop (named Gmer );
> Attach here Gmer logreports.
Then...
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
-
Twin, thank you for helping me again ;D :D :)
ok, I've attached the files
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
C:\Users\Max\AppData\Roaming\Microsoft.vbs
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs
HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
C:\Users\Max\AppData\Local\Temp
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then...
Re-run FRST and post me the fresh report.
-
ok ;)
-
Hi,
System is now clean, let's clean USB
Download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
- Double click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that MCShield has created.
Start -> All Programs -> MCShield -> Logs
Attach here -> AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
-
my virus is completely gone!!!!!
thank you for all your help, thank you, thank you ;D :D :)
best regards
-
Did you follow my last post about MCShield? Please attach the report, so we can finish...
-
yes I did ;)
haha I forgot to attach the file, I'm sorry
-
Ok, we're done here :)
You're clean. Keep using MCShield, it will protect you in the future.
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
-
oki :)
Twin, thank you very much for taking your time to help me ;D
-
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time I insert a USB in the laptop my files turn into shortcuts.
Your Brother may need a check also?...... or was this his computer
-
Your Brother may need a check also?...... or was this his computer
it's my brother's laptop but I often use his computer, and the USB is mine :)
and now it's clean ;D
thank you
-
Hello Twin headed eagle !
I here face the same problem but I am attaching herewith the log created by gmer and Farbar addition.txt and FRST.txt . I am facing problem only with my PLAYSTATION PORTABLE FOLDERS and not in any other Pen drive or external hard drives. I need to copy a game folder to play it, but all folders are in shortcut having destination folder as cmd (C:\Windows\System32).
Please help me
Thanks in advance
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {A643866A-DEF7-471A-9D9B-6568AED1DC54} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253
BHO-x32: Browse2sauVe - {DAE24DC8-0763-9FBE-8520-236D139AECEE} - C:\ProgramData\Browse2sauVe\5145c9a53c1f3.dll No File
C:\ProgramData\Browse2sauVe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Balaji\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\Temp:862BDB1A
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
> Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
- Double click MCShield-Setup to install the application.
- Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that MCShield has created.
Start -> All Programs -> MCShield -> Logs
Attach here -> AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
-
Hello TwinHeadedEagle !
Thanks for helping me out again ! :)
Herewith I am attaching 3 text files :- i.) The initial scan of McShield ii.) The Log report and iii.) AllScans
I checked the USB drive, that is the PSP, but the folders remain in shortcut form.
Thanks once again and please reply as soon as possible .
-
Re-run FRST, press Scan and attach fresh report. How are the things now?
-
Hello Sir,
Thanks for your prompt reply.
Here are the fresh FRST and Addition reports along with the latest McShield log report.
The situation seems similar: all shortcut folders, but now the files within them seem to be deleted, as an error pops up telling it cannot find or locate them, but another page opens with a blank folder of the same name.
-
Hello Sir,
One more new development from my previous post.
I disconnected the USB and reconnected again. McShield held new reports and I am attaching it here.
It seems it found a virus again and terminated the files.
three folders were relieved from the shortcut state when I checked the PSP the moment after the scan by McShield and I was able to access them as well.
These were the ISO folder and a PSP folder with another Music folder.
But these transformed back to their shortcut state a few seconds after.....
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
MountPoints2: {2d5c19f1-eb5e-11e2-b825-ca3b13010967} - D:\Setup.exe
MountPoints2: {c5107f09-22ee-11e3-a104-8c31140b1db2} - D:\Setup.exe
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {C54FC543-61A9-4E31-B1C5-943358AD8087} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
Task: {192A48BA-0F74-42C0-8CA9-84652981944B} - System32\Tasks\{D4E0CE48-2627-4E53-B140-47375ADE0D48} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {20C23D6B-58D6-40BB-87D2-9F43B2F6C4F1} - System32\Tasks\{4A5C158C-439D-4A32-81E6-C639168EA4A6} => C:\Users\Balaji\Desktop\SETUP.EXE
C:\Users\Balaji\Desktop\SETUP.EXE
Task: {33719C2E-7EC1-48DD-963F-98BA6E3A3CDD} - System32\Tasks\{ACA90015-7A06-470F-A178-871F39F6A368} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {53C8025D-E404-43A8-86B8-94853AC45624} - System32\Tasks\{28E90CCA-A548-4FB5-A8C5-A351ED861849} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {8D347378-4B88-413E-8CF7-C5CDA5943597} - System32\Tasks\{B4C3B763-1096-4647-B93F-CDF4C1927AB6} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {922B73FF-473A-4701-BB76-CCAB938E8156} - System32\Tasks\{1A2F2AE2-21A9-42C2-8E34-495E9238F6EA} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {9DE9AA96-F7B5-45E9-9E4C-E57508F15AD8} - System32\Tasks\{111A1073-1E12-44EA-A071-E7B455D2793C} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {B4172B90-4BED-4DCD-A705-C3F3F40E90A6} - System32\Tasks\{B316956C-AAEA-4487-87C7-0EF16F5B3BAE} => C:\Users\Balaji\Desktop\SETUP.EXE
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
-
Hello TwinHeadedEagle !
I am attaching herewith the fixlog.txt for your reference.
Sir, most of the files have returned to normal state after this fixture !
But one game file I pasted is still in shortcut form and it is an ISO file and an autorun.txt is also in shortcut form.
Thank you once again !
-
Re-run FRST and attach fresh report...
-
Hello TwinHeadedEagle !
Here's the fresh report !
-
Hello TwinHeadedEagle
A new development here...... everything seemed to be in order until my last post but now suddenly all folders in the PSP have become shortcuts again. I do not seem to understand the problem but I guess the two shortcut files I told you about could have affected all of them too.
I am attaching the fresh reports
Thanks for helping me !
-
The virus came back after we cleaned it. Please do not use any USB until we clean it...
1. Please download ComboFix by sUBs from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
Instructions how to disable avast:
- Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
-
Hello TwinHeadedEagle
I am attaching herewith the log report of ComboFix
The problem is I had forgotten to plug in my USB device before the Fix started but did it in between (I mean a few seconds after it started) .....
Will it cause a problem?
-
Hello TwinHeadedEagle
I am attaching a fresh report of ComboFix after I re-ran the whole fix, this time with the PSP connected to the computer.
As you had mentioned I never tampered anything with the device or the pc while the scan took place both the times.
Thanks once again !
-
Open notepad and copy/paste the text present inside the code box below:
File::
c:\users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS
ClearJavaCache::
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
Now plug in all devices, and attach MCShield report.
-
Hello TwinHeadedEagle !
Thank you very much for your help it seems that the virus is finally removed from all the folders except the two I mentioned before.
I am attaching herewith the latest log report of ComboFix after I ran the .exe with the code you gave.
I am also attaching the latest MCShield allscans report and the last scan which reported driver is clean.
This is the first time MCShield reported "No virus Found".
-
Good, virus is removed from your PC. We only need to take care of your USB.
Open MCShield Control Center, tick this option, and confirm with OK.
Re-scan USB and tell me how are the things now?
-
Hello TwinHeadedEagle !
I am attaching herewith the scan reports of McShield after checking the unhide option in scanner menu.
Thank you very much for helping me !
-
USB seems clean now, any remaining problems?
-
Hello TwinHeadedEagle !
Thank you very much ! :)
There seems to be no remaining problems !
I reviewed MCShield report and it said "No malware detected".
As for the two remaining files I told you about earlier , I deleted them .
It was a set of an autorun.inf file and an iso game with its shortcut.
Thank you again for spending your precious time to help me ! Thank you ! :)
I would like if you suggest some measures to be taken if this occurs in the future .
-
There should be no issue in the future, keep using MCShield and it will protect you surely against such threats.
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
-
Thank you sir once again for helping me ! :)
I downloaded Delfix as you said and all the tools are removed !
Thank you sir !
-
I'm having the same problem of USB virus in my laptop. If you can help me, I would be thankful to you...
-
I'm having the same problem of USB virus in my laptop. If you can help me, I would be thankful to you...
how to get help instructions. https://forum.avast.com/index.php?topic=53253.0
attach requested logs in a new topic you start
-
hello,
Ever since I connected a flash drive to my laptop, I began encountering the same problem. Now all these shortcuts have appeared on all my files. I would be grateful for any help on this. My OS is Windows 7 Ultimate SP1 (32 bits). Furthermore, every time I start up my machine, this message in Notepad keeps popping up:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
what does this message mean?
thanks in advance.
-
Everyone, start your own thread and attach the FRST, aswMBR and MBAM log files!
-
following the thread started by runa llena and with the assistance of twinheadedeagle , the following files are the results of the scans.
thanks.
-
Having the same issue
-
Having the same issue
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Having the same issue
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Thanks
-
I have the same problem, please solve it for me, eagle sir
-
Mad, start your own thread. I haven't seen Twin in a while, so it may be someone else.
-
Here I have sent my logs, sir. Tell me the next step?
-
Alright then. Sit tight.
Install MCShield (http://www.mcshield.net/download.html) as you will need it.
-
OK DONE
-
Now wait, a Remover is online. However, he is usually quite busy..
-
OK SIR BUT BE quick to solve my problem plz
-
I am not "capable" of solving it. I am just a "mod".
I can guess your issue was targeted by FRST as it removed a VBS file, but I can also guess you have a few other infections judging by the random processes running from your desktop..
-
Have you run MCShield ? If so could you attach the log
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [ads] => wscript.exe //B "C:\ProgramData\ads.vbs"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [Windows Update] => C:\Google\Windowsupdate.lnk [758 2014-10-14] ()
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [AdopeUpdate] => C:\Google\GoogleUpdate.lnk [633 2014-10-14] ()
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {089a935c-7254-11e4-8273-ec0ec4175d74} - "H:\AutoRun.exe" {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A01B06 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {52953862-6b4e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {8128abd2-5a96-11e4-825a-ec0ec4175d74} - "H:\.\StartModem.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {a3d8d34b-635e-11e4-8263-28d244d31175} - "H:\Startme.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {f2d111c2-6b1e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\MountPoints2: {f2d111d8-6b1e-11e4-826e-28d244d31175} - "H:\Windows/AutoRun.exe"
Startup: C:\Users\Madhava004\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ads.vbs ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:51168;https=127.0.0.1:51168
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3781095135-741699957-74562839-1002 -> {0858ACCC-5861-414B-B5F1-97999198371C} URL =
2014-12-15 18:45 - 2014-12-17 20:04 - 00000906 _____ () C:\ProgramData\ProgramData.lnk
2014-12-15 18:44 - 2014-12-15 18:44 - 00000000 _RSHD () C:\Skypee
2014-12-15 18:44 - 2014-12-15 18:44 - 00000000 _RSHD () C:\Google
2014-12-15 18:43 - 2014-05-18 04:05 - 00024964 ___SH () C:\ProgramData\ads.vbs
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\Users\Madhava004\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ultimate ZIP Cracker Trial
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ultimate ZIP Cracker Trial
2014-12-13 12:29 - 2014-12-13 12:29 - 00000000 ____D () C:\Program Files (x86)\UZC Trial
2014-11-18 17:57 - 2014-11-18 17:57 - 00000000 ____D () C:\Program Files (x86)\b6f2344f-1e6b-46e8-b225-b143b03d9c83
2014-11-18 17:07 - 2014-11-18 17:07 - 00003174 _____ () C:\windows\System32\Tasks\{1D35AC7E-B58F-4434-AEF4-F61618FE7774}
2014-12-17 20:04 - 2014-08-20 17:24 - 01058373 _____ () C:\windows\SysWOW64\rootpa.e2e
C:\Google
C:\ProgramData\ads.vbs
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
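
Added example (not part of the original posts and not FRST's own code): a small Python triage over FRST-style autorun lines like the ones in the fixlists above. It flags the pattern those fixlists share, a script or script interpreter started from a Run key or the Startup folder, and notes when it sits in a user-writable directory. The sample lines are copied from this thread except the one marked constructed; the flag names, the interpreter list and the directory list are assumptions of this example.

```python
import re

# Windows Script Host extensions and script interpreters (AutoIt3.exe appears
# in the last fixlist above). Both lists are assumptions of this example.
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "autoit3.exe")
# Directories a standard user can normally write to (assumption).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")

# The 2013 logs in this thread use " - " before the target, the 2014 log " => ".
RUN_RE = re.compile(r"^HK\S+\\\.\.\.\\Run: \[[^\]]*\] (?:-|=>) (?P<target>.+)$")
STARTUP_RE = re.compile(r"^Startup: (?P<target>.+)$")
MOUNT_RE = re.compile(
    r"^(?:HK\S+\\\.\.\.\\)?MountPoints2: \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
ATTN_RE = re.compile(r"\s*<=+ ATTENTION\s*$")
# Trailing "[size date] (company)" or bare "()" metadata after the path.
META_RE = re.compile(r"\s*(?:\[\d+ \d{4}-\d{2}-\d{2}\])?\s*\([^)]*\)\s*$")

# Lines copied from the fixlists in this thread; the last one is constructed.
SAMPLE = r'''
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
MountPoints2: {2d5c19f1-eb5e-11e2-b825-ca3b13010967} - D:\Setup.exe
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [ads] => wscript.exe //B "C:\ProgramData\ads.vbs"
HKU\S-1-5-21-3781095135-741699957-74562839-1002\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
cmd: ipconfig /flushdns
HKLM\...\Run: [ExampleUpdater] - C:\Program Files\Example\updater.exe [1000 2013-01-01] (Example Corp)
'''


def parse_autorun(line):
    """Return (kind, target) for an autorun line, or None for anything else."""
    line = line.strip()
    for kind, rx in (("run", RUN_RE), ("startup", STARTUP_RE),
                     ("mountpoint", MOUNT_RE)):
        m = rx.match(line)
        if m:
            target = ATTN_RE.sub("", m.group("target"))
            target = META_RE.sub("", target).strip()
            return kind, target
    return None


def reasons_for(kind, target):
    """List the reasons an autorun entry deserves a closer look."""
    low = target.lower()
    reasons = []
    if SCRIPT_EXT_RE.search(low) or any(h in low for h in SCRIPT_HOSTS):
        reasons.append("script-autorun")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable-path")
    if kind == "mountpoint":
        reasons.append("removable-autoplay")
    return reasons


def triage(lines):
    """Return (kind, target, reasons) for every autorun line with a reason."""
    findings = []
    for line in lines:
        parsed = parse_autorun(line)
        if parsed is None:
            continue
        reasons = reasons_for(*parsed)
        if reasons:
            findings.append((parsed[0], parsed[1], reasons))
    return findings


def is_high(reasons):
    """Script started at logon AND stored where a standard user can write."""
    return "script-autorun" in reasons and "user-writable-path" in reasons


if __name__ == "__main__":
    for kind, target, reasons in triage(SAMPLE.splitlines()):
        level = "HIGH" if is_high(reasons) else "review"
        print(f"{level:6} {kind:10} {target}  ({', '.join(reasons)})")
```

Entries marked only for review, such as the Intel gadget script under Program Files, still need a person to decide; the example ranks lines and removes nothing.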
-
OK, I have your 2 steps, and next is what?
-
here my mc shield logs
-
Sir, are you there? Please finish the last setup, please.
-
Mad, we do have jobs outside of this. This is a volunteer position.
Your USBs are infected. Grab them all, and one by one, plug them into your computer. Ensure MCShield is on and let MCShield scan it first and remove any present infections.
Then repost the Allscans.txt file please.
-
Sir, but I have sent them already, and I deleted the shortcuts and restarted the system and I didn't them once again. I think the virus is gone from my computer, and when I insert the USB it scanned, and inserted for the 2nd time it shows malware not detected. What does it mean? The virus is gone? Please tell me.
-
The log (AllScans.txt) was BEFORE you scanned the USB's. We need to see it AFTER you scanned them all.
-
Ya, I inserted, then it shows scan finished and malware not detected, and I have not found any shortcut virus in my laptop and in my pendrives!!!
-
But when I insert the pendrive in the laptop, MC shows pendrive scanned and malware not detected; when I open the pendrive no single files are in the pendrive, so I think the virus is gone.
-
Here is my MC AllScans list
-
My virus is gone. Please, what is the next step to do? Please bro, please, and thank you a lot for this help. Please reply to me one last time.
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Unchecky (http://unchecky.com/)
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme ;)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
Thank you for your wonderful idea and for your talent, thank you so much
-
One small doubt: must I have these crypto and malware update and Unchecky? Is it a must or just recommended for safety?
-
They are just recommendations :)
-
Hello. New user here :D
I also have the same problem as OP's. My hard drive keeps generating these folder shortcuts that lead to CMD system32, so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)
Thanks for the help in advance!
-
Hello. New user here :D
I also have the same problem as OP's. My hard drive keeps generating these folder shortcuts that lead to CMD system32, so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)
Thanks for the help in advance!
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Hello. I am new here...
I also have the same problem as OP's.
My HDD keeps generating these folder shortcuts that lead to CMD system32...
so I followed TwinHeadedEagle's instructions (Adwcleaner - GMER - FRST)...
Here is the attachment... Kindly tell me the next step... Thanks in advance...
-
Hello. I am new here...
I also have the same problem as OP's.
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Hello, first of all I am really sorry to bring this up but I had a similar (with a usb showing links to system32 but when i clicked on the folders they open normally but in a new window) problem and downloaded the adwcleaner from your link here and ran it. When it closed, it asked me to rr my computer and now it's so slow!! It won't connect to the internet and takes forever to boot up. All this happened just by running that adwcleaner.
Can you please help me? I tried to fix the usb and now my PC is sluggish.
I'm a music producer and I really can't afford another format, I just installed Windows 10.
-
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Sir, help me please, I'm having trouble with (c:windows\system32) shortcut folders. Please help, and thank you.
-
Sir, help me please, I'm having trouble with (c:windows\system32) shortcut folders. Please help, and thank you.
For help start your own topic and follow instructions in the sticky post at top in this forum section
-
When I connect a pendrive to my laptop, all my files and folders in all drives (C, D, E) become shortcuts with another folder. For example, one folder is saha.avi.exe, which shows as an application file with size 348kb; after putting the cursor on it, it shows file description: Windows Defender Service with file version 1.0.0.0.
And another file with the same name as a shortcut, saha.avi.exe, with file size 1kb (758 bytes); after putting the cursor on it, it shows location: C:\Windows\system32
-
When I connect a pendrive to my laptop, all my files and folders in all drives (C, D, E) become shortcuts with another folder. For example, one folder is saha.avi.exe, which shows as an application file with size 348kb; after putting the cursor on it, it shows file description: Windows Defender Service with file version 1.0.0.0.
And another file with the same name as a shortcut, saha.avi.exe, with file size 1kb (758 bytes); after putting the cursor on it, it shows location: C:\Windows\system32
Please give me an urgent solution to this problem.
-
Please give me an urgent solution to this problem.
For receiving help, first follow the instructions here https://forum.avast.com/index.php?topic=53253.0
start your own topic and attach requested logs
-
URGENT
Hello.
My System got infected with same virus.
Attaching the files herewith (As per your instructions). Only thing is GMER not running completely. Tried downloading many times.
Please provide for a solution asap.
Akanksha
-
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Sir please Help me
I have attached these files.
I faced the shortcut virus on my computer, it says location cmd system32
please help me...
-
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Sir please Help me
I have attached these files.
I faced the shortcut virus on my computer, it says location cmd system32
please help me...
For help, start your own topic and attach logs
Helping multiple users in same topic will be chaos
-
Did you follow my last post about MCShield? Please attach the report, so we can finish...
Hi sir twin, I hope you can help me with my problem. I already did the 3 scans, here are the logs
-
Did you follow my last post about MCShield? Please attach the report, so we can finish...
Hi sir twin, I hope you can help me with my problem. I already did the 3 scans, here are the logs
1. Sir Twin does not frequent this forum much anymore
2. For help, always start your own topic. Helping multiple users in same topic is just chaos