Author Topic: shortcut virus (Read 4390 times)

bedo99999 · « **on:** February 16, 2014, 04:01:23 PM »

Hi,
all my folders in my flash drives are converted into shortcut icons & when right clicked & show file location is chosen, itsays "‪C:\WINDOWS\System32\cmd.exe"
Could you please help me with this?

essexboy · « **Reply #1 on:** February 16, 2014, 04:11:22 PM »

Hi your flash drives are infected

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

THEN

Download Anti VBS/VBE to your desktop

download the appropriate version (32 bit or 64 bit) and double click the file to run it.
After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

bedo99999 · « **Reply #2 on:** February 16, 2014, 04:34:40 PM »

this is first log

bedo99999 · « **Reply #3 on:** February 16, 2014, 04:38:02 PM »

second log

essexboy · « **Reply #4 on:** February 16, 2014, 05:01:18 PM »

OK now those are clean lets look at the computer

Download OTL to your Desktop
Secondary link

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

Select All Users
Select LOP and Purity
Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs

bedo99999 · « **Reply #5 on:** February 16, 2014, 05:27:40 PM »

otl.txt

bedo99999 · « **Reply #6 on:** February 16, 2014, 05:28:38 PM »

Extras.txt

essexboy · « **Reply #7 on:** February 16, 2014, 06:04:34 PM »

Are you using Samdav antivirus ? Your system is badly infected, I see you have run Combofix, could you attach the log for that

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2014/02/13 11:20:28 | 000,080,664 | ---- | M] () [Auto | Running] -- C:\Program Files\maucampo\bin\utilmaucampo.exe -- (Util maucampo)
SRV - [2014/02/13 11:17:16 | 000,080,664 | ---- | M] () [Auto | Running] -- C:\Program Files\maucampo\updatemaucampo.exe -- (Update maucampo)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\anvsnddrv.sys -- (anvsnddrv)
O2 - BHO: (maucampo) - {5d7d4fb9-aca5-4013-8879-c58dcd4df9f1} - C:\Program Files\maucampo\maucampoBHO.dll (maucampo)
O4 - HKLM..\Run: [06864143dea93515509ebd6f1b2637f2] C:\ProgramData\Avasit.exe (SAJROY8j7nVVuZX)
O4 - HKU\S-1-5-21-214351162-642781372-3813588257-1000..\Run: [06864143dea93515509ebd6f1b2637f2] C:\ProgramData\Avasit.exe (SAJROY8j7nVVuZX)
O4 - HKLM..\RunOnce: [network_smb_media1firecom] "C:\Users\NABILB~1\AppData\Local\Temp\BI_RunOnce.exe" /initurl http://dw50j5zef9twa.cloudfront.net/init/cUduMakJ/:uid:? /affid "-" /id "0" /name " " /uniqid cUduMakJ /uuid 00000000-0000-0000-0000-001FD0054F7D /diskserial 2020202057202d44435750414339363835393431 /biosserial /biosversion SECCSD - 42302e31 /csname 945GCM-S2L File not found
O4 - Startup: C:\Users\nabilbahr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06864143dea93515509ebd6f1b2637f2.exe (SAJROY8j7nVVuZX)
[2014/02/16 13:32:13 | 000,000,000 | ---D | C] -- C:\Users\nabilbahr\AppData\Roaming\SpeedyPC Software
[2014/02/16 13:32:13 | 000,000,000 | ---D | C] -- C:\Users\nabilbahr\AppData\Roaming\DriverCure
[2014/02/16 13:31:35 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2014/02/12 23:58:28 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
[2014/02/10 12:24:35 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\new.exe
[2014/02/10 12:24:27 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06864143dea93515509ebd6f1b2637f2.exe
[2014/02/10 12:24:20 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\ProgramData\Avasit.exe
[2014/02/10 12:24:12 | 000,249,344 | ---- | C] (SAJROY8j7nVVuZX) -- C:\Windows\System32\new.exe
[2014/02/10 12:00:34 | 000,000,000 | ---D | C] -- C:\Program Files\maucampo
[2014/02/12 23:58:28 | 000,249,344 | ---- | M] (SAJROY8j7nVVuZX) -- C:\Users\nabilbahr\AppData\Roaming\new.exe
[2014/02/16 13:32:13 | 000,000,000 | ---D | M] -- C:\Users\nabilbahr\AppData\Roaming\SpeedyPC Software

:Files

:Commands
[resethosts]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

bedo99999 · « **Reply #8 on:** February 16, 2014, 07:16:40 PM »

the log

essexboy · « **Reply #9 on:** February 16, 2014, 07:55:07 PM »

How is the computer behaving now .. What problems remain

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Attach the entire report in your next reply.

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

bedo99999 · « **Reply #10 on:** February 16, 2014, 08:15:02 PM »

Virus removed , Thanks a lot

essexboy · « **Reply #11 on:** February 17, 2014, 03:55:33 PM »

No further problems then ?

bedo99999 · « **Reply #12 on:** February 18, 2014, 02:31:49 PM »

I don't know $:-\$

essexboy · « **Reply #13 on:** February 18, 2014, 03:31:24 PM »

Did malwarebytes find anything ?

Author Topic: shortcut virus (Read 4390 times)

bedo99999

shortcut virus

essexboy

Re: shortcut virus

bedo99999

Re: shortcut virus

bedo99999

Re: shortcut virus

essexboy

Re: shortcut virus

bedo99999

Re: shortcut virus

bedo99999

Re: shortcut virus

essexboy

Re: shortcut virus

bedo99999

Re: shortcut virus

essexboy

Re: shortcut virus

bedo99999

Re: shortcut virus

essexboy

Re: shortcut virus

bedo99999

Re: shortcut virus

essexboy

Re: shortcut virus