usbAl script file on flash drive hides all files and folders

[magna86]

p.s. I am sorry for the long thread

Don't worry. When we run into a new malware, thread know to go at least three pages. 
four - five pages is an average for a new malware. 

Hm ... something keeps files from deleting.
How FRST is deadly on Vista and above systems and you have XP, we will use Combofix and his CFScript because CF is big daddy for XP.
=========================================

Delete old copy of Combofix, you need to download fresh copy of Combofix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.



Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"usbAl"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"usbAl"=-

File::
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\usbAl.vbs
c:\documents and settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs
Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )



----- next ----

Re-run FRST and post me frech created FRST log to see what is going on after running Combofix.

[m_a_k]

Here are the logs from Combofix and FRST:

p.s. I tried plugging some USB drives, good news, and no usbAl.vbs appears. 

[magna86]

One more script:


Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Windows XP Pro^Start Menu^Programs^Startup^usbAl.vbs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usbAl]

File::
c:\documents and settings\Windows XP Pro\Start Menu\Programs\Startup\usbAl.vbs
c:\windows\pss\usbAl.vbsStartup
C:\Program Files\mozilla firefox\browser\searchplugins\911bg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\diribg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\pe-bg.xml
C:\Program Files\mozilla firefox\browser\searchplugins\portalbgdict.xml
C:\Windows\system32\drivers\scsiport.sys

KillAll::

Driver::
ScsiPort

FileLook::
c:\windows\system32\wscript.exe
c:\windows\system32\eappprxy.dll

Firefox::
FF - ProfilePath - c:\documents and settings\Windows XP Pro\Application Data\Mozilla\Firefox\Profiles\2186w7x4.default\
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - bcb35a4f000000000000001e8c0cdcc4
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15816
FF - user.js: extensions.delta.vrsn - 1.8.16.16
FF - user.js: extensions.delta.vrsni - 1.8.16.16
FF - user.js: extensions.delta.vrsnTs - 1.8.16.1618:49
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false


Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


----- next -----


Can you please re-upload to me Quarantine folders created by FRST and Combofix?

C:\FRST\Quarantine
C:\Qoobox\Quarantine

Attach it with password.

http://www.wikisend.com

Please post me here download link.

[bagabont]

Hi everyone!
I've just fixed a computer infected with usbAl.vbs, so i decided to post you my solution in a few steps.

1. Enable hidden files and folders and disable hide system files, from folder options.
2. Stop the script service from Task manager, usually it will be something like "wscript.exe" process (The virus is run using the Windows-based script host).

If you do not want to save any data just format your usb drive and proceed to step 5, otherwise continue with step 3

3. Open your usb drive and remove all shortcuts and the usbAl.vbs
4. Open command prompt and write the following (I'll use G: as an example drive letter, you replace the letter with the infected drive's letter)

cd G:
G:
attrib -s -h /S /D

!Wait until the command finishes


5. Go to C:\Users\..YOUR_USER_ACCOUT..\AppData\Local\Temp and delete the file usbAl.vbs
6. Copy %appdata%\Microsoft\Windows\Start Menu\Programs\Startup and paste it in windows explorer and press enter. Delete usbAl.vbs from there


Not the simplest guide, but if you know a bit of windows you'll be alright.
This was on a windows 7 x86 machine, so if you have XP or something more antique just adapt the directories so they will suite your OS

Best regards,
Momchil Marinov

[Pondus]

3. Open your usb drive and remove all shortcuts and the usbAl.vbs

or you can just install MCShield and let it remove it .... as seen in allscan log attached in reply nr.#5.   

[m_a_k]

Hello,
I am verry sory for the slow responce, but I have been away from the computer(other people were using it while I was gone).

Here are the links you required:

Quarantine.rar  pass:combofix

Quarantine.rar pass:frst

[magna86]

Hi,

How I lost track of what we are doing here and what is going on. Delete old FRST.exe and download fresh copy, re-run FRST and post fresh logs. Now I have to start over with the analysis.
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Thanks for Quarantine. I shall download them and analyze them some later.

[m_a_k]

ahhh, this is ebarrassing
Sorry for all the inconvenience(having to strart all over again), should have told someone to keep track of this thread, while I was away.

This is the fress log:

[magna86]

Please go to Start --> Run
Copy/paste the contents of the code box below into the Run box and click OK:

Code: [Select]

cmd /c del /a/f/q C:\Documents and Settings\Windows XP Pro\Local Settings\temp\avgnt.exe
Why have you been uninstall MCShield? This kind of malware is USB based and I can't clean it up if you re-infect PC with infected USB. Therefore, you shall require MCShield for preventive.


Download & install MCShield again and repeat the procedure with scanning your USB mem devices. Please post here fresh AllScan.txt

[m_a_k]

Hello, again

Installed MCShield, all drives are ok I think, here is the log file:

[magna86]

It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.


------- next --------


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

• Remove disinfection tools
• Create registry backup
• Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.


------- ==== --------


I recommended you to keep Malwarebytes and to use MCShield if you will.
You may download Malwarebytes from here:
http://www.malwarebytes.org/


You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

[m_a_k]

Thank you very much, for all the help and patience.