Author Topic: Cool.vbs Virus - Please help me remove it from my desktop and prevent it  (Read 19003 times)


Ricky Vybz (Guest)
Hello everyone, this is my first time on the forum, and what I have seen here is a great team of people with the best knowledge on the net for dealing with all sorts of virus and malware issues. I am hoping to get some of this knowledge and help with my problem. The reason I am here is the Cool.vbs virus; this virus seems to be pretty new, and it's wreaking havoc on many computer systems around the city. This virus came onto my system via a flash drive a few days ago. I had USB Disk Security installed at the time; it identified the virus, and I tried to delete it using that program. It seemed like it did, but when I inserted another flash drive all the files became shortcuts, plus USB Disk Security identified it again. AVG 2011 was also on the system along with McAfee; however, it seems that AVG was not working because it didn't respond to the virus at all, and neither did McAfee. When I started researching the cool.vbs virus I read that you should not have more than one full antivirus program on a system because they will conflict and can cause major problems, so I removed McAfee. I also read that most antivirus programs can't detect cool.vbs.

I called up a friend of mine who is a computer technician, and he was telling me that his store was overrun with systems that customers are bringing to him with the cool.vbs virus. He said that he was working with an antivirus named SMAD, and he was getting good results so far. In my reading, however, I didn't see anyone mention SMAD, but I downloaded it anyway from CNET onto another system at home, SMAD AV 2013 9.4.1 (October 5, 2013) version to be exact. This system is my workhorse system running Windows 7, 64-bit, 8 GB RAM. The system with the cool.vbs virus is running XP, 32-bit (office computer). I scanned my system (workhorse) with SMAD and it found no infections; I also have USB Disk Security and Avast on the workhorse. I inserted the infected flash drive in the workhorse system, and SMAD, USB Disk Security and Avast identified the cool.vbs virus. Avast moved it to the chest; SMAD identified over 162 viruses and 192 hidden files on the flash drive. All the files that cool.vbs made into shortcuts were seen as viruses by SMAD, and the original files were hidden. I used SMAD to remove all the viruses and unhide the files; it did this successfully, and when I ejected the flash drive and reinserted it, it was clean and all files were there.

Now the problem is that on the XP system, onto which I have now downloaded SMAD and run it, when I insert the clean flash disks, SMAD finds the same number of viruses and hidden files, and when I use SMAD to clean the USB it does so, but as soon as the flash drive is reinserted it is infected again. This tells me that cool.vbs is on the system itself and is reinfecting the flash drive.

I found it strange that I could clean the flash drives on my workhorse and it doesn't infect the workhorse, but with the XP system, after cleaning the flash drives with SMAD, the system just reinfects them. Now, as I said earlier, AVG 2011 was not working, so I decided to uninstall it, thinking that maybe cool.vbs was hiding in some AVG file folder. AVG gave me hell to uninstall; it would constantly show up in my program list even when it said it was uninstalled, and I had to use many different downloads of the removal tool to get rid of it finally.

WOW, that's a lot of info. I hope that I explained the necessary information clearly; I am really looking forward to any help I can get to have this issue resolved, and I have extreme faith in this community. Let's kill cool.vbs  8)

Thanks in advance and if any more info is needed I will gladly provide it. Thanks again.

Rick.   
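The behaviour described in the post above (every file on the stick replaced by a shortcut, originals hidden, and a clean stick re-infected the moment it touches the dirty host) is the classic USB shortcut-worm pattern. The following script is an added example, not something from the thread or from any of the tools mentioned in it. It triages a removable drive and, with -Clean, moves the suspicious shortcuts and script files into a quarantine folder and unhides the originals. It assumes Windows PowerShell 2.0 or later, a drive letter passed as -Drive, and a quarantine folder name (`_quarantine`) that is my own choice. The regexes for "bad" shortcut targets and script extensions are assumptions about what such worms plant, not a description of cool.vbs itself.

```powershell
# Added example (not from the thread): triage, and optionally clean, a removable drive hit by a
# shortcut worm. Run it from a host you have already checked; a dirty host simply re-infects the
# stick on the next insert, which is exactly what the XP machine in the thread was doing.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. "I:"
    [switch]$Clean                                  # without -Clean the script only reports
)

$root       = $Drive.TrimEnd('\') + '\'
$quarantine = Join-Path $root '_quarantine'         # assumed folder name for moved items
$shell      = New-Object -ComObject WScript.Shell

# Assumed patterns: a shortcut that launches a script host / cmd.exe, or whose arguments
# name a script file, is the worm's replacement for the user's real file or folder.
$badTarget = '(?i)\b(wscript|cscript|cmd|mshta|rundll32)(\.exe)?\b'
$badArgs   = '(?i)\.(vbs|vbe|js|jse|wsf|bat|cmd)\b'

$findings = @()

# 1. Shortcuts whose target is a script host or whose arguments reference a script file.
Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.FullName -notlike "$quarantine*" } |
  ForEach-Object {
    try {
        $lnk = $shell.CreateShortcut($_.FullName)
        if (($lnk.TargetPath -match $badTarget) -or ($lnk.Arguments -match $badArgs)) {
            $findings += New-Object PSObject -Property @{
                Kind = 'shortcut'; Path = $_.FullName; Detail = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
        }
    } catch { Write-Warning "Could not parse shortcut $($_.FullName)" }
  }

# 2. Script files and autorun.inf anywhere on the drive (the sticks in the thread carried
#    .js files in short random folders as well as the .vbs itself).
Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { (-not $_.PSIsContainer) -and ($_.FullName -notlike "$quarantine*") -and
                 (($_.Name -match $badArgs) -or ($_.Name -ieq 'autorun.inf')) } |
  ForEach-Object {
    $findings += New-Object PSObject -Property @{ Kind = 'script'; Path = $_.FullName; Detail = "$($_.Length) bytes" }
  }

# 3. Top-level items the worm hid: Hidden and System both set on the user's own files/folders.
$hideMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$hidden = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
  Where-Object { ($_.Name -ne 'System Volume Information') -and
                 (([int]$_.Attributes -band $hideMask) -eq $hideMask) }

$findings | Format-Table Kind, Path, Detail -AutoSize -Wrap
"Hidden+System items at drive root: $(@($hidden).Count)"

if ($Clean) {
    if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }
    foreach ($f in $findings) {
        # Move rather than delete so a false positive (a real .bat, say) can be recovered.
        Move-Item -LiteralPath $f.Path -Destination $quarantine -Force -ErrorAction SilentlyContinue
    }
    foreach ($h in $hidden) {
        # Clear Hidden and System together; attrib refuses to clear one while the other is set.
        $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band (-bnot $hideMask))
    }
    "Moved $(@($findings).Count) item(s) to $quarantine and unhid $(@($hidden).Count) item(s)."
}
```

Run it once without -Clean and read the table before trusting it: the shortcut check is the reliable signal (a .lnk pointing at wscript.exe or cmd.exe with a script on the command line has no legitimate reason to sit next to the user's documents), while the extension-only check in step 2 will also list any genuine batch files on the stick.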

Secondmineboy (Avast Evangelist)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #1 on: October 26, 2013, 05:30:47 PM »
Follow this Thread and attach logs: http://forum.avast.com/index.php?topic=53253.0

When done malware removers will be notified.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

magna86 (Anti Malware Fighter, Avast Evangelist, Ambulanta MyCity Forum - ASAP Member)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #2 on: October 26, 2013, 06:26:18 PM »
Hi,

@Ricky Vybz
When you follow that and create logs for AdwCleaner, Malwarebytes, OTL and aswMBR, then install the MCShield tool as well.
Attach all created logs here, including AllScans.txt.

Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #3 on: October 26, 2013, 08:13:45 PM »
Hey guys, thanks for the quick response @magna86 and Steven. I am going to attach the logs in multiple replies so it is easier to examine.
This is the AdwLog:


Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #4 on: October 26, 2013, 08:29:27 PM »
The MBAM Log:

Secondmineboy (Avast Evangelist)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #5 on: October 26, 2013, 08:47:19 PM »
This log is not the Malwarebytes Log.

You can find the logs in the interface under logs. Double click and save a copy to your desktop.

Pondus (Not an avast user)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #6 on: October 26, 2013, 08:53:15 PM »
> This log is not the Malwarebytes Log.

It probably is, as the name is correct for the Malwarebytes PRO protection log.

However, that is not the log we want... and it is also posted wrongly, so it is not readable.   ???

The log to attach is the Scan log; it is listed in the same place in Malwarebytes, but the scan logs are at the bottom...
and check the date so you attach the correct one.   ;)



Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #7 on: October 26, 2013, 09:00:27 PM »
Sorry about that, I didn't know there were two types of MBAM logs; I have attached the correct one now.

I also just did the OTL scan, so I attached those logs as well, both OTL.txt and Extras.txt.

Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #8 on: October 26, 2013, 10:48:46 PM »
Okay guys, these are the rest of the logs you requested, aswMBR.txt and AllScans.txt. I had updated aswMBR with Avast virus definitions, as the program suggested that this would ensure detection of the latest threats. Hope we can come up with a solution now; I am very happy with the support I am getting thus far.

Ricky   

magna86 (Anti Malware Fighter, Avast Evangelist, Ambulanta MyCity Forum - ASAP Member)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #9 on: October 27, 2013, 12:14:35 AM »
Hi,
USB Disk Security cannot provide valid USB protection. My honest advice to you is to uninstall this tool.

MCShield shall protect you from infected USB memory devices as they are infected (look at the AllScans.txt log created by MCShield; as you can see, USB Disk Security didn't clean them as it should).
First, we need to clean the machine using OTL; then we will allow MCShield to fully clean any USB-based malware leftovers. While malware is active on the machine, re-infections occur. This OTLFix shall clean the malware from the machine.


1. => do NOT attach any USB device !

2. Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:SERVICES
roapcm66puuieau

:COMMANDS
[CREATERESTOREPOINT]

:FILES
C:\WINDOWS\system32\hemasse.exe
C:\Documents and Settings\Sav Infant\Application Data\*.vbs
C:\Documents and Settings\Sav Infant\Start Menu\Programs\Startup\*.vbs
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
ipconfig /flushdns /c

:REG
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-

:COMMANDS
[EMPTYTEMP]

:OTL
@Alternate Data Stream - 514576 bytes -> C:\WINDOWS\Temp:temp
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
O4 - HKU\S-1-5-21-1454471165-1220945662-839522115-1004..\Run: [COOL] wscript.exe //B "C:\Documents and Settings\Sav Infant\Application Data\COOL.vbs" File not found
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL 89898\g98f9.js
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\explore\command - "" = I:\89898\g98f9.js
O33 - MountPoints2\{2f0c16c8-eef9-11e2-a069-0025225457d8}\Shell\open\command - "" = I:\89898\g98f9.js
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{627d77e4-8c17-11e2-a021-0025225457d8}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\AutoRun\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\explore\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6482aee4-ac29-11e2-a034-0025225457d8}\Shell\open\command - "" = L:\5e5e\g4f.js
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell - "" = AutoRun
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6b6aa4b8-a0d1-11e0-9eaf-0025225457d8}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{7e120214-b362-11e2-a03b-0025225457d8}\Shell\AutoRun\command - "" = H:\urDrive.exe
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b0d06f41-1799-11e0-950b-806d6172696f}\Shell\AutoRun\command - "" = E:\ASRSetup.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\AutoRun\command - "" = H:\golden/fish.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\Explore\command - "" = H:\golden/fish.exe
O33 - MountPoints2\{d0449aca-107e-11e1-9f08-0025225457d8}\Shell\Open\command - "" = H:\golden/fish.exe
  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


3. Attach USB devices. Keep MCShield active, and if MCS again finds malware on a USB device, attach a fresh AllScans.txt log report here.
« Last Edit: October 27, 2013, 12:16:13 AM by magna86 »
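The OTL fix above hits four host-side persistence points: the `COOL` value in the user's Run key (`wscript.exe //B "...\COOL.vbs"`), the dropped .vbs files in Application Data and the Startup folder, the cached `MountPoints2\{volume-guid}\Shell\...\command` handlers that point at .js files on the sticks (the O33 lines), and a randomly named service. The script below is an added example, not part of the thread and not the OTL fix itself; it enumerates the first three of those points plus any script host currently running, so the host can be checked before a cleaned stick goes back in. It assumes Windows PowerShell 2.0 or later (so it works on the XP machine in question, and it uses WMI rather than newer cmdlets), and it must be run as the infected user: the O4 entry lives under that user's `HKU\S-1-5-21-...` hive, which is `HKCU` only for that account. The "suspicious" patterns are my own assumptions. It reports and changes nothing; the service name and the alternate data streams from the fix are not covered here.

```powershell
# Added example (not from the thread, not the OTL fix): report the script-host persistence
# points a USB .vbs worm typically uses. Report only; run as the infected user.
$scriptHost = '(?i)\b(wscript|cscript|mshta)(\.exe)?\b'     # assumed pattern
$scriptFile = '(?i)\.(vbs|vbe|js|jse|wsf)\b'                # assumed pattern

function Test-Suspicious([string]$cmd) {
    # Either a script host is launched directly, or a script file is named on the command line.
    return ($cmd -match $scriptHost) -or ($cmd -match $scriptFile)
}

$findings = @()
function Add-Finding([string]$where, [string]$what) {
    $script:findings += New-Object PSObject -Property @{ Where = $where; What = $what }
}

# 1. Run / RunOnce values. The worm's entry in the OTL log was: wscript.exe //B "...\COOL.vbs"
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise, not values
        if (Test-Suspicious ([string]$p.Value)) { Add-Finding "$key\$($p.Name)" ([string]$p.Value) }
    }
}

# 2. MountPoints2: per-volume Shell\AutoRun|open|explore\command handlers Explorer cached from
#    autorun.inf (the O33 lines). A legitimate one launches an .exe on the stick (LaunchU3.exe,
#    urDrive.exe); the worm's point at a .js in a short random folder.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp2) {
    Get-ChildItem -Path $mp2 -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -eq 'command' } |
      ForEach-Object {
        $cmd = [string](Get-ItemProperty -Path $_.PSPath).'(default)'
        if (Test-Suspicious $cmd) { Add-Finding $_.Name $cmd }
      }
}

# 3. Script files in the drop locations named in the fix: Application Data and the Startup folder.
$dropDirs = $env:APPDATA, [Environment]::GetFolderPath('Startup')
foreach ($dir in $dropDirs) {
    Get-ChildItem -Path (Join-Path $dir '*') -Include *.vbs,*.vbe,*.js,*.jse,*.wsf -Force -ErrorAction SilentlyContinue |
      ForEach-Object { Add-Finding $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
}

# 4. Script hosts running right now, with their command lines (WMI works on XP; a live
#    wscript.exe is also the kind of process a removal tool may fail to kill).
Get-WmiObject -Class Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" -ErrorAction SilentlyContinue |
  ForEach-Object { Add-Finding "running PID $($_.ProcessId)" ([string]$_.CommandLine) }

if (@($findings).Count -eq 0) {
    "No script-host persistence found at the checked locations."
} else {
    $findings | Format-Table Where, What -AutoSize -Wrap
}
```

Anything this lists in Run or MountPoints2 that launches wscript.exe or a .js/.vbs is worth removing, but do it through the helper's fix rather than by hand while the thread is open, so the log they read matches the machine. A clean report here combined with a clean stick is what you want before step 3 above.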

Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #10 on: October 27, 2013, 05:48:45 PM »
@magna86 How long should I expect OTL to run? It had been running for almost 4 hours yesterday and didn't finish; unfortunately the power went out and I had to restart the system and do the Run Fix again. How do I know that it is running and isn't just stuck or hung up? All I see in the lower left panel of OTL is 'killing processes. Don't interrupt'. Am I supposed to see other information being displayed?

Thanks much,
Ricky

magna86 (Anti Malware Fighter, Avast Evangelist, Ambulanta MyCity Forum - ASAP Member)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #11 on: October 28, 2013, 01:14:04 PM »
Hi,

> @magna86 How long should I expect OTL to run? It had been running for almost 4 hours yesterday and didn't finish; unfortunately the power went out and I had to restart the system and do the Run Fix again. How do I know that it is running and isn't just stuck or hung up? All I see in the lower left panel of OTL is 'killing processes. Don't interrupt'. Am I supposed to see other information being displayed?

Aye, this is OTL hanging ...
OTLFix shouldn't be running for more than ~5 minutes tops.
OTL can't kill some running processes. Try to see what it is trying to shut down and turn it off yourself.
or...
Restart your computer, disable the security software, turn off all running programs (turn them all off; they will all be loaded again after the reboot) and try to re-run OTLFix ...



Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #12 on: October 28, 2013, 02:03:09 PM »
@magna86 I can't shut down the computer like normal; I have to hold down the power button for 5 seconds to get it to shut down.

What is the best way to turn off all running programs? Should I end them from within Task Manager, or should I just close any programs I may have open?

Ricky

Ricky Vybz (Guest)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #13 on: October 28, 2013, 02:14:30 PM »
@magna86, I finally got the OTL Run Fix to run; I killed a few processes one by one from Task Manager. The log is attached; looking forward to the next step. Thanks again.

Ricky

magna86 (Anti Malware Fighter, Avast Evangelist, Ambulanta MyCity Forum - ASAP Member)
Re: Cool.vbs Virus - Please help me remove it from my desktop and prevent it
« Reply #14 on: October 28, 2013, 03:05:56 PM »
> I killed a few processes one by one from Task Manager.

Now you know the best way to kill running programs.  :)

Follow Step #3 and attach AllScans.txt. Also, re-run OTL, just hit Quick Scan, and attach a fresh OTL.txt here.