Shortcut virus - location: cmd (C:\Windows\System32) ????

[master_robotics]

Hello TwinHeadedEagle !

Thanks for helping me out again ! 

Herewith I am attaching 3 text files :- i.) The initial scan of McShield ii.) The Log report  and   iii.) AllScans

I checked the USB drive, that is the PSP, but the folders remain in shortcut form.

Thanks once again  and please reply as soon as possible .

[TwinHeadedEagle]

Re-run FRST, press Scan and attach fresh report. How are the things now?

[master_robotics]

Hello Sir,

Thanks for your prompt reply.

Here are the fresh FRST and Addition report alongwith the latest McShield log report.
The situation seems similar : all shortcut folders , but now the files within them seem to be deleted as an error pops up telling it cannot find or locate them. but another page opens
with a blank older of the same name.

[master_robotics]

Hello Sir,

One more new development from my previous post.

I disconnected the USB and reconnected again. McShield held new reports and I am attaching it here.
It seems it found a virus again and terminated the files.

three folders were relieved from the shortcut state when I checked the PSP the moment after the scan by McShield and I was able to access them as well.
These were the ISO folder and a PSP folder with another Music folder.

But these transformed back to their shortcut state  a few seconds after.....

[TwinHeadedEagle]

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
MountPoints2: {2d5c19f1-eb5e-11e2-b825-ca3b13010967} - D:\Setup.exe
MountPoints2: {c5107f09-22ee-11e3-a104-8c31140b1db2} - D:\Setup.exe
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {C54FC543-61A9-4E31-B1C5-943358AD8087} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
Task: {192A48BA-0F74-42C0-8CA9-84652981944B} - System32\Tasks\{D4E0CE48-2627-4E53-B140-47375ADE0D48} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {20C23D6B-58D6-40BB-87D2-9F43B2F6C4F1} - System32\Tasks\{4A5C158C-439D-4A32-81E6-C639168EA4A6} => C:\Users\Balaji\Desktop\SETUP.EXE
C:\Users\Balaji\Desktop\SETUP.EXE
Task: {33719C2E-7EC1-48DD-963F-98BA6E3A3CDD} - System32\Tasks\{ACA90015-7A06-470F-A178-871F39F6A368} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {53C8025D-E404-43A8-86B8-94853AC45624} - System32\Tasks\{28E90CCA-A548-4FB5-A8C5-A351ED861849} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {8D347378-4B88-413E-8CF7-C5CDA5943597} - System32\Tasks\{B4C3B763-1096-4647-B93F-CDF4C1927AB6} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {922B73FF-473A-4701-BB76-CCAB938E8156} - System32\Tasks\{1A2F2AE2-21A9-42C2-8E34-495E9238F6EA} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {9DE9AA96-F7B5-45E9-9E4C-E57508F15AD8} - System32\Tasks\{111A1073-1E12-44EA-A071-E7B455D2793C} => C:\Users\Balaji\Desktop\SETUP.EXE
Task: {B4172B90-4BED-4DCD-A705-C3F3F40E90A6} - System32\Tasks\{B316956C-AAEA-4487-87C7-0EF16F5B3BAE} => C:\Users\Balaji\Desktop\SETUP.EXE

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

[master_robotics]

Hello TwinHeadedEagle !

I am attaching herewith the fixlog.txt for your reference.
Sir, most of the files have returned to normal state after this fixture !
But one game file I pasted is still in shortcut form and it is an ISO file and an autorun.txt  is also in shortcut form.


Thank you once again !

[TwinHeadedEagle]

Re-run FRST and attach fresh report...

[master_robotics]

Hello TwinHeadedEagle !

Here's the fresh report !

[master_robotics]

Hello TwinHeadedEagle

A new development here...... everything seemed to be in order until my last post but now suddenly all folders in the PSP have become
shortcuts again . I do not seem to understand the problem but I guess the two shortcut files I told you could have affected all of them too.

I am attaching the fresh reports

Thanks for helping me !

[TwinHeadedEagle]

Virus comeback after we clean it. Please do not use any USB until we clean it...


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

• Right click on the avast! system tray icon () in the lower right corner of the screen and scroll up to avast! shield controls;
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

[master_robotics]

Hello TwinHeadedEagle

I am attaching herewith the log report of ComboFix

The problem is I had forgotten to plug in my USB device before the Fix started but did it inbetween ( I mean in a few seconds after it started) .....

Will it cause a problem?

[master_robotics]

Hello TwinHeadedEagle

I am attaching a fresh report of ComboFix after I re-ran the whole fix, this time with the PSP connected to the computer.

As you had mentioned I never tampered anything with the device or the pc while the scan took place both the times.

Thanks once again !

[TwinHeadedEagle]

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

File::
c:\users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS

ClearJavaCache::
Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Now plugin all devices, and attach MCShield report.

[master_robotics]

Hello TwinHeadedEagle !

Thank you very much for your help it seems that the virus is finally removed from all the folders except the two I mentioned before.

I am attaching herewith the latest log report of ComboFix after I ran the .exe with the code you gave.
I am also attaching the latest MCShield allscans report and the last scan which reported driver is clean.

This is the first time MCShield reported "No virus Found".

[TwinHeadedEagle]

Good, virus is removed from your PC. We only need to take care of your USB.

Open MCShield Control Center, tick this option, and confirm with OK.

Re-scan USB and tell me how are the things now?