Author Topic: Shortcut virus - location: cmd (C:\Windows\System32) ????  (Read 107799 times)


RunaLlena

  • Guest
Shortcut virus - location: cmd (C:\Windows\System32) ????
« on: November 01, 2013, 04:59:23 AM »
Hi,   :)
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time that I've inserted a USB in the laptop my files turned into shortcuts.
I right-clicked one of the shortcuts, and looked at where its target location is, and it's somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe

It's something like this:
http://imageshack.us/a/img545/1559/7oey.png

How can I delete this virus? Thank you in advance.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #1 on: November 01, 2013, 07:08:17 AM »
Hi,

From now on, do not use any USB on this computer, until I tell you so.



Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.
Then...



Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named



Double-click to run GMER.
  • Wait for initial scan to finish - if there is any query, click No;
  • Click Scan button and wait until the full scan is complete;
  • Click Save ... - save the report to the Desktop (named Gmer );
> Attach here Gmer logreports.



Then...



Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #2 on: November 01, 2013, 03:10:04 PM »
Twin, thank you for helping me again  ;D :D :)

ok, I've attached the files

Offline TwinHeadedEagle

Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #3 on: November 01, 2013, 03:51:08 PM »
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()
C:\Users\Max\AppData\Roaming\Microsoft.vbs
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs
HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()
C:\Users\Max\AppData\Local\Temp
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



Then...



Re-run FRST and post me the fresh report.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE
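
The fixlist in the reply above removes logon autoruns that launch .vbs files. As an added example (not part of the thread and not FRST's own code), this read-only Python triage parses FRST-style Startup/Run lines and flags entries that start a script, noting whether it sits in a user-writable profile path. The line layout is inferred from the lines quoted in this thread; the function names, extension list and path markers are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: script types Windows will run at logon via Script Host or cmd.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
# Assumption: profile locations a standard user can write without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

# Layout inferred from the FRST lines quoted in this thread.
ENTRY = re.compile(
    r"^(?P<where>Startup|HK\w+\\\S*\\Run(?:Once)?): "
    r"(?:\[(?P<name>[^\]]*)\] - )?(?P<rest>.+)$"
)
# Trailing metadata: "<== ATTENTION", "(company)", "[size date]".
TRAILER = re.compile(
    r"(\s*<=+ ATTENTION|\s*\([^()]*\)|\s*\[\d+ \d{4}-\d{2}-\d{2}\])\s*$"
)

def clean_target(rest):
    """Strip FRST's trailing annotations, leaving only the file path."""
    while True:
        shorter = TRAILER.sub("", rest)
        if shorter == rest:
            return rest.strip()
        rest = shorter

def triage(lines):
    """Return (where, name, path, user_writable) for script autoruns."""
    hits = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a Startup/Run entry (bare paths, cmd: lines)
        path = clean_target(m.group("rest"))
        if PureWindowsPath(path).suffix.lower() not in SCRIPT_EXTS:
            continue  # autorun target is not a script file
        writable = any(p in path.lower() for p in USER_WRITABLE)
        hits.append((m.group("where"), m.group("name"), path, writable))
    return hits

# Sample lines copied from the fixlists posted in this thread.
SAMPLE = [
    r"Startup: C:\Users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs ()",
    r"HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()",
    r"HKCU\...\Run: [Microsoft] - C:\Users\Max\AppData\Roaming\Microsoft.vbs [32768 2013-06-08] ()",
    r"HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION",
    r"C:\Users\Max\AppData\Roaming\Microsoft.vbs",
]

print(*triage(SAMPLE), sep="\n")
```

The script only reads log text and changes nothing on the machine; the last tuple field separates scripts under AppData or Temp from the one under Program Files.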

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #4 on: November 01, 2013, 04:07:26 PM »
ok  ;)

Offline TwinHeadedEagle

Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #5 on: November 01, 2013, 07:25:16 PM »
Hi,


System is now clean, let's clean USB


Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #6 on: November 02, 2013, 02:06:59 PM »
my virus is completely gone!!!!!
thank you for all your help,  thank you, thank you  ;D :D :)
best regards

Offline TwinHeadedEagle

Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #7 on: November 02, 2013, 02:57:52 PM »
Did you follow my last post about MCShield? Please attach the report, so we can finish...

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #8 on: November 02, 2013, 03:02:10 PM »
yes I did  ;)
haha I forgot to attach the file, I'm sorry

Offline TwinHeadedEagle

Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #9 on: November 02, 2013, 03:37:45 PM »
Ok, we're done here :)

You're clean. Keep using MCShield, it will protect you in the future.


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #10 on: November 02, 2013, 03:54:53 PM »
oki  :)

Twin, thank you very much for taking your time to help me   ;D


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #11 on: November 02, 2013, 04:12:03 PM »
Quote
Yesterday my USB drive picked up a virus from an Internet cafe and my brother's laptop was infected, and now every time that I've inserted a USB in the laptop my files turned into shortcuts.
Your Brother may need a check also?...... or was this his computer



« Last Edit: November 02, 2013, 04:18:47 PM by Pondus »

RunaLlena

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #12 on: November 02, 2013, 05:14:55 PM »
Quote
Your Brother may need a check also?...... or was this his computer

it's my brother's laptop but I often use his computer, and the USB is mine  :)

and now it's clean  ;D

thank you

master_robotics

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #13 on: December 07, 2013, 05:04:42 AM »
Hello Twin headed eagle !

I am facing the same problem here, and I am attaching herewith the logs created by GMER and Farbar (Addition.txt and FRST.txt). I am facing the problem only with my PLAYSTATION PORTABLE FOLDERS and not with any other pen drive or external hard drive. I need to copy a game folder to play it, but all folders are shortcuts having cmd (C:\Windows\System32) as the destination folder.

Please help me

Thanks in advance


Offline TwinHeadedEagle

Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #14 on: December 07, 2013, 11:03:46 AM »
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
HKCU\...\Run: [MICROS~1] - C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS [152739 2013-09-26] () <===== ATTENTION
C:\Users\Balaji\AppData\Local\Temp\MICROS~1.VBS
Startup: C:\Users\Balaji\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MICROS~1.VBS ()
SearchScopes: HKCU - {A643866A-DEF7-471A-9D9B-6568AED1DC54} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253
BHO-x32: Browse2sauVe - {DAE24DC8-0763-9FBE-8520-236D139AECEE} - C:\ProgramData\Browse2sauVe\5145c9a53c1f3.dll No File
C:\ProgramData\Browse2sauVe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Balaji\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\Temp:862BDB1A
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



> Check USB storage devices / removable drives


Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.