Topic: cool.vbs in my usb drive and my start up folder

anamon

  • Guest
cool.vbs in my usb drive and my start up folder
« on: November 13, 2013, 07:59:54 PM »
Every USB drive I connect, all the folders become hidden and there's this cool.vbs in it, which is probably causing it. After searching I found the same cool.vbs in appdata\roaming and appdata\roaming\microsoft\windows\start menu.
Help please.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: cool.vbs in my usb drive and my start up folder
« Reply #1 on: November 13, 2013, 08:02:23 PM »
Start with the MCShield instructions and attach the log.
http://forum.avast.com/index.php?topic=53253.msg998925#msg998925


Offline Pondus

Re: cool.vbs in my usb drive and my start up folder
« Reply #2 on: November 13, 2013, 08:04:31 PM »
then continue with this


follow instructions and attach logs (not copy and paste)  http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL

when done, removal experts will be notified and help you
when finished, all tools used will be removed


anamon

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #3 on: November 13, 2013, 08:26:48 PM »
Reports attached.

Offline Pondus

Re: cool.vbs in my usb drive and my start up folder
« Reply #4 on: November 13, 2013, 08:35:15 PM »
Removal experts are notified; it may take some hours before one arrives, so be patient...


Offline Pondus

Re: cool.vbs in my usb drive and my start up folder
« Reply #5 on: November 13, 2013, 08:38:16 PM »
rerun AdwCleaner and this time click clean
rerun Malwarebytes ...make sure everything detected is marked for removal and click...remove selected


argus

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #6 on: November 13, 2013, 08:51:38 PM »
Hi,


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:OTL
IE - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www1.delta-search.com/?babsrc=HP_ss&mntrId=BC7694DE8007091B&affID=123884&tt=110813_YTB&tsp=4973
IE - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=BC7694DE8007091B&affID=123884&tt=110813_YTB&tsp=4973
O2:64bit: - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O4 - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001..\Run: [COOL] wscript.exe //B "C:\Users\Tamzeed\AppData\Roaming\COOL.vbs" File not found
O4 - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001..\Run: [tsiVideo] C:\Windows\SysWOW64\rundll32.exe C:\Users\Tamzeed\AppData\Local\Temp\\tsiVi032.dll,start File not found
O4 - Startup: C:\Users\Tamzeed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()

:files
C:\Users\Tamzeed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs
C:\Users\Tamzeed\AppData\Roaming\COOL.vbs

:commands
[CREATERESTOREPOINT]
[resethosts]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log





**********************************







Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "Driver MD5" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
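
An added example, not part of the post above or of any tool used in this thread: a small Python triage of O4 autorun lines in the format shown in the fix script in Reply #6, flagging entries that call a script host, point at a script file, or run from a user-writable directory. The flagging rules and the ExampleUpdater line are assumptions made for illustration.

```python
import re

# Sample input: the three O4 autorun lines quoted in the fix script above, plus
# one benign entry constructed for contrast (ExampleUpdater is hypothetical).
SAMPLE_LOG = r'''
O4 - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001..\Run: [COOL] wscript.exe //B "C:\Users\Tamzeed\AppData\Roaming\COOL.vbs" File not found
O4 - HKU\S-1-5-21-2525547328-2840125149-3846810408-1001..\Run: [tsiVideo] C:\Windows\SysWOW64\rundll32.exe C:\Users\Tamzeed\AppData\Local\Temp\\tsiVi032.dll,start File not found
O4 - Startup: C:\Users\Tamzeed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
O4 - HKLM..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
'''

# Assumed triage rules for this example, not OTL's own logic.
RUN_RE = re.compile(r'^O4 - \S+?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<path>.+?) \(.*\)$')
SCRIPT_HOST = re.compile(r'\b(?:wscript|cscript)(?:\.exe)?\b')
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)\b')
USER_WRITABLE = ('\\appdata\\', '\\temp\\')


def reasons_for(text):
    """Return the reasons an autorun command line or path looks suspicious."""
    t = text.lower()
    reasons = []
    if SCRIPT_HOST.search(t):
        reasons.append('script host')
    if SCRIPT_FILE.search(t):
        reasons.append('script file')
    if any(p in t for p in USER_WRITABLE):
        reasons.append('user-writable path')
    return reasons


def triage(log):
    """Parse O4 Run/Startup lines and return (label, reasons) for flagged ones."""
    flagged = []
    for line in (l.strip() for l in log.splitlines()):
        run = RUN_RE.match(line)
        startup = STARTUP_RE.match(line)
        if run:
            label, target = 'Run:' + run['name'], run['cmd']
        elif startup:
            path = startup['path']
            label, target = 'Startup:' + path.rsplit('\\', 1)[-1], path
        else:
            continue  # not an autorun line this example understands
        reasons = reasons_for(target)
        if reasons:
            flagged.append((label, reasons))
    return flagged


if __name__ == '__main__':
    for label, reasons in triage(SAMPLE_LOG):
        print(f'{label}: {", ".join(reasons)}')
```
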

Offline Pondus

Re: cool.vbs in my usb drive and my start up folder
« Reply #7 on: November 13, 2013, 08:53:59 PM »
this is one of the files found by MCShield
https://www.virustotal.com/en/file/125be26b664a203918d98b3fe0c518d4946b880d3b96ccdcdaab9bdbe936ab57/analysis/

the others have not been scanned at VT



anamon

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #8 on: November 13, 2013, 09:03:51 PM »
Reports attached.

argus

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #9 on: November 13, 2013, 09:20:19 PM »
OK, connect the flash drive and attach the MCShield last scan.txt

anamon

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #10 on: November 13, 2013, 09:37:48 PM »
Done. No cool.vbs, thanks. Thought I'd have to reinstall Win8 again. Thank you kindly.

argus

  • Guest
Re: cool.vbs in my usb drive and my start up folder
« Reply #11 on: November 13, 2013, 09:42:39 PM »
Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.




I recommend that you keep MCShield.
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.

Greeting.


btw.

You can set it as the image

« Last Edit: November 13, 2013, 09:48:24 PM by argus »