wscript.exe infected shortcut virus

[zrex030]

Some other day I saw that shortcuts of random folders in my pc are being created and when I place cursor above those shortcuts it showes this

"Location: cmd (C:\Windows\system32)"      ,when i click Properties in Target section it says

"C:\Windows\system32\cmd.exe /c start wscript.exe WinUsbDriver.vbs&start explorer New" "folder&exit"

I am sure that I got this from one of the computers on my university.

Please help,forward thanks...

[Machiavelli]

Hi!

I'm Machiavelli and I'm the doctor of your PC.

Like in hospital there are rules/tips:

> Removing Malware is normally difficult
> Please follow the instructions carefully
> Please stay in contact with me until the problem is fixed
> Please read my posts completely

!NOTE! Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

I am currently in training and my posts will need to be reviewed by an expert, so expect a slight delay between posts.

--------

Please follow this: http://forum.avast.com/index.php?topic=53253.0.

[zrex030]

ok,I will wait 

[Machiavelli]

Please follow this: http://forum.avast.com/index.php?topic=53253.0. - Thanks!

[zrex030]

that link broth me to make this topic and I would like to get similar help as the person who posted this topic http://forum.avast.com/index.php?topic=138715.0

[Machiavelli]

Nope - there are also instructions. Scroll down and make the OTL Scan and aswmbr scan ... Don't rush so much.

[zrex030]

im not rushing,im just waiting for specific instructions for solving  my problem 

[Machiavelli]

The instructions are mentioned in the link , but I'll post it now here:

• Download OTL to your Desktop
  
• Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the box in OTL. To do that:
  
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.
    
    

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    qmgr.dll
    winsock.*
    /md5stop
    dir "%systemdrive%\*" /S /A:L /C
    CREATERESTOREPOINT
    

    
    
• Open on the desktop. To do that:
  
  • XP users: Double click on the OTL icon.
    
  • Vista / 7 Users: Right click on the icon and click Run as Administrator)
    
• Make sure all other windows are closed.
• You will see a console like the one below:

• Click the box beside Scan All Users at the top of the console
• IF you have a 64bit Windows, click the box beside Include 64bit Scans at the top of the console.
  
• Make sure the Output box at the top is set to Standard Output.
  
• Check the boxes beside LOP Checkand Purity Check.
  Place the mouse pointer inside the box, right click and click Paste. This will put the above script inside OTL
  
• Click the button. Do not change any settings unless otherwise told to do so.
  
• Let the scan run uninterrupted.
• When the scan completes, it will open OTL.Txt on the desktop. The Extras.txt file will be minimized on the taskbar. These files is also saved in the same location as OTL (it should be on your desktop).
• Please copy the contents of these files and paste it into your reply. To do that:
• On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
• Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the in the post window.

Repeat for the Extras.txt file.

Then,

aswMBR

Please download aswMBR from one of the links below and save it to your Desktop.

Download Mirror #1

• Right-click on aswMBR.exe and select Run as Administrator.
  
• Click Yes when asked to download the Avast! definitions.
  
• Click Scan to initiate the scan.
  
• When the scan finishes, click Save Log and save this to your Desktop.
  
• Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
  

[/list][/list]

[zrex030]

Log files after OTL scan

[zrex030]

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-08 13:09:21
-----------------------------
13:09:21.405    OS Version: Windows x64 6.1.7601 Service Pack 1
13:09:21.406    Number of processors: 4 586 0x3A09
13:09:21.407    ComputerName: DRAGAN-PC  UserName: Dragan
13:09:21.412    Initialze error 1
13:09:24.223    AVAST engine defs: 13120601
13:09:32.593    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:09:32.595    Disk 0 Vendor: Hitachi_ GG2O Size: 476940MB BusType: 3
13:09:32.597    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
13:09:32.600    Disk 1 Vendor: SanDisk_ 11.5 Size: 22902MB BusType: 3
13:09:32.611    Disk 0 MBR read successfully
13:09:32.614    Disk 0 MBR scan
13:09:32.617    Disk 0 unknown MBR code
13:09:32.620    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
13:09:32.623    Disk 0 scanning C:\Windows\system32\drivers
13:09:32.626    Service scanning
13:09:33.163    Modules scanning
13:09:33.167    Disk 0 trace - called modules:
13:09:33.171    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
13:09:33.176    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80077ca060]
13:09:33.180    3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa8006570430]
13:09:33.184    5 ACPI.sys[fffff88000edd7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8006574050]
13:09:33.188    AVAST engine scan C:\Windows
13:09:33.192    AVAST engine scan C:\Windows\system32
13:09:33.196    AVAST engine scan C:\Windows\system32\drivers
13:09:33.200    AVAST engine scan C:\Users\Dragan
13:09:33.204    AVAST engine scan C:\ProgramData
13:09:33.208    Scan finished successfully
13:09:36.832    Disk 0 MBR has been saved successfully to "C:\Users\Dragan\Desktop\MBR.dat"
13:09:36.836    The log file has been saved successfully to "C:\Users\Dragan\Desktop\aswMBR.txt"

[zrex030]

Waiting for further istructions...

[Michael (alan1998)]

Waiting for further istructions...

As Mach is in Germany, It might be a while till he gets online. Please be patient

[Machiavelli]

As Mach is in Germany, It might be a while till he gets online. Please be patient

From where do you know that I'm from Germany?

Free Space Warning

I see you have only less than 15% free space on your PC. That is another reason for the slowness of your computer. Because of that I recommend uninstalling software which you don't use at all.

Punkbuster Advice

We don't recommend using Punkbuster while we are fixing your PC. I see you have some gaming tools installed like Punkbuster - Punkbuster uses techniques which are like Spyware/Malware! A Fact is that it takes control about your PC and they meet the definition of Malware! I know, I'm myself a gamer, that you need Punkbuster for cool games like Battlefield 4 etc. but while we are fixing your PC it would be clever to disable Punkbuster. So please follow the following steps below:

• Download the Removal Tool for Punkbuster from here
  
• Right-click on pbsvc.exe and select Run as Administrator (if you use Win Vista / Win 7 / Win .
  
• Make sure that Uninstall/Remove PunkBuster Service is selected.
  
• Click on Next >> Yes >> Finish.
• Reboot(restart) your machine if not prompted to do so.

When we are finished you can install it again if you like of course.

SideBar Advice

In your logs I see that Windows SideBar is running! At the moment Windows Sidebar has a security vulnerability and so I recommend you to disable it for a while. More information is here so far I noticed.

To disable Windows Sidebar please follow the instructions below:

• Download the FixIt from here to your Desktop
  
• Double click on MicrosoftFixit50906.msi and follow the prompts to disable Windows Sidebar and gadgets. Once finished, reboot your computer if not advised to do so.
  

Uninstalls

I want you to uninstall following programs (XP: Start > Control Panel > Add/Remove Programs |  Vista / Win7 / Win8: Start > Control Panel > uninstall a program):

• Movies Toolbar for Chrome (Dist. by MaxiGet Ltd.)
• Movies Toolbar for Internet Explorer (Dist. by MaxiGet Ltd.)
• Funmoods

[Machiavelli]

OTL Fix

• Run OTL.
  
• Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:
  
  
  

Code: [Select]

:Commands
[CreateRestorePoint]

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
IE - HKLM\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ask.com/?o=APN10640A&gct=hp&d=484-003&v=n9795-166&t=4
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=AE11FE85DE2A1987&affID=122304&tsp=4940
IE - HKU\S-1-5-21-743841737-3555611461-1389555401-1001\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8484}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=003&systemid=484&v=n9795-166&apn_uid=3411734024104107&apn_dtid=BND484&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\1.5.23.22\bh\escort.dll (Funmoods BHO)
O2 - BHO: (SelectionLinks) - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - C:\Program Files (x86)\OApps\SelectionLinks.dll (SelectionLinks)
O2 - BHO: (Movies Toolbar (Dist. by MaxiGet Ltd.)) - {a25ac361-002e-48e8-833b-e614322236b4} - C:\Program Files (x86)\Movies Toolbar\SafetyNut\SRTOOL~1\IE\searchresultsDx.dll ()
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Movies Toolbar (Dist. by MaxiGet Ltd.)) - {a25ac361-002e-48e8-833b-e614322236b4} - C:\Program Files (x86)\Movies Toolbar\SafetyNut\SRTOOL~1\IE\searchresultsDx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:[b]64bit:[/b] - HKLM..\Run: [DptfPolicyLpmServiceHelper] C:\Windows\SysWOW64\DptfPolicyLpmServiceHelper.exe File not found
O4 - HKU\S-1-5-21-743841737-3555611461-1389555401-1001..\Run: [WinUsbDriver] wscript.exe //B "C:\Users\Dragan\AppData\Local\Temp\WinUsbDriver.vbs" File not found
O8:[b]64bit:[/b] - Extra context menu item: Translate with Di dictionary -  File not found
O8 - Extra context menu item: Translate with Di dictionary -  File not found
O20:[b]64bit:[/b] - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN64C~1.DLL) - C:\ProgramData\Wincert\win64cert.dll ()
O20:[b]64bit:[/b] - AppInit_DLLs: (C:\PROGRA~2\MOVIES~1\SAFETY~1\x64\SAFETY~2.DLL) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetyldr.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN32C~1.DLL) - C:\ProgramData\Wincert\win32cert.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~2\MOVIES~1\SAFETY~1\SAFETY~2.DLL) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetyldr.dll ()
O27:[b]64bit:[/b] - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browsemngr.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browsermngr.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\bundlesweetimsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\cltmngsvc.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta babylon.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta tb.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\delta2.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltainstaller.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltasetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltatb.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\deltatb_2501-c733154b.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\iminentsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\sweetimsetup.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27:[b]64bit:[/b] - HKLM IFEO\tbdelta.exetoolbar783881609.exe: Debugger - C:\Windows\SysNative\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bitguard.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsemngr.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserdefender.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsermngr.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browserprotect.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\bundlesweetimsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\cltmngsvc.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta babylon.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta tb.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\delta2.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltainstaller.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltasetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltatb.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\deltatb_2501-c733154b.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\iminentsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\sweetimsetup.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\tbdelta.exetoolbar783881609.exe: Debugger - C:\Windows\SysWow64\tasklist.exe (Microsoft Corporation)
O33 - MountPoints2\{1d848c7c-1b7d-11e2-8126-3085a914edfa}\Shell - "" = AutoRun
O33 - MountPoints2\{1d848c7c-1b7d-11e2-8126-3085a914edfa}\Shell\AutoRun\command - "" = F:\Windows\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Windows\AutoRun.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Windows\AutoRun.exe
O36 - AppCertDlls: x64 - (C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetycrt.dll) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetycrt.dll ()
O36 - AppCertDlls: x86 - (C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll) - C:\Program Files (x86)\Movies Toolbar\SafetyNut\safetycrt.dll ()
[2013.11.15 00:25:54 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserProtect
[2013.11.15 00:25:54 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
[2013.11.15 00:25:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Browser Manager
[2013.11.14 23:26:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Wincert
[2013.11.14 23:26:04 | 000,000,000 | ---D | C] -- C:\Users\Dragan\AppData\Local\catalinagroupltdmoviestoolbarha
[2013.11.14 23:25:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Movies Toolbar
[2013.11.14 23:25:46 | 000,000,000 | ---D | C] -- C:\ProgramData\SafetyNut
[2013.12.06 01:38:05 | 000,010,905 | ---- | M] () -- C:\end
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:5216CD26

:Commands
[EMPTYTEMP]


• Click the Run Fix button.
  
• After the reboot a log will open - please post the content of that file into your next reply

AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1

• Right-click on AdwCleaner.exe and select Run as administrator.
  
• Click Scan and let the scan run.
  
• When it finishes, click Clean, following the on screen prompts
  
• After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.

Note: The log can also be found in here: C:\AdwCleaner\

[Machiavelli]

JRT Run

  Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
  
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

MCShield 2

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

OTL

• Run OTL by double-clicking on it.
  
• Click Quick Scan to start OTL.
  
• When OTL finishes scanning, a logs, OTL.txt will open.
  
• Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.