Topic: Help: COOL.vbs infected flash drive

JuliaGB
Help: COOL.vbs infected flash drive
« on: December 12, 2013, 07:12:10 AM »
Hello,

I've been infected by this COOL.vbs virus when I gave a friend my flash drive to copy a file. Right after I got it back I noticed all my files were suddenly shortcuts! I tried to make them reappear by un-hiding them like I read somewhere, and although they appeared for a few seconds, that was clearly not the issue. I know this thing copies itself to my user files (I can see it when I look at the files through the command prompt but not Explorer), but I can't delete it, so I'd be very grateful if someone could help me kill it once and for all, because I'm clearly in over my head here. I checked the other threads to see if there was a tool or something that would take care of it but nothing has worked. I've tried Malwarebytes Anti-Malware (full scan, didn't find anything) and AVG (nothing). So I installed MCShield, and formatted my flash drive. Here are the logs from FRST. Please let me know if you need anything else.

Thanks in advance! :)

Pondus
Re: Help: COOL.vbs infected flash drive
« Reply #1 on: December 12, 2013, 07:15:47 AM »
If you installed MCShield, then there was no need to wipe your USB stick, as MCShield would have cleaned it.

OK, time to check your machine...
Attach an OTL diagnostic log: http://forum.avast.com/index.php?topic=53253.0

« Last Edit: December 12, 2013, 07:17:25 AM by Pondus »


argus
Re: Help: COOL.vbs infected flash drive
« Reply #2 on: December 12, 2013, 07:28:51 AM »
Monitoring



JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #3 on: December 12, 2013, 07:37:14 AM »
Oh, well... I guess I was just angry at it for causing me so many problems! :( Thankfully, there wasn't anything too important in there.

OK, here it is.

argus
Re: Help: COOL.vbs infected flash drive
« Reply #4 on: December 12, 2013, 07:40:38 AM »


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
HKCU\...\Run: [COOL] - C:\Users\Julia\AppData\Roaming\COOL.vbs [150749 2013-11-14] ()
C:\Users\Julia\AppData\Roaming\COOL.vbs
Startup: C:\Users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
2013-12-11 19:45 - 2013-11-14 21:51 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
2013-11-14 21:51 - 2013-12-11 19:45 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
C:\Users\Julia\AppData\Local\Temp\.gbas.dll
C:\Users\Julia\AppData\Local\Temp\arh5gdfr.dll
C:\Users\Julia\AppData\Local\Temp\COIOSHelper.dll
C:\Users\Julia\AppData\Local\Temp\Execute2App.exe
C:\Users\Julia\AppData\Local\Temp\hdsaujkb.dll
C:\Users\Julia\AppData\Local\Temp\i4jdel0.exe
C:\Users\Julia\AppData\Local\Temp\jijjnrzs.dll
C:\Users\Julia\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Julia\AppData\Local\Temp\lowproc.exe
C:\Users\Julia\AppData\Local\Temp\msvcp90.dll
C:\Users\Julia\AppData\Local\Temp\msvcr90.dll
C:\Users\Julia\AppData\Local\Temp\SAV2RemoveAll.exe
C:\Users\Julia\AppData\Local\Temp\ShellLink.dll
C:\Users\Julia\AppData\Local\Temp\stubhelper.dll
C:\Users\Julia\AppData\Local\Temp\utt2E8.tmp.exe
C:\Users\Julia\AppData\Local\Temp\vyub4t5e.dll

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.







> Check USB storage devices / removable drives


Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.



JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #5 on: December 12, 2013, 08:00:35 AM »
OK, here's the log. And I haven't used any USB sticks other than the one I formatted :)

JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #6 on: December 12, 2013, 08:07:40 AM »
This might be a stupid question, but there's a file with no extension with some Chinese characters in the same directory as FRST... is that normal?

argus
Re: Help: COOL.vbs infected flash drive
« Reply #7 on: December 12, 2013, 08:32:54 AM »
Quote: is that normal?

It isn't :)

Is this set?

Run FRST again.



Edit.


Attach here -> AllScans.txt (MCShield).
« Last Edit: December 12, 2013, 08:38:27 AM by argus »



JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #8 on: December 12, 2013, 09:01:28 AM »
Alright, I'm a little confused now, but let's see...

I opened a new txt file to check that ANSI was selected there, and it was. Was that what you meant?

Then I ran FRST again; here are the two logs. The file with the Chinese characters is still there, should I delete it?

Then I decided to stick the flash drive in just in case, and surprise surprise, that stupid COOL.vbs was there, visible. Then MCShield worked and it was gone... but when I put it back in, COOL.vbs was still on it (or maybe it got on it again?). Here's the AllScans log as well.

Thanks for your patience, btw.

argus
Re: Help: COOL.vbs infected flash drive
« Reply #9 on: December 12, 2013, 09:12:20 AM »
The fixlist must be on your Desktop; start FRST and click Fix.



argus
Re: Help: COOL.vbs infected flash drive
« Reply #10 on: December 12, 2013, 09:27:34 AM »
I'm on the forum for two hours, but I think everything will be OK.



JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #11 on: December 12, 2013, 09:29:19 AM »
OK, here's the Fixlog. It still says it couldn't delete one thing...

argus
Re: Help: COOL.vbs infected flash drive
« Reply #12 on: December 12, 2013, 11:49:08 AM »
I did it wrong, no problem ;D



Scan with ComboFix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how ComboFix works here.

  • Temporarily disable your antivirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

  • Run ComboFix. Click on I Agree! and follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt)
« Last Edit: December 12, 2013, 12:14:44 PM by argus »



JuliaGB
Re: Help: COOL.vbs infected flash drive
« Reply #13 on: December 12, 2013, 05:20:21 PM »
Here goes!

argus
Re: Help: COOL.vbs infected flash drive
« Reply #14 on: December 12, 2013, 08:47:55 PM »
Open Notepad and copy/paste the text present inside the code box below:

Code:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-

File::
c:\users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs

Save this as CFScript.txt

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).


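An added example serving both the FRST fixlist in Reply #4 and the CFScript in Reply #14 (my own PowerShell, not code from the thread, FRST or ComboFix): a read-only audit of the two persistence spots those scripts clean (the HKCU Run key and the per-user Startup folder), plus a triage of a removable drive for the hidden-files-plus-shortcuts pattern described in the first post. The drive letter, the script-extension list and the function names are assumptions.

```powershell
# Added example, not code from the thread, FRST or ComboFix. Read-only audit of
# the persistence spots the fixlist and CFScript above remove, plus triage of a
# removable drive for the "files turned into shortcuts" pattern from the first post.
$ScriptExt = '\.(vbs|vbe|js|jse|wsf)$'   # assumed list of script-host extensions

function Get-ScriptAutostart {
    # 1) HKCU Run values whose command line references a script file
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match $ScriptExt) {
            [pscustomobject]@{ Location = "Run\$($p.Name)"; Target = $p.Value }
        }
    }
    # 2) Script files dropped into the per-user Startup folder
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $ScriptExt } |
        ForEach-Object { [pscustomobject]@{ Location = 'Startup'; Target = $_.FullName } }
}

function Get-ShortcutWormIndicators {
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\' (assumed letter)
    $shell = New-Object -ComObject WScript.Shell
    # Hidden+System files: invisible in Explorer, visible to 'dir /a' in cmd
    $hidden = Get-ChildItem -Path $DriveRoot -Force -File |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       ($_.Attributes -band [IO.FileAttributes]::System) }
    # Shortcuts whose real target is a script host or cmd, not the file they mimic
    $lnks = Get-ChildItem -Path $DriveRoot -Filter *.lnk -File | ForEach-Object {
        $s = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{ Shortcut = $_.Name; Target = $s.TargetPath; Args = $s.Arguments }
    } | Where-Object { $_.Target -match '\\(wscript|cscript|cmd)\.exe$' }
    [pscustomobject]@{ HiddenSystemFiles = @($hidden.FullName); SuspiciousShortcuts = @($lnks) }
}

# Only after the shortcuts are confirmed bogus: clear the S/H/R attributes so the
# real files reappear, then remove the decoy .lnk files (each deletion is confirmed).
function Restore-HiddenFiles {
    param([Parameter(Mandatory)][string]$DriveRoot)
    & attrib.exe -s -h -r /s /d (Join-Path $DriveRoot '*')
    Get-ChildItem -Path $DriveRoot -Filter *.lnk -File | Remove-Item -Confirm
}

Get-ScriptAutostart | Format-Table -AutoSize
```

Run `Get-ShortcutWormIndicators -DriveRoot 'E:\'` with the stick inserted (and autorun disabled) to see which hidden files and decoy shortcuts are present before deciding on cleanup.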