Topic: Help: COOL.vbs infected flash drive

JuliaGB

  • Guest
Help: COOL.vbs infected flash drive
« on: December 12, 2013, 07:12:10 AM »
Hello,

I've been infected by this COOL.vbs virus when I gave a friend my flash drive to copy a file. Right after I got it back I noticed all my files were suddenly shortcuts! I tried to make them reappear by un-hiding them like I read somewhere, and although they appeared for a few seconds, that was clearly not the issue. I know this thing copies itself to my user files (I can see it when I look at the files through the command prompt but not Explorer), but I can't delete it, so I'd be very grateful if someone could help me kill it once and for all, because I'm clearly in over my head here. I checked the other threads to see if there was a tool or something that would take care of it but nothing has worked. I've tried Malwarebytes Anti-Malware (full scan, didn't find anything) and AVG (nothing). So I installed MCShield, and formatted my flash drive. Here are the logs from FRST. Please let me know if you need anything else.

Thanks in advance! :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Help: COOL.vbs infected flash drive
« Reply #1 on: December 12, 2013, 07:15:47 AM »
If you installed MCShield, then there was no need to wipe your USB stick, as MCShield would have cleared it.

OK, time to check your machine...
Attach the OTL diagnostic log: http://forum.avast.com/index.php?topic=53253.0

« Last Edit: December 12, 2013, 07:17:25 AM by Pondus »

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #2 on: December 12, 2013, 07:28:51 AM »
Monitoring

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #3 on: December 12, 2013, 07:37:14 AM »
Oh, well... I guess I was just angry at it for causing me so many problems!  :( Thankfully, there wasn't anything too important in there.

Ok, here it is.

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #4 on: December 12, 2013, 07:40:38 AM »


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
HKCU\...\Run: [COOL] - C:\Users\Julia\AppData\Roaming\COOL.vbs [150749 2013-11-14] ()
C:\Users\Julia\AppData\Roaming\COOL.vbs
Startup: C:\Users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()
2013-12-11 19:45 - 2013-11-14 21:51 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
2013-11-14 21:51 - 2013-12-11 19:45 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs
C:\Users\Julia\AppData\Local\Temp\.gbas.dll
C:\Users\Julia\AppData\Local\Temp\arh5gdfr.dll
C:\Users\Julia\AppData\Local\Temp\COIOSHelper.dll
C:\Users\Julia\AppData\Local\Temp\Execute2App.exe
C:\Users\Julia\AppData\Local\Temp\hdsaujkb.dll
C:\Users\Julia\AppData\Local\Temp\i4jdel0.exe
C:\Users\Julia\AppData\Local\Temp\jijjnrzs.dll
C:\Users\Julia\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Julia\AppData\Local\Temp\lowproc.exe
C:\Users\Julia\AppData\Local\Temp\msvcp90.dll
C:\Users\Julia\AppData\Local\Temp\msvcr90.dll
C:\Users\Julia\AppData\Local\Temp\SAV2RemoveAll.exe
C:\Users\Julia\AppData\Local\Temp\ShellLink.dll
C:\Users\Julia\AppData\Local\Temp\stubhelper.dll
C:\Users\Julia\AppData\Local\Temp\utt2E8.tmp.exe
C:\Users\Julia\AppData\Local\Temp\vyub4t5e.dll

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

> Check USB storage devices / removable drives


Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has created.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
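As an added example (not code from the thread, from FRST's authors or from MCShield), a small Python triage script that reads lines in the FRST log format shown in the fixlist above and flags the persistence pattern this worm relies on: an autorun entry or Startup item that launches a script file from a user-writable folder, and a script file carrying the hidden+system attributes (the `___SH` flags). The sample lines are constructed from the entries above plus two benign fillers (SynTPEnh and notes.txt) to show what is not flagged.

```python
import re
from typing import Dict, List

# Constructed sample lines in FRST's log format, modelled on the fixlist in
# Reply #4 above; the SynTPEnh and notes.txt lines are benign fillers.
SAMPLE_FRST_LINES = [
    r"HKCU\...\Run: [COOL] - C:\Users\Julia\AppData\Roaming\COOL.vbs [150749 2013-11-14] ()",
    r"HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2828584 2012-10-15] (Synaptics Incorporated)",
    r"Startup: C:\Users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs ()",
    r"2013-12-11 19:45 - 2013-11-14 21:51 - 00150749 ___SH C:\Users\Julia\AppData\Roaming\COOL.vbs",
    r"2013-12-11 19:40 - 2013-12-11 19:40 - 00001234 ____A C:\Users\Julia\Documents\notes.txt",
]

# Windows Script Host / HTA extensions that a worm like COOL.vbs runs under.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
# Folders a non-admin user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# "HKCU\...\Run: [name] - path [size date] (vendor)"
RUN_RE = re.compile(r"^HK\w+\\.*?\\Run: \[(?P<name>[^\]]*)\] - (?P<path>.+?)(?: \[\d+ [\d-]+\])? \((?P<vendor>[^)]*)\)$")
# "Startup: path (vendor)"
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
# "modified - created - size attributes path"
FILE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ){2}\d+ (?P<attr>\S+) (?P<path>.+)$")


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        reasons: List[str] = []
        path = ""
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            path = m.group("path").lower()
            if path.endswith(SCRIPT_EXT):
                reasons.append("autorun launches a script file")
            if any(d in path for d in USER_WRITABLE):
                reasons.append("autorun target lives in a user-writable directory")
            # A missing vendor string is only corroborating evidence, so it is
            # reported just when something else already looks wrong.
            if reasons and not m.group("vendor").strip():
                reasons.append("no company/version info on the autorun target")
        elif (f := FILE_RE.match(line)):
            attr, path = f.group("attr"), f.group("path").lower()
            if "S" in attr and "H" in attr and path.endswith(SCRIPT_EXT):
                reasons.append("script file carries hidden+system attributes")
        if reasons:
            findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FRST_LINES):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run against a real FRST.txt by reading its lines into `triage()`; each finding maps back to the log line so it can be copied into a fixlist for review.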

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #5 on: December 12, 2013, 08:00:35 AM »
Ok, here's the log. And I haven't used any other usb sticks other than the one I formatted :)

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #6 on: December 12, 2013, 08:07:40 AM »
This might be a stupid question, but there's a file with no extension with some Chinese characters in the same directory as FRST... is that normal?

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #7 on: December 12, 2013, 08:32:54 AM »
Quote
is that normal?

It isn't :)


Is this set?

Run FRST again.



Edit.


Attach here -> AllScans.txt (MCShield).
« Last Edit: December 12, 2013, 08:38:27 AM by argus »

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #8 on: December 12, 2013, 09:01:28 AM »
Alright, I'm a little confused now, but let's see...

I opened a new txt file to check that ANSI was selected there, and it was. Was that what you meant?

Then I ran FRST again, here are the two logs. The file with the Chinese characters is still there, should I delete it?

Then I decided to stick the flash drive in just in case, and surprise surprise, that stupid COOL.vbs was there, visible. Then MCShield worked and it was gone... but when I put it back in, COOL.vbs was still on it (or maybe it got on it again?). Here's the AllScans log as well.

Thanks for your patience, btw

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #9 on: December 12, 2013, 09:12:20 AM »
fixlist must be on your desktop; start FRST and click Fix

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #10 on: December 12, 2013, 09:27:34 AM »
I'm on the forum for two hours, but I think everything will be OK.

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #11 on: December 12, 2013, 09:29:19 AM »
Ok, here's the Fixlog. It still says it couldn't delete one thing...

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #12 on: December 12, 2013, 11:49:08 AM »
I did it wrong, no problem  ;D



Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.

  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
    (typical log location: C:\ComboFix.txt )
« Last Edit: December 12, 2013, 12:14:44 PM by argus »

JuliaGB

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #13 on: December 12, 2013, 05:20:21 PM »
Here goes!

argus

  • Guest
Re: Help: COOL.vbs infected flash drive
« Reply #14 on: December 12, 2013, 08:47:55 PM »
Open notepad and copy/paste the text present inside the code box below:


Code:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL"=-

File::
c:\users\Julia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COOL.vbs

Save this as CFScript.txt



Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )