Author Topic: wscript/shortcut virus  (Read 7132 times)

0 Members and 1 Guest are viewing this topic.

ZosoPage

  • Guest
wscript/shortcut virus
« on: February 10, 2014, 11:51:59 PM »
Hi everyone!,

Recently I've been experimenting some troubles with this virus: both my USB drive and my smartphone got infected by this annoying malware.

Any help would be really appreciated, thanks!  :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #1 on: February 11, 2014, 03:32:15 PM »
Hi there, lets clean the usb up first and then search for other bad boys

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

THEN

Download OTL  to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach  both logs

ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #2 on: February 11, 2014, 10:15:10 PM »
Hi again!

Sorry for the late reply, should I plug both the USB drive and the phone or just the USB drive for the moment?

Thanks for your time, sir!  ;)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #3 on: February 11, 2014, 10:18:12 PM »
Do both one after the other, although I am not sure that MCShield works on a phone...  Is the phone Android or Apple ?

ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #4 on: February 11, 2014, 10:31:35 PM »
It's an Android phone.

So, if I undestood it right, I have to do two different MCShield scans: one for the USB drive and another one for the phone, right?

Concerning to the OTL scan: should I scan with the USB and the phone plugged or it is not necessary?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
Re: wscript/shortcut virus
« Reply #5 on: February 11, 2014, 11:05:33 PM »
Quote
Concerning to the OTL scan: should I scan with the USB and the phone plugged or it is not necessary?
disconnected

MCShield will do a auto scan evrytime you plug in a usb drive....you may try the phone also

then as requested attach the allscan log




Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #6 on: February 11, 2014, 11:14:41 PM »

ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #7 on: February 12, 2014, 04:00:20 PM »
Hello!

Alright, thank you both, here are the logs. The problem is, in the folder where I saved OTL I couldn't find any file called Extras.txt, just the OTL.txt

And no, essexboy, I don't have any AV on my phone, so thanks for the suggestion! :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
Re: wscript/shortcut virus
« Reply #8 on: February 12, 2014, 04:14:50 PM »
Quote
I couldn't find any file called Extras.txt, just the OTL.txt
it is only created first time you run OTL ..... run it before?
anyway it is not important, and usually not needed..... just extra tech info

Essexboy will be online later and continue.      ;)


ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #9 on: February 12, 2014, 04:28:39 PM »
Haha yeah, I have run it before changing it to another folder, but I couldn't find it anyway...

Oh, and I plugged in my phone again and got a new (better) scan, where some new items were found  :o

Thanks Pondus, have a nice day!



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #10 on: February 12, 2014, 04:51:34 PM »
OK it is a mess the main problem is the VBE file on the phone

Run this programme with the phone connected

Download  Anti VBS/VBE to your desktop

  • download the appropriate version (32 bit or 64 bit) and double click the file to run it.
  • After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
  • Post that report
Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=hp&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
IE - HKU\S-1-5-21-2104657585-1371390912-4140370265-1001\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&q={searchTerms}&installDate=18/09/2013
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=TightropeYB&dpid=TightropeYB&co=ES&userid=c3d7b72b-02db-73ce-110a-1283139a1138&searchtype=ds&installDate=18/09/2013&q="
FF - prefs.js..network.proxy.http: "213.0.88.86"
FF - prefs.js..network.proxy.http_port: 8080
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Usuario\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - HKU\S-1-5-21-2104657585-1371390912-4140370265-1001..\Run: [iTunesHelper] wscript.exe //B "C:\Users\Usuario\AppData\Local\Temp\iTunesHelper.vbe" File not found
O4 - Startup: C:\Users\Usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe ()
[2014/02/02 17:45:54 | 033,349,632 | -HS- | C] () -- C:\Users\Usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe
(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\?????) -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\?????

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
FINALLY

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #11 on: February 13, 2014, 02:14:56 PM »
Good morning!

Finally I had some time and here are the logs. The thing is after running AdwCleaner I got two logs, AdwCleaner[S0].txt and AdwCleaner[R0].txt, but there's no AdwCleaner[S1].txt.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #12 on: February 13, 2014, 03:24:56 PM »
How is the computer behaving now, any problems ?

ZosoPage

  • Guest
Re: wscript/shortcut virus
« Reply #13 on: February 14, 2014, 02:13:44 PM »
How is the computer behaving now, any problems ?

Hello! Computer is behaving normal (just like before), but my phone is still infected, as well as my USB drive :(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript/shortcut virus
« Reply #14 on: February 14, 2014, 02:16:24 PM »
OK for the phone could you download and install the Avast antivirus and then run a full scan

For the USB I would recommend that you reformat it