shortcut virus

[emilica]

Hi. I'd appreciate it if you could help me with a malware that is creating shortcuts on my usb. The shortcuts are from System32. On the internet I only found some hints how to remove the virus from the usb but I would like to get it out of my laptop too. I am running windows 7 ultimate. Please help and thank you

[Pondus]

attach Malwarebytes and OTL logs.   http://forum.avast.com/index.php?topic=53253.0

[emilica]

There you go.
Note: In the otl program the option "Include 64bit scans" did not appear. I followed the rest of the instructions.

[Pondus]

malware experts are notified .... it may take some time before they are online

[magna86]

I'm looking at posted logs ...be right back ...

[magna86]

Hi,

Do NOT use any USB memory device untill we clean host mashine.


Please download zoek by smeenk () from here or here and save it to your Desktop.
Unpack the archive...

• Close any open browsers
• Temporarily disable your AntiVirus program. (If necessary)
  If you are unsure how to do this please read this or this Instruction.
  
  
• Double click on zoek.exe to run the tool .
  Please wait while the tool does not start...
  
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code: [Select]

uwldapow;s
taskkill /F /IM wscript.exe;b
EmptyAllTemp;
C:\Users\emi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tihlgokflt..vbs;f
StartUpAll;


• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

[emilica]

Ty Pondus and magna for helping me solve this.

Here is the zoek-results

[magna86]

=> Please download Anti-VBSVBE and save it to your desktop.

Note: There are two versions, 32bit and 64bit. You need to run the version compatible with your system.

• Double click to run the tool and wait until it finishes.
• It will make a log named Anti-VBSVBE.txt. Please post it to your reply.
  

.



=> Re-run Zoek tool as you did before ...
Please wait while the tool does not start...

• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code: [Select]

EmptyCLSID;
[HKEY_USERS\S-1-5-21-1215436295-3838858105-3426281895-1000\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[HKEY_USERS\S-1-5-21-1215436295-3838858105-3426281895-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run];r
"tihlgokflt"=-;r
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tihlgokflt];r
AutoClean;

• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

.



=> Now we will check USB memory device on malware. MCShield shall remove all USB related malware ...


Please download MCShield from one of the following links:

MCShield -Official download link

• Double click on MCShield-Setup to install the application.
  Next => I Agree => Next => Install ... per installation click on Run! button.
  
• Wait a few seconds to MCShield finish initial HDD scan...
• Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
• When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt


Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

[emilica]

I am attaching here the next files:

[Pondus]

this is one of the files found by MCShield
https://www.virustotal.com/en-gb/file/eb551bfdc64cdf7a7b7d83d3c70e89caa5e493dc43ae36b3c5ef8dba970d6068/analysis/


magna86 will be back and remove the tools used when all is ok..

[magna86]

Ok emilica, this looks clean. As malware is removed, would you please tell me how is the computer behavior now?

[emilica]

The computer seems to be running faster now that's for sure... And when I copy documents on the usb it doesn't appear as a shortcut anymore. Thank you very much for all the help, I appreciate it (especially since I am not really good with computers I know that your work is difficult). Which of the programs I have installed I remove and how (control panel, just delete)?

[magna86]

Hi and Yes, we will remove the tools using anather one named as DelFix. 


• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

[emilica]

Just a notice before I start using the last program: when I checked the processes in Task Manager I noticed 2 rundll32.exe running each with different memory occupation. Should I be concerned with it?

[Pondus]

i dont think that is a problem..... magna will be back an tell you

MCshield program you keep, it will protect you from USB infections