Author Topic: Shortcut virus - location: cmd (C:\Windows\System32) ????  (Read 15960 times)

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #30 on: September 08, 2014, 08:47:57 AM »
Step 1

Please download Anti-VBSVBEx86.exe to your Desktop.
  • Double-click to run the tool and wait until it finishes.
  • It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.

Step 2

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.

Step 3

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:

Start
Task: {D80A6CFD-33D8-41C1-8154-74647AFF21B0} - \EPUpdater No Task File <==== ATTENTION
HKU\S-1-5-21-243076342-1454535561-2724800007-1000\...\MountPoints2: {15c632a0-d7b2-11dd-96b1-8c89a50159ac} - E:\AutoRun.exe
HKU\S-1-5-21-243076342-1454535561-2724800007-1000\...\MountPoints2: {6297d694-90f7-11e2-b4d3-8c89a50159ac} - E:\AutoRun.exe
HKU\S-1-5-21-243076342-1454535561-2724800007-1000\...\MountPoints2: {cbe44750-ea1b-11e2-83c5-b803059b2836} - E:\autorun.exe
HKU\S-1-5-21-243076342-1454535561-2724800007-1000\...\MountPoints2: {f2656dca-8d14-11e2-9086-806e6f6e6963} - E:\AutoRun.exe
HKU\S-1-5-21-243076342-1454535561-2724800007-1000\...\MountPoints2: {f2656e0b-8d14-11e2-9086-8c89a50159ac} - E:\AutoRun.exe
Ask Toolbar (HKLM\...\Ask Toolbar_is1) (Version: 4.1.0.5 - Ask.com) <==== ATTENTION
Torch (HKCU\...\Torch) (Version: 25.0.0.3359 - Torch Media Inc.) <==== ATTENTION
Reboot:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #31 on: September 09, 2014, 03:26:17 AM »
Here are the logs:

« Last Edit: September 09, 2014, 04:07:49 AM by RichardGonzaga »

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #32 on: September 09, 2014, 07:38:56 AM »
Please download MCShield from one of the following links:

MCShield - Official download link
  • Double-click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... per installation click on Run! button.
  • Wait a few seconds for MCShield to finish the initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post a log report that MCShield has created.
Under the Logs tab (in Control Center), for the AllScans.txt log section, click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post AllScans.txt here

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Re-run FRST and click Scan. Attach the report here.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #33 on: September 09, 2014, 04:51:20 PM »
Hey guys, can we postpone fixing the second laptop and turn to the 3rd laptop? Because some important matters came up. If it's okay with you guys? But we can continue the second laptop tomorrow or in the following days?

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #34 on: September 09, 2014, 05:40:38 PM »
I will attach the logs for MBAM, AdwCleaner, MCShield, aswMBR, FRST and ComboFix tomorrow, okay? ;D ;D ;D But please tell me what is not necessary.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #35 on: September 09, 2014, 06:20:51 PM »
Second laptop is clean.

ComboFix is needless.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #36 on: September 09, 2014, 06:25:12 PM »
For the 3rd one ^_^

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #37 on: September 09, 2014, 06:26:25 PM »
For MCShield->

>>> MCShield AllScans.txt <<<
-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.9.6.1 / Windows 8 <<<

9/9/2014 11:15:05 PM > Drive C: - scan started (no label ~231 GB, NTFS HDD )...
=> The drive is clean.

9/9/2014 11:15:10 PM > Drive D: - scan started (no label ~234 GB, NTFS HDD )...
=> The drive is clean.

9/9/2014 11:15:11 PM > Drive H: - scan started (no label ~120 MB, FAT flash drive )...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.9.6.1 / Windows 8 <<<

9/10/2014 12:17:20 AM > Drive C: - scan started (no label ~231 GB, NTFS HDD )...
=> The drive is clean.

9/10/2014 12:17:22 AM > Drive D: - scan started (no label ~234 GB, NTFS HDD )...
=> The drive is clean.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #38 on: September 09, 2014, 06:27:23 PM »
For the 2nd laptop. Thank you bro.
« Last Edit: September 09, 2014, 06:29:57 PM by RichardGonzaga »

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #39 on: September 09, 2014, 07:18:54 PM »
Uninstall USB Security.

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter-x32: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
CHR StartupUrls: Default -> "hxxp://www.sweet-page.com/?type=hp&ts=1409102478&from=cor&uid=ST9500325AS_S2WFRLH3XXXXS2WFRLH3", "", "hxxp://start.pcfaster.com?_bid=fc227c5c700bbd6e3260db1f7c1ef5e0&_t=hpsf", "about:blank"
C:\ProgramData\FileSplitUpLoad.dll
HKU\S-1-5-21-2700310972-707006990-2831406632-1001\...\MountPoints2: {27465cfd-3693-11e4-bedc-685d43c01335} - "E:\AutoRun.exe"
EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

****************************

Please download Malwarebytes Anti-Malware ver. 2.0 and install the application.

Double-click on mbam-setup.exe and follow the prompts to install the program. Upon installation, click Finish.
Note: A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish.
On the first launch, you'll get an "Update" notification. Click the 'Update Now >>' link or button to complete the update.

• Configure the scanner. On the Settings tab, under Detection and Protection, adjust the following options:
- subtab Detection Options, tick the box 'Scan for rootkits'.
- subtab Non-Malware Protection, for PUP detections, change 'Warn user about detections' to 'Treat detections as malware'.

• Perform the scan. Click on the Scan tab, then click on Scan Now >> for Threat Scan.
If an update is available, click the 'Update Now' button, then continue to Scan.
Note: only with some infections, you may see this message box 'Could not load DDA driver'.
In this case, click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.

When the scan is complete, click Apply Actions. Wait for the prompt to restart the computer to appear, then click on Yes.

• Post the logs. Click on the History tab > Application Logs. Double-click on the Scan Log which shows the date and time of the scan just performed.
- Click the Export button at the bottom, and then select 'Text file (*.txt)'.
- In the Save File dialog box which appears, click on Desktop.
- In the File name: box type "mbam" (without quotes) for your scan log name and click Save.
- A message box "Your file has been successfully exported" should appear; click Ok and close the windows.

Please attach the exported/saved log named mbam.txt to your next reply.

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #40 on: September 10, 2014, 04:29:11 AM »
Here.


REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #41 on: September 10, 2014, 09:12:48 AM »
How is the situation now?

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #42 on: September 11, 2014, 08:00:30 AM »
It seems okay now. ;D Thank you for the help. For the last laptop I will attach the logs tomorrow :)

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #43 on: September 12, 2014, 07:25:29 AM »
Hey guys. I think the 3rd laptop has a problem. Because I transferred AdwCleaner, FRST, ComboFix, MCShield and aswMBR onto a memory card, and when I put it into the 4th laptop the files were turned into shortcuts. :-\

REDACTED

  • Guest
Re: Shortcut virus - location: cmd (C:\Windows\System32) ????
« Reply #44 on: September 13, 2014, 08:46:24 PM »
@RichardGonzaga

Download the programs directly from the internet. Do you have 4 laptops?

Do not use the pendrive until I say so.
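
Added example, not part of any post in this thread and not from any tool named in it: a read-only PowerShell check that lists shortcuts on a drive whose target is cmd.exe under System32, the symptom named in the topic title. The default drive letter H:\ is taken from the flash drive in the MCShield log above; the function names Get-ShortcutTarget and Find-CmdShortcut are made up for this example.

```powershell
# Added example: report .lnk files whose target is cmd.exe in System32.
# Read-only: nothing on the drive is deleted or changed.
param(
    # Assumption: H:\ is the removable drive to inspect; pass another root if needed.
    [string]$Drive = 'H:\'
)

function Get-ShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    # WScript.Shell loads an existing .lnk and exposes its target and arguments.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    [pscustomobject]@{
        Shortcut  = $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments   # what cmd.exe is told to run
    }
}

function Find-CmdShortcut {
    param([Parameter(Mandatory)][string]$Root)
    # -Force includes hidden and system items in the listing.
    Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ShortcutTarget -Path $_.FullName } |
        Where-Object { $_.Target -match '(?i)\\System32\\cmd\.exe$' }
}

$hits = @(Find-CmdShortcut -Root $Drive)
if ($hits.Count -eq 0) {
    Write-Output "No shortcuts targeting cmd.exe found under $Drive"
} else {
    # Show each hit with its full argument string for review by the helper.
    $hits | Format-List
}
```

The Arguments column is the part worth posting alongside the other logs, since it shows what each shortcut asks cmd.exe to start.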