Shortcut virus - location: cmd (C:\Windows\System32) ????

[REDACTED]

hi all!
my USB drive picked up a virus from an Internet cafe, and now every time that I've inserted an USB in the laptop my files turned into shortcuts. I right-clicked one of the shortcuts, and looked at where its target location is, and it's somewhere in System32. When I open its target location, it takes me to System32, and the file in System32 that it highlights is cmd.exe

plzz help  me:(

[Eddy]

https://forum.avast.com/index.php?topic=53253.0

[REDACTED]

i found some old topic, and maby you can help me here? i need code for  fixlist.txt

[Pondus]

see here  https://forum.avast.com/index.php?topic=53253.0
 scroll down to  SPECIFIC INFECTIONS LOGS  run MCShield as instructed, this log you copy and paste in next reply

essexboy will be online later today and help you

[REDACTED]

ok thanks,  im waiting him,

here log file from MCShield,  its show me program deleted virus but after some seconds its back:(

[Eddy]

Please attach the log again, this time saved as plain text (UTF-8)

[REDACTED]

again problem with log,



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.2.15.1 / Windows 8.1 <<<


17.02.2015 13:56:00 > Drive F: - scan started (no label ~1912 MB, FAT flash drive )...



---> Executing generic S&D routine... Searching for files hidden by malware...


---> Items to process: 1

---> F:\Sexy.jpg > unhidden.



>>> F:\Sexy.lnk - Malware > Deleted. (15.02.17. 13.56 Sexy.lnk.650097; MD5: fde45e6ed202ee88663341bfffa68f27)

>>> F:\MerciJacquieMichel.vbe - Malware > Deleted. (15.02.17. 13.56 MerciJacquieMichel.vbe.139808; MD5: 08efa9b636991a80da1a6fd09fccce5e)

>>> F:\System Volume Information.lnk - Malware > Deleted. (15.02.17. 13.56 System Volume Information.lnk.912023; MD5: 866f6d8cd08f0d5f7d6c2aaad05421c6)

> Resetting attributes: F:\System Volume Information < Successful.


=> Malicious files   : 3/3 deleted.
=> Hidden folders    : 1/1 unhidden.
=> Hidden files      : 1/1 unhidden.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________

[REDACTED]

nobody cant help me?

[Asyn]

Be patient, it might take a while...

[REDACTED]

in task manager im kill process lssass  and Microsoft ® Windows Based Script Host,
after disable thise programs in autorun,
flash usb shows me file sexy( size 50 mg) im deleted ,  after reconect usb and it was empty no virus!  im enable autorun process again  and after restarting pc  shortcut of sexy file ''virus'' again in my  flash usb:((((


p.s.  sory for my bad english 

[essexboy]

Run MCShield on completion of the FRST fix please

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-2651378886-156977901-1411103180-1001\...\Run: [MerciJacquieMichel] => wscript.exe //B "C:\Users\anzori\AppData\Local\Temp\MerciJacquieMichel.vbe" <===== ATTENTION
HKU\S-1-5-21-2651378886-156977901-1411103180-1001\...\Run: [Microsoft] => C:\Users\anzori\AppData\Roaming\lssass.exe [52428800 2012-12-10] ()
HKU\S-1-5-21-2651378886-156977901-1411103180-1001\...\Run: [HKCU] => C:\Users\anzori\AppData\Roaming\windir\svchost.exe [52428800 2012-12-10] ()
Startup: C:\Users\anzori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MerciJacquieMichel.vbe ()
U3 pxldrpog; \??\C:\Users\anzori\AppData\Local\Temp\pxldrpog.sys [X]
2015-02-16 21:34 - 2012-12-10 15:48 - 52428800 ___SH () C:\Users\anzori\AppData\Roaming\lssass.exe
C:\Users\anzori\AppData\Local\Temp\MerciJacquieMichel.vbe
C:\Users\anzori\AppData\Roaming\lssass.exe
C:\Users\anzori\AppData\Roaming\windir
C:\Users\anzori\AppData\Local\Temp\pxldrpog.sys
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

i did it,  i think its over!  thank you very very! 

how i can make thise fixlist.txt  for my other pc?

[Pondus]

  how i can make thise fixlist.txt  for my other pc? 

by attaching logs from that computer as you did with this one.... But dont start before essexboy say so, he is not finish with this one yet

[REDACTED]

i cant do it without ataching files here?

[Pondus]

i cant do it without ataching files here?

the fix made is based on the logs that comes from that specific computer  ...... read the red txt in essexboys post