Author Topic: Shortcut pendrive virus  (Read 2536 times)


REDACTED

  • Guest
Shortcut pendrive virus
« on: April 11, 2018, 09:30:48 PM »
Hello. My computer is infected with the shortcut virus. 2 of my usb sticks are full of shortcuts that send to CMD, and none of the original folders. I will attach the logs requested on this link:
https://forum.avast.com/index.php?topic=194892.0

Malwarebytes, Farbar Recovery and MCShield

Any help is appreciated.

Offline Pondus

  • Probably Bot
  • Posts: 37534
  • Not a avast user
Re: Shortcut pendrive virus
« Reply #1 on: April 11, 2018, 09:40:29 PM »
The log from MCShield must be copied / pasted ... a forum bug makes it unreadable when attached.



REDACTED

  • Guest
Re: Shortcut pendrive virus
« Reply #2 on: April 11, 2018, 10:01:58 PM »
OK. Once more, onto the breach:



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<


4/11/2018 10:26:19 PM > Drive G: - scan started (KINGSTON ~3815 MB, FAT32 flash drive )...



---> Executing generic S&D routine... Searching for files hidden by malware...


---> Items to process: 9

---> G:\DATE SCOALA.docx > unhidden.

---> G:\Structura an scolar -calendar.pdf > unhidden.

---> G:\rofuip_2018.pdf > unhidden.

---> G:\antet scoala 2017.docx > unhidden.

---> G:\cerere naveta prof..pdf > unhidden.

---> G:\Notificare MECS la inv tehnic si profesional.pdf > unhidden.

---> G:\TEZE___2017-2018.pdf > unhidden.

---> G:\E. LEITOIU.zip > unhidden.

---> G:\Legea_nr._1-2011.pdf > unhidden.




---> Note: paranoid mode is enabled.


>>> G:\DATE SCOALA.lnk - Malware > Deleted. (18.04.11. 22.27 DATE SCOALA.lnk.212048; MD5: 7fc8c8efa57adc4c88c393bf17ddbaff)

>>> G:\Structura an scolar -calendar.lnk - Malware > Deleted. (18.04.11. 22.27 Structura an scolar -calendar.lnk.473396; MD5: 8307fe180446b209d92506184290027a)

>>> G:\rofuip_2018.lnk - Malware > Deleted. (18.04.11. 22.27 rofuip_2018.lnk.12655; MD5: 266b7bc4e4f7d6551ddd8938f28f7f39)

>>> G:\antet scoala 2017.lnk - Malware > Deleted. (18.04.11. 22.27 antet scoala 2017.lnk.142285; MD5: 2f1527a7219bdcb6bad427a0ce5aae37)

>>> G:\cerere naveta prof.lnk - Malware > Deleted. (18.04.11. 22.27 cerere naveta prof.lnk.832023; MD5: 5165776b3ebd3b1014e8db8cd20ec0b2)

>>> G:\Notificare MECS la inv tehnic si profesional.lnk - Malware > Deleted. (18.04.11. 22.27 Notificare MECS la inv tehnic si profesional.lnk.733114; MD5: 2843062d98810ffa5e1e36084933e46d)

>>> G:\TEZE___2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 TEZE___2017-2018.lnk.138163; MD5: fb6b41cf46737115b3417fec5942fb22)

>>> G:\E.lnk - Malware > Deleted. (18.04.11. 22.27 E.lnk.540326; MD5: 03eb10e79e4375ca1c6e4ff53b7687b9)

>>> G:\Legea_nr.lnk - Malware > Deleted. (18.04.11. 22.27 Legea_nr.lnk.818991; MD5: 76be4f877709c56d3d21481db1200766)

>>> G:\PROIECT ROSE.lnk - Malware > Deleted. (18.04.11. 22.27 PROIECT ROSE.lnk.15617; MD5: 8bb83113ed5af1ed91648f58371389be)

>>> G:\doc catedra.lnk - Malware > Deleted. (18.04.11. 22.27 doc catedra.lnk.910892; MD5: f37de8c8a82adb8e25245e8eea61c1e4)

>>> G:\doc diriginte.lnk - Malware > Deleted. (18.04.11. 22.27 doc diriginte.lnk.723603; MD5: a1765cfee3635de259d3028bb859cfea)

>>> G:\doc profesor.lnk - Malware > Deleted. (18.04.11. 22.27 doc profesor.lnk.387934; MD5: 09d16eb7b9a6961a2a7ea1e1fe13f4e9)

>>> G:\comisia de etica si integritate.lnk - Malware > Deleted. (18.04.11. 22.27 comisia de etica si integritate.lnk.489882; MD5: ba21dd9aa1ed98b0d3060dc5cbc98913)

>>> G:\EDUCATIE TEHNOLOGICA.lnk - Malware > Deleted. (18.04.11. 22.27 EDUCATIE TEHNOLOGICA.lnk.669190; MD5: b094c1b36ee12fb84530140f25a4ebe5)

>>> G:\informari 2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 informari 2017-2018.lnk.678735; MD5: 19b37e54cba3def2c56c6386d0139c04)

>>> G:\comisia CEAC.lnk - Malware > Deleted. (18.04.11. 22.27 comisia CEAC.lnk.666413; MD5: db05b6f46cb085c72f974a2995891686)

>>> G:\EXAMENE.lnk - Malware > Deleted. (18.04.11. 22.27 EXAMENE.lnk.201913; MD5: d5558d739c1b406014619bc90437eb1d)

>>> G:\comisia curriculum.lnk - Malware > Deleted. (18.04.11. 22.27 comisia curriculum.lnk.478304; MD5: 88a79c2164c8447886e9f4b6643b0b8a)

>>> G:\CONCURS MESERII.lnk - Malware > Deleted. (18.04.11. 22.27 CONCURS MESERII.lnk.760381; MD5: 40d639e9aeab5ebb788199cd3b7c4098)

>>> G:\Acrobat.lnk - Malware > Deleted. (18.04.11. 22.27 Acrobat.lnk.399304; MD5: d4a73a76f18b665cfeac261e9efd5a14)

>>> G:\OMEN 2017-2018.lnk - Malware > Deleted. (18.04.11. 22.27 OMEN 2017-2018.lnk.55106; MD5: af7c1ee4c2385251fe556d7df15f8d13)

>>> G:\System Volume Information.lnk - Malware > Deleted. (18.04.11. 22.27 System Volume Information.lnk.881111; MD5: 1a3a340e0128f022258d7ba9a5b598eb)

>>> G:\Microsoft Excel.WsF - Malware > Deleted. (18.04.11. 22.27 Microsoft Excel.WsF.842245; MD5: bb70089db80ea6afb5d5a12271591df2)

> Resetting attributes: G:\PROIECT ROSE < Successful.

> Resetting attributes: G:\doc catedra < Successful.

> Resetting attributes: G:\doc diriginte < Successful.

> Resetting attributes: G:\doc profesor < Successful.

> Resetting attributes: G:\comisia de etica si integritate < Successful.

> Resetting attributes: G:\EDUCATIE TEHNOLOGICA < Successful.

> Resetting attributes: G:\informari 2017-2018 < Successful.

> Resetting attributes: G:\comisia CEAC < Successful.

> Resetting attributes: G:\EXAMENE < Successful.

> Resetting attributes: G:\comisia curriculum < Successful.

> Resetting attributes: G:\CONCURS MESERII < Successful.

> Resetting attributes: G:\Acrobat < Successful.

> Resetting attributes: G:\OMEN 2017-2018 < Successful.

> Resetting attributes: G:\System Volume Information < Successful.


=> Malicious files   : 24/24 deleted.
=> Hidden folders    : 14/14 unhidden.
=> Hidden files      : 9/9 unhidden.

____________________________________________

::::: Scan duration: 46sec :::::::::::::::::
____________________________________________
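As an added example (not part of the thread, and not MCShield's or FRST's own code), here is a small Python triage script for the log format shown in this post. It embeds a constructed excerpt of the Drive G: lines above plus the single Drive F: line posted later in the thread, correlates each deleted decoy .lnk with the hidden file or folder whose name it impersonated (the log shows the decoy takes the original name cut at its first dot, so "E. LEITOIU.zip" became "E.lnk"), and isolates the one non-shortcut item, the script file, whose MD5 recurs on the second drive.

```python
"""Triage of an MCShield scan log from a 'shortcut virus' cleanup.

Added example: this is not code from the forum thread, from MCShield or
from FRST. It only parses the log format visible in the posted scan.
"""
import re

# Constructed excerpt: a subset of the lines from the Drive G: scan above,
# plus the single line from the later Drive F: scan, copied as posted.
SAMPLE_LOG_G = r"""
---> G:\DATE SCOALA.docx > unhidden.
---> G:\cerere naveta prof..pdf > unhidden.
---> G:\E. LEITOIU.zip > unhidden.
---> G:\Legea_nr._1-2011.pdf > unhidden.
>>> G:\DATE SCOALA.lnk - Malware > Deleted. (18.04.11. 22.27 DATE SCOALA.lnk.212048; MD5: 7fc8c8efa57adc4c88c393bf17ddbaff)
>>> G:\cerere naveta prof.lnk - Malware > Deleted. (18.04.11. 22.27 cerere naveta prof.lnk.832023; MD5: 5165776b3ebd3b1014e8db8cd20ec0b2)
>>> G:\E.lnk - Malware > Deleted. (18.04.11. 22.27 E.lnk.540326; MD5: 03eb10e79e4375ca1c6e4ff53b7687b9)
>>> G:\Legea_nr.lnk - Malware > Deleted. (18.04.11. 22.27 Legea_nr.lnk.818991; MD5: 76be4f877709c56d3d21481db1200766)
>>> G:\PROIECT ROSE.lnk - Malware > Deleted. (18.04.11. 22.27 PROIECT ROSE.lnk.15617; MD5: 8bb83113ed5af1ed91648f58371389be)
>>> G:\Acrobat.lnk - Malware > Deleted. (18.04.11. 22.27 Acrobat.lnk.399304; MD5: d4a73a76f18b665cfeac261e9efd5a14)
>>> G:\System Volume Information.lnk - Malware > Deleted. (18.04.11. 22.27 System Volume Information.lnk.881111; MD5: 1a3a340e0128f022258d7ba9a5b598eb)
>>> G:\Microsoft Excel.WsF - Malware > Deleted. (18.04.11. 22.27 Microsoft Excel.WsF.842245; MD5: bb70089db80ea6afb5d5a12271591df2)
> Resetting attributes: G:\PROIECT ROSE < Successful.
> Resetting attributes: G:\Acrobat < Successful.
> Resetting attributes: G:\System Volume Information < Successful.
"""

SAMPLE_LOG_F = r"""
>>> F:\Microsoft Excel.WsF - Malware > Deleted. (18.04.15. 01.53 Microsoft Excel.WsF.46536; MD5: bb70089db80ea6afb5d5a12271591df2)
"""

DELETED_RE = re.compile(
    r"^>>> (?P<path>.+?) - Malware > Deleted\. \(.*MD5: (?P<md5>[0-9a-fA-F]{32})\)$")
UNHIDDEN_RE = re.compile(r"^---> (?P<path>.+?) > unhidden\.$")
RESET_RE = re.compile(r"^> Resetting attributes: (?P<path>.+?) < Successful\.$")


def basename(path: str) -> str:
    """Last component of a Windows path as written in the log."""
    return path.rsplit("\\", 1)[-1]


def decoy_stem(original: str) -> str:
    """Name a decoy shortcut would carry for this original item.

    In the posted log the shortcut takes the original name cut at its first
    dot: 'E. LEITOIU.zip' became 'E.lnk' and 'Legea_nr._1-2011.pdf' became
    'Legea_nr.lnk'. Folder names in the log contain no dot, so they map 1:1.
    """
    return original.split(".", 1)[0]


def triage(log_text: str) -> dict:
    """Group log lines into unhidden items, decoy shortcuts and droppers."""
    files, folders, decoys, droppers = [], [], {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := UNHIDDEN_RE.match(line):
            files.append(basename(m["path"]))
        elif m := RESET_RE.match(line):
            folders.append(basename(m["path"]))
        elif m := DELETED_RE.match(line):
            name = basename(m["path"])
            if name.lower().endswith(".lnk"):
                decoys[name[:-4]] = m["md5"]      # decoy stem -> MD5
            else:
                droppers[name] = m["md5"]         # the script file itself
    # Map each possible decoy stem back to the hidden original it impersonates.
    originals = {decoy_stem(f): f for f in files}
    originals.update({d: d for d in folders})
    matched = {stem: originals[stem] for stem in decoys if stem in originals}
    orphans = sorted(stem for stem in decoys if stem not in originals)
    return {
        "unhidden_files": files,
        "unhidden_folders": folders,
        "decoys": decoys,
        "droppers": droppers,
        "matched": matched,
        "orphans": orphans,
    }


def shared_droppers(*logs: str) -> set:
    """MD5s of non-shortcut malware present on every scanned drive."""
    sets = [set(triage(log)["droppers"].values()) for log in logs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    g = triage(SAMPLE_LOG_G)
    for stem, original in g["matched"].items():
        print(f"{stem}.lnk impersonated {original}")
    print("droppers:", g["droppers"])
    print("same dropper on both drives:", shared_droppers(SAMPLE_LOG_G, SAMPLE_LOG_F))
```

The "orphans" list is the useful check after a real cleanup: a decoy whose stem matches no unhidden file or folder means an original was not recovered and needs a manual look.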


Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Shortcut pendrive virus
« Reply #3 on: April 12, 2018, 04:01:26 AM »
I'll pull Sass Drake or another expert to assist you.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: Shortcut pendrive virus
« Reply #4 on: April 12, 2018, 08:11:25 AM »
Thank you!

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 820
Re: Shortcut pendrive virus
« Reply #5 on: April 12, 2018, 09:16:45 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
HKU\S-1-5-21-3433359063-1357698818-1656963194-1000\...\Run: [Microsoft Excel] => wscript.exe //B "C:\Users\Andrei\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF"
VirusTotal: C:\Users\Andrei\AppData\Roaming\Microsoft Office\Microsoft Excel.WsF;
C:\Users\Andrei\AppData\Roaming\Microsoft Office
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: Shortcut pendrive virus
« Reply #6 on: April 13, 2018, 01:58:28 AM »
Attaching fixlog.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 820
Re: Shortcut pendrive virus
« Reply #7 on: April 14, 2018, 09:01:29 PM »
What is pendrive status now?

REDACTED

  • Guest
Re: Shortcut pendrive virus
« Reply #8 on: April 15, 2018, 01:06:52 AM »
I have inserted one of the potentially infected usb-drives. mcshield detected malware. This happened:

4/15/2018 1:52:54 AM > Drive F: - scan started (stick ~14778 MB, NTFS flash drive )...


>>> F:\Microsoft Excel.WsF - Malware > Deleted. (18.04.15. 01.53 Microsoft Excel.WsF.46536; MD5: bb70089db80ea6afb5d5a12271591df2)


=> Malicious files   : 1/1 deleted.

And no shortcuts appeared. I have repeated this with a few more usb-drives and mcshield deleted another Microsoft Excel.WsF.
It seems that my computer is clean! YAY!

But, um, could someone please explain what happened? What did Excel have to do with anything?

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Shortcut pendrive virus
« Reply #9 on: April 15, 2018, 03:39:50 AM »
Hi,

I'll pop in to explain this one.

What did Excel have to do with this? Nothing. The name of the file was Microsoft Excel - that name can be very easily manipulated, much like you name a document when you're saving it. *.WsF stands for Windows Script File. One of the things I asked Sass Drake to do when he removed the file was to send it to VirusTotal - one of the nice things about this website is it allows the right people to download the file, and tells me what it is. In this case, it was a VBS Script file. An extremely common way to infect via USB.

If you visit the link from your fixlog (see below) Sass Drake has actually commented on it.

How did you become infected? Something common. An internet cafe, library computer, email with an attachment, even someone visiting your place with a USB. Someone, somewhere didn't use some form of Anti-USB protection and spread it. The only way to prevent it is something like MCShield that will stop the auto-run sequence until it's finished scanning it.

Quote
VirusTotal: C:\Users\Andrei\AppData\Roaming\Microsoft Office\Microsoft Excel.WsF => https://www.virustotal.com/file/d98509a855d077f9012c510061f56f0a52d6dc3cb63d6501da65908f492b82c6/analysis/1521532251/
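Michael's explanation covers what the .WsF file is; the fixlist in Reply #5 shows how it was kept running on the PC, as a Run key value that starts wscript.exe in batch mode (//B) on a script under the user's AppData folder. The following Python is an added example, not code from the thread, from FRST or from MCShield. It parses the one-line "HKU\...\Run: [name] => command" form that FRST prints and reports the three traits of that entry a defender would check: a script host as the launched program, the //B switch that hides script errors and prompts, and a script stored in a user-writable location. The benign entry and the product name in it are constructed for contrast.

```python
"""Flag Run-key autostart entries of the kind shown in the fixlist above.

Added example: not code from the thread, from FRST or from MCShield. It
reads the one-line "HKU\\...\\Run: [name] => command" form that FRST prints
and applies three defender-side checks to the command it launches.
"""
import re

RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\(?P<key>.*?)\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # Windows Script Host binaries
SCRIPT_EXTS = (".wsf", ".vbs", ".vbe", ".js", ".jse")  # file types those hosts run

# Copied from the fixlist posted in Reply #5.
INFECTED_ENTRY = (r'HKU\S-1-5-21-3433359063-1357698818-1656963194-1000\...\Run: '
                  r'[Microsoft Excel] => wscript.exe //B '
                  r'"C:\Users\Andrei\AppData\Roaming\Microsoft Office\\Microsoft Excel.WsF"')
# Constructed benign entry for contrast (hypothetical product and path).
BENIGN_ENTRY = (r'HKLM\...\Run: [ExampleUpdater] => '
                r'"C:\Program Files\Example\updater.exe" /background')


def tokens(cmd: str) -> list:
    """Split a command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def assess_run_entry(entry: str) -> list:
    """Return the reasons an autostart entry looks like script-based persistence.

    An empty list means none of the three checks fired.
    """
    m = RUN_RE.match(entry)
    if not m:
        raise ValueError("not an FRST Run entry: " + entry)
    parts = tokens(m["cmd"])
    exe = parts[0].rsplit("\\", 1)[-1].lower()
    scripts = [p for p in parts[1:] if p.lower().endswith(SCRIPT_EXTS)]
    reasons = []
    if exe in SCRIPT_HOSTS and scripts:
        script_name = scripts[0].rsplit("\\", 1)[-1]
        reasons.append(f"{exe} launches a script file ({script_name})")
    if any(p.lower() == "//b" for p in parts):
        reasons.append("//B batch mode suppresses script errors and prompts")
    if any("\\appdata\\" in p.lower() for p in scripts):
        reasons.append("script lives under the user-writable AppData tree")
    return reasons


if __name__ == "__main__":
    for label, entry in (("infected", INFECTED_ENTRY), ("benign", BENIGN_ENTRY)):
        print(label, "->", assess_run_entry(entry) or ["no findings"])
```

Each check on its own is only a signal (administrators do run signed logon scripts through cscript.exe), but all three together on a value named after an Office product is exactly the pattern the fixlist removed.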

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 820
Re: Shortcut pendrive virus
« Reply #10 on: April 15, 2018, 11:55:33 AM »
Your PC is clean now.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

REDACTED

  • Guest
Re: Shortcut pendrive virus
« Reply #11 on: April 18, 2018, 09:04:57 PM »
Done, and done. Many thanks to you, kind sirs! I hope I won't be returning with yet another similar request.