flash drive infection

[jeremydw]

I have the same problem as this users post. please help. I've done step 2 GMER.

http://forum.avast.com/index.php?topic=138715.0

[jeremydw]

 

[TwinHeadedEagle]

Then, follow instructions for other two tools and attach reports...

[jeremydw]

how do I attach? I tried copying and pasting, didnt work.

[TwinHeadedEagle]

Click Attachments and other options below type field...

[jeremydw]

thanks.

[TwinHeadedEagle]

Ok, do not use USB until we clean system. Unplug it, and do not use it!


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

() C:\Users\Administrator\AppData\Local\Temp\Livemocha.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
HKLM\...\Run: [bsrcifwdwj] - C:\Users\Administrator\AppData\Local\Temp\bsrcifwdwj..vbs [73993 2013-08-09] () <===== ATTENTION
HKLM\...\Run: [83202a340eb5a597bdd6a5a7999d30e7] - C:\Users\Administrator\AppData\Local\Temp\Livemocha.exe [120320 2013-11-24] () <===== ATTENTION
C:\Users\Administrator\AppData\Local\Temp\bsrcifwdwj..vbs
C:\Users\Administrator\AppData\Local\Temp\Livemocha.exe
HKLM\...\Run: [uyhhjfselh] - C:\Users\Administrator\AppData\Local\Temp\uyhhjfselh.vbs [128757 2013-12-13] () <===== ATTENTION
C:\Users\Administrator\AppData\Local\Temp\uyhhjfselh.vbs
HKCU\...\Run: [bsrcifwdwj] - C:\Users\Administrator\AppData\Local\Temp\bsrcifwdwj..vbs [73993 2013-08-09] () <===== ATTENTION
HKCU\...\Run: [83202a340eb5a597bdd6a5a7999d30e7] - C:\Users\Administrator\AppData\Local\Temp\Livemocha.exe [120320 2013-11-24] () <===== ATTENTION
HKCU\...\Run: [uyhhjfselh] - C:\Users\Administrator\AppData\Local\Temp\uyhhjfselh.vbs [128757 2013-12-13] () <===== ATTENTION
MountPoints2: {37b685a8-2d35-11e3-9bd4-001fc65f6dab} - J:\HTC_Sync_Manager_PC.exe
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83202a340eb5a597bdd6a5a7999d30e7.exe ()
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsrcifwdwj..vbs ()
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uyhhjfselh.vbs ()
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FyC0D0A0B0EtC0DzytN0D0Tzu0CyCtBtAtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1885743359&ir=
C:\Users\Administrator\AppData\Local\Temp
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

[jeremydw]

Done.

[jeremydw]

shall I move on to step MCShield?

[TwinHeadedEagle]

Re-run FRST, press Scan and attach fresh report.

[jeremydw]

ok. Rescanned.

[TwinHeadedEagle]

Good, PC is clean, procede with MCShield step...

[jeremydw]

Great! Thanks. You are the man.

[TwinHeadedEagle]

Great! Thanks. You are the man.

We're not yet done, follow my instructions...