How to remove shortcut virus - 'Baoewo.exe'

[redburns28]

I have come across a virus that has infected a computer and now infects every flash drive used on the system. I've done both a full scan and boot scan with AVAST, but nothing seems to come up. I noticed when I tried to use a locked flash drive on the system that the program 'Baoewo.exe' is trying to access that locked drive, but can not. I've checked the start-up programs and have found it there, but can't seem to find where the actual program is hiding. There is also another program with similar letters as the one listed above as well as a program that's just a bunch of random characters - Any ideas on how to remove this virus?  

[Pondus]

Follow this guide and attach all logs in next reply

http://forum.avast.com/index.php?topic=53253.0

[redburns28]

I followed the guide for both the admin account and the main user account. I believe the admin account isn't infected because the flash drives are not harmed when logged onto that particular account. I'll post the Main use account logs first and then re-reply with the admin logs next.

[redburns28]

And here are the scan logs for the admin account.

Thanks!!

[essexboy]

Avast has it's doubts about user32  so I will remove the bit I can see and then use a bigger hammer

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  O4 - HKU\S-1-5-21-216074569-3003746500-884372839-1000..\Run: [baoewo] C:\Users\user\baoewo.exe ()
  
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[redburns28]

Here are the latest two scans.
-m

[essexboy]

Hi could you allow Combofix to update please as it is old

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

File::

FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll|c:\windows\System32\user32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[redburns28]

I'm unable to update Combofix becuase the computer I'm working on is unable to connect to the Internet due to it's location. Is there any other way to update the program - maybe a site where I can get the update? I've checked the site where I originally got the program, but didn't see any links for updates.

Any ideas?
-m

[essexboy]

Download a fresh copy as the links I gave are updated daily

[redburns28]

Good news is that the computer no longer changes the flash drive's files into shortcuts, so I think we may have fixed the problem if not real close

Here is the latest scan.
-m

[essexboy]

Yep the userinit was not kosher 

Could you now run MBAM and let me know of any remaining problems please

Please download Malwarebytes' Anti-Malware[/b]
 
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.[/b]