[JSntgRvr]

I am glad it worked. Download and run DelFix to remove the quarantine folder.

Be safe.

[Advertisements]

Hi! I'm back to tell you that I found the cause of these malicious shortcuts and folders.

 

When I plug my Android tablet, it displays an error that I can't skip or restart, I can only cancel : "wscript.exe - No Disk There is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR5".

 

And in my local disk C:, the old folders and files are created instantly, like the folder C:\security, the file C:\config.dat etc.

 

I hope you can help me solve this problem permanently .

[Saliom]

Hi! I'm back to tell you that I found the cause of these malicious shortcuts and folders.

 

When I plug my Android tablet, it displays an error that I can't skip or restart, I can only cancel : "wscript.exe - No Disk There is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR5".

 

And in my local disk C:, the old folders and files are created instantly, like the folder C:\security, the file C:\config.dat etc.

 

I hope you can help me solve this problem permanently .

[JSntgRvr]

Have you used a USB flash drive?

Lets take a look. Wonder if the tablet is infected.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Make sure that under Optional Scans, there is a checkmark on Addition.txt and Shortcut.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another two logs (Addition.txt and Shortcut.txt). Please attach these to your reply.

[Saliom]

Yes I have an USB flash drive.
 
Here is the  FRST.txt   30.71KB   407 downloads.
 
I noticed an other thing, every restart, the key "IsShortcut" in "HKEY_CLASSES_ROOT\lnkfile" in the Windows Registry is removed. So, I can't extend my list of favorites in the File Browser and I can't pin any program in the taskbar of Windows.

 

I do not understand where this another problem came.

[JSntgRvr]

The IsShortcut value has no data. Lets refresh that file association:

• Copy the entire contents of the Quote Box below to Notepad. (except the word quote) 
• Leave an empty line at the end of the script
• Name the file as fix.reg
• Change the Save as Type to All Files
• and Save it on the desktop
• Once saved, double click on the fix.reg file and merge it into the Registry.

Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\.LNK]
@="lnkfile"
 
[HKEY_CLASSES_ROOT\.LNK\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\.LNK\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\.LNK\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\.LNK\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\.LNK\ShellNew]
"Handler"="{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}"
"IconPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,\
  31,00,36,00,37,00,36,00,39,00,00,00
"ItemName"="@shell32.dll,-30397"
"MenuText"="@shell32.dll,-30318"
"NullFile"=""
 
[HKEY_CLASSES_ROOT\.LNK\ShellNew\Config]
"DontRename"=""
 
[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"FriendlyTypeName"="@shell32.dll,-4153"
"IsShortcut"=""
"NeverShowExt"=""
 
[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu]
@="{37ea3a21-7493-4208-a011-7f9ea79ce9f5}"
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
@=""
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"
 
[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
 
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LNK\UserChoice]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LNK\OpenWithProgids]
"lnkfile"=hex(0):

 

Download the enclosed file. 
 
Save it in the same location FRST is saved.
 
Launch FRST and click on the Fix button.

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

It should also produce a folder on the desktop, tosubmit. Zip that folder and upload the zipped folder here.

[Saliom]

The import with the .reg was as error : "The specified file is not a registry script" like the screenshot below.

 

 

I think I have a problem with my windows registry .

[JSntgRvr]

The import with the .reg was as error : "The specified file is not a registry script" like the screenshot below.

 

 

I think I have a problem with my windows registry .

 

Download the enclosed folder. 

 

Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, open the folder and double click on the Regfix.reg file and select Yes when prompted to merge it into the registry. Let me know if the same error is returned.

 

Proceed with the second request on the previous post. 

[Saliom]

Now I have the following error message :

 

Cannot import D:\Bureau\RegFix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes.

Edited by Saliom, 26 May 2014 - 06:54 AM.

[JSntgRvr]

Now I have the following error message :

 

Cannot import D:\Bureau\RegFix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes.

Did you perform the rest of the instructions on Post #20?

[Saliom]

Yes, here is my  Fixlog.txt   9.65KB   456 downloads, but it doesn't created any folder.

 

Thanks .

[JSntgRvr]

Check your desktop. According to the fixlog the folder tosubmit was created.
 
Please download ComboFix from Here to your Desktop.
 
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

-----------------------------------------------------------

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
  • **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

[Saliom]

Yes it's true, I did not find because I had changed the location of my desktop to "D:\Bureau" (Bureau = Desktop in french ).

 

Here is my  tosubmit.zip   1.63KB   429 downloads.

 

And here is my  ComboFix.txt   23.87KB   404 downloads.

 

I did not say that I had not plugged my tablet, it doesn't matter no? If yes, I have to redo the steps from the beginning?

 

Ah yes, I also noticed another problem, the file extensions are no longer tied to their software as extensions .zip (7-zip) and .html (firefox). I don't know if it is related but it's weird.

 

Thanks !

 

[JSntgRvr]

I would recommend you install an antivirus such as AVAST

 

Please run a free online scan with the ESET Online Scanner
 
Vista / Win7 users: Right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.
 
Note: This scan works with Internet Explorer or Mozilla FireFox.
 
If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
 
Click the green ESET Online Scanner box

• Tick the box next to YES, I accept the Terms of Use then click on: Start
• You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
• Make sure that the option Scan archives is checked.
• Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

• Click on Start
• The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close, make sure you copy the logfile first!
• Then click on: Finish
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

[Saliom]

I'm so sorry but I forgot to save my text file, and after the restart of my computer, I lost it . But ESET Online Scanner  found more then 60 infected files when scanning. I installed Avast too, but the folders "Kernel", "Kernel\lpt1", "security", "security\lpt1" and "security\svchost.exe" are still here. when open the Task Manager, it shows so many (13) process svchost.exe : 6 by the system, 4 by the local service, and 3 by the network service.

 

Thanks for all your help. Can we hope one day to remove this virus from the tablet?

Edited by Saliom, 04 June 2014 - 04:10 PM.

[JSntgRvr]

Download the enclosed file.

Save it in the same location FRST is saved.

Launch FRST and click on the Fix button.

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

Re-scan with FRST and also post its report.