
[Solved] Complicated shortcut virus issue

This topic is locked

#1 yongsua (Member, 43 posts)
Hi, I have a problem with my pendrive and laptop now. Both of them are infected with a shortcut virus. At first, I only realized one of my pendrives was infected with the shortcut virus from a printing shop computer after I plugged it into my laptop. However, when I plugged another pendrive into my laptop, it also became infected with the shortcut virus. It seems that my laptop and my pendrives are infected with this shortcut virus now. Besides, my pendrives are also vaccinated with Panda USB Vaccine and it really makes my removal process a more complicated one. I tried the command prompt removal process and I got the message "Access is denied" autorun.inf... I tried to surf the web and look for a solution, and did virus scanning, but failed... I asked for help on the Bleeping Computer forum a few days ago but no one has replied yet. :(

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.17267
Run by user at 13:10:51 on 2014-10-31
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.953.282 [GMT 8:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\System32\wscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Runxia Electronics\Virtual Router Plus\VirtualRouterPlus.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\alg.exe
C:\Program Files\Sandboxie\SandboxieCrypto.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uDefault_Page_URL = hxxp://www.google.com
mStart Page = www.google.com

 

 



Edited by yongsua, 04 November 2014 - 09:51 AM.



#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi there, I will need to use a different programme to analyse the system.

But first we will clean the pen drive.

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.
Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the logs tab on the main page,

And post that.

THEN

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.


#3 yongsua (Topic Starter, Member, 43 posts)

Oh, finally! Thanks to your reply, Essexboy. Unfortunately, I am away from my home now, the laptop is not with me. I will do it tomorrow and post back to you after reaching home tomorrow. Thanks.



#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

In that case I would not use the pen drive as it is infected

#5 yongsua (Topic Starter, Member, 43 posts)

It's too late. :( I only realized that when I plugged the originally infected pen drive into my laptop. I also found out that the virus spread to my computer and now it can infect any other pen drive even though the pen drive is vaccinated. It seems that Panda USB Vaccine is not that effective; I would replace it with MCShield after I am done with the removal. Will provide an update to you tomorrow.

Edited by yongsua, 02 November 2014 - 10:41 AM.


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, so we will have two systems to clean :) No problem, we will do the priority one first; your choice as to which.



#7 yongsua (Topic Starter, Member, 43 posts)

>>> MCShield AllScans.txt <<<
-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<

11/3/2014 2:14:51 PM > Drive C: - scan started (no label ~39 GB, NTFS HDD )...
=> The drive is clean.

11/3/2014 2:14:52 PM > Drive D: - scan started (DATA ~194 GB, NTFS HDD )...
=> The drive is clean.

11/3/2014 2:14:52 PM > Drive F: - scan started (System Reserved ~unknown size, NTFS HDD )...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<

11/3/2014 2:16:09 PM > Drive G: - scan started (KUGAN ~14747 MB, FAT32 flash drive )...
---> Executing generic S&D routine... Searching for files hidden by malware...
---> Items to process: 4
---> G:\CT-02-Science.ppt > unhidden.
---> G:\CT-03-_Recognizing_Arguments.ppt > unhidden.
---> G:\CT-01-Intro.ppt > unhidden.
---> G:\~$PBU0035 Presentation slide show.pptx > unhidden.
=> Hidden files      : 4/4 unhidden.
____________________________________________
::::: Scan duration: 3min 32sec ::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<

11/3/2014 2:16:47 PM > Drive I: - scan started (USB DISK ~7439 MB, FAT32 flash drive )...
---> Executing generic S&D routine... Searching for files hidden by malware...
---> Items to process: 64
 
 
 
 
 
 
=> Malicious files   : 76/76 deleted.
=> Hidden folders    : 11/11 unhidden.
=> Hidden files      : 64/64 unhidden.
____________________________________________
::::: Scan duration: 4min 28sec ::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<

11/3/2014 2:20:30 PM > Drive G: - scan started (KUGANR ~1918 MB, FAT32 flash drive )...
---> Executing generic S&D routine... Searching for files hidden by malware...
---> Items to process: 12
 
 
 
=> Malicious files   : 21/21 deleted.
=> Malicious folders : 2/2 deleted.
=> Hidden folders    : 6/6 unhidden.
=> Hidden files      : 12/12 unhidden.
____________________________________________
::::: Scan duration: 2min 49sec ::::::::::::
____________________________________________

Note: I realize that MCShield did not see any traces of malware in the originally infected pendrive. I would like to plug it in again and scan.


#8 yongsua (Topic Starter, Member, 43 posts)

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<

11/3/2014 2:28:47 PM > Drive G: - scan started (KUGAN ~14747 MB, FAT32 flash drive )...

>>> G:\RMT_Core.lnk - Malware > Deleted. (14.11.03. 14.31 RMT_Core.lnk.641049; MD5: 3a121a4a12d845be36edfc94cec7e31d)
>>> G:\RMT_UserData.lnk - Malware > Deleted. (14.11.03. 14.31 RMT_UserData.lnk.932090; MD5: 488da948a858ab15ca30a920dc05c5ba)
>>> G:\System Volume Information.lnk - Malware > Deleted. (14.11.03. 14.31 System Volume Information.lnk.587194; MD5: 634dff9f4720f4f09c33ed31bf5783c5)
>>> G:\FAMILY.lnk - Malware > Deleted. (14.11.03. 14.31 FAMILY.lnk.356304; MD5: 3ef6ebc5e860d4f822a8e10e2149b810)
>>> G:\KUGAN.lnk - Malware > Deleted. (14.11.03. 14.31 KUGAN.lnk.108360; MD5: 4f5f167c0c1991307bd4a3b199fa00aa)
>>> G:\wlxfyyhtlz..vbe - Malware > Deleted. (14.11.03. 14.31 wlxfyyhtlz..vbe.304724; MD5: cc645c60cca2e9194b1432eb96f87349)
> Resetting attributes: G:\RMT_Core < Successful.
> Resetting attributes: G:\RMT_UserData < Successful.
> Resetting attributes: G:\System Volume Information < Successful.
> Resetting attributes: G:\FAMILY < Successful.
> Resetting attributes: G:\KUGAN < Successful.

=> Malicious files   : 6/6 deleted.
=> Hidden folders    : 5/5 unhidden.
____________________________________________
::::: Scan duration: 2min 27sec ::::::::::::

This "KUGAN" is the pendrive that was originally infected. MCShield cleaned the virus and it states that this pendrive of mine is clean. However, I can still see the shortcuts on this pendrive. On the "USB DISK" and "KUGANR" pendrives, the shortcuts have gone away.
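A parser for the MCShield AllScans.txt layout posted in #7 and #8, added here as an example and not code from the thread or from MCShield: it splits the log per drive, pairs each deleted .lnk decoy with the real file or folder that was unhidden on the same drive, isolates the non-shortcut payload (the script the decoys launched, stash folders such as RECYCLER), and flags any hash that was deleted on more than one drive. The sample log, file names and MD5 values are constructed placeholders in the same layout.

```python
"""Parse an MCShield AllScans.txt log for a shortcut (.lnk) worm clean-up:
restored files, deleted .lnk decoys, the non-shortcut payload, shared hashes."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the layout MCShield writes to AllScans.txt. The file
# names and MD5 values are placeholders, not the hashes from the thread's log.
SAMPLE_LOG = r"""
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<
11/3/2014 2:16:47 PM > Drive I: - scan started (USB DISK ~7439 MB, FAT32 flash drive )...
---> Items to process: 2
---> I:\Notes.docx > unhidden.
---> I:\Setup-1.2.3.exe > unhidden.
>>> I:\Notes.lnk - Malware > Deleted. (14.11.03. 14.21 Notes.lnk.878445; MD5: 11111111111111111111111111111111)
>>> I:\Setup-1.lnk - Malware > Deleted. (14.11.03. 14.21 Setup-1.lnk.371086; MD5: 22222222222222222222222222222222)
>>> I:\abcdefghij..vbe - Malware > Deleted. (14.11.03. 14.21 abcdefghij..vbe.773194; MD5: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
=> Malicious files   : 3/3 deleted.
=> Hidden files      : 2/2 unhidden.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.10.27.1 / Windows 7 <<<
11/3/2014 2:20:30 PM > Drive G: - scan started (KUGANR ~1918 MB, FAT32 flash drive )...
---> Items to process: 1
---> G:\klmnopqrst.vbs > unhidden.
>>> G:\Photos.lnk - Malware > Deleted. (14.11.03. 14.23 Photos.lnk.93548; MD5: 33333333333333333333333333333333)
>>> G:\abcdefghij..vbe - Malware > Deleted. (14.11.03. 14.23 abcdefghij..vbe.422098; MD5: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
>>> G:\klmnopqrst.vbs - Malware > Deleted. (14.11.03. 14.23 klmnopqrst.vbs.905240; MD5: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb)
>>> G:\Recycler - Malware (folder) > Deleted. (14.11.03. 14.23 Recycler.717032)
> Resetting attributes: G:\Photos < Successful.
=> Malicious files   : 3/3 deleted.
=> Malicious folders : 1/1 deleted.
=> Hidden files      : 1/1 unhidden.
"""

SCAN_START = re.compile(r"^\S+ \S+ [AP]M > Drive (?P<drive>[A-Z]:) - scan started "
                        r"\((?P<label>.*?) ~[^,]+, (?P<kind>[^)]*)\)")
UNHIDDEN = re.compile(r"^---> (?P<path>.+?) > unhidden\.$")
RESET = re.compile(r"^> Resetting attributes: (?P<path>.+?) < Successful\.$")
DELETED = re.compile(r"^>>> (?P<path>.+?) - Malware(?P<folder> \(folder\))? > Deleted\. "
                     r"\([^;)]+(?:; MD5: (?P<md5>[0-9a-f]{32}))?\)")
SUMMARY = re.compile(r"^=> (?P<what>[A-Za-z ]+?) *: (?P<done>\d+)/(?P<total>\d+)")
PAYLOAD_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".exe", ".scr")

@dataclass
class DriveScan:
    drive: str
    label: str
    kind: str
    unhidden: list = field(default_factory=list)  # real files/folders restored
    deleted: list = field(default_factory=list)   # (path, md5 or None, is_folder)
    summary: dict = field(default_factory=dict)   # "Hidden files" -> (done, total)

def parse_allscans(text):
    """Split the log into one DriveScan per 'scan started' header."""
    scans, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := SCAN_START.match(line):
            current = DriveScan(m["drive"], m["label"], m["kind"].strip())
            scans.append(current)
        elif current is None:
            continue
        elif m := (UNHIDDEN.match(line) or RESET.match(line)):
            current.unhidden.append(m["path"])
        elif m := DELETED.match(line):
            current.deleted.append((m["path"], m["md5"], m["folder"] is not None))
        elif m := SUMMARY.match(line):
            current.summary[m["what"]] = (int(m["done"]), int(m["total"]))
    return scans

def _stem(path):
    """Base name cut at its first dot, which is how the .lnk decoys in the
    thread's MCShield log map onto the files and folders they impersonate."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0].lower()

def decoy_pairs(scan):
    """Deleted .lnk decoys whose real file or folder was restored on the same drive."""
    restored = {_stem(p) for p in scan.unhidden}
    return [p for p, _, _ in scan.deleted
            if p.lower().endswith(".lnk") and _stem(p) in restored]

def payload_candidates(scan):
    """Deleted items that are not decoys: the script the shortcuts launched and
    stash folders such as RECYCLER. These are the items worth submitting for analysis."""
    return [(p, md5) for p, md5, folder in scan.deleted
            if folder or p.lower().endswith(PAYLOAD_EXTS)]

def shared_hashes(scans):
    """MD5s deleted on more than one drive: the same payload carried drive to drive."""
    where = defaultdict(set)
    for s in scans:
        for _, md5, _ in s.deleted:
            if md5:
                where[md5].add(s.drive)
    return {h: sorted(d) for h, d in where.items() if len(d) > 1}

if __name__ == "__main__":
    for s in parse_allscans(SAMPLE_LOG):
        print(s.drive, s.label, decoy_pairs(s), payload_candidates(s))
    print("hashes seen on several drives:", shared_hashes(parse_allscans(SAMPLE_LOG)))
```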


#9 yongsua (Topic Starter, Member, 43 posts)

FRST logs




#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Is this the laptop or the desktop?

Have all the shortcuts been deleted and the original files restored now?

What other problems is this one experiencing?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.


#11 yongsua (Topic Starter, Member, 43 posts)

Sorry for my confusing statement. Actually, there is only ONE LAPTOP that is infected with this shortcut virus now. For the originally infected pen drive, which is "Kugan", some shortcuts are still there; however, all files are already fully recovered. For the other two pen drives, the shortcuts have totally gone away and all files are fully recovered. :) Thank you so much. Will send you the log as you requested.


Edited by yongsua, 03 November 2014 - 09:51 AM.


#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Grand, also let me know if you are having any other problems.

#13 yongsua (Topic Starter, Member, 43 posts)

And honestly, it is not my laptop but my friend's laptop. I can only meet him again tomorrow, but I will submit the fix log and follow all the subsequent steps at one time tomorrow. Since I am staying in my uni hostel tomorrow, it will be much more convenient for me and you. Sorry for the delay.


Edited by yongsua, 03 November 2014 - 10:44 AM.


#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Delay is not a problem as I monitor all threads. :)

#15 yongsua (Topic Starter, Member, 43 posts)

Here is the fixlog as you requested.


