Help! All files from any USB turn into shortcuts. What should I do? :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dreamer22, Nov 18, 2013.

  1. dreamer22

    dreamer22 Private E-2

    At first, I thought that my USB was the problem. Then, I tried other USBs and each of them gave the same result. All files turned into shortcuts. Please help me.
    Also, the problem is that I'm a student and we had a lot of group projects. I had to transfer files to them, so I don't know whose laptop I got the virus from. But I'm pretty sure it's from them. An additional piece of info is that whenever I delete all of the files from a USB, there always appear 2 files which have many numbers and letters.

    ( 5f2c91bf1b61edb8693d6d80dd0d1a71.exe and gzueombvnx..vbs )

    My operating system is Windows 7.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You could try this:

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    However, you should consider following through with the below.
    READ & RUN ME FIRST. Malware Removal Guide
     
  3. dreamer22

    dreamer22 Private E-2

    When I downloaded Flash Disinfector, a window popped up and told me that it must have been installed incorrectly, and asked if I should use recommended settings or not. I just can't open "Flash Disinfector." Whenever I double-click it, nothing happens. Do you have any idea why this is happening?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Continue on with the Read and Run Me First instructions then, if you are able. :)
     
  5. dreamer22

    dreamer22 Private E-2

    Here are the logs :)
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    Place a checkmark beside each of these items, leaving the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Please re-run Hitman and have it delete Malware and Potentially Unwanted Programs.


    MGTools did not run to completion. Please try again, this time ensuring that you disabled antivirus, that you did indeed run as admin, and that you had UAC disabled.


    Re-run RogueKiller once more (just a scan) and attach the log.
     
  7. dreamer22

    dreamer22 Private E-2

    I disabled antivirus and UAC and ran MGtools as admin, but I think it still did not run well..
    But here are the logs that I got.
    I haven't run the second RogueKiller scan yet because I think that I should run MGtools successfully first.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  9. dreamer22

    dreamer22 Private E-2

    Here are the logs :-D
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below

    • Search Assistant WebSearch 1.74
    • ContinueToSave 1.74


    We need to run an OTL Fix

    • Right-click OTL.exe to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :otl
    IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.a-searchpage.info/?l=1&q={searchTerms}&pid=658&r=2013/06/03&hid=856691592&lg=EN&cc=BH&unqvl=18
    IE - HKCU\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.a-searchpage.info/?l=1&q={searchTerms}&pid=658&r=2013/06/03&hid=856691592&lg=EN&cc=BH&unqvl=18
    FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
    FF - prefs.js..browser.search.defaultthis.engineName: ""
    FF - prefs.js..browser.search.defaulturl: "http://websearch.a-searchpage.info/?pid=658&r=2013/06/03&hid=856691592&lg=EN&cc=BH&unqvl=18&l=1&q="
    FF - prefs.js..browser.search.order.1: "WebSearch"
    FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
    FF - prefs.js..browser.search.defaultenginename: "WebSearch"
    FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: ""
    FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: ""
    FF - prefs.js..sweetim.toolbar.previous.keyword.URL: ""
    FF - prefs.js..browser.search.defaultenginename: "WebSearch"
    [2013-05-16 20:05:41 | 000,000,000 | ---D | M] (SSeaRRch-NewTuaab) -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\extensions\iauysdb@dbqueahlw.edu
    [2013-06-03 17:25:14 | 000,000,000 | ---D | M] (coonTinuetosAAvee) -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\extensions\ri4t@bj-xho.edu
    [2013-05-16 20:05:41 | 000,000,000 | ---D | M] (continuetosave) -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\extensions\t5hcfg@pdyyiiyi.org
    [2012-09-18 20:29:35 | 000,002,342 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\searchplugins\askcom.xml
    [2012-12-16 22:45:27 | 000,002,432 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\searchplugins\babylon1.xml
    [2013-10-26 14:18:17 | 000,001,401 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\searchplugins\ividi.xml
    [2013-06-03 17:25:18 | 000,007,846 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gxxn3hy2.default\searchplugins\WebSearch.xml
    CHR - Extension: coonTinuetosAAvee = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ilhlbenelhopiikffklflfibappfojfe\1\
    CHR - Extension: continuetosave = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlkiphjgaigcngjfpmaopfdnffipfepe\1\
    CHR - Extension: iVidi Chrome Toolbar = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpdhgpkkloealnjnmepfhanpcleldbef\1.0_1\
    O4:64bit: - HKLM..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found
    O4 - HKCU..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found
    O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gzueombvnx..vbs ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O20 - AppInit_DLLs: (c:\progra~2\contin~1\sprote~1.dll) -  File not found
    [2013-10-26 12:16:44 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\AI_RecycleBin
    [2013-10-14 17:42:26 | 000,371,213 | -H-- | C] () -- C:\Users\user\AppData\Roaming\gzueombvnx..vbs
    @Alternate Data Stream - 146 bytes -> C:\ProgramData\Temp:CB0AACC9
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:D1B5B4F1
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.



    What is this?

    C:\Windows\expstart.exe.vir


    With the flash drive plugged in, run Malwarebytes on a complete scan, ensuring you opt to include your flash drive in the scan.

    Now run OTL again normally (no fix) and attach the log.
     
  11. dreamer22

    dreamer22 Private E-2

    Sorry, I can't find the log from the "fix scan", but maybe it's this? D:

    BTW, here's the log from the last OTL scan.
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue, I would like you to use MSConfig to put this machine back into normal startup mode.

    Also, you never answered me about what this is:


    We need to run an OTL Fix

    • Right-click OTL.exe to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :otl
    O4:64bit: - HKLM..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found
    O4 - HKCU..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "gzueombvnx"=-
    "5f2c91bf1b61edb8693d6d80dd0d1a71"=-
    [HKEY_USERS\S-1-5-21-2872056898-3766787645-1739451266-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "gzueombvnx"=-
    "5f2c91bf1b61edb8693d6d80dd0d1a71"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"="" 
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
    
      
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.




    Do you see this file?

    C:\Users\user\AppData\Roaming\gzueombvnx.vbs

    If so please delete it.



    Now re-run OTL please, just a scan, and attach the log.


    Please re-run RogueKiller and attach the log.


    Next, please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the commands below at the command prompt, each followed by the Enter key. The text before <-- is the command to type; the text after it is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    Please attach the MGlogs.zip now also.
     
    Last edited: Nov 24, 2013
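    The O4 entries in the OTL fixes quoted in posts 10 and 12 show how this USB worm persists: wscript.exe //B launching a hidden .vbs from AppData\Roaming via HKLM and HKCU Run keys, a copy of the script in the Startup folder, and a Run value named after the 32-hex-character dropped .exe. The Python routine below is an added example, not code from this thread or from OTL; it flags that pattern in OTL-style log lines. The sample lines are constructed to mirror the quoted entries (the SecurityHealth line is a made-up benign control).

```python
import re
from typing import Dict, List

# Constructed sample lines in the OTL O4/file-entry format, modelled on the
# entries quoted in this thread. They are not a real log from the poster.
SAMPLE_OTL_LINES = [
    r'O4:64bit: - HKLM..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found',
    r'O4 - HKCU..\Run: [gzueombvnx] wscript.exe //B "C:\Users\user\AppData\Roaming\gzueombvnx..vbs" File not found',
    r'O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gzueombvnx..vbs ()',
    r'O4 - HKCU..\Run: [5f2c91bf1b61edb8693d6d80dd0d1a71] C:\Users\user\AppData\Roaming\5f2c91bf1b61edb8693d6d80dd0d1a71.exe ()',
    r'O4 - HKLM..\Run: [SecurityHealth] C:\Program Files\Windows Defender\MSASCuiL.exe ()',  # made-up benign control
    r'[2013-10-14 17:42:26 | 000,371,213 | -H-- | C] () -- C:\Users\user\AppData\Roaming\gzueombvnx..vbs',
]

# OTL line shapes: Run-key entries, Startup-folder entries and file entries
# whose third field holds the attribute flags (H = hidden).
O4_RUN = re.compile(r'^O4(?::64bit:)? - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Startup: (?P<path>.+?) \(\)$')
FILE_ENTRY = re.compile(r'^\[[^|]+\| [^|]+\| (?P<attrs>\S{4}) \| [CM]\] \([^)]*\) -- (?P<path>.+)$')

SCRIPT_EXT = ('.vbs', '.vbe', '.js', '.jse', '.wsf')
SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe', 'wscript', 'cscript')
HASH_NAME = re.compile(r'^[0-9a-f]{32}$')  # value names like the dropped .exe


def find_script_persistence(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per OTL line that matches the worm's persistence pattern."""
    findings = []
    for line in lines:
        m = O4_RUN.match(line)
        if m:
            cmd = m.group('cmd')
            host = cmd.split()[0].lower() if cmd.split() else ''
            if host in SCRIPT_HOSTS:
                # //B is the script host's batch switch: no dialogs, so the
                # script runs (or fails) silently at every logon.
                why = 'Run value launches a script host' + (' silently (//B)' if '//B' in cmd else '')
                findings.append({'kind': 'run_key', 'where': m.group('hive'), 'name': m.group('name'), 'why': why})
            elif HASH_NAME.match(m.group('name')):
                findings.append({'kind': 'run_key', 'where': m.group('hive'), 'name': m.group('name'),
                                 'why': 'Run value name is 32 hex characters, like the dropped .exe'})
            continue
        m = O4_STARTUP.match(line)
        if m and m.group('path').lower().endswith(SCRIPT_EXT):
            findings.append({'kind': 'startup_folder', 'where': 'Startup', 'name': m.group('path'),
                             'why': 'script file in the per-user Startup folder'})
            continue
        m = FILE_ENTRY.match(line)
        if m:
            path = m.group('path')
            if 'H' in m.group('attrs') and path.lower().endswith(SCRIPT_EXT) and '\\appdata\\roaming\\' in path.lower():
                findings.append({'kind': 'hidden_file', 'where': 'filesystem', 'name': path,
                                 'why': 'hidden script under AppData\\Roaming'})
    return findings
```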
  13. dreamer22

    dreamer22 Private E-2

    Sorry, I don't really know what C:\Windows\expstart.exe.vir is. Should I delete it?

    There were no error messages during the cmd.
     


  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Where is the MGlogs.zip?
     
  15. dreamer22

    dreamer22 Private E-2

    sorry D:
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.



    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Processes
    explorer.exe
    
    :files
    C:\ProgramData\BetterSoft
    C:\ProgramData\coonTinuetosAAvee
    C:\Windows\expstart.exe.vir
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gzueombvnx..vbs
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      gzueombvnx
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  17. dreamer22

    dreamer22 Private E-2

    Here are the logs.
     


  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. Can you run OTL for me, (just a scan) and attach the log. :)
     
  19. dreamer22

    dreamer22 Private E-2

    Logsss
     

    Attached Files: OTL.Txt (288.6 KB)
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How is everything currently running? :)
     
  21. dreamer22

    dreamer22 Private E-2

    Wow, everything's great now.. thank you so much!!!:-D:-D
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :) Safe surfing!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the link below:
     
