.lnk / vbs infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ekibyogami, Jun 24, 2010.

  1. Ekibyogami

    Ekibyogami Private E-2

    Introduce Problem: I plugged in a friend's usb memory stick and after reboot, all of my files and folders have become .Lnk files which are acting as shortcuts to all of my programs and folders within the hard drive.

    Before your "Read and Run Me First" solution:
    - I could not see any hidden files/folders.
    - Everything was turned to the .lnk files.
    - The location for my files through the .lnk shortcuts is not said to be directly on the hard drive like before but rather (E:\340231785.vbs "E:\Games\Dir"). This goes for both my main hard drive and partitioned side, not to mention my other external hard drive which was plugged in at the time but is now currently unplugged.

    After your "Read and Run Me First" solution:
    - I can now see those hidden files/folders.
    - I have an smss.exe.###.vbs error when Windows starts that you can see in the attached picture.
    - For certain programs, even when trying to open the Malwarebytes log, and also when trying to open My Computer directly from its Start Menu shortcut, I get another .exe:###.vbs error which is in another attached picture.
    - The location for the files is still the same.

    I have searched long and hard for solutions to this but each similar solution still leaves my end of the problems unsolved.

    I am attaching the SuperAntiSpyware log + MGlog + the 2 pictures I have mentioned. I cannot attach the Malwarebytes log due to the error in picture 2 I mentioned. Unless there is another solution to open that log, I cannot do as you have asked.

    Thank you for any future help that you can give me.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's see how things are running after you complete the below:

    Be aware that I can certainly help with malware removal, but sometimes damage has been done to the operating system by the malware and these issues might have to be addressed in the software forum, after we have finished here.

    1. Try again if you can, to attach the log from MalwareBytes.

    2. Please go to Add/Remove programs and uninstall the following software:

    • Java(TM) 6 Update 6
    • ShopAtHome SelectRebates

    3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    4. Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\1004299937.vbs
    C:\Windows\TEMP\Tmp45E8.tmp
    C:\Windows\TEMP\Tmp4B44.tmp
    C:\Windows\TEMP\Tmp4B54.tmp
    C:\Windows\TEMP\Tmp704.tmp
    C:\Windows\TEMP\Tmp714.tmp
    C:\Windows\TEMP\TmpA20A.tmp
    C:\Windows\TEMP\TmpA20B.tmp
    C:\Windows\TEMP\TmpDB8.tmp
    C:\Windows\TEMP\TmpDB9.tmp
    C:\Users\Aleigh\AppData\Local\Temp\36983913212605785.tmp
    C:\Users\Aleigh\AppData\Local\Temp\523164.od
    C:\Users\Aleigh\AppData\Local\Temp\Aleigh.bmp
    C:\Users\Aleigh\AppData\Local\Temp\CVRFB7D.tmp.cvr
    C:\Users\Aleigh\AppData\Local\Temp\FFToolbar_Cache
    C:\Users\Aleigh\AppData\Local\Temp\HssInstaller
    C:\Users\Aleigh\AppData\Local\Temp\IpAdrSet.log
    C:\Users\Aleigh\AppData\Local\Temp\Low
    C:\Users\Aleigh\AppData\Local\Temp\tmp2043.tmp
    C:\Users\Aleigh\AppData\Local\Temp\tmp2043_files
    C:\Users\Aleigh\AppData\Local\Temp\Tmp3DFD.tmp
    C:\Users\Aleigh\AppData\Local\Temp\Tmp3DFE.tmp
    C:\Users\Aleigh\AppData\Local\Temp\tmp3FE6.tmp
    C:\Users\Aleigh\AppData\Local\Temp\tmp3FE6_files
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\ASKUpgrade]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableCAD"=-
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    5. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also the log from OTM.

    7. Let me know how the machine is running now?
     
  4. Ekibyogami

    Ekibyogami Private E-2

    Report:

    - After posting my initial log, the arrow symbols on all the files that indicate them as shortcuts were gone, but after another reboot, they came back.

    After your instructions:

    - The error message upon restarting my computer is gone (Thank you)
    - The error message while trying to open some files or My Computer is still there.
    - Everything else still seems the same too


    On the plus side, I found a script to put into run to find the MalwareBytes Log.
    I am attaching all three files requested.

    Also, if the logs did not show this, I am running Windows Vista 64bit.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As I said, some problems that remain may have to be worked out in the software forum; I am not seeing any malware in your newest logs.

    But let me just ask, what is this?

     
  6. Ekibyogami

    Ekibyogami Private E-2

    Your guess is as good as mine. I do not know as much as I would like to about everything that goes on in a computer and everything I have on here.

    I will post this in the software forum.

    Thank you very much for your time helping me. At least one error is currently gone. =)
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    Code:
    :Files
    C:\Windows\System32\drivers\bc.sys
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. Ekibyogami

    Ekibyogami Private E-2

    Sorry for the late reply.

    Deleted file as asked and here are the logs.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    Code:
    :Files
    C:\Windows\S4ED2C299.tmp
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. Ekibyogami

    Ekibyogami Private E-2

    As you will read, it could not move it.

    I am also back to having the problem when the computer starts, I get that "smss" error and also I cannot view hidden files anymore.

    I tried deleting a desktop.ini file and the .vbs script, which I probably should have left alone, but thought since that makes a difference on the files that are in there, maybe it could help partially clear it. I can still find the folders needed though for what you are helping with through searching.

    Should I rerun one of the programs that might help bring it back? I do not think it is necessary at the moment though since that is not the initial cause and it is not affecting anything else really.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue you need to put this machine into NORMAL start up mode by using MSCONFIG.

    I strongly advise that you uninstall Tencent QQ and Tencent QQ2009. This program has been the cause of many, many people coming here with malware problems. It is also considered to be adware.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    C:\Windows\S4ED2C299.tmp <--- rename this folder to S4ED2C299.tmp.old if it lets you. Try in safe mode if necessary.



    Code:
    :Files
    C:\Windows\S4ED2C299.tmp
    C:\Windows\S4ED2C299.tmp.old
    C:\1004299937.vbs
    C:\Windows\System32\1004299937.vbs
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how things are now?
     
  12. Ekibyogami

    Ekibyogami Private E-2

    The computer is still running the same way as before though without the error in the beginning of the computer.

    I am currently in normal.

    C:\Windows\S4ED2C299.tmp <--- rename this folder to S4ED2C299.tmp.old

    In normal mode, I could not do this due to the file being in use.
    In safe mode, I could change it and I then ran OTM.exe while in safe mode.
    I also ran OTM.exe after rebooting back in normal mode.
    I attached both OTM files and also the MGlogs.zip

    Perhaps at this point, even though I prefer not doing this, it is better to reinstall Windows. Though the only other problem I foresee is that my external hard-drive will still be infected.

    I am currently going to be on a trip for 3 weeks so if there is something more to do within the next 4 hours of this post, I can keep up with it. Other than that, I will have to postpone any further fixing until then.

    Thank you for all your time thus far. It is really appreciated.
     
  13. Ekibyogami

    Ekibyogami Private E-2

    Here are the attachments as I oh so joyfully forgot to put them in the last post.

    The first OTM log is from the Safe Mode.
    The second OTM log is naturally from the Normal Mode
     

    Attached Files:

  14. Ekibyogami

    Ekibyogami Private E-2

    Just rebooted again and the error is back. This will be all I can do for the next 3 weeks as I mentioned. Thanks so far. =)
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply. :)
     
  16. Ekibyogami

    Ekibyogami Private E-2

    Here are both of the attachments.
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run OTL Script

    • Double-click OTL.exe to start the program.
    • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code.

    Code:
    :otl
    :FILES
    @C:\Windows\System32\smss.exe:1004299937.vbs
    F3:64bit: - HKCU WinNT: Load - ("C:\Windows\System32\smss.exe:1004299937.vbs") - C:\Windows\SysNative\smss.exe ()
    F3 - HKCU WinNT: Load - ("C:\Windows\System32\smss.exe:1004299937.vbs") - C:\Windows\SysWow64\smss.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    :commands
    [EMPTYTEMP]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Attach that report in your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
     
    Last edited: Aug 3, 2010
  18. Ekibyogami

    Ekibyogami Private E-2

    All that happened was I was not able to see my hidden files after running the OTL script and then could not find the MGTools folder anymore to run GetLogs.bat. So I had to reinstall that to run it and after another restart, I can see my hidden files again.

    Seeing the hidden files and not seeing them, I have no idea what actually is changing them but it is completely random from what it seems like. (Though I know the possibility of that being random is low).

    The text file will open for OTL automatically, which was weird since Malwarebytes did not let me. Still, if I try to double click any .txt file, I get that error. I always have to use 'open with' to get it to work.
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I apologise, I had an error in my script, let's try again.

    Run OTL Script

    • Double-click OTL.exe to start the program.
    • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code.

    Code:
    :otl
    F3:64bit: - HKCU WinNT: Load - ("C:\Windows\System32\smss.exe:1004299937.vbs") - C:\Windows\SysNative\smss.exe ()
    F3 - HKCU WinNT: Load - ("C:\Windows\System32\smss.exe:1004299937.vbs") - C:\Windows\SysWow64\smss.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
     
    :files
    @C:\Windows\System32\smss.exe:1004299937.vbs
     
    :commands
    [EMPTYTEMP]
    [REBOOT]

    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Attach that report in your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
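    The OTL script above targets two things: a script stored as an alternate data stream (ADS) behind smss.exe, and the per-user "Load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows that makes Explorer run it at logon. As an added example, not part of this thread and not OTL's own code, here is a PowerShell check for both. The host paths are taken from the thread; the stream-name heuristic, the extra Run value and the -Remove switch are assumptions. It needs PowerShell 3.0 or later (Get-Item -Stream), so on the Vista machine in this thread the stream part has to be done from a cmd prompt with `dir /r C:\Windows\System32\smss.exe` instead.

```powershell
# Added example (not from the thread): list alternate data streams on the host
# binaries the worm used and the HKCU Load/Run values that launch them at logon.
# Run as Administrator from 64-bit PowerShell on x64, otherwise System32 is
# silently redirected to SysWOW64 (the "File not found" line in the OTL log).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$HostBinaries = @(                      # paths seen in the thread
        "$env:SystemRoot\System32\smss.exe",
        "$env:SystemRoot\SysWOW64\smss.exe",
        "$env:SystemRoot\explorer.exe"
    ),
    [switch]$Remove                                   # assumption: optional cleanup
)

# A stream named like a script file is the red flag (assumed heuristic)
$ScriptStream = '(?i)\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)$'

function Get-AlternateStreams {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # ':$DATA' is the file's own content; any other stream is an ADS
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $p
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Flagged = [bool]($_.Stream -match $ScriptStream)
                }
            }
    }
}

function Get-LogonLoadValues {
    # Explorer starts whatever these values name at logon; on a clean machine
    # they are normally absent, so any value at all deserves a look
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($name in 'Load', 'Run') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $v
                # "<exe>:<stream>" syntax, a .vbs, or a script host in the value
                Flagged = [bool]($v -match '(?i)\.exe:|\.vbs\b|\b[wc]script')
            }
        }
    }
}

$streams = @(Get-AlternateStreams -Paths $HostBinaries)
$loads   = @(Get-LogonLoadValues)
$streams | Format-Table -AutoSize
$loads   | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in ($streams | Where-Object Flagged)) {
        # Deleting a named stream leaves the executable's own data untouched
        if ($PSCmdlet.ShouldProcess("$($s.File):$($s.Stream)", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $s.File -Stream $s.Stream
        }
    }
    foreach ($l in ($loads | Where-Object Flagged)) {
        if ($PSCmdlet.ShouldProcess("$($l.Key)\$($l.Name)", 'Delete value')) {
            Remove-ItemProperty -Path $l.Key -Name $l.Name
        }
    }
}
```

Run it once without -Remove to see the report, then with `-Remove -WhatIf` to confirm exactly what would be deleted before doing it for real. Expect `Zone.Identifier` streams on downloaded files to show up as unflagged; those are the normal mark-of-the-web and are not a problem.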
     
  20. Ekibyogami

    Ekibyogami Private E-2

    No problem =)

    The opening error message is once again gone. So that is a plus at least.
    As for the rest, still the same. The '.vbs' error still occurs when trying to directly open my computer or any .txt file. I am not sure if there are other items which will give me the same error but I have not tried going through every last type of file. Just what is normally used.

    Things though keep steadily improving so I am staying positive about this.
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Use MSCONFIG to put this computer into normal start up mode before we continue.

    Run OTL Script

    • Double-click OTL.exe to start the program.
    • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code.

    Code:
    :otl
    :files
    @C:\Windows\explorer.exe:1004299937.vbs
    @C:\Windows\explorer.exe:1004299937.vbs
    @C:\Windows\explorer.exe:1004299937.vbs
    C:\Program Files (x86)\SelectRebates
    C:\Program Files (x86)\AskBarDis
    
    :Services
    ASKService
    ASKUpgrade
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SelectRebates]
     
    :commands
    [EMPTYTEMP]
    [REBOOT]

    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Attach that report in your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
     
  22. Ekibyogami

    Ekibyogami Private E-2

    Shall I just keep the computer running in normal start up for the duration of this? There are just minor regular programs taken off of start up but I assume that that does not make a difference. Background processes perhaps?

    Nothing has changed so far after that code.

    I await further instructions =)
     
  23. Ekibyogami

    Ekibyogami Private E-2

    Pardon the missing logs in the last reply. Here they are.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should always be in normal startup mode unless you are doing temporary debugging.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  25. Ekibyogami

    Ekibyogami Private E-2

    Successfully added.

    Here are the logs.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell us how things are working.
     
  27. Ekibyogami

    Ekibyogami Private E-2

    Sorry about that. I just took the assumption I suppose that saying nothing meant no change.

    Though I am glad it went this way because there is a small change and I may have not noticed it otherwise.

    I can now open up my notepad files without getting that error.
    I still cannot open "Computer" through the start button section.
    All the files are still the same shortcuts.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah, but there was a change: as you have stated, we fixed some problems with three file associations that were caused by the infection.

    I'm not exactly sure what you mean by you cannot open "Computer" through start button. Also what do you mean all the files are still the same shortcuts?

    Do you mean that when you click the Start button nothing happens? Or do you mean when you click the Start button all the items you see in the Start menu ( these are not files these are links to files ) are not showing properly or that they do not work when you click on them?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears there are a few more registry entries to fix and I see that UAC is not disabled which is required. Let's try the below registry patch.


    Copy the bold text below to notepad. Save it as fixme2.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
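    The ".vbs" error on opening a .txt file or "Computer" is what a hijacked shell handler looks like: the worm rewrites a class's shell\open\command so that Explorer runs its script instead of Notepad or the folder view. The two .reg patches above repair those handlers, but their contents are not on this page, so as an added example (not from the thread, not chaslang's .reg) here is a PowerShell audit that reports any shell verb in HKCR whose command points at a script host, a .vbs, or an "exe:stream" alternate data stream. The ProgID list, the "Computer" CLSID and the regex are assumptions; it only reports, it changes nothing.

```powershell
# Added example (not from the thread): audit HKCR shell\<verb>\command handlers
# for commands that hand the object to a script instead of the normal program.
# PowerShell 3.0+, run as Administrator.
[CmdletBinding()]
param(
    # Classes behind the objects that threw errors in the thread (assumed list)
    [string[]]$Focus = @('txtfile', 'Folder', 'Directory', 'Drive', 'exefile', 'lnkfile',
                         'CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}'),   # "Computer"
    [switch]$All   # also walk every class under HKCR (slower, but catches the rest)
)

$Hkcr = 'Registry::HKEY_CLASSES_ROOT'
# Script-file classes legitimately launch wscript.exe; anything else should not
$ScriptClasses = @('VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile')
# script host, a .vbs path, or "<exe>:<stream>" ADS syntax in the command (assumed regex)
$Suspicious = '(?i)(\b[wc]script(\.exe)?\b|\.vbs\b|\.exe:[^\s"\\]+)'

function Get-ShellCommands {
    param([string]$Class)
    $shell = "$Hkcr\$Class\shell"
    if (-not (Test-Path -LiteralPath $shell)) { return }
    foreach ($verb in (Get-ChildItem -LiteralPath $shell -ErrorAction SilentlyContinue)) {
        $cmdKey = "$shell\$($verb.PSChildName)\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        # The (default) value of ...\command is the command line Explorer runs
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Class   = $Class
            Verb    = $verb.PSChildName
            Command = $cmd
            Flagged = [bool]($cmd -and ($ScriptClasses -notcontains $Class) -and ($cmd -match $Suspicious))
        }
    }
}

function Find-HijackedShellCommands {
    param([string[]]$Classes)
    $Classes | ForEach-Object { Get-ShellCommands -Class $_ } | Where-Object Flagged
}

$classes = @($Focus)
if ($All) {
    # Every top-level class (ProgIDs, extensions, etc.); keys without a shell subkey are skipped
    $classes += Get-ChildItem -LiteralPath $Hkcr -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSChildName }
}

$found = @(Find-HijackedShellCommands -Classes $classes)
if ($found.Count) { $found | Format-Table -AutoSize }
else              { 'No suspicious shell commands found in the classes checked.' }
```

A flagged `txtfile` / `open` entry, for instance, is what turns every double-click on a Notepad file into the worm's error; the fix is to restore the stock command for that class (a .reg patch like the ones above does exactly that), not to delete the class.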
     
  30. Ekibyogami

    Ekibyogami Private E-2

    I meant by the no change that I saw no current change at first.

    As for the not being able to open "Computer" from the start menu, or 'My Computer' as it would be if seen on the desktop, I just mean simply as I stated. Clicking "Computer" from the start menu still gives me that .vbs error.
    The picture with the "Computer" error is in one of my first posts. I would upload it again but the thread already recognizes the original so I do not want to violate any rules you might have on that. =)

    The rest of the start menu items are working normally though.

    As for the shortcut issue I mentioned, that is the problem we are working on. I was just saying there has been no changes to that issue. Every shortcut and folder still becomes the .lnk file.

    _____________________________________________________________

    After the registry update, which worked, I do not see any visible changes. I tried creating another folder and shortcut and they both turned into the .lnk shortcut file.
    UAC is disabled as well.
    Here are the logs too.
     

    Attached Files:

    Last edited: Aug 11, 2010
  31. Ekibyogami

    Ekibyogami Private E-2

    I was just going through all the small problems I had with this infection to see if anything else changed and came across how the virus gets itself going. (At least for every drive excluding the C: drive)

    Sadly I did not really pay much attention to this before but it is only when I open a folder that already has the .lnk shortcut infection that any other non infected ones will be infected. I created new folders and there was no change to the new folders until I opened an existing infected folder.

    I am not totally sure about the C: drive just yet. Though things like the MGtools folder get put to hidden, even though there is no shortcut created for it, along with some other folders too.

    As for my external HD (In this case the H: drive), there is still a .vbs file ("678635397.vbs") and all the folders in there have that shortcut that needs this file to be there so I can access the original folders. In more detail, every folder that is a shortcut has the name of the original folder on there like it was the original, but its location is "678635397 (H:)". The original folders are hidden. I cannot change the original folders to normal (Non-hidden) even if I try to change the name of the folder.

    As of right now, I can view all of the original folders. So, is it possible for at least my external HD to be saved that I can simply delete the .vbs file, delete all the folders that are shortcuts and remake all the folders, copy all the files over and then delete the original folders?

    For my partitioned E: drive, the .vbs file is "340231785.vbs". You already know what the C: drive has though I do not see the .vbs file in the C drive root folder anymore which I assume from the scripts before that it was deleted by that.

    I am trying to give as much detail as possible now instead of just hoping for a quick fix since I doubt that is possible at the moment. I am sorry if this could have been much more helpful before. If there is anything more I can figure out I will post it later. Feel free to ask any and all questions and I will do whatever I can.
     
  32. Ekibyogami

    Ekibyogami Private E-2

    Making another addition.

    1. This part might already be known by you, but since the .vbs file in the C: drive is gone, I cannot use the .lnk shortcuts anymore to get to the folders. (This was quite awhile ago since the .vbs file was deleted) So I can only access the original folders which are hidden. Should I just begin deleting all the shortcuts? I attached a picture about it. Just showing that those files seem useless at the moment.

    2. In the C: drive, the "Documents and Settings" folder is of course just a shortcut but the hidden folder of that one is also a shortcut. I get an "Access Denied" message when trying to open the hidden folder. I attached a picture of that too.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Documents and Settings folder is not accessible on Vista or Windows 7 by design. Vista and Win 7 use the C:\Users folder.

    Based on additional info you have been providing, I started taking a more detailed look at some of your logs and I see the below on your C drive in the root folder
    Code:
                                                                                  
    ----a-w               538 2010-06-24 03:13:07  C:\$RECYCLE.BIN.lnk
    ----a-w               532 2010-06-24 03:13:07  C:\AdobeTemp.lnk
    --sh--w               250 2010-06-24 03:13:07  C:\AutoRun.inf
    ----a-w               522 2010-06-24 03:13:07  C:\Boot.lnk
    ----a-w               558 2010-06-24 03:13:07  C:\Documents and Settings.lnk
    ----a-w               524 2010-06-24 03:13:07  C:\Games.lnk
    --sha-w     4,258,144,256 2010-08-11 09:40:48  C:\hiberfil.sys
    d-sh--w                 0 2010-06-24 02:43:57  C:\Hotspot Shield
    ----a-w               542 2010-06-24 03:13:07  C:\Hotspot Shield.lnk
    ----a-w               524 2010-06-24 03:13:07  C:\Intel.lnk
    ----a-w            47,692 2010-08-11 09:49:24  C:\MGlogs.zip
    d-sh--w                 0 2010-08-11 09:49:25  C:\MGtools
    ----a-w         2,396,925 2010-08-11 09:45:50  C:\MGtools.exe
    ----a-w               530 2010-06-24 03:13:07  C:\MSOCache.lnk
    ----a-w               526 2010-06-24 03:13:07  C:\NVIDIA.lnk
    --sha-w     4,571,742,208 2010-08-11 09:40:47  C:\pagefile.sys
    ----a-w               530 2010-06-24 03:13:07  C:\PerfLogs.lnk
    d-sh--w                 0 2010-06-24 02:57:10  C:\Program Files
    d-sh--w                 0 2010-08-09 12:00:38  C:\Program Files (x86)
    ----a-w               552 2010-06-24 03:13:07  C:\Program Files (x86).lnk
    ----a-w               540 2010-06-24 03:13:07  C:\Program Files.lnk
    d-sh--w                 0 2010-07-13 09:34:03  C:\ProgramData
    ----a-w               536 2010-06-24 03:13:07  C:\ProgramData.lnk
    d-sh--w                 0 2010-08-11 04:42:11  C:\System Volume Information
    ----a-w               564 2010-06-24 03:13:07  C:\System Volume Information.lnk
    ----a-w               522 2010-06-24 03:13:07  C:\Temp.lnk
    ----a-w               528 2010-06-24 03:13:07  C:\Toshiba.lnk
    d-sh--w                 0 2010-08-09 05:26:15  C:\Windows
    ----a-w               528 2010-06-24 03:13:07  C:\Windows.lnk
    ----a-w               524 2010-06-24 03:13:07  C:\Works.lnk
    d-----w                 0 2010-08-04 09:38:50  C:\_OTL
    d-sh--w                 0 2010-06-25 14:26:07  C:\_OTM
    You can see some of the problems from this where .lnk file names have been created with the same name as some folders (like C:\Program Files (x86).lnk, C:\Program Files.lnk, C:\System Volume Information.lnk,... etc )

    Let's take a look at some of these and also clean some up. Please see if you can put a few of the below files into a ZIP file and attach it. You don't need to include all of these, just 4 or 5 should do.
    C:\$RECYCLE.BIN.lnk
    C:\AdobeTemp.lnk
    C:\Boot.lnk
    C:\Documents and Settings.lnk
    C:\Games.lnk
    C:\Hotspot Shield.lnk
    C:\MSOCache.lnk
    C:\NVIDIA.lnk
    C:\PerfLogs.lnk
    C:\Program Files (x86).lnk
    C:\Program Files.lnk
    C:\ProgramData.lnk
    C:\System Volume Information.lnk
    C:\Temp.lnk
    C:\Toshiba.lnk
    C:\Windows.lnk
    C:\Works.lnk
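    The listing above shows the whole pattern in one place: each real folder (`d-sh--w`, hidden+system) has a same-named `.lnk` beside it, and an `AutoRun.inf` (`--sh--w`) sits in the root to spread it to the next machine. As an added example, not part of this thread and not the FindLnk.bat chaslang attached, here is a PowerShell scan that finds that pattern on each drive root and resolves what every such .lnk actually launches. The drive letters and the "<digits>.vbs" target naming come from the thread; the detection heuristics, the keep-hidden list and the -Repair switch are assumptions. It reports only unless -Repair is given, and -Repair honours -WhatIf.

```powershell
# Added example (not from the thread): find .lnk files in drive roots that sit
# beside a hidden+system folder of the same name and/or launch a "<digits>.vbs"
# dropper, list the AutoRun.inf that spreads it, and optionally clean up.
# PowerShell 3.0+, run as Administrator with the external drive plugged in.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Roots = @('C:\', 'E:\', 'H:\'),   # drives named in the thread
    [switch]$Repair                              # assumption: optional cleanup
)

# Root folders Windows itself keeps hidden+system; never unhide these (assumed list)
$KeepHidden = @('$RECYCLE.BIN', 'System Volume Information', 'Boot', 'MSOCache',
                'ProgramData', 'Recovery', 'Config.Msi', 'Documents and Settings')

$Wsh = New-Object -ComObject WScript.Shell
# e.g. E:\340231785.vbs "E:\Games\Dir", or wscript.exe ... something.vbs (assumed regex)
$DropperPattern = '(?i)(\\\d+\.vbs\b|\b[wc]script(\.exe)?\b.*\.vbs\b)'

function Resolve-Lnk {
    param([string]$Path)
    # CreateShortcut on an existing .lnk parses it; the stored target is returned
    # even when that file no longer exists (the C: .vbs was already deleted here)
    $sc = $Wsh.CreateShortcut($Path)
    "$($sc.TargetPath) $($sc.Arguments)".Trim()
}

function Test-HiddenSystemDir {
    param([string]$Path)
    $d = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $d -or -not $d.PSIsContainer) { return $false }
    $want = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    return (([int]$d.Attributes -band $want) -eq $want)
}

function Get-LnkFindings {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $ar = Join-Path $root 'AutoRun.inf'
        if (Test-Path -LiteralPath $ar) {
            [pscustomobject]@{ Kind = 'AutoRun'; Path = $ar; Launches = $null; HiddenTwin = $null }
        }
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } |
          ForEach-Object {
            $cmd  = Resolve-Lnk $_.FullName
            $twin = Join-Path $root $_.BaseName          # "Games.lnk" -> "<root>\Games"
            $twinOut = $null
            if (Test-HiddenSystemDir $twin) { $twinOut = $twin }
            if (($cmd -match $DropperPattern) -or $twinOut) {
                [pscustomobject]@{ Kind = 'Lnk'; Path = $_.FullName; Launches = $cmd; HiddenTwin = $twinOut }
            }
          }
    }
}

$findings = @(Get-LnkFindings -Roots $Roots)
$findings | Format-Table -AutoSize

if ($Repair) {
    foreach ($f in $findings) {
        # Only delete shortcuts whose stored command points at the dropper; a hidden
        # twin alone is not proof that the .lnk is the worm's
        if ($f.Kind -eq 'AutoRun' -or ($f.Kind -eq 'Lnk' -and $f.Launches -match $DropperPattern)) {
            if ($PSCmdlet.ShouldProcess($f.Path, 'Delete')) { Remove-Item -LiteralPath $f.Path -Force }
        }
        if ($f.HiddenTwin -and ($KeepHidden -notcontains (Split-Path -Leaf $f.HiddenTwin))) {
            if ($PSCmdlet.ShouldProcess($f.HiddenTwin, 'Clear Hidden+System')) {
                # Explorer greys out the Hidden box while System is set, which is why the
                # folders could not be unhidden by hand; both bits must be cleared
                $d = Get-Item -LiteralPath $f.HiddenTwin -Force
                $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
                $d.Attributes = [IO.FileAttributes]([int]$d.Attributes -band (-bnot $mask))
            }
        }
    }
}
```

The "Launches" column is the part a cleanup needs most: a .lnk that runs `<drive>:\<digits>.vbs "<original folder>"` is the worm's, while an ordinary shortcut resolves to the program or folder it claims to open. Because the dropper re-creates the shortcuts when an infected folder is opened (as noted in the thread), delete the `.vbs` on every drive and remove the ADS and Load value first, then run this with -Repair; otherwise the .lnk files come straight back.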
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing I want you to do.

    • Plug in your H drive
    • Download the below and save it to your Desktop
    • Now run the FindLnk.bat file by right clicking on it and selecting Run As Administrator
    • Be patient since this has to scan all files/folders on drives C, E, and H.
    • When it finishes, there should be a C:\findlnk.txt file. Attach this file to your next message.
     
    Last edited: Aug 12, 2010
  35. Ekibyogami

    Ekibyogami Private E-2

    I have not downloaded your file yet but just making a quick message while I can that when I try to put the .lnk files into a zip file, I get an error message each time. Perhaps if I tried deleting them first and then putting them into a zip?
    I will give more detail and get your file before my next post. Just been a bit busy.
     
  36. Ekibyogami

    Ekibyogami Private E-2

    -Continuing the post from before.-

    I have attached 2 pictures.
    1. If I try to 'right click' the files to make them into a zip file, it will ask me if I want to delete the shortcut since the .vbs file for the script is missing. The shortcut it asks me to delete is the same '104299937.vbs' for every file.
    2. When I try to use winrar itself to make the zip file, I get the error as shown.

    I suppose I could try deleting them as mentioned since they seem to be invalid now anyways but I do not know if that will cause any risks. I figure that might be the only way of getting them out of their original spot so I can zip them.

    Now that I have meddled with them though, I again have that .sms desktop error when I start up my computer. Should I just refer back to the post by Kestrel13! and use the script that fixed it before?

    I ran your scan as well and am attaching the file.

    Thanks too for the quick info on the Documents and Settings folder.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is looking pretty bad. It may be very difficult to clean up what this infection has done since it is very hard for me to remotely determine which lnk files are valid and which are bad. Let's try a shot at a small cleanup and see what results we get. Make sure the H drive is connected while doing all of the below.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Files
    C:\$RECYCLE.BIN.lnk
    C:\AdobeTemp.lnk
    C:\AutoRun.inf
    C:\Boot.lnk
    C:\Documents and Settings.lnk
    C:\Games.lnk
    C:\Hotspot Shield.lnk
    C:\Intel.lnk
    C:\MSOCache.lnk
    C:\NVIDIA.lnk
    C:\PerfLogs.lnk
    C:\Program Files (x86).lnk
    C:\Program Files.lnk
    C:\ProgramData.lnk
    C:\System Volume Information.lnk
    C:\Temp.lnk
    C:\Toshiba.lnk
    C:\Windows.lnk
    C:\Works.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$IFD17DH.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$IM5L4AG.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$INC232Q.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$IOHL0WQ.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$R6OJ1F5.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$RNC232Q.lnk
    C:\$RECYCLE.BIN\S-1-5-21-3364228254-1038585381-1803340498-1000\$ROHL0WQ.lnk
    C:\Users\Aleigh\Desktop\Broadband Connection - Shortcut.lnk
    C:\Users\Aleigh\Desktop\DAEMON Tools Pro.lnk
    C:\Users\Aleigh\Desktop\HijackThis.lnk
    C:\Users\Aleigh\Desktop\MGtools - Shortcut.lnk
    C:\Users\Aleigh\Desktop\Soulseek (2).lnk
    E:\$RECYCLE.BIN.lnk
    E:\Anime.lnk
    E:\Azuerus Downloads.lnk
    E:\Games.lnk
    E:\HDDRecovery.lnk
    E:\movie and subtitles.lnk
    E:\Program Files (x86).lnk
    E:\Setups.lnk
    E:\Soulseek.lnk
    E:\System Volume Information.lnk
    E:\Videos from computer.lnk
    E:\Azuerus Downloads\Emulators Pack February 2010\Emulators Pack February 2010\PS2\Pcsx2-r2593\pcsx2 - Shortcut.lnk
    E:\Games\StepMania\StepMania (2).lnk
    E:\Program Files (x86)\DAEMON Tools Pro\DTPro - Shortcut.lnk
    H:\autorun.lnk
    H:\Documentation.lnk
    H:\Anime 2.lnk
    H:\MioNet.lnk
    H:\WD_Mac_Tools.lnk
    H:\WD_Windows_Tools.lnk
    H:\Food Inc.lnk
    H:\System Volume Information.lnk
    H:\Elise - Yantai - Shanghai - Hangzhou.lnk
    H:\WD Sync Data.lnk
    H:\$RECYCLE.BIN.lnk
    H:\Pictures.lnk
    H:\Dirty Dancing 1987 20th Anniversary Edition DvDrip[Eng]-greenbud1969.lnk
    H:\Recycled.lnk
    H:\5af3368b07f62852abaa3b.lnk
    H:\Application setups.lnk
    H:\Programming.lnk
    H:\TV Series.lnk
    H:\Games.lnk
    H:\Manga.lnk
    H:\China.lnk
    H:\Stuff.lnk
    H:\Japanese.lnk
    H:\Learning.lnk
    H:\Movies.lnk
    H:\My Music.lnk
    H:\msdownld.tmp.lnk
    H:\System Volume Information\_restore{DA552559-C825-48D2-8899-638AE6EFBDF6}\RP250\A0036998.lnk
    H:\$RECYCLE.BIN\$I08C230.lnk
    H:\$RECYCLE.BIN\$R08C230.lnk
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now rerun the FindLnk.bat program like I previously requested.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the C:\findlnk.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
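    The two things chaslang is working from in this thread (the .lnk names that shadow real folders, noted back in post 33, and the difficulty of telling good .lnk files from bad ones remotely, above) can both be checked by reading what a shortcut actually launches. The following is an added example, not a tool from this thread or from MajorGeeks: a small parser for the Shell Link (.lnk) binary format that pulls out the relative path and command-line arguments, a heuristic that flags shortcuts which hand a .vbs (or similar script) to the script host, and a check for .lnk names that duplicate a sibling folder. The sample shortcuts and the directory listing are constructed inline, modelled on the paths posted in the thread; parse_lnk, is_script_launcher, shadowed_folders, build_sample_lnk and triage are my names, not anything from the thread.

```python
"""Triage helper for the "folders turned into .lnk shortcuts" pattern.

Added example, not part of the thread or of any MajorGeeks tool. It parses the
Shell Link (.lnk) format far enough to read the relative path and command-line
arguments a shortcut launches, flags shortcuts that run a script file or the
Windows Script Host, and lists .lnk names that shadow a sibling folder.
All sample inputs are constructed inline.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link format
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict (absent fields are omitted)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the item ID list (u16 size prefix)
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip LinkInfo (its first u32 is its total size)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def is_script_launcher(fields: dict) -> bool:
    """Heuristic: does the shortcut run a script file or the Windows Script Host?"""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    tokens = [t for t in re.split(r'[\s"]+', text) if t]
    return any(t.endswith(SCRIPT_EXTENSIONS) or t.endswith(SCRIPT_HOSTS) for t in tokens)


def shadowed_folders(entries) -> list:
    """entries: iterable of (name, is_dir). Return .lnk names that duplicate a sibling folder."""
    folders = {name.lower() for name, is_dir in entries if is_dir}
    return sorted(name for name, is_dir in entries
                  if not is_dir and name.lower().endswith(".lnk")
                  and name[:-4].lower() in folders)


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,          # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,       # creation / access / write FILETIMEs
                         0, 0, 1,       # file size, icon index, SW_SHOWNORMAL
                         0, 0, 0, 0)    # hotkey and reserved fields
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body + b"\x00\x00\x00\x00"   # empty ExtraData: terminal block only


def triage() -> dict:
    """Run both checks over constructed samples modelled on the listings in the thread."""
    samples = {
        "Games.lnk": build_sample_lnk(r".\340231785.vbs", r'"E:\Games"'),            # worm-style
        "WinRAR.lnk": build_sample_lnk(r"..\Program Files\WinRAR\WinRAR.exe", ""),  # ordinary
    }
    flagged = [n for n, blob in samples.items() if is_script_launcher(parse_lnk(blob))]
    listing = [("Program Files", True), ("Program Files.lnk", False),
               ("ProgramData", True), ("ProgramData.lnk", False),
               ("_OTM", True), ("WinRAR.lnk", False)]
    return {"script_launchers": flagged, "shadowing": shadowed_folders(listing)}


if __name__ == "__main__":
    print(triage())
```

    On a real machine you would feed the raw bytes of each .lnk under the drive root to parse_lnk. The shortcuts described in this thread point at a numbered .vbs file with the real folder passed as the argument, which is exactly the shape is_script_launcher looks for; legitimate shortcuts to script files do exist, so treat a hit as a lead to inspect rather than a verdict, and treat a shadowing name beside a same-named folder as the stronger signal.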
     
  38. Ekibyogami

    Ekibyogami Private E-2

    Deleting the files seemed to have caused no effect on any running programs. I figured as much since the files in the C: drive were just useless shortcuts without the .vbs file.
    Everything else is still the same. The error while starting the computer, trying to open "Computer" through the start menu etc. No further issues created basically.

    Most .lnk files are just Vista's version of shortcuts in general right?

    So are we to assume that there has just been a change in the system, creating both system errors and turning all major folders into shortcuts? If I then take some time to go through all of those left over .lnk files and find which ones are folders versus actual program shortcuts, could I then delete those, so we just need to fix the system error and get the folders back off of hidden?

    I would also like to add that (before this change too), in my personal folder (the one with your computer's name, where you can go to "Music", "Documents", "Videos" etc.), the folders also have .lnk files but the issue is reversed. What I mean is the .lnk files are hidden and the normal folders are still visible. I do not know if this means much but I figured I would mention it.

    Also, my H: drive is always connected and will further be until the issue is fixed.

    I have one other question. Since there does not seem to be a spread of the virus from running programs or using files, do you think it is safe to send files via email or plug in another USB stick to transfer files normally? I prefer not testing this theory without some of your input as infecting another computer is not one of my hopes through this process =)
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not clear on exactly what you are doing here and what the problem is. I need to know your exact steps including whether you are using right clicks or left clicks. If you mean that you Right Click Start, and then Right Click Computer and it does not open the View basic information about your computer screen (i.e. My Computer) then you may just not have the Properties set properly. You need to right click Start and select Properties. Then select the Start Menu tab, then click the Customize button. Make sure that the option under Computer is set to Display as a link.

    Shortcuts are lnk files!

    Yes but I don't see any problems anymore with important folders being shown as lnk files.

    Exactly what folders do you think are hidden? Just like Documents and Setting, Microsoft has many other folders that are not accessible.



    Sounds normal to me. I think you are just looking in the wrong place. Those folders in C:\users\Aleigh are supposed to be lnk files and you are not allowed to access them. This is not Windows XP. It is Vista. All of your accessible folders are under folders with the below names:
    • C:\users\Aleigh\Documents
    • C:\users\Aleigh\Music
    • C:\users\Aleigh\Pictures
    • C:\users\Aleigh\Save Games
    • C:\users\Aleigh\Videos
    • ...etc
    It should be fine since it really appears that your infection is gone. However let's cleanup the Windows\Recent folder too which contains some residuals from the infection.

    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\Cards.xlsx.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\My cards.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\My cards.xlsx.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\Normal.dotm.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Office\Recent\TTE Cards.LNK
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\06252010_222607.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\07102010_114537.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\07112010_083833.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\07132010_172709.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\07132010_173346.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\1.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\25 lvl 10s.txt (2).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\25 lvl 10s.txt (3).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\25 lvl 10s.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\340231785.vbs (2).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\340231785.vbs.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\678635397.vbs.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\After BC delete MGlogs.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\anime deck.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Azuerus Downloads.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\b281deadfed1a6d58fea8808b394d33cc6e3b.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Bleach.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Cards.xlsx.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Data (E).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\delete shorcut.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\documents and settings access denied.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\emails.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\exefix_vista.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Extras.Txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\findlnk.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Fix Computer.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Ga-Rei-Zero.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\history.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Holding vbs.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\image (3242).jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Instant Immersion Japanese.pdf.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Japanese.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\kavudisk.rar.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\LauraShigihara-Uraniwa_ni_Zombies_ga.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Let's Learn Japanese Basic I - Lesson 02 - What's That.avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Let's Learn Japanese Basic I [Lessons 1-10] AVI.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\lnkfix_vista.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Logs.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\mbam-log-2010-06-24 (17-37-44).txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\MGlogs (2).zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\MGlogs (3).zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\MGlogs (4).zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\MGlogs.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\MGtools.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Movies.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards (2).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards (3).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards (4).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards (5).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards (6).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My cards.xlsx.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My Passport (H).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\My Received Files.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Normal.dotm.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\nps_map99[1].pdf.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Opening My Computer and certain files error.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Opening My Computer and certain files error1.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\OTL 08042010_173850.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\OTL 08062010_152247.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\OTL 08082010_205833.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\OTL.Txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Pictures.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\shortcut problem.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Soulseek.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\SUPERAntiSpyware Scan Log - 06-24-2010 - 12-44-06.log (2).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\SUPERAntiSpyware Scan Log - 06-24-2010 - 12-44-06.log.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Teaching Pictures.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Templates.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\TTE Cards.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\vbsfix_vista.zip.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Vexille_(2007)_[1080p,HDDVD,x264,DTS]_-_THORA.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Vexille_(2007)_[1080p,HDDVD,x264,DTS]_-_THORA.mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Vista (C).lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\what to do.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\whip it.rmvb.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\Window Opening Message.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\WinRAR.chm.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\WinRAR.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\WoW molten.txt.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\zip file error.jpg.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[ANIME-PLUS.COM]_[AniYoshi]_Ga-Rei_Zero_-_09_[15E913F0].lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[ANIME-PLUS.COM]_[AniYoshi]_Ga-Rei_Zero_-_10_[5A0DE419].lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_267_[9362E180].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_268_[78DA76C6].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_269_[FD6CF682].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_270_[7A022130].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_271_[5FF99426].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_272_[DF83DA74].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_273_[9E733693].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[DB]_Bleach_274_[FA8E827E].avi.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[gg]_HIGHSCHOOL_OF_THE_DEAD_-_01_[723FC3A4].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[gg]_HIGHSCHOOL_OF_THE_DEAD_-_03_[F5860691].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] Bleach - 278 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] Bleach - 279 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] Bleach - 280 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] Bleach - 281 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] Bleach - 282 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] HIGHSCHOOL OF THE DEAD - 02 [360p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] HIGHSCHOOL OF THE DEAD - 04 [720p].mkv.lnk
    C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent\[HorribleSubs] HIGHSCHOOL OF THE DEAD - 05_(XviD_AnimeSenshi).avi.lnk
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  40. Ekibyogami

    Ekibyogami Private E-2

    Everything is the same.
    No reboot was needed and none of the files could be moved.

    I attached pictures for
    1. Where I am talking about for the Computer button from the Start Menu
    2. The current C: Drive
    3. Checking the properties of a folder in the H: drive which is hidden and if you look at the 'hidden' option, you can see that I cannot change it.

    For picture 1. - It is from simply left clicking it. Please check my first post for the picture of the error.
    For picture 2. and 3. - As you can see, all the folders are hidden right now and I cannot make them unhidden. This goes for the C: E: and H: drive.
    For picture 3. again - If you look at the "attributes" part of the properties window, you will see the .vbs file which was needed for the .lnk files (that we just recently deleted) to work.
    -Kestrel13! had the one .vbs file deleted in the C: drive before. It never came back.
    For picture 3. again - Just above the properties window, you will see the folder "another another trial" and that one was created after my attempts to make the zip file with the .lnk folder shortcuts. There is no change to it and it is not hidden as you can see.

    So, in short I suppose, I still have the .smss error during the start up, the error when clicking "Computer" in the start menu, most of my main folders in each drive still being hidden and whatever system/registry changes have been made from the virus.
     

    Attached Files:

  41. Ekibyogami

    Ekibyogami Private E-2

    These are the logs as requested.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below
    • Right Click Start and select Explore.
    • Navigate to the below folder
      • C:\Users\Aleigh\AppData\Roaming\Microsoft\Windows\Recent
    • Once you have the Recent folder selected, right click on it and select Clear Recent Items List
    Did that work?
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let's talk about two files on your H drive that we should be concerned about. The AutoRun.inf and the 678635397.vbs files. Can you right click on these and select delete? If yes then delete them. Then reboot.




    Try the below example to see if we can unhide one folder manually. We will try the Games folder from your example.
    1. Click Start, Run and enter cmd and click OK to open a command prompt window.
    2. Type the following commands and press enter after each (Note: Assumes your external drive is still drive H):
    H:
    attrib -H -S "Games" /D


    Did that unhide the Games folder?
     
  44. Ekibyogami

    Ekibyogami Private E-2

    I was able to delete the two files. Then when trying the code, I got a message
    "The /D switch is only valid with the /S switch."
    So nothing changed.

    Yes, this did work.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try leaving off the /D and see if that works for the Games folder
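    The attrib step above clears Hidden and System from one folder at a time, and the error the user hit shows that /D is only accepted together with /S. As an added example (not a tool from this thread), here is the same remediation written for a whole directory listing, with the one caveat that matters in practice: folders Windows hides on purpose (System Volume Information, $RECYCLE.BIN) are left alone rather than unhidden along with everything else. plan_unhide works on any platform from a constructed listing; scan_root and apply_plan use Windows-only APIs (st_file_attributes and SetFileAttributesW) and are assumptions about the target host. The function names and the sample attribute values are mine.

```python
"""Bulk version of "attrib -H -S <folder>" for a whole directory listing.

Added example, not a tool from this thread. plan_unhide() decides which folders
to unhide from a list of (name, attributes) pairs; scan_root() and apply_plan()
are the Windows-only parts that read and write real attributes.
"""
import os
import sys

# Attribute bits as returned by GetFileAttributesW / os.stat().st_file_attributes
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10

# Folders Windows keeps Hidden+System on purpose; clearing them is not part of the cleanup.
PROTECTED = {"system volume information", "$recycle.bin", "recycled", "recycler", "boot"}


def plan_unhide(entries):
    """Return the folder names that carry Hidden or System and are not protected.

    entries: iterable of (name, attributes) for one directory. Plain files are
    skipped (the shortcuts left behind are files, the hidden things are folders);
    protected names are left exactly as they are.
    """
    plan = []
    for name, attrs in entries:
        if not attrs & FILE_ATTRIBUTE_DIRECTORY:
            continue
        if name.lower() in PROTECTED:
            continue
        if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            plan.append(name)
    return plan


def scan_root(root):
    """Windows only: read the real attributes of every entry directly under root."""
    return [(name, os.stat(os.path.join(root, name)).st_file_attributes)
            for name in os.listdir(root)]


def apply_plan(root, names):
    """Windows only: clear H and S on each planned folder (what attrib -H -S does)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    for name in names:
        path = os.path.join(root, name)
        attrs = k32.GetFileAttributesW(path)
        if attrs == 0xFFFFFFFF:          # INVALID_FILE_ATTRIBUTES
            raise ctypes.WinError()
        cleared = attrs & ~(FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
        if not k32.SetFileAttributesW(path, cleared):
            raise ctypes.WinError()


# Constructed listing modelled on the H: drive in the thread; attribute values are assumptions.
SAMPLE_LISTING = [
    ("Games", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("Pictures", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("System Volume Information",
     FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("Games.lnk", 0x20),                                  # leftover shortcut: a file, not a folder
    ("another another trial", FILE_ATTRIBUTE_DIRECTORY),  # already visible, nothing to do
]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        root = sys.argv[1]                # e.g. H:\
        todo = plan_unhide(scan_root(root))
        apply_plan(root, todo)
        print("unhid:", todo)
    else:
        print("would unhide:", plan_unhide(SAMPLE_LISTING))
```

    Run with no arguments it only prints the plan for the constructed listing; given a drive root on Windows it applies the plan to that one level. Keeping the protected set explicit is the point of the example: a blanket attrib over a drive root also strips the attributes from folders that are supposed to stay hidden.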
     
  46. Ekibyogami

    Ekibyogami Private E-2

    This worked =)

    The folder can be moved back to hidden too if wanted so that part is not blocked anymore.

    I also wanted to ask, do you think there would be any problems with me running the script from Kel to get rid of the smss error on the computers start-up like before? I have no problem waiting since there might be other issues at hand but I figured I would ask. (Hate errors)
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then try similar for your other folders. ;)

    Do the below.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F3 - REG:win.ini: load="C:\Windows\System32\smss.exe:1004299937.vbs"
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)

    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  48. Ekibyogami

    Ekibyogami Private E-2

    After restart, the error is gone. Thank you again for that.

    Next part:
    I tried going to the folder options and under "Hidden Files and Folders", nothing was selected. So I selected to show the hidden folders. Once again, all the folders became hidden and I cannot change it back. So that one fix was just temporary. Can I re-run that fixme2.reg for now though so I can continue changing my folders back?

    I got rid of the .vbs and autorun.inf in the E: drive just like the C: and H: drives. (Just letting you know)
     

    Attached Files:

    Last edited: Aug 22, 2010
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can run that same patch even though some of it is no longer necessary. You only have a few of the registry key problems that need to be fixed, but it will not hurt anything to run the full patch.
     
  50. Ekibyogami

    Ekibyogami Private E-2

    This time the registry fix did not allow me to view my hidden folders and the setting shows it as "Show hidden Files and Folders" just as before.

    So the only other thing besides that I think is the "Computer" shortcut in the start menu as shown in the first post as mentioned before. Other than that, it looks like whatever would cause the infection to spread is gone because those .vbs and .lnk files have been removed. (So I hope anyways.)

    Even though I know there is more work to be done, I just want to say thank you both for helping me up to this point especially because it has been quite a lot of work I am sure. Thank You.
     
