USB shortcut virus; plus repeated Malwarebytes "Website blocked" pop-ups


Hi,

I am having several problems on my PC laptop, which is running Windows 8.1. FYI, I have Malwarebytes Premium 3.0.6.1469, and I have run recent threat and custom scans on my laptop, and it is now showing up clear (Trojan Agents were quarantined and have now been removed). But the problems persist.

(1) My laptop seems to have the "USB shortcut virus," which hides all files/folders on any USB stick that I insert into my USB drives and replaces them with a shortcut. See attached jpeg. Following instructions I found on the Internet, I have been able to unhide the files/folders and recover them, and I've reformatted my USB sticks so they are okay when I insert them into a different laptop. But the virus seems to still be on my laptop, and I haven't figured out how to remove it (so, if I put my reformatted USB stick into a USB drive, the shortcut again appears on the USB stick, Malwarebytes detects and quarantines something, and I have to repeat the process to unhide any files and reformat the USB stick).

(2) Malwarebytes is constantly showing me "Website blocked" pop-ups. I've attached 3 jpegs of pop-up variants (showing some of the different domain names that have appeared). I have also exported and attached 3 recent Malwarebytes reports - see those 3 txt files.

And I have run the Farbar Recovery Scan Tool and attached the FRST.txt and Addition.txt files.

Thank you in advance!

Vivien

 

USB shortcut virus.JPG

Malwarebytes - Website blocked msg1 - domain 76236osm1.jpg

Malwarebytes - Website blocked msg2 - domain differentia.jpg

Malwarebytes - Website blocked msg3 - domain 118 112 82 50.jpg

FRST.txt

Addition.txt

Website blocked - export of recent report - May 27 2017, 9-23pm.txt

Website blocked - export of recent report - May 27 2017, 9-22pm.txt

Website blocked - export of recent report - May 27 2017, 9-21pm.txt


Hello @vleong

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

 

 

Fix with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After the reboot, the logfile will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Can you please open Malwarebytes 3 and check for updates. Then do a Threat Scan and post back that log.

If the infection or redirection or popup continues then please run the following.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


Unfortunately, the "Website blocked" pop-ups started again this morning - fast and furiously non-stop! And the USB shortcut virus also seems to be back - I also put in a USB key today and my files are hidden again. Should I follow the rest of your previous instructions, as I've quoted below?

FYI, I've done another Malwarebytes 3 threat scan. It again came up clear - see attached log.

Note: I also did get a potential phishing email yesterday - I opened the email as it was about an upcoming meeting, and did click on one link; soon after, the person it came from said he didn't send it and it was likely a phishing scam.

Thanks,

Vivien

 

Quote

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

 

 

Malwarebytes threat scan - June 7 2017.txt


Well, that was not a good idea, clicking on links in mail these days. We'll probably need to scan and clean again. Normally when reading an email, if you look closely at the FROM field it will often show the entire name, and often (not always) it will show names or servers or companies that have nothing to do with the real person. In my case I got 2 of them today, but looking I could see that they were not really from Apple, as the name and company did not match apple.com, so I just deleted them.

Please open Malwarebytes and click on the Custom Scan and make sure you select to run the rootkit scan and select your C: drive and then click run the scan.

When done, post back the results of that scan please.

Thanks

Ron

 


Yes, I know, it was stupid to click on the email link - the link said "See replies . . . " and I thought I'd check who had accepted the meeting invitation. And b/c I attend meetings of this committee as an alternate only, I don't actually know the names of the people on the committee, much less their "real" email addresses. Sigh.

In any case, I've done the Custom Scan, including rootkits, and the logfile is attached. Note: I'd closed down my email, so didn't see you'd said to select just C: drive. I selected both C: and D: drive. If that's a problem, let me know and I'll re-run the scan. But the scan came up clear. Though I did see something in the Quarantine, which definitely relates to the USB shortcut virus - see image.

Quarantine - USB shortcut virus.JPG

Thanks,

Vivien

Malwarebytes custom scan, incl rootkits - June 7 2017.txt


Thanks, looks good. Let me get a new set of FRST logs. Make sure you place a checkmark in the Addition.txt check box and then attach both new logs, please.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 


Hi Vivien,

There is a file on your computer that does not look to be valid. Can you please zip up that file for me and attach it to your next post. If you need help on how to create a zip file please let me know.

C:\Users\Vivien\AppData\Roaming\eeyU0Z8hGm.exe

Thank you

Ron

 


Hi, Ron,

I searched several times for that exe file, but it didn't turn up in the search results. I searched both in that specific subdirectory (C:\Users\Vivien\AppData\Roaming\) and in the root directory (C:\). I also tried an advanced search that included non-indexed locations. I've attached & pasted below a jpeg of one of my search results.

search for eeyU0Z8hGm.jpg

Looking at the FRST.txt log, I tried searching for - and found - the A shortcut link, whose target is that EXE file. See screen capture below. I didn't dare to click on the shortcut link.

Startup folder A shortcut link.JPG

But I did look at the shortcut's properties, and the target is the same as was indicated by you and in the FRST.txt log.

A shortcut link properties.JPG

What next?

Vivien

 

 

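The shortcut Vivien describes above, a .lnk whose target is an executable dropped under AppData\Roaming, can be examined without ever clicking it. The script below is an added example and not something posted in this thread: it reads the target path and argument string directly from a shortcut's bytes according to the Shell Link binary format and flags the pattern seen here. The sample shortcuts are constructed inside the code; the path mirrors the one quoted in the thread and the argument string is a placeholder.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID as serialized in the header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, IS_UNICODE = 0x08, 0x10, 0x20, 0x80

def parse_lnk(data: bytes) -> dict:
    """Read the target path and string data straight from .lnk bytes; nothing is resolved or launched."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, target = 76, None
    if flags & HAS_ID_LIST:                  # skip the ItemIDList; the LinkInfo path is what we want
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:                   # VolumeIDAndLocalBasePath: ANSI path at LocalBasePathOffset
            off = struct.unpack_from("<I", data, pos + 16)[0]
            target = data[pos + off:data.index(b"\x00", pos + off)].decode("cp1252")
        pos += size
    def string_data():                       # CountCharacters, then the characters, no terminator
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + n * width]
        pos += 2 + n * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")
    info = {"target": target, "working_dir": None, "arguments": None}
    if flags & HAS_NAME: string_data()       # description string, not useful for triage
    if flags & HAS_REL_PATH: string_data()
    if flags & HAS_WORKING_DIR: info["working_dir"] = string_data()
    if flags & HAS_ARGS: info["arguments"] = string_data()
    return info

def triage(info: dict) -> list:
    """Flag the pattern from this thread: a shortcut whose target is an .exe dropped under AppData\\Roaming."""
    t = (info["target"] or "").lower()
    if t.endswith(".exe") and "\\appdata\\roaming\\" in t:
        return ["target is an executable under AppData\\Roaming: " + info["target"]]
    return []

def build_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal ANSI .lnk (LinkInfo plus optional arguments) so the parser can run offline."""
    base, args = target.encode("cp1252") + b"\x00", arguments.encode("cp1252")
    vol = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # VolumeID: size, fixed drive, serial, label offset
    li = struct.pack("<IIIIIII", 28 + len(vol) + len(base) + 1, 28, 0x1, 28, 28 + len(vol), 0,
                     28 + len(vol) + len(base)) + vol + base + b"\x00"
    flags = HAS_LINK_INFO | (HAS_ARGS if args else 0)
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    return header + li + (struct.pack("<H", len(args)) + args if args else b"")

# Constructed samples: the path mirrors the one quoted in the thread; the argument string is a placeholder.
SUSPECT = build_lnk(r"C:\Users\Vivien\AppData\Roaming\eeyU0Z8hGm.exe", "PLACEHOLDER-ARGS")
BENIGN = build_lnk(r"C:\Windows\System32\notepad.exe")
```

On a real machine, feed `parse_lnk(open(path, "rb").read())` the .lnk files from a USB stick's root or the Startup folder; shortcuts with the HasLinkTargetIDList flag but no LinkInfo yield no target here, so treat an empty result as "inspect further", not "clean".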

Please try the following @vleong

Click START and type in CMD.EXE and when it shows on the menu right-click over it and select "Run as administrator"

Then type the following exactly and tell me what it says.

DIR  /A  C:\Users\Vivien\AppData\Roaming\*.EXE

Thanks

 


Result below (also attached as jpeg of screen capture):
 

Quote

 

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DIR /A C:\Users\Vivien\AppData\Roaming\*.EXE
 Volume in drive C is TI80156300B
 Volume Serial Number is 36A3-644D

 Directory of C:\Users\Vivien\AppData\Roaming

2017-05-12  07:21 AM        67,915,618 eeyU0Z8hGm.exe
               1 File(s)     67,915,618 bytes
               0 Dir(s)  838,591,688,704 bytes free

C:\Windows\system32>

 

Note: I need to go to sleep now. So, if you reply to this now and don't hear back from me, that's why.

Thanks,

Vivien

CMD results - Fri June 9 - 2 am.JPG


Yes, I know how to zip/unzip files. But the link was a good verification that I'm doing it right. Thanks!

But I can't get the file to show up in Explorer. All I get is the same C:\Windows\System32> prompt again. I've tried many times, using different methods in case I was doing it wrong, e.g., typing in CMD vs. CMD.exe in the START BOX, typing the entire "attrib . . . " line in the START box; using upper- vs. lowercasing, double-checking spelling, etc. I've attached a jpeg of one of my attempts.

Vivien

search in CMD.exe prompt with attrib - Fri June 9 - 10 am.JPG


Okay, let's go ahead then and manually remove it so we don't waste any more of your time on this @vleong

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 


Hi, Ron,

Fixlog.txt is attached.

FYI, my computer seemed stuck, for a very long time, at "10%" complete scanning & fixing C: drive. I left it for several hours, and finally came back to see it in sleep mode. And I've just revived it. Fingers crossed.

Thanks as ever,

Vivien

Fixlog.txt


Okay, that looks good too. Let's run the same other scans we ran before to double-check all is gone.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

 

 

Fix with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After the reboot, the logfile will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Ron,

I was able to get through only steps 1 and 2: Junkware Removal Tool & AdwCleaner. I've attached those logfiles.

I downloaded the Sophos Virus Removal Tool (step 3), but when I've tried to run it, I always get an error message. See below (and attached). I've tried about 5-8 times, including after shutting down my computer overnight (during which time updates were installed on my computer). I'm now re-downloading the program, in case that might help, but not holding my breath. Suggestions for what to do next? (And I did NOT do step 4 - FRST scan - at this point.)

Vivien

JRT.txt

AdwCleaner[S1].txt

AdwCleaner[C2].txt

Sophos error msg.JPG
