
How do I remove the shortcut virus?



Hi,

I have ESET version 7.0.317.4 installed. Recently a new virus has hidden all files and folders in USB flash drives and turns the flash drive icon into a shortcut folder.

 

ESET does not seem to block or remove the virus.

 

~removed Sysinspector Log~
Edited by foneil
removed Sysinspector Log

So the screenshot you took is from the flash drive? But you can access the "folder"?

 

So the first thing I would do is run the following CMD command so that it shows all hidden files:

attrib -SH I: /S /D

where "I:" is the drive letter of the drive.

 

And BTW it is a normal folder and not a shortcut according to the screenshot you posted.


  • ESET Moderators

Please, I need help with this problem.

 

mohamed_zezo, per Marcos, you should submit your SysInspector log per the instructions in SOLN141 along with a link to this topic.


mohamed_zezo, per Marcos, you should submit your SysInspector log per the instructions in SOLN141 along with a link to this topic.

My SysInspector log:

~removed~

Edited by foneil
removed attached SysInspector Log

Hello,

 

In case you were unable to submit the log per the instructions, I took the opportunity to go through it really quickly.

My response below will detail everything I would double-check on my own machine if found.

 

I advise against solely taking my advice; wait for an ESET moderator or employee to review as well, and make sure there is not more.

They are the experts; they are the ones who developed SysInspector. I defer to them on any related questions.

Edited by Arakasi

Hello again,

Reviewed below:

 

Running processes

"Module" = "c:\windows\system32\crypserv.exe" ( 5: Unknown ) ; CrypKey NT Service ; Kenonic Controls Ltd. ;
See the following links related to this service:

hxxp://www.isthisfilesafe.com/company/Kenonic%20Controls%20Ltd._details.aspx

hxxp://www.isthisfilesafe.com/product/CrypKey%20Software%20Licensing%20System_details.aspx

So please make sure this process is legitimate.

 

Network connections

I advise removing your SysInspector log from this public forum, as it contains information that normally would not be shared with the public.

"admin.exe" = "192.168.1.2" shows a connection to a server and the port number to connect on. This should be kept private.

Programsshop/account/admin.exe

 

Important Registry Entries

I can also see your AutoKMS; please understand that piracy is forbidden as a discussion here, and no links, info, etc. regarding it should be discussed.

However, keep in mind that searching for and downloading cracks and torrents for software that should be paid for will certainly lead to viruses and malware on your hunt; this may have been where your problem came from.

Not necessarily AutoKMS, but maybe something similar.

 

The following key loads a VBScript that sits in AppData. I have no clue what is coded in that VBS file, but it would be worth a look to see if it is causing problems.

"Key" = "HKU\S-1-5-21-619436963-3875522305-764751383-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown ) ;

It resides in a folder labeled "1", which is a pattern that malware has used in the past. However, I noticed your username is 1, or at least the PC is 1-PC.

"iexplore" = "wscript.exe //B "C:\Users\1\AppData\Roaming\Internet Explorer\\iexplore.vbs"" ( 5: Unknown ) ;  ;  ;

 

You have several BHOs listed in the registry as well, one of which also says redirect:

"Default" = "URLRedirectionBHO" ( 5: Unknown ) ;
You might want to reset your browser to default and clear out any BHOs you find under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

 

This is a suspicious Shell Open Command:

"Default" = ""C:\Program Files\AutoRun Maker\AutoRun Maker.exe" "%1"" ( 5: Unknown ) ; AutoRun Maker ; Abhishek ;

 

Under this key:

"Key" = "HKLM\SOFTWARE\Classes\BB FlashBack Player.Document\shell\open\command" ( 5: Unknown ) ;

I find the following:

"Default" = "㩃停潲牧浡䘠汩獥䉜畬扥牥祲匠景睴牡履䉂䘠慬桳慂正䔠灸敲獳㔠䙜慬桳慂正倠慬敹⹲硥⁥┢∱" ( 5: Unknown ) ;
This needs to be removed ^

 

Is Kelk 2000 a good program? I also see that in the registry.

 

Look for a DllDirectory in your system32:

"DllDirectory" = "%SystemRoot%\system32" ( 5: Unknown ) ;
Not sure if that is good or bad.

 

I also have to question this entry. Is this the Hyena tool for AD? hxxp://www.systemtools.com/HyenaHelp/introduction.htm

"Key" = "HKLM\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}" ( 5: Unknown ) ;

"DriveMask" = "0x20 (32)" ( 5: Unknown ) ;

 

Here is the CrypKey not only as a process but as a service as well:

"Crypkey License" = "crypserv.exe" Automatic ; Running ; ( 5: Unknown ) ; CrypKey NT Service ; Kenonic Controls Ltd. ;
 

Drivers

The following driver is suspicious; do you know what it is for?

"NetworkX" = "c:\windows\system32\ckldrv.sys" System ; Running ; ( 5: Unknown ) ;  ;  ;

 

EVENT LOGS

I found these two entries to be suspicious:

"Entry" = "Network Request Error. Error: 0x80072ee7. Http status code: 0. Url=https://www.facebook.com/omaha/update.php Trying config: source=IE, direct connection. trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0. trying WinHTTP. Send request returned 0x80072ee7. Http status code 0.  trying CUP:iexplore. Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=. trying CUP:WinHTTP. Send request returned 0x80072ee7. Http status code 0. trying WinHTTP. Send request returned 0x80072ee7. Http status code 0.trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0. Trying config: source=IE, direct connection. trying CUP:WinHTTP. Send request returned 0x80072ee7. Http status code 0.trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.trying CUP:iexplore.Send request returned 0x80004005. Http status code 0.Trying config: source=auto, wpad=1, script=.trying CUP:WinHTTP.
Send request returned 0x80072ee7" 27/12/2014 13:02:52 ;

 

"Entry" = "Product: ESET NOD32 Antivirus -- Error 1922. Service 'ESET Service' (ekrn) could not be deleted.  Verify that you have sufficient privileges to remove system services." 25/12/2014 13:25:26 ;

Were you trying to uninstall ESET? Or was this an outside source trying to remove the service or attack ESET?

 

Your system logs have thrown the following error:

"Entry" = "The driver detected a controller error on \Device\Harddisk1\DR1." 11/12/2014 11:52:06 ;

 

Files

"Linked to" = "Important Registry Entries -> Shell Open Commands -> HKLM\SOFTWARE\Classes\.amsf\shell\open\command -> "C:\Program Files\AutoRun Maker\AutoRun Maker.exe" "%1""

hxxp://www.isthisfilesafe.com/company/Abhishek_details.aspx

Abhishek has several files floating around that are harmful. They even have a couple of file extension changers, which sounds like a probable cause of the issue you are facing.

 

"Linked to" = "Important Registry Entries -> TypeLibs -> HKLM\SOFTWARE\Classes\TypeLib\{4F9C41AB-1074-4AE8-992F-1C856F676877}\2.0\0\win32 -> C:\Users\1\AppData\Local\Temp\Excel8.0\MSForms.exd"

MSForms.exd: not sure if this file is safe or not, as ESET lists it as unknown. The location is strange... AppData.

 

"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Windows\AutoKMS.exe"

 

"Linked to" = "Important Registry Entries -> TypeLibs -> HKLM\SOFTWARE\Classes\TypeLib\{ADD29A64-3096-4E72-AD8E-12EB238A6D2A}\1.2\0\win32 -> C:\Users\1\AppData\Local\Temp\VBE\RefEdit.exd"

"Linked to" = "Running processes -> admin.exe -> c:\program files\programsshop\accountant\admin.exe"

The accountant program that we discussed previously, which listed connections and showed the server IP and port, etc.

 

"Linked to" = "Running processes -> admin.exe -> c:\program files\programsshop\accountant\psptf.dll"

 

"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> wscript.exe //B "C:\Users\1\AppData\Roaming\Internet Explorer\\iexplore.vbs""


 

Edited by Arakasi

  • ESET Moderators

Once again, as Arakasi stated, you shouldn't rely on a detailed SI analysis on the forum and should follow the instructions in SOLN141 to submit your log to ESET. Also, as shown in Arakasi's reply, SIs can contain personally identifiable information that you may not have intended to share with everyone on a public forum.

 

As such, I have removed the attached SI from the previous post. 


  • 6 months later...

For removing the shortcut virus:

 

  • Go to Start -> Run -> cmd.
  • Go to your pen drive, memory card or mobile phone directory.
  • Type del *.lnk (to delete all link files in the directory).
  • Type attrib -h -r -s /s /d e:*.*
  • Replace e with your drive letter.
  • And then press a gentle Enter.

 

 

For more information: hxxp://www.combatpcviruses.com

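Before running the `del *.lnk` step above (which also removes any legitimate shortcuts on the drive) it helps to confirm which shortcuts are the infection and what they launch. The following is an added example for this thread, not code from the forum posts or from ESET: it parses a Windows Shell Link (.lnk) file straight from its bytes, applies one set of command-line heuristics both to a shortcut's target and to a SysInspector Run-key value such as the wscript.exe //B ... iexplore.vbs entry Arakasi quoted earlier, and reports why each looks like a script dropper. The two .lnk samples, the folder-icon index and the heuristic word lists are constructed assumptions for the demo, not ESET detections.

```python
"""Triage 'shortcut virus' artefacts: .lnk files on a removable drive and
autostart values like the SysInspector Run-key lines quoted in the thread.
Added example for this thread, not code from the forum or from ESET; the
sample .lnk bytes below are constructed for the demo."""
import re
import struct
from dataclasses import dataclass

# Shell Link header constants, per MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))


@dataclass
class ShellLink:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> ShellLink:
    """Header -> optional LinkTargetIDList -> optional LinkInfo -> StringData."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    link = ShellLink()
    for attr, bit in STRING_FIELDS:   # CountCharacters + unterminated chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            setattr(link, attr, raw.decode("utf-16-le" if width == 2 else "cp1252", "replace"))
    return link


def build_lnk(relative_path: str, arguments: str, icon_location: str = "") -> bytes:
    """Smallest Unicode .lnk the parser accepts: header plus StringData only."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = [relative_path, arguments] + ([icon_location] if icon_location else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


# Command-line heuristics shared by shortcut targets and Run-key values (assumed lists).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1")
HIDDEN_DIRS = ("\\appdata\\", "\\temp\\", "recycler", "$recycle.bin", "system volume information")


def classify_command(command: str) -> list[str]:
    """Reasons a launch command looks like a script dropper or persistence."""
    c = command.lower()
    checks = (
        ("script or command host", any(h in c for h in SCRIPT_HOSTS)),
        ("runs a script file", any(e in c for e in SCRIPT_EXTS)),
        ("silent wscript //B flag", "//b" in c),
        ("payload in a user-writable or hidden directory", any(d in c for d in HIDDEN_DIRS)),
        ("re-launches explorer to mimic opening a folder", "start explorer" in c),
    )
    return [reason for reason, hit in checks if hit]


def triage_lnk(data: bytes) -> list[str]:
    """Classify a shortcut by its target plus arguments, and by a borrowed folder icon."""
    link = parse_lnk(data)
    reasons = classify_command(f"{link.relative_path} {link.arguments}")
    if "shell32.dll" in link.icon_location.lower():
        reasons.append("borrows a stock shell icon to look like a folder")
    return reasons


SI_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"\s*\(\s*\d+:')


def triage_si_value_line(line: str) -> tuple[str, list[str]]:
    """Parse one '"name" = "value" ( n: ... ) ;' SysInspector line and classify the value."""
    m = SI_VALUE.match(line.strip())
    if not m:
        raise ValueError("not a SysInspector value line")
    return m["name"], classify_command(m["value"])


# Constructed .lnk samples (assumptions); RUN_LINE is the Run-key entry quoted in the thread.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                          r'/c start wscript.exe //B "RECYCLER\S-1-5-21-1\x.vbs" & start explorer "Documents"',
                          r"%SystemRoot%\system32\shell32.dll,3")
BENIGN_LNK = build_lnk(r"..\Tools\notepad++.exe", '"notes.txt"')
RUN_LINE = r'"iexplore" = "wscript.exe //B "C:\Users\1\AppData\Roaming\Internet Explorer\\iexplore.vbs"" ( 5: Unknown ) ;  ;  ;'

if __name__ == "__main__":
    print("malicious.lnk:", triage_lnk(MALICIOUS_LNK))
    print("benign.lnk:", triage_lnk(BENIGN_LNK))
    print("Run value:", triage_si_value_line(RUN_LINE))
```

On a real drive, read each `*.lnk` (for example with `Path("E:/").rglob("*.lnk")`) and pass the bytes to `triage_lnk`; only the shortcuts that come back with reasons need deleting, and the folder names they pass to `start explorer` are the hidden originals that the `attrib -h -r -s /s /d` step makes visible again. The same `classify_command` applied to every value under the Run keys finds the persistence that re-infects the next drive.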

  • 6 months later...

Yes, I also faced this problem.
I have lost all my important data, but anyway you have to use the best antiviruses to protect it.
There is a virus named the "shortcut virus"; sometimes this virus can't be removed by antiviruses either.
On the web I found the solution to this problem. Link to the solution: remove shortcut virus from pendrive

I hope this will work for you.
Some important tips for you to prevent the shortcut virus:
1. Avoid exchanging data with a computer that has the shortcut virus.
2. Use good antiviruses.
3. Stay safe.

I hope you like my solution.
Thanks.

This topic is now closed to further replies.