mohamed_zezo (posted December 29, 2014, edited):

Hi, I have ESET version 7.0.317.4 installed. Recently a new virus has hidden all files and folders in USB flash drives and turns the flash drive icon into a shortcut folder. ESET does not seem to block or remove the virus.

~removed SysInspector log~

(Edited December 30, 2014 by foneil: removed SysInspector log)
rugk (posted December 29, 2014):

So the screenshot you took is from the flash drive? But you can access the "folder"?

So the first thing I would do is to run the following CMD command so it will show all hidden files:

attrib -S -H I:\*.* /S /D

where "I:" is the drive letter of the drive.

And BTW, it is a normal folder and not a shortcut according to the screenshot you posted.
mohamed_zezo (posted December 30, 2014, edited):

Does not work, and the virus is still active.

(attached video: 2014-12-30_13-50-09.mp4)
mohamed_zezo (posted December 30, 2014):

Please, I need help with this problem.
foneil, ESET Moderator (posted December 30, 2014):

> please i need help with this problem

mohamed_zezo, per Marcos, you should submit your SysInspector log per the instructions in SOLN141 along with a link to this topic.
mohamed_zezo (posted December 30, 2014, edited):

> mohamed_zezo, per Marcos, you should submit your SysInspector log per the instructions in SOLN141 along with a link to this topic.

My SysInspector log: ~removed~

(Edited December 30, 2014 by foneil: removed attached SysInspector log)
Arakasi (posted December 30, 2014, edited):

Hello,

In case you were unable to submit the log per instructions, I took the opportunity to go through it really quick. My response following will detail everything I would double check on my own machine if found. I advise against solely taking my advice; wait for an ESET moderator or employee to review as well, and make sure there is not more. They are the experts, they are the ones who developed SysInspector. I defer to them on any questions related.
Arakasi (posted December 30, 2014, edited):

Hello again, reviewed below:

Running processes

"Module" = "c:\windows\system32\crypserv.exe" ( 5: Unknown ) ; CrypKey NT Service ; Kenonic Controls Ltd. ;

See the following links related to this service:
hxxp://www.isthisfilesafe.com/company/Kenonic%20Controls%20Ltd._details.aspx
hxxp://www.isthisfilesafe.com/product/CrypKey%20Software%20Licensing%20System_details.aspx
So please make sure this process is legitimate.

Network connections

I advise removing your SysInspector log from this public forum as it contains information that normally would not be shared with the public. "admin.exe" = "192.168.1.2 shows a connection to a server and the port number to connect on. This should be kept private. Programsshop/account/admin.exe

Important Registry Entries

I can also see your AutoKMS; please understand that piracy is forbidden as a discussion here and no links or info etc. regarding it should be discussed. However, keep in mind that searching and downloading cracks and torrents for software that should be paid for will certainly lead to viruses and malware on your hunt; this may have been where your problem came from. Not necessarily AutoKMS, but maybe similar.

The following key loads a VBScript that sits in AppData. I have no clue what is coded in that VBS file, but it would be worth a look to see if it is causing problems.
"Key" = "HKU\S-1-5-21-619436963-3875522305-764751383-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown ) ;
It resides in a folder labeled "1", which is a pattern that malware has used in the past. However, I noticed your username is 1, or the PC at least is 1-PC.
"iexplore" = "wscript.exe //B "C:\Users\1\AppData\Roaming\Internet Explorer\\iexplore.vbs"" ( 5: Unknown ) ; ; ;

You have several BHOs listed in the registry as well, one that also says redirect:
"Default" = "URLRedirectionBHO" ( 5: Unknown ) ;
Might want to reset your browser to default and clear out any BHOs you might find in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

This is a suspicious Shell Open Command:
"Default" = ""C:\Program Files\AutoRun Maker\AutoRun Maker.exe" "%1"" ( 5: Unknown ) ; AutoRun Maker ; Abhishek ;

Under this key:
"Key" = "HKLM\SOFTWARE\Classes\BB FlashBack Player.Document\shell\open\command" ( 5: Unknown ) ;
I find the following:
"Default" = "㩃停潲牧浡䘠汩獥䉜畬扥牥祲匠景睴牡履䉂䘠慬桳慂正䔠灸敲獳㔠䙜慬桳慂正倠慬敹硥┢∱" ( 5: Unknown ) ;
This needs to be removed ^

Is Kelk 2000 a good program? I also see that in the registry.

Look for a DllDirectory in your system32:
"DllDirectory" = "%SystemRoot%\system32" ( 5: Unknown ) ;
Not sure if that is good or bad.

Have to also question this entry. Is this the Hyena Tool for AD? hxxp://www.systemtools.com/HyenaHelp/introduction.htm
"Key" = "HKLM\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}" ( 5: Unknown ) ;
"DriveMask" = "0x20 (32)" ( 5: Unknown ) ;

Here is the CrypKey not only as a process but a service as well:
"Crypkey License" = "crypserv.exe" Automatic ; Running ; ( 5: Unknown ) ; CrypKey NT Service ; Kenonic Controls Ltd. ;

Drivers

The following driver is suspicious; do you know what it is for?
"NetworkX" = "c:\windows\system32\ckldrv.sys" System ; Running ; ( 5: Unknown ) ; ; ;

EVENT LOGS

I found these two entries to be suspicious:

"Entry" = "Network Request Error. Error: 0x80072ee7. Http status code: 0. Url=https://www.facebook.com/omaha/update.php Trying config: source=IE, direct connection. trying CUP:WinHTTP.Send request returned 0x80072ee7. Http status code 0. trying WinHTTP. Send request returned 0x80072ee7. Http status code 0. trying CUP:iexplore. Send request returned 0x80004005. Http status code 0.Trying config: source=auto, wpad=1, script=. trying CUP:WinHTTP. Send request returned 0x80072ee7. Http status code 0. trying WinHTTP. Send request returned 0x80072ee7. Http status code 0.trying CUP:iexplore.Send request returned 0x80004005. Http status code 0. Trying config: source=IE, direct connection. trying CUP:WinHTTP. Send request returned 0x80072ee7. Http status code 0.trying WinHTTP.Send request returned 0x80072ee7. Http status code 0.trying CUP:iexplore.Send request returned 0x80004005. Http status code 0.Trying config: source=auto, wpad=1, script=.trying CUP:WinHTTP.Send request returned 0x80072ee7" 27/12/2014 13:02:52 ;

"Entry" = "Product: ESET NOD32 Antivirus -- Error 1922. Service 'ESET Service' (ekrn) could not be deleted. Verify that you have sufficient privileges to remove system services." 25/12/2014 13:25:26 ;

Were you trying to uninstall ESET? Or was this an outside source trying to remove the service or attack ESET?

Your system logs have thrown the following error:
"Entry" = "The driver detected a controller error on \Device\Harddisk1\DR1." 11/12/2014 11:52:06 ;

Files

"Linked to" = "Important Registry Entries -> Shell Open Commands -> HKLM\SOFTWARE\Classes\.amsf\shell\open\command -> "C:\Program Files\AutoRun Maker\AutoRun Maker.exe" "%1""
hxxp://www.isthisfilesafe.com/company/Abhishek_details.aspx
Abhishek has several files floating around that are harmful. They even have a couple of file extension changers, which sounds like a probable cause of the issue you are facing.

"Linked to" = "Important Registry Entries -> TypeLibs -> HKLM\SOFTWARE\Classes\TypeLib\{4F9C41AB-1074-4AE8-992F-1C856F676877}\2.0\0\win32 -> C:\Users\1\AppData\Local\Temp\Excel8.0\MSForms.exd"
MSForms.exd: not sure if this file is safe or not, as ESET lists it as unknown. The location is strange.... appdata

"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Windows\AutoKMS.exe"
"Linked to" = "Important Registry Entries -> TypeLibs -> HKLM\SOFTWARE\Classes\TypeLib\{ADD29A64-3096-4E72-AD8E-12EB238A6D2A}\1.2\0\win32 -> C:\Users\1\AppData\Local\Temp\VBE\RefEdit.exd"
"Linked to" = "Running processes -> admin.exe -> c:\program files\programsshop\accountant\admin.exe"
The accountant program that we discussed previously, which listed connections and showed server IP and port etc.
"Linked to" = "Running processes -> admin.exe -> c:\program files\programsshop\accountant\psptf.dll"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> wscript.exe //B "C:\Users\1\AppData\Roaming\Internet Explorer\\iexplore.vbs""
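Added here as an example, not part of Arakasi's post or of ESET's tooling: a PowerShell triage script that re-checks on a live system two of the areas his SysInspector review points at, Run autostart values that launch a script host (like the wscript.exe //B iexplore.vbs entry) and Browser Helper Objects. The "suspicious" patterns (script host, //B batch mode, script under AppData or Temp) and the Authenticode check are my assumptions about what is worth flagging, not ESET's detection logic.

```powershell
# Added example (not from the thread). Assumed heuristics for a script host in Run.
$scriptHosts = 'wscript\.exe|cscript\.exe|mshta\.exe'

function Test-RunValue([string]$cmd) {
    # A script host started from Run with //B (batch mode: no error dialogs) or with a
    # script under the user profile matches the iexplore.vbs entry quoted above.
    $hostHit   = $cmd -match $scriptHosts
    $silent    = $cmd -match '//B\b'
    $userPath  = $cmd -match '\\AppData\\|\\Temp\\'
    $scriptExt = $cmd -match '\.(vbs|vbe|js|jse|wsf)\b'
    $hostHit -and ($silent -or $userPath -or $scriptExt)
}

function Get-RunValues {
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSProvider, ...
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = (Test-RunValue ([string]$p.Value))
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO subkey is a CLSID; the DLL it loads is the InprocServer32 default value.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) {
            [Environment]::ExpandEnvironmentVariables(((Get-ItemProperty -Path $srv).'(default)' -replace '"', ''))
        } else { '<no InprocServer32>' }
        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Signed = ($dll -and (Test-Path $dll) -and
                      (Get-AuthenticodeSignature $dll).Status -eq 'Valid')
        }
    }
}

Get-RunValues            | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
```

An unsigned BHO DLL or a Run value flagged Suspicious is a lead to investigate, not proof of infection; confirm with the file's origin and a scan before removing anything.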
foneil, ESET Moderator (posted December 30, 2014):

Once again, as Arakasi stated, you shouldn't rely on a detailed SI analysis on the forum and should follow the instructions in SOLN141 to submit your log to ESET. Also, as shown in Arakasi's reply, SIs can contain personally identifiable information that you may not have intended to share with everyone on a public forum. As such, I have removed the attached SI from the previous post.
Arakasi (posted December 31, 2014):

Thanks foneil!!
julialloyds45 (posted July 17, 2015):

For removing the shortcut virus:

1. Go to Start -> Run -> cmd.
2. Go to your pen drive, memory card or mobile phone directory.
3. Type del *.lnk (to delete all link files in the directory).
4. Type attrib -h -r -s /s /d e:*.* (replace e with your drive letter). And then press a gentle Enter.

For more information: hxxp://www.combatpcviruses.com
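Added example for the attrib advice in rugk's reply and the del *.lnk / attrib steps in this post; it is not from either poster. The script inspects a removable drive for the pattern the thread describes (Hidden+System folders beside .lnk files that launch a script host instead of opening the folder) and, only when -Clean is given, removes the flagged shortcuts and clears the attributes with the same attrib switches. $Drive and -Clean are assumed parameter names; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Report, and optionally clean, the
# hidden-folder/shortcut pattern on a removable drive.
param(
    [Parameter(Mandatory)][string]$Drive,   # e.g. "I:"
    [switch]$Clean                           # without it the script only reports
)
$root = $Drive.TrimEnd('\') + '\'
$wsh  = New-Object -ComObject WScript.Shell

# Resolve what each shortcut in the root really launches. The worm's shortcuts run a
# script host or cmd.exe with the hidden payload as argument, not the folder itself.
$report = foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force -File) {
    $sc = $wsh.CreateShortcut($lnk.FullName)
    [pscustomobject]@{
        Shortcut   = $lnk.Name
        Target     = $sc.TargetPath
        Arguments  = $sc.Arguments
        Suspicious = ($sc.TargetPath -match 'wscript|cscript|cmd\.exe|powershell') -or
                     ($sc.Arguments  -match '\.vbs|\.js|\.bat|\.cmd')
    }
}
$report | Format-Table -AutoSize

# Real folders the worm hid: Hidden+System directories whose name matches a shortcut.
$names  = $report | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_.Shortcut) }
$hidden = Get-ChildItem -LiteralPath $root -Force -Directory |
          Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                         $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
                         ($names -contains $_.Name) }
"Hidden+System folders with a matching shortcut: $($hidden.Name -join ', ')"

if ($Clean) {
    # Remove only shortcuts that were flagged, then clear the attributes the worm set
    # (the attrib switches from the thread) so the real folders are visible again.
    $report | Where-Object Suspicious | ForEach-Object {
        Remove-Item -LiteralPath (Join-Path $root $_.Shortcut) -Force
    }
    & attrib.exe -S -H -R "$root*" /S /D
}
```

Cleaning the drive does not remove the script the shortcuts point to, nor its Run key on the PC; the Target and Arguments columns tell you which file and autostart entry to deal with next.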
stephenjohn (posted January 26, 2016):

Yes, I also faced this problem. I have lost all my important data, but anyway you have to use the best antiviruses to protect them. There is a virus named the "shortcut virus"; sometimes this virus can't be removed by antiviruses either. On the web I found the solution to this problem. Link of solution: remove shortcut virus from pendrive. I hope this will work for you.

Some important tips for you to prevent the shortcut virus:
1. Avoid exchanging data with a computer that has the shortcut virus.
2. Use good antiviruses.
3. Stay safe.

I hope you like my solution. Thanks.