Hello, new to the forum :)
I have searched through the topics. I am at work, the laptop is infected, but because I am at a copy-print shop I don't have much time to search through the topics. The laptop got the virus 10 days ago. I partitioned one disk (C:) and installed a fresh copy on a new partition (D:). Yesterday a guy came and had the virus. I ran UsbFix after he left, with my USB disk on, and these are the results.
############################## | UsbFix V 7.169 | [Deletion]
User: aaaaaa (Administrator) # MAGAZI
Updated 31/03/2014 by El Desaparecido - Team SosVirus
Started at 16:38:46 | 29/04/2014
Website : http://www.en.usbfix.net/
Changelog : http://www.en.usbfix.net/changelog/
Support : https://ccm.net/forum/viruses-security-7
Upload Malware : http://www.sosvirus.net/upload_malware.php
Contact : http://www.en.usbfix.net/contact/
PC: MICRO-STAR INTERNATIONAL CO., LTD (To be filled by O.E.M.)
CPU: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
RAM -> [Total : 1013 Mo| Free : 741 Mo]
Bios: American Megatrends Inc.
Boot: Normal boot
OS: Microsoft Windows XP Professional (5.1.2600 32-Bit) Service Pack 3
WB: Windows Internet Explorer : 8.0.6001.18702
WB: Google Chrome : 34.0.1847.131
WB: Mozilla Firefox : 28.0
SC: Security Center [Enabled]
WU: Windows Update [Enabled]
FW: Windows FireWall [Enabled]
C:\ -> Fixed drive # 51 Gb (20 Mb free - 39%) [] # NTFS
D:\ (%systemdrive%) -> Fixed drive # 98 Gb (89 Mb free - 91%) [] # NTFS
E:\ -> Removable drive # 960 Mb (943 Mb free - 98%) [] # FAT
################## | Active Processes |
D:\WINDOWS\System32\smss.exe (ID: 696 |ParentID: 4)
D:\WINDOWS\system32\winlogon.exe (ID: 800 |ParentID: 696)
D:\WINDOWS\system32\services.exe (ID: 844 |ParentID: 800)
D:\WINDOWS\system32\lsass.exe (ID: 856 |ParentID: 800)
D:\WINDOWS\system32\svchost.exe (ID: 1020 |ParentID: 844)
D:\WINDOWS\System32\svchost.exe (ID: 1236 |ParentID: 844)
D:\WINDOWS\system32\spoolsv.exe (ID: 1632 |ParentID: 844)
D:\WINDOWS\Explorer.EXE (ID: 1932 |ParentID: 1856)
D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (ID: 748 |ParentID: 844)
D:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe (ID: 148 |ParentID: 844)
D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (ID: 224 |ParentID: 844)
D:\WINDOWS\system32\wuauclt.exe (ID: 444 |ParentID: 1236)
################## | Generic Research |
(!) Temporary files deleted.
################## | Registry |
################## | Regedit Run |
F2 - HKLM\..\Winlogon : [Shell] Explorer.exe
F2 - [x64] HKLM\..\Winlogon : [Shell] Explorer.exe
F2 - HKLM\..\Winlogon : [Userinit] D:\WINDOWS\system32\userinit.exe,
F2 - [x64] HKLM\..\Winlogon : [Userinit] D:\WINDOWS\system32\userinit.exe,
04 - HKCU\..\Run : [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
04 - HKLM\..\Run : [RTHDCPL] RTHDCPL.EXE
04 - HKLM\..\Run : [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
04 - HKLM\..\Run : [SDTray] "D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
04 - HKLM\..\Run : [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\..\Run : []
04 - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\..\RunOnce : []
04 - HKU\S-1-5-21-746137067-854245398-1547161642-1003\..\Run : [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
################## | Listing |
[10/11/2010 - 00:52:42 | D] - C:\$AVG
[27/09/2008 - 20:53:21 | N | 0 Ko] - C:\-797702211
[15/08/2009 - 15:09:26 | D] - C:\287c17f25f4f6440c1
[20/06/2008 - 08:15:20 | A | 0 Ko] - C:\AUTOEXEC.BAT
[26/03/2008 - 15:42:28 | N | 16 Ko] - C:\bdch.dll.vcd
[25/02/2008 - 17:05:28 | N | 556 Ko] - C:\bdguictl.dll.vcd
[25/10/2007 - 16:56:50 | N | 208 Ko] - C:\bdsubmit.dll.vcd
[21/03/2008 - 20:40:00 | N | 892 Ko] - C:\bdsubwiz.exe.vcd
[23/11/2007 - 14:25:34 | N | 76 Ko] - C:\bdutils.dll.vcd
[27/04/2014 - 23:38:17 | SH | 0 Ko] - C:\boot.ini
[02/03/2006 - 15:00:00 | N | 5 Ko] - C:\Bootfont.bin
[30/10/2008 - 23:08:32 | D] - C:\Bungalow
[27/04/2014 - 21:45:15 | D] - C:\Config.Msi
[20/06/2008 - 08:15:20 | N | 0 Ko] - C:\CONFIG.SYS
[20/06/2008 - 17:48:39 | D] - C:\DOCS
[01/04/2012 - 15:37:03 | D] - C:\Documents and Settings
[20/06/2008 - 17:48:39 | D] - C:\DOTNETFX
[11/04/2012 - 22:46:03 | D] - C:\f1276637301cb4b45816
[08/12/2009 - 22:26:26 | N | 0 Ko] - C:\install.log
[06/07/2008 - 14:26:01 | D] - C:\Intel
[20/06/2008 - 08:15:20 | RASH | 0 Ko] - C:\IO.SYS
[30/04/2008 - 16:08:58 | N | 1128 Ko] - C:\livesrv.exe.vcd
[14/03/2014 - 12:40:32 | N | 0 Ko] - C:\LOG1D6.log
[14/03/2014 - 12:40:32 | N | 0 Ko] - C:\LOG1D6.tmp
[20/06/2008 - 08:15:20 | RASH | 0 Ko] - C:\MSDOS.SYS
[07/07/2008 - 12:32:58 | RHD] - C:\MSOCache
[27/04/2014 - 23:02:34 | N | 46 Ko | B2DE3452DE03674C6CEC68B8C8CE7C78] - C:\NTDETECT.COM
[27/04/2014 - 23:02:35 | RASH | 244 Ko] - C:\ntldr
[29/04/2014 - 16:14:05 | N | 1560576 Ko] - C:\pagefile.sys
[27/04/2014 - 21:44:56 | D] - C:\Program Files
[02/03/2006 - 15:00:00 | N | 38 Ko] - C:\README.HTM
[28/04/2014 - 15:33:27 | SHD] - C:\RECYCLER
[02/03/2006 - 15:00:00 | N | 2524 Ko | 8B419B16F3744834A5F4505BAC4BADFC] - C:\SETUP.EXE
[02/03/2006 - 15:00:00 | N | 102 Ko] - C:\SETUPXP.HTM
[07/07/2008 - 14:56:54 | N | 0 Ko] - C:\sqmdata00.sqm
[07/07/2008 - 14:56:54 | N | 0 Ko] - C:\sqmnoopt00.sqm
[20/06/2008 - 17:50:24 | D] - C:\SUPPORT
[28/08/2008 - 02:21:22 | SHD] - C:\System Volume Information
[03/04/2014 - 14:31:01 | N | 0 Ko | EDCD9989132E26D4BEE106EE953C6DD6] - C:\TDSSKiller.2.8.16.0_03.04.2014_14.30.54_log.txt
[17/04/2007 - 16:30:02 | N | 88 Ko] - C:\txmlx.dll.vcd
[24/04/2008 - 14:39:16 | N | 156 Ko] - C:\upgrepl.exe.vcd
[20/06/2008 - 17:50:25 | D] - C:\VALUEADD
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51IC
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51IC.SP2
[03/04/2014 - 14:27:50 | D] - C:\WINDOWS
[22/10/2007 - 14:31:44 | N | 560 Ko] - C:\wslib.dll.vcd
[03/04/2014 - 09:30:18 | D] - C:\[Smad-Cage]
[28/04/2014 - 00:07:45 | D] - D:\Documents and Settings
[28/04/2014 - 01:00:44 | D] - D:\Intel
[28/04/2014 - 11:17:50 | RHD] - D:\MSOCache
[29/04/2014 - 16:36:44 | ASH | 1560576 Ko] - D:\pagefile.sys
[28/04/2014 - 13:07:39 | D] - D:\Program Files
[29/04/2014 - 12:24:06 | SHD] - D:\RECYCLER
[27/04/2014 - 23:59:55 | SHD] - D:\System Volume Information
[29/04/2014 - 16:34:44 | D] - D:\UsbFix
[28/04/2014 - 14:40:04 | N | 3 Ko | 3E84F6D9D0B5081B672369E88EC25C5A] - D:\UsbFix [Clean 2] MAGAZI.txt
[28/04/2014 - 14:49:16 | N | 2 Ko | 4BE0C7AD249D79A920D444BB54460EBF] - D:\UsbFix [Clean 4] MAGAZI.txt
[29/04/2014 - 16:24:16 | N | 7 Ko | 6FEF96B8B57D139BC217A4CFA4F45DE5] - D:\UsbFix [Clean 6] MAGAZI.txt
[29/04/2014 - 16:40:14 | A | 6 Ko | 2C2E75A4AF73B48B17267AFCA4B3C0D3] - D:\UsbFix [Clean 8] MAGAZI.txt
[29/04/2014 - 16:35:31 | N | 5 Ko | 4C9A1AABFFD5854D048D88D187D22C49] - D:\UsbFix [Listing 1] MAGAZI.txt
[29/04/2014 - 13:18:35 | N | 5 Ko | 0AB150E9A20E50268ED03A26C5EEBC3A] - D:\UsbFix [Scan 1] MAGAZI.txt
[29/04/2014 - 16:11:51 | N | 5 Ko | 173D4AA837FA128F257D9A0AA37ACCE5] - D:\UsbFix [Scan 2] MAGAZI.txt
[28/04/2014 - 14:44:10 | D] - D:\WINDOWS
[29/04/2014 - 11:06:48 | SHD] - E:\System Volume Information
[15/04/2014 - 19:04:02 | N | 582 Ko] - E:\1 VLSI PG Intro(15).pdf
[15/04/2014 - 19:31:26 | N | 451 Ko] - E:\5 VLSI Stadia kataskevis IC(10).pdf
[15/04/2014 - 19:35:28 | N | 1874 Ko] - E:\6 CMOS Inverter(15).pdf
[15/04/2014 - 19:34:36 | N | 220 Ko] - E:\7 Diakrito(5).pdf
[15/04/2014 - 19:38:16 | N | 584 Ko] - E:\9 Low power slide(15).pdf
[15/04/2014 - 19:38:00 | N | 66 Ko] - E:\10 Antistaseis vlsi(4).pdf
[15/04/2014 - 19:38:06 | N | 62 Ko] - E:\References VLSI PG(1).pdf
[15/04/2014 - 19:31:36 | N | 1200 Ko] - E:\3 VLSI Krystallogr 2(10).pdf
[15/04/2014 - 19:15:22 | N | 10312 Ko] - E:\2 VLSI Krystallogr 1(5).pdf
[12/10/2013 - 23:10:12 | N | 1734 Ko] - E:\QuantumElec-LED(10).pdf
################## | Vaccin |
C:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
E:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
################## | E.O.F | http://www.en.usbfix.net/ - https://www.sosvirus.net/ |
Then today I ran UsbFix again and these are the results:
############################## | UsbFix V 7.169 | [Deletion]
User: aaaaaa (Administrator) # MAGAZI
Updated 31/03/2014 by El Desaparecido - Team SosVirus
Started at 14:36:59 | 30/04/2014
Website : http://www.en.usbfix.net/
Changelog : http://www.en.usbfix.net/changelog/
Support : https://ccm.net/forum/viruses-security-7
Upload Malware : http://www.sosvirus.net/upload_malware.php
Contact : http://www.en.usbfix.net/contact/
PC: MICRO-STAR INTERNATIONAL CO., LTD (To be filled by O.E.M.)
CPU: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
RAM -> [Total : 1013 Mo| Free : 330 Mo]
Bios: American Megatrends Inc.
Boot: Normal boot
OS: Microsoft Windows XP Professional (5.1.2600 32-Bit) Service Pack 3
WB: Windows Internet Explorer : 8.0.6001.18702
WB: Google Chrome : 34.0.1847.131
WB: Mozilla Firefox : 28.0
SC: Security Center [Enabled]
WU: Windows Update [Enabled]
FW: Windows FireWall [Enabled]
C:\ -> Fixed drive # 51 Gb (20 Mb free - 39%) [] # NTFS
D:\ (%systemdrive%) -> Fixed drive # 98 Gb (89 Mb free - 91%) [] # NTFS
E:\ -> CD-ROM
################## | Active Processes |
D:\WINDOWS\System32\smss.exe (ID: 696 |ParentID: 4)
D:\WINDOWS\system32\winlogon.exe (ID: 800 |ParentID: 696)
D:\WINDOWS\system32\services.exe (ID: 844 |ParentID: 800)
D:\WINDOWS\system32\lsass.exe (ID: 856 |ParentID: 800)
D:\WINDOWS\system32\svchost.exe (ID: 1024 |ParentID: 844)
D:\WINDOWS\System32\svchost.exe (ID: 1236 |ParentID: 844)
D:\WINDOWS\system32\spoolsv.exe (ID: 1612 |ParentID: 844)
D:\WINDOWS\Explorer.EXE (ID: 1940 |ParentID: 1836)
D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (ID: 724 |ParentID: 844)
D:\WINDOWS\RTHDCPL.EXE (ID: 1400 |ParentID: 1940)
D:\Program Files\ClamWin\bin\ClamTray.exe (ID: 1440 |ParentID: 1940)
D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (ID: 1544 |ParentID: 1940)
D:\WINDOWS\system32\ctfmon.exe (ID: 1508 |ParentID: 1940)
D:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe (ID: 924 |ParentID: 844)
D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (ID: 1264 |ParentID: 844)
D:\WINDOWS\system32\wuauclt.exe (ID: 3936 |ParentID: 1236)
D:\Program Files\Mozilla Firefox\firefox.exe (ID: 3068 |ParentID: 1940)
D:\Program Files\Mozilla Firefox\plugin-container.exe (ID: 2876 |ParentID: 3068)
################## | Generic Research |
(!) Temporary files deleted.
################## | Registry |
################## | Regedit Run |
F2 - HKLM\..\Winlogon : [Shell] Explorer.exe
F2 - [x64] HKLM\..\Winlogon : [Shell] Explorer.exe
F2 - HKLM\..\Winlogon : [Userinit] D:\WINDOWS\system32\userinit.exe,
F2 - [x64] HKLM\..\Winlogon : [Userinit] D:\WINDOWS\system32\userinit.exe,
04 - HKCU\..\Run : [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
04 - HKLM\..\Run : [RTHDCPL] RTHDCPL.EXE
04 - HKLM\..\Run : [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
04 - HKLM\..\Run : [SDTray] "D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
04 - HKLM\..\Run : [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\..\Run : []
04 - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\..\RunOnce : []
04 - HKU\S-1-5-21-746137067-854245398-1547161642-1003\..\Run : [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
################## | Listing |
[10/11/2010 - 00:52:42 | D] - C:\$AVG
[27/09/2008 - 20:53:21 | N | 0 Ko] - C:\-797702211
[15/08/2009 - 15:09:26 | D] - C:\287c17f25f4f6440c1
[20/06/2008 - 08:15:20 | A | 0 Ko] - C:\AUTOEXEC.BAT
[26/03/2008 - 15:42:28 | N | 16 Ko] - C:\bdch.dll.vcd
[25/02/2008 - 17:05:28 | N | 556 Ko] - C:\bdguictl.dll.vcd
[25/10/2007 - 16:56:50 | N | 208 Ko] - C:\bdsubmit.dll.vcd
[21/03/2008 - 20:40:00 | N | 892 Ko] - C:\bdsubwiz.exe.vcd
[23/11/2007 - 14:25:34 | N | 76 Ko] - C:\bdutils.dll.vcd
[27/04/2014 - 23:38:17 | SH | 0 Ko] - C:\boot.ini
[02/03/2006 - 15:00:00 | N | 5 Ko] - C:\Bootfont.bin
[30/10/2008 - 23:08:32 | D] - C:\Bungalow
[27/04/2014 - 21:45:15 | D] - C:\Config.Msi
[20/06/2008 - 08:15:20 | N | 0 Ko] - C:\CONFIG.SYS
[20/06/2008 - 17:48:39 | D] - C:\DOCS
[01/04/2012 - 15:37:03 | D] - C:\Documents and Settings
[20/06/2008 - 17:48:39 | D] - C:\DOTNETFX
[11/04/2012 - 22:46:03 | D] - C:\f1276637301cb4b45816
[08/12/2009 - 22:26:26 | N | 0 Ko] - C:\install.log
[06/07/2008 - 14:26:01 | D] - C:\Intel
[20/06/2008 - 08:15:20 | RASH | 0 Ko] - C:\IO.SYS
[30/04/2008 - 16:08:58 | N | 1128 Ko] - C:\livesrv.exe.vcd
[14/03/2014 - 12:40:32 | N | 0 Ko] - C:\LOG1D6.log
[14/03/2014 - 12:40:32 | N | 0 Ko] - C:\LOG1D6.tmp
[20/06/2008 - 08:15:20 | RASH | 0 Ko] - C:\MSDOS.SYS
[07/07/2008 - 12:32:58 | RHD] - C:\MSOCache
[27/04/2014 - 23:02:34 | N | 46 Ko | B2DE3452DE03674C6CEC68B8C8CE7C78] - C:\NTDETECT.COM
[27/04/2014 - 23:02:35 | RASH | 244 Ko] - C:\ntldr
[29/04/2014 - 16:14:05 | N | 1560576 Ko] - C:\pagefile.sys
[27/04/2014 - 21:44:56 | D] - C:\Program Files
[02/03/2006 - 15:00:00 | N | 38 Ko] - C:\README.HTM
[28/04/2014 - 15:33:27 | SHD] - C:\RECYCLER
[02/03/2006 - 15:00:00 | N | 2524 Ko | 8B419B16F3744834A5F4505BAC4BADFC] - C:\SETUP.EXE
[02/03/2006 - 15:00:00 | N | 102 Ko] - C:\SETUPXP.HTM
[07/07/2008 - 14:56:54 | N | 0 Ko] - C:\sqmdata00.sqm
[07/07/2008 - 14:56:54 | N | 0 Ko] - C:\sqmnoopt00.sqm
[20/06/2008 - 17:50:24 | D] - C:\SUPPORT
[28/08/2008 - 02:21:22 | SHD] - C:\System Volume Information
[03/04/2014 - 14:31:01 | N | 0 Ko | EDCD9989132E26D4BEE106EE953C6DD6] - C:\TDSSKiller.2.8.16.0_03.04.2014_14.30.54_log.txt
[17/04/2007 - 16:30:02 | N | 88 Ko] - C:\txmlx.dll.vcd
[24/04/2008 - 14:39:16 | N | 156 Ko] - C:\upgrepl.exe.vcd
[20/06/2008 - 17:50:25 | D] - C:\VALUEADD
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51IC
[02/03/2006 - 15:00:00 | N | 0 Ko] - C:\WIN51IC.SP2
[03/04/2014 - 14:27:50 | D] - C:\WINDOWS
[22/10/2007 - 14:31:44 | N | 560 Ko] - C:\wslib.dll.vcd
[03/04/2014 - 09:30:18 | D] - C:\[Smad-Cage]
[28/04/2014 - 00:07:45 | D] - D:\Documents and Settings
[28/04/2014 - 01:00:44 | D] - D:\Intel
[28/04/2014 - 11:17:50 | RHD] - D:\MSOCache
[30/04/2014 - 09:19:17 | ASH | 1560576 Ko] - D:\pagefile.sys
[28/04/2014 - 13:07:39 | D] - D:\Program Files
[29/04/2014 - 12:24:06 | SHD] - D:\RECYCLER
[27/04/2014 - 23:59:55 | SHD] - D:\System Volume Information
[30/04/2014 - 14:36:10 | D] - D:\UsbFix
[30/04/2014 - 14:38:21 | A | 6 Ko | 387185EEDE554283C92F03AE08C66D2A] - D:\UsbFix [Clean 10] MAGAZI.txt
[28/04/2014 - 14:40:04 | N | 3 Ko | 3E84F6D9D0B5081B672369E88EC25C5A] - D:\UsbFix [Clean 2] MAGAZI.txt
[28/04/2014 - 14:49:16 | N | 2 Ko | 4BE0C7AD249D79A920D444BB54460EBF] - D:\UsbFix [Clean 4] MAGAZI.txt
[29/04/2014 - 16:24:16 | N | 7 Ko | 6FEF96B8B57D139BC217A4CFA4F45DE5] - D:\UsbFix [Clean 6] MAGAZI.txt
[29/04/2014 - 16:40:14 | N | 8 Ko | 9B4779779D681A3853497961D509693D] - D:\UsbFix [Clean 8] MAGAZI.txt
[29/04/2014 - 16:35:31 | N | 5 Ko | 4C9A1AABFFD5854D048D88D187D22C49] - D:\UsbFix [Listing 1] MAGAZI.txt
[29/04/2014 - 13:18:35 | N | 5 Ko | 0AB150E9A20E50268ED03A26C5EEBC3A] - D:\UsbFix [Scan 1] MAGAZI.txt
[29/04/2014 - 16:11:51 | N | 5 Ko | 173D4AA837FA128F257D9A0AA37ACCE5] - D:\UsbFix [Scan 2] MAGAZI.txt
[28/04/2014 - 14:44:10 | D] - D:\WINDOWS
################## | Vaccin |
C:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
################## | E.O.F | http://www.en.usbfix.net/ - https://www.sosvirus.net/ |
Do I have to run UsbFix every time a new USB is inserted? Because there are about 50-100 people every day coming to print. Also, does the fix remove only the virus or all the files on the USB disk?
Thank you :)