Mondial Relay Virus
brichartier
Posted messages: 3 - Status: Member
Malekal_morte- Posted messages: 178136 - Status: Moderator, Security contributor
Hello. Like many, I fell into the trap of the Mondial Relay email and my computer is polluted with messages like "windows script host". I followed the detailed procedure in other questions from the virus/security forum and here are the attached links to FRST.txt and addition.txt.
https://pjjoint.malekal.com/files.php?id=20190619_s11j12f10b8n13
https://pjjoint.malekal.com/files.php?id=FRST_20190619_l5u7m5c13m14
Note that after the scan I did not find the shortcut.txt file mentioned in the FRST tutorial.
Could someone help me disinfect my PC please?
Thank you very much in advance.
/Brigitte
8 replies
Hello,
You have programs that were installed when you purchased the computer or later and that are not necessarily useful.
They clutter Windows and can slow it down.
You can therefore uninstall them.
Go to the Control Panel
then Programs and Features.
Uninstall:
CyberLink
McAfee Internet Security
McAfee Security Scan Plus
McAfee WebAdvisor
Here is the fix to perform with FRST. You can use this explanatory note with screenshots.
Restart FRST then press CTRL + Y on your keyboard.
The Notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [VLUXCS~1] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\VLUXCS~1.VBS"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [LzGwUMTbPX] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\LzGwUMTbPX.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [SystemDefenderSecurity.vbs] => "C:\Users\Brigitte\AppData\Roaming\SystemDefenderSecurity.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [Chrome.vbs] => C:\Users\Brigitte\AppData\Roaming\Chrome.vbs [50924 2019-01-19] () [Unsigned file]
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [vGDVRipzvW] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\vGDVRipzvW.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [HNtqeMmtGv] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\HNtqeMmtGv.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [SystemWindows.vbs] => "C:\Users\Brigitte\AppData\Roaming\SystemWindows.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [IgsjaQhbLo] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\IgsjaQhbLo.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [ZOYGXDURGF] => "C:\Users\Brigitte\AppData\Roaming\Colis-1.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [ynArAsTqWn] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\ynArAsTqWn.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [wYRgmxhEAs] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\wYRgmxhEAs.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [CKJPCK~1] => wscript.exe //B "C:\Users\Brigitte\AppData\Local\Temp\CKJPCK~1.VBS" <==== WARNING
Task: {09DE06F6-7D29-4662-B0F2-84451E02A5E2} - System32\Tasks\Skype => C:\Users\Brigitte\AppData\Roaming\Colis-1.vbs
2019-06-18 17:59 - 2019-06-19 08:51 - 000021924 _____ C:\Users\Brigitte\AppData\Roaming\UTJxTWUdie.vbs
2019-01-19 17:44 - 2019-01-19 17:44 - 000050924 _____ () C:\Users\Brigitte\AppData\Roaming\Chrome.vbs
2019-05-13 07:48 - 2019-05-13 07:48 - 000059505 _____ () C:\Users\Brigitte\AppData\Roaming\CKjPcKxmoA_123.vbs
2019-01-19 17:44 - 2019-06-18 17:59 - 000020564 _____ () C:\Users\Brigitte\AppData\Roaming\LzGwUMTbPX.vbs
2016-06-20 18:17 - 2017-01-24 01:49 - 000000112 _____ () C:\Users\Brigitte\AppData\Roaming\Préfs JP2K CS6
2019-06-18 17:59 - 2019-06-19 08:51 - 000021924 _____ () C:\Users\Brigitte\AppData\Roaming\UTJxTWUdie.vbs
2015-10-10 19:07 - 2015-10-10 19:07 - 225111747 _____ () C:\Users\Brigitte\AppData\Local\ACCCx3_3_0_151.zip.aamdownload
2015-10-10 19:07 - 2015-10-10 19:07 - 000002615 _____ () C:\Users\Brigitte\AppData\Local\ACCCx3_3_0_151.zip.aamdownload.aamd
2019-01-12 17:31 - 2019-01-12 17:31 - 000000000 _____ () C:\Users\Brigitte\AppData\Local\{8D64FA48-C0A7-4F1D-83CB-D9E271DA4E96}
2019-01-09 15:37 - 2019-01-09 15:37 - 000000000 _____ () C:\Users\Brigitte\AppData\Local\{D34BA859-D6D9-4857-A203-BF8828B61320}
EmptyTemp:
RemoveProxy:
Reboot:
End:
Save the content from the file menu and then save.
Close Notepad, return to FRST and click on the "Fix" button.
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
To protect yourself from removable infections like Wscript (Windows Script Host)
Download and install Marmiton
Click on Disable at the Windows Script Host level.
Marmiton will block malicious scripts (VBS, VBE, JavaScript, etc.) that are used to spread ransomware like Locky.
To clean removable disks from USB viruses, follow the steps in the tutorial in order: insert each of your USB keys and external hard drives one by one to clean them. Then send the reports to https://pjjoint.malekal.com/ and provide the links to those reports so we can view them.
Plug in all USB keys and other removable devices.
- Download Remediate VBS Worm
- Select option B
- Type the letter of the USB key, for example, E and press enter
WARNING: DO NOT SPECIFY THE DRIVE OF YOUR HARD DISK!
- Go to "My Computer" then drive "C", a report "Rem-VBS.log" should be there.
Open this report with Notepad and copy/paste the content here in a following response.
--
Please press any key to continue the disinfection...
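As an added illustration (not part of the original thread, and not FRST's own code) of the pattern the moderator is acting on above: the persistence entries that go into the fix are those whose target is a script engine, a script file, or an executable staged in a user-writable folder such as Temp or ProgramData. The sample report lines are constructed in FRST's report format from the entries quoted in this thread, plus one benign OneDrive entry (made up here) for contrast.

```python
import re

# Constructed sample in FRST report format; SID, paths and names are taken
# from the entries quoted in this thread, the OneDrive line is made up.
SAMPLE_REPORT = r"""
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [LzGwUMTbPX] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\LzGwUMTbPX.vbs"
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [Chrome.vbs] => C:\Users\Brigitte\AppData\Roaming\Chrome.vbs [50924 2019-01-19] () [Unsigned file]
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [OneDrive] => C:\Users\Brigitte\AppData\Local\Microsoft\OneDrive\OneDrive.exe [1234 2019-01-01] (Microsoft Corporation)
Task: {09DE06F6-7D29-4662-B0F2-84451E02A5E2} - System32\Tasks\Skype => C:\Users\Brigitte\AppData\Roaming\Colis-1.vbs
Task: {FECB20F2-458C-4D3A-8FB8-9533589AF212} - System32\Tasks\NYANP => C:\Users\Brigitte\AppData\Local\Temp\6525complet.exe <==== WARNING
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.vbs [2019-01-19] () [Unsigned file]
"""

# Windows Script Host file types that wscript.exe/cscript.exe will execute.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Folders a scheduled task should not normally launch binaries from.
SUSPECT_DIR = re.compile(r"\\(Temp|ProgramData)\\", re.IGNORECASE)


def split_entry(line):
    """Return (kind, target) for a Run-key, Task or Startup line, else (None, None)."""
    if line.startswith("Startup:"):
        return "Startup", line[len("Startup:"):].strip()
    head, sep, target = line.partition("=>")
    if not sep:
        return None, None
    kind = head.split(":", 1)[0]          # e.g. "HKU\...\Run" or "Task"
    if kind.startswith("HK") and kind.endswith("\\Run"):
        return "Run", target.strip()
    if kind == "Task":
        return "Task", target.strip()
    return None, None


def is_suspicious(line):
    """Flag persistence that runs a script engine, a script, or a Temp/ProgramData binary."""
    kind, target = split_entry(line)
    if kind is None:
        return False
    if "wscript.exe" in target.lower() or SCRIPT_EXT.search(target):
        return True
    return kind == "Task" and bool(SUSPECT_DIR.search(target))


def triage(report):
    """Return the suspicious persistence lines of an FRST report, verbatim."""
    return [ln.strip() for ln in report.splitlines() if is_suspicious(ln.strip())]


def build_fix(entries):
    """Wrap the flagged lines in the fix-script frame used in this thread."""
    frame = ["Start:", "CloseProcesses:", "CreateRestorePoint:"]
    return "\n".join(frame + list(entries) + ["EmptyTemp:", "RemoveProxy:", "Reboot:", "End:"])
```

The generated text is only a draft for a helper to review before it is pasted into FRST: FRST removes exactly what it is given, so any benign entry that slips through the heuristic would be deleted as well.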
Hello again. I corrected it with FRST and the file that was sent to me.
The fixlog file is attached
https://pjjoint.malekal.com/files.php?id=20190619_w13d7x8e6x10
The Windows Script Host message related to colis-1.vbs has disappeared, but I’m now getting 2 others that I will try to copy into this message
and
Should I run FRST again and do a new scan?
Once again, thank you for all the help you are providing me in this mess.
/Brigitte
Just in case, I've restarted a FRST scan and here are the 3 log files
https://pjjoint.malekal.com/files.php?id=20190619_e14l5z11h12b15
https://pjjoint.malekal.com/files.php?id=FRST_20190619_i6h5k10k9s7
https://pjjoint.malekal.com/files.php?id=20190619_f12x5z13v9b14
Thank you again in advance
/Brigitte
Here is the correction to be made with FRST. You can use this explanatory note with screenshots.
Restart FRST and then press CTRL + Y on your keyboard.
The notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [LzGwUMTbPX] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\LzGwUMTbPX.vbs"
Task: {FECB20F2-458C-4D3A-8FB8-9533589AF212} - System32\Tasks\NYANP => C:\Users\Brigitte\AppData\Local\Temp\6525complet.exe <==== WARNING
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.vbs [2019-01-19] () [Unsigned file]
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CKJPCK~1.VBS [2019-05-13] () [Unsigned file]
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LzGwUMTbPX.vbs [2019-05-19] () [Unsigned file]
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zKxATsKgIW.vbs [2018-11-03] () [Unsigned file]
EmptyTemp:
RemoveProxy:
Reboot:
End:
Save the content from the file menu then save.
Close the notepad, go back to FRST and click on the "Fix" button
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
--
Please press a key to continue the disinfection...
Thank you for your response and the second fix.
After this second fix, there is still something wrong because the first error message mentioned in my previous response has disappeared, but the second one (related to meee.vbs) is still there... I have uploaded the fixlog to pjjoint
https://pjjoint.malekal.com/files.php?id=20190619_q8i12l15z14s10
Just in case, I restarted a FRST scan and uploaded the 3 log files to pjjoint.
https://pjjoint.malekal.com/files.php?id=20190619_v15b7k5c9u13
https://pjjoint.malekal.com/files.php?id=FRST_20190619_q109k10i14e6
https://pjjoint.malekal.com/files.php?id=20190619_f8f14n15v7j13
I must admit that I feel somewhat helpless to resolve this, so if you have a bit more time to help me, I would greatly appreciate it.
Thank you in advance from the bottom of my heart.
/Brigitte
Wscript.exe is already running
so you haven't performed the manipulation with Marmiton.
McAfee is still installed.
Disable Windows Script Hosting with Marmiton
re-scan with FRST and provide the reports again.
--
Please press any key to continue the disinfection...
Hello. Indeed, I had forgotten the configuration for Marmiton. That's done, and the message on meee.vbs has disappeared, replaced by a message saying that Windows Script Host is disabled on this machine. Here are the log files from the latest FRST scan:
https://pjjoint.malekal.com/files.php?id=20190621_m15c13v14w6r6
https://pjjoint.malekal.com/files.php?id=FRST_20190621_q8u14x11f14x5
https://pjjoint.malekal.com/files.php?id=20190621_r5l12g14o5d15
I disabled McAfee to do the scan, but I'm hesitant to uninstall it not only because I'm paying for a subscription but also because that would leave me without antivirus. What do you think?
Once again, thank you for all the help you've provided me.
Best regards
/Brigitte
You shouldn't renew McAfee, it's not great.
By the way, it didn't help you at all this time.
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Relaunch FRST and then press CTRL + Y on your keyboard.
The Notepad will open, copy/paste this.
Start:
CloseProcesses:
CreateRestorePoint:
C:\ProgramData\FirefoxUpdate.exe
Task: {996A0C74-1EA8-494F-B989-A4C78A5C83EC} - System32\Tasks\Skypee => C:\Users\Brigitte\AppData\Local\Temp\meee.vbs <==== ATTENTION
Task: {B0E49032-7F34-4E66-8510-82CBDDF406D5} - System32\Tasks\NYAN => C:\ProgramData\FirefoxUpdate.exe <==== ATTENTION
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [Chrome.vbs] => C:\Users\Brigitte\AppData\Roaming\Chrome.vbs [0 2019-06-20] ()
HKU\S-1-5-21-2672313087-2739738965-858074783-1001\...\Run: [LzGwUMTbPX] => wscript.exe //B "C:\Users\Brigitte\AppData\Roaming\LzGwUMTbPX.vbs"
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.vbs [2019-06-20] ()
Startup: C:\Users\Brigitte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LzGwUMTbPX.vbs [2019-06-19] () [Unsigned file]
EmptyTemp:
RemoveProxy:
Reboot:
End:
Save the content from the file menu then save.
Close Notepad, go back to FRST and click on the "Fix" button.
A restart may be necessary and automatic.
A text file will appear, copy/paste the content here in a new message.
Restart the computer.