My computer has been infected with some sort of malware, known as the "Mabraze" or "au travail" / "travaillez" (French for "get to work!").
A message appears from time to time:
"Il est maintenant XX:XX:XX (the present time)
il est temps de se mettre au travail, au lieu de rester à ne rien faire d'important!!
Ce n'est pas un mabraze ici !!"
Translation: "It is now XX:XX:XX (the present time)
It is time to get to work, instead of doing nothing important!!
This is not a Mabraze !!"
I found a site that had some useful information on the malware and am in the process of trying to get rid of it. I have made progress, but have encountered some difficulties.
Here's what I have done:
Followed the following instructions based on the following post (http://www.commentcamarche.net/forum/affich-9140211-suppression-de-antinul-vbe?page=2, in French):
"Cause : antinul.vbe its autorun.inf
This little 'joke' is transmitted via usb flash drive. So if you've used a usb flash drive, be sure to follow steps one and two saving the corresponding files on the root of your usb flash drive. Do this before disinfecting your PC.
1. Open a text editor and write "kill vbscript travailplus". Save as "antinul.vbe" on your Desktop.
2. Open a text editor and write "kill vbscript travailplus". Save as "autorun.inf" on your Desktop.
3. Copy the two files in the following location: C:\windows\system32\. If you are asked to overwrite the files, do so.
4. Download HiJackThis, execute it, tick lines R0 - R1 - F2 - O7 and click on fixchecked (to delete)
5. Return to system32 and delete antinul.vbe and autorun.inf (not necessary, leaving them could prevent a new infection)
6. Set the registry back to normal so that you can access Folder Options in the Control Panel (Google it!)."
Most of this has worked, but there is one problem. The antinul.vbe file does not execute properly. When rebooting, I get a message saying that the "antinul.vbe" file was not compiled properly because it did not terminate properly (or something like that... syntax error?), and therefore did not execute. There is a carriage return at the end of the two files.
I did execute a .reg script to restore the "Folder Options" in the Control Panel, and that worked, no problem there.
Other problem, and I don't know if this is related to any of the above. I wrote a short batch script to save files and folders onto an external hard drive. Some of the folders do not appear in Explorer. They are there, and I can access them by adding "\FolderName", but cannot see them nor access them from the command line or using Explorer.
I have some HiJackThis logs, and can post them if need be.
So my primary questions are:
1) Have I followed the right procedure?
2) If the "antinul.vbe" script doesn't execute, it means that I haven't followed the procedure from beginning to end. Is there something wrong with my syntax? Do I need to add something to the script?
3) What else do I need to do to finish the procedure?
Edited by Pandy, 18 December 2008 - 12:57 PM.
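A read-only triage of a drive root for the two files named in the quoted instructions, added here as an example; it is not part of the original post or the linked thread. The function names, the report layout and the "live" autorun.inf content are constructed for illustration, and hidden-folder detection relies on Windows file attributes, so it reports nothing on other systems.

```python
import os
import stat
import tempfile

SUSPECT_NAMES = {"antinul.vbe", "autorun.inf"}   # names from the quoted instructions
HIDE_BITS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

def autorun_launch_targets(text):
    """Return (key, value) pairs in autorun.inf text that start a program."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def triage_root(root):
    """Report suspect files, autorun launch entries and hidden folders in root."""
    report = {"suspect_files": [], "launch_targets": [], "hidden_dirs": []}
    for entry in sorted(os.scandir(root), key=lambda e: e.name.lower()):
        # st_file_attributes exists only on Windows; elsewhere treat it as 0.
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        if entry.is_dir(follow_symlinks=False):
            if attrs & HIDE_BITS:
                report["hidden_dirs"].append(entry.name)
        elif entry.name.lower() in SUSPECT_NAMES:
            report["suspect_files"].append(entry.name)
            if entry.name.lower() == "autorun.inf":
                with open(entry.path, encoding="latin-1") as fh:
                    report["launch_targets"] += autorun_launch_targets(fh.read())
    return report

def demo():
    """Triage two constructed drive roots: a live autorun.inf and the placeholder."""
    samples = {"live": "[autorun]\nopen=wscript.exe antinul.vbe\n",  # constructed
               "placeholder": "kill vbscript travailplus\n"}         # text from the post
    results = {}
    for label, content in samples.items():
        with tempfile.TemporaryDirectory() as root:
            for name in ("autorun.inf", "antinul.vbe"):  # same text in both files
                with open(os.path.join(root, name), "w") as fh:
                    fh.write(content)
            results[label] = triage_root(root)
    return results
```

Call `triage_root("E:\\")` on the drive to inspect (the drive letter is an assumption); an empty `launch_targets` list alongside a present autorun.inf means the file cannot start anything.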