
101 lyrics folders hidden


11 replies to this topic

#1 tsnyman

tsnyman

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:06 AM

Posted 24 August 2013 - 10:26 AM

Hey everyone,

 

I got this virus recently from a copy shop. It seems to target removable devices and hides folders and files on the device, replacing them with shortcuts. I've had one of those before and it was fairly easy to remove by just deleting the infected files in safe mode and, to be safe, running an anti-virus scan, also in safe mode. Then, after rebooting, you could just unhide the folders and everything is fine. This virus, however, hides the folders, creates shortcuts, disables the unhide function and keeps coming back even after every single suspicious file was removed in safe mode. It also creates a script file on the device called "101 lyrics". I've even formatted my device but now, when I am in normal mode, the 101 lyrics file just keeps reappearing on the device. I have AVG and it was one of the only programs that seemed to be able to detect and remove the previous versions of this virus. I'm thinking that there has to be a file on my PC that is infected and is reinfecting my removable devices, but it does not show up on virus scans. The closest I've gotten to a solution is to use command to unhide all folders on the PC to solve the problem where the unhide option is disabled, but there doesn't seem to be anything that actually solves the problem short of formatting the entire computer.

 

Does anybody have any ideas?


Edited by hamluis, 24 August 2013 - 10:41 AM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 TwinHeadedEagle

TwinHeadedEagle

  • Security Colleague
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:08:06 PM

Posted 24 August 2013 - 10:48 AM

First let's clean USB

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans



After that:

Download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Edited by TwinHeadedEagle, 24 August 2013 - 10:49 AM.


#3 tsnyman


Posted 24 August 2013 - 11:04 AM

here is the malware bytes scan:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.24.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Thomas :: THOMAS-PC [administrator]

24/08/2013 08:57:35
mbam-log-2013-08-24 (08-57-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253116
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Thomas\AppData\Local\Temp\utt2809.tmp (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Thomas\Downloads\Deadpool.PROPER.Crack.Only.English-SKIDROW.zip (Malware.Gen.SKR) -> Quarantined and deleted successfully.
C:\Users\Thomas\Downloads\iLividSetup.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.

(end)

 

thanks



#4 TwinHeadedEagle


Posted 24 August 2013 - 11:17 AM

Malwarebytes only found crap, there is no real malware here?

What about MCShield scan?

#5 tsnyman


Posted 24 August 2013 - 11:24 AM

>>> MCShield AllScans.txt <<<



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.7.4.23 / DB: 2013.8.18.1 / Windows 7 <<<


24/08/2013 08:53:57 > Drive C: - scan started (no label ~931 GB, NTFS HDD )...



=> The drive is clean.


24/08/2013 08:53:57 > Drive H: - scan started (KINGSTON ~15215 MB, FAT32 flash drive )...


>>> H:\new.lnk - Malware > Deleted. (13.08.24. 08.55 new.lnk.252026; MD5: 1d02b36c7cbcb29d3b3f3b6e541041d3)

>>> H:\101  lyrics.vbs - Suspicious > Renamed. (MD5: 3dc3f8d093205870f8e168241b0ebc5c)

> Resetting attributes: H:\new < Successful.


=> Malicious files   : 1/1 deleted.
=> Suspicious files  : 1/1 renamed.
=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 1min 59sec ::::::::::::
____________________________________________

 

There is only one folder on the drive. It is called new. H:\101  lyrics.vbs is the file that keeps reappearing, even after the device has been formatted.
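The pattern in the MCShield log above (a hidden folder, a shortcut carrying the same name, and a script file in the drive root) can be checked for directly. The following is an added example, not part of the original posts and not MCShield's own logic; the function names, the extension list and the sample listing are assumptions made for illustration.

```python
import os
import stat
from typing import NamedTuple

# Windows Script Host extensions; the sample in this thread is a .vbs file.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

class Entry(NamedTuple):
    name: str
    is_dir: bool
    hidden: bool

def list_root(drive_root):
    """Top-level entries of a drive, hidden ones included (Windows only)."""
    out = []
    with os.scandir(drive_root) as it:
        for e in it:
            # st_file_attributes exists only on Windows; treated as 0 elsewhere.
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append(Entry(e.name, e.is_dir(follow_symlinks=False),
                             bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out

def triage(entries):
    """Flag shortcuts named after a hidden folder, and scripts in the root."""
    entries = list(entries)
    hidden = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    shortcuts, scripts = [], []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name.lower())
        if ext == ".lnk" and stem in hidden:
            shortcuts.append(e.name)      # shortcut standing in for a hidden folder
        elif ext in SCRIPT_EXTS:
            scripts.append(e.name)        # script sitting in the drive root
    return {
        "hidden_folders": sorted(hidden.values()),
        "masquerading_shortcuts": sorted(shortcuts),
        "root_scripts": sorted(scripts),
        # A shortcut/hidden-folder pair is the strong signal; a root script
        # next to any hidden folder is the weaker one.
        "suspicious": bool(shortcuts) or bool(scripts and hidden),
    }

# Constructed listing modelled on the H: drive in the MCShield log above.
SAMPLE = [Entry("new", True, True), Entry("new.lnk", False, False),
          Entry("101  lyrics.vbs", False, False)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a Windows machine, `triage(list_root("H:\\"))` runs the same check against a real drive letter; the check only reads the directory listing and changes nothing on the drive.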



#6 TwinHeadedEagle


Posted 24 August 2013 - 11:32 AM

OK, USB was cleaned, how are things now?

#7 Phillip1982

Phillip1982

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:06 PM

Posted 26 August 2013 - 04:11 AM

Heya Guys

I'm having the same problem. I used MCShield to remove the virus from the USB and it works fine, but!!!! now we have some PCs that are infected. We tried everything to remove it from the PC itself but it still keeps coming back. It's a big problem now because I'm working at North West University and most of the students are getting the virus on their PCs and can't remove it.

Any suggestions on how to remove it from an infected PC?



#8 Phillip1982


Posted 26 August 2013 - 04:14 AM

>>> MCShield AllScans.txt <<<



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.7.4.23 / DB: 2013.8.18.1 / Windows 7 <<<


24/08/2013 08:53:57 > Drive C: - scan started (no label ~931 GB, NTFS HDD )...



=> The drive is clean.


24/08/2013 08:53:57 > Drive H: - scan started (KINGSTON ~15215 MB, FAT32 flash drive )...


>>> H:\new.lnk - Malware > Deleted. (13.08.24. 08.55 new.lnk.252026; MD5: 1d02b36c7cbcb29d3b3f3b6e541041d3)

>>> H:\101  lyrics.vbs - Suspicious > Renamed. (MD5: 3dc3f8d093205870f8e168241b0ebc5c)

> Resetting attributes: H:\new < Successful.


=> Malicious files   : 1/1 deleted.
=> Suspicious files  : 1/1 renamed.
=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 1min 59sec ::::::::::::
____________________________________________

 

There is only one folder on the drive. It is called new. H:\101  lyrics.vbs is the file that keeps reappearing, even after the device has been formatted.

Hehehe, T beat me to it, hey!!!!



#9 MzLindyOne

MzLindyOne

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:06 PM

Posted 26 August 2013 - 06:21 AM

Well ... you've got yourself a network-aware vbs worm.  Upload that lyrics.vbs file at virustotal.com and see if anything knows it.  That will tell you what can remove it if anything current, and will report to all listed vendors.  If any of them know it, maybe there's a description up.

 

And Phillip, you might consider disabling the student network until you find out what it is.  In fact I would say - Please do.

 

Please let us know the results from VirusTotal.



#10 tsnyman


Posted 26 August 2013 - 06:49 AM

Hey everyone, I found out how to kill this thing.

 

For the 101 lyrics virus, remove your removable device then navigate to your users folder on your hard drive, go to your administrators account folder, whichever one it is, and look for the 101 lyrics file (make sure that all protected system files and folders are shown). Then open task manager and look for a task called wscript, end this process and then delete the 101 lyrics file in your user files. Now you can insert your removable device and delete the infected folders on it, make sure you delete the 101 lyrics file on the device as soon as possible after inserting it. You should be clean now.



#11 Phillip1982


Posted 27 August 2013 - 01:25 AM

Thank you to all for the replies on my problem. The way with the registry works good, Buttttttt!!!! I'm looking for a virus scanner to detect the virus so that we can load it on the students' PCs and laptops. We are using MCShield now for all USBs but need one to scan the whole PC for other malicious files as well.



#12 TwinHeadedEagle


Posted 27 August 2013 - 04:53 AM

Online scanner --> http://www.eset.com/us/online-scanner/

Kaspersky Virus Removal Tool --> http://www.kaspersky.com/antivirus-removal-tool?form=1



