Closed

files turned into shortcuts - ulbloqmeed.vbs

August 23, 2013 4:08:28 PM

hello
I think I have a glitch.
I used my DiscOnKey on a public computer and when I returned home to my Dell laptop I noticed all my files and folders turned into shortcuts.
I tried using another DiscOnKey on my computer and it infected it too - I mean I now have the same problem on both DiscOnKeys.
I tried formatting it with no use - this problem sticks. I scanned my computer and DiscOnKeys with AntiVirus - no infections found.

I changed folder options to show hidden files and also protected operating system files and found this file: 'ulbloqmeed.vbs' (VBScript Script File) in the flash drive and in C:\Users\Ran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and in C:\Users\Ran\AppData\Local\Temp
I tried deleting it and got a message: "the action can not be completed because the file is open in microsoft windows based script host".

can anyone please help me fix it?
I use windows 7 btw.

Best solution

August 23, 2013 4:28:50 PM

Malwarebytes should get rid of that virus. Follow these steps-

http://cocodrilabs.wordpress.com/2012/04/16/virus-my-fi...
August 24, 2013 12:48:24 PM

davefowler said:
Malwarebytes should get rid of that virus. Follow these steps-

http://cocodrilabs.wordpress.com/2012/04/16/virus-my-fi...


No, it didn't work. I use AVG and I just updated it and I ran a full scan. I also tried Malwarebytes - with no use - it didn't detect the file I mentioned (ulbloqmeed.vbs).
Can anyone come up with another solution?
Score
0
August 24, 2013 11:21:36 PM

ComboFix should find and fix this. Carefully read the instructions at http://www.bleepingcomputer.com which is also the best download site. Make sure you wait until it has completely finished and produced its log before going into the Run box, then type in combofix /uninstall. It will seem to be installing again but that's just part of the process. Again, wait until confirmation appears then restart the system.
Score
0
August 25, 2013 1:33:54 AM

Saga Lout said:
ComboFix should find and fix this. Carefully read the instructions at http://www.bleepingcomputer.com which is also the best download site. Make sure you wait until it has completely finished and produced its log before going into the Run box, then type in combofix /uninstall. It will seem to be installing again but that's just part of the process. Again, wait until confirmation appears then restart the system.


Saga Lout - thank you very much, your solution worked. After I did what you said I used davefowler's solution just to be sure - meaning I deleted the .vbs file and used CMD to run this command:
attrib -h -r -s /s /d F:\*.*
Important note: use Windows search to find all the copies of ulbloqmeed.vbs and delete them. Do that for all infected flash drives.
Thanks again to both of you.
Score
0
August 25, 2013 6:43:49 AM

Well done - nice when it works out like that and two tools are better than one. Double check the Registry for leftover references to that file - a search from the Edit>Find menu should track the first one down, delete it and Function 3 takes you on to the next, etc.
Score
0
August 26, 2013 11:52:07 AM

Saga Lout said:
Well done - nice when it works out like that and two tools are better than one. Double check the Registry for leftover references to that file - a search from the Edit>Find menu should track the first one down, delete it and Function 3 takes you on to the next, etc.


Hmm, can you explain what you just said please? Where is this Edit->Find button exactly?
Score
0
August 26, 2013 11:54:59 AM

The Edit menu is on the Registry when you open it using regedit in the Run box. Find that by going to c:\windows\system32, highlight regedit.exe and right click then select RunAs Administrator.
Score
0
August 26, 2013 12:03:06 PM

Saga Lout said:
The Edit menu is on the Registry when you open it using regedit in the Run box. Find that by going to c:\windows\system32, highlight regedit.exe and right click then select RunAs Administrator.


I did as you asked and the search didn't come up with any result. I hope that's ok...
Thanks again!
Zook
Score
0
August 26, 2013 12:38:33 PM

Sounds good. All clear now.
Score
0
September 13, 2013 4:25:56 AM

It also happened to me. Antivirus cannot detect it. What you are going to do is delete it manually.

Reminder (do this first):
You should check SHOW HIDDEN FILES. Then uncheck HIDE EXTENSIONS FROM KNOWN FILES and HIDE PROTECTED OPERATING SYSTEM.
To do this:
Open My Computer
View
Folder Options
Then change the settings above.

So here it is.

First
From Task Manager, you should end the process wscript.exe

Second
Go to C:\Documents and Settings\(your user name)\Local Settings\Temp
You should see the file kpcgrhynko.vbs. Delete it (I deleted this file using QuickWiper).
(If there is no such file, proceed to the next step.)

Next, go to C:\Documents and Settings\(your user name)\Start Menu\Programs\Startup
You should see the file kpcgrhynko.vbs again. Delete it (I deleted this file using QuickWiper).
(If there is no such file, proceed to the next step.)

Third
Open your flash drive
Delete kpcgrhynko.vbs again
Then delete all the shortcut files

Fourth
Here I assume your flash drive is G
Run CMD
Enter this command:
attrib -h -r -s s /s /d G:\*.*

So that's it.
Sorry for my bad English.

I'm also using this noscript.exe application to enable or disable VBS (Visual Basic Script) so that .vbs malware will not spread on my computer.

I hope it helps.
Score
0
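The manual checks from this thread (running wscript.exe, copies in Startup and Temp, leftover Registry references, hidden originals behind the shortcuts) collected into one read-only triage script. This is an added example, not part of any post above; it assumes Windows PowerShell with Get-WmiObject available, the drive letter F:, and that each shortcut carries the name of the hidden item it replaced.

```powershell
# Added example: read-only triage, nothing is deleted or modified.
# Assumption: $Drive is the flash drive letter (F: as used in the thread).
param([string]$Drive = 'F:')
$scriptExt = '^\.(vbs|vbe|wsf)$'

# 1. Script host processes and the script file each one has open.
$procs = Get-WmiObject Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    Select-Object ProcessId, CommandLine

# 2. Script files in Startup, Temp and the drive root.
#    -Force is required: hidden/system items are not listed without it.
$dirs = [Environment]::GetFolderPath('Startup'), $env:TEMP, "$Drive\"
$scripts = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match $scriptExt } |
        Select-Object FullName, LastWriteTime
}

# 3. Run-key values that reference a script host or a .vbs file.
#    Assumption: Run keys chosen as the usual autostart location; the thread
#    itself only says to search the Registry for the file name.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -match 'wscript|cscript|\.vbs') {
                New-Object PSObject -Property @{ Key = $k; Name = $name; Value = $value }
            }
        }
    }
}

# 4. Drive root: hidden+system originals with a same-named .lnk beside them.
$root   = @(Get-ChildItem -Path "$Drive\" -Force -ErrorAction SilentlyContinue)
$hs     = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = @($root | Where-Object { ($_.Attributes -band $hs) -eq $hs })
$links  = @($root | Where-Object { $_.Extension -eq '.lnk' })
$pairs  = foreach ($l in $links) {
    $base = [IO.Path]::GetFileNameWithoutExtension($l.Name)
    $hidden | Where-Object { $_.Name -eq $base } |
        Select-Object @{ n = 'Shortcut'; e = { $l.Name } }, @{ n = 'Hidden'; e = { $_.FullName } }
}
'--- script host processes'; $procs    | Format-List
'--- script files found';    $scripts  | Format-Table -AutoSize
'--- autorun references';    $autoruns | Format-List
'--- shortcut / hidden pairs'; $pairs  | Format-Table -AutoSize
```

Empty sections after cleanup mean none of these particular checks found anything; rerun it with each flash drive's letter as the `-Drive` argument.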
September 29, 2013 11:26:55 AM

@uchiha77794 thank you very much, it was very helpful and solved my problem.

But the command should be written like this:
attrib -h -r -s /s /d G:\*.*
Thank you again ;)
Score
0
December 4, 2013 1:21:13 AM

I've answered your post in there but it's unclear whether you're posting advice or still need some. I'll close this one now - it's getting a bit old.
Score
0