files turned into shortcuts - ulbloqmeed.vbs

Ran Haba · Aug 23, 2013

hello
I think I have a glitch
I used my DiscOnKey on a public computer and when i returned home to my Dell laptop I noticed all my files and folders turned into shortcuts.
i tried using another DiscOnKey on my computer n it infected it too - i mean i now have the same problem on both DiscOnKeys.
i tried formating it with no use - this problem sticks. i scaned my computer n DiscOnKeys with AntiVirus - no infections found.

i changed folder options to show hidden files and also protected operating system files and found this file : ' ulbloqmeed.vbs ' (VBScript Script File) in flash drive and in C:\Users\Ran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and in C:\Users\Ran\AppData\Local\Temp
i tried deleting it and got a messege: "the actiion can not be competed because the file is open in microsoft windows based script host".

can anyone please help me fix it?
I use windows 7 btw.

davefowler · Aug 23, 2013

Malwarebytes should get rid of that virus. Follow these steps-

http://cocodrilabs.wordpress.com/2012/04/16/virus-my-files-turned-into-shortcuts-solved/

Ran Haba · Aug 24, 2013

davefowler :

no. it didnt work. i use AVG and I just updated it and i ran a full scan. also tried Malwarebytes - with no use - it didnt detect the file i mentioned (ulbloqmeed.vbs).
can anyone come up with another solution?

Saga Lout · Aug 25, 2013

ComboFix should find and fix this. Carefully read the instructions at http://www.bleepingcomputer.com which is also the best download site. Make sure you wait until it has completely finished and produced its log before going into the Run box, then type in combofix /uninstall. It will seem to be installing again but that's just part of the process. Again, wait until confirmation appears then restart the system.

Ran Haba · Aug 25, 2013

Saga Lout :

Saga Lout - tyvm your solution worked. and after i did what u said i used davefowler's solution just to be sure - meaning i deleted the .vbs file and used CMD to run this command: attrib -h -r -s /s /d F:\*.*
important note: use windows search to find all the copies of ulbloqmeed.vbs and delete them. do that for all infected flash drives.
thanx again to both of you

Saga Lout · Aug 25, 2013

Well done - nice when it works out like that and two tools are better than one. Double check the Registry for leftover references to that file - a search from the Edit>Find menu should track the first one down, delete it and Function 3 takes you on to the next, etc.

Ran Haba · Aug 26, 2013

Saga Lout :

hmm can u explain what u just said plz? where is this edit->find bottun exacly?

Saga Lout · Aug 26, 2013

The Edit menu is on the Registry when you open it using regedit in the Run box. Find that by going to c:\windows\system32, highlight regedit.exe and right click then select RunAs Administrator.

Ran Haba · Aug 26, 2013

Saga Lout :

i did as u asked n the search didnt come up with any result. i hope thats ok...
thanx again!
Zook

Saga Lout · Aug 26, 2013

Sounds good. All clear now.

uchiha77794 · Sep 13, 2013

It happened also to me. Anti virus cannot detect it. What you are going to do is to delete it manually.

Reminder:
1st step:
You should check the SHOW HIDDEN FILES. Then, unchecked HIDE EXTENSIONS FROM KNOWN FILES and HIDE PROTECTED OPERATING SYSTEM
To do this
Open My Computer
View
Folder Options
Then do the first step

So here it is

First
From task manager, you should end the process wscript.exe

Second
Go to C:\Documents and Settings\(your user name)\Local Settings\Temp
you should see kpcgrhynko.vbs file delete it (I deleted this file using QuickWiper)
(So if there is no such file as this, proceed to the next step)

Next Go to C:\Documents and Settings\(your user name)\Start Menu\Programs\Startup
you should see again this file kpcgrhynko.vbs. Delete it (I deleted this file using QuickWiper)
(So if there is no such file as this, proceed to the next step)

Third
Open your flashdrive
Delete kpcgrhynko.vbs again
Then, delete all the shorcut files

Fourth
Here I assume your flahdrive is G
Run CMD
enter this command:
attrib -h -r -s s /s /d G:\*.*

So thats it......
Sorry for my bad english.....

I'm also using this noscript.exe application to enable or disable vbs(visual basic script) so that .vbs malware will not spread on my computer...

I hoped it helps

mohammadtissue · Sep 29, 2013

@uchiha77794 thank you very much it was very helpful and solved my problem

but the command should be written like that attrib -h -r -s /s /d G:\*.*
thank you again

ripshock · Dec 4, 2013

Guys can you look at this link http://www.tomshardware.co.uk/answers/id-1912967/vbs-files-dangerous.html, it`s related to the above

Saga Lout · Dec 4, 2013

I've answered your post in there but it's unclear whether you're posting advice or still need some. I'll close this one now - it's getting a bit old.

Search

files turned into shortcuts - ulbloqmeed.vbs

Ran Haba

Honorable

davefowler

davefowler

Honorable

Ran Haba

Honorable

Saga Lout

Retired Mod

Ran Haba

Honorable

Saga Lout

Retired Mod

Ran Haba

Honorable

Saga Lout

Retired Mod

Ran Haba

Honorable

Saga Lout

Retired Mod

uchiha77794

Honorable

mohammadtissue

Honorable

ripshock

Honorable

Saga Lout

Retired Mod

TRENDING THREADS

Latest posts

Moderators online

Share this page