• C:\GoogleChrome
• C:\MozillaFirefox

She put the malicious script GoogleChrome.a3x (encoded AutoIt Script), renowned wscript.exe copies, copies of famous AutoIt.exe, copies of cmd.exe renamed and shortcuts :

• GoogleChrome.lnk
• GoogleUpdate.lnk
• MozillaFirefox.lnk
• My Music.lnk
• WindowsUpdate.lnk

GoogleChrome.a3x create two shortcuts in Windows Startup folder to call the malicious script with command CMD or AutoIt executable :

• %StartUp%\Google Chrome.lnk : %SysDir%\cmd.exe -> %SystemDrive%\MozillaFirefox\GoogleChrome.a3x
• %StartUp%\GoogleUpdate.lnk : %SystemDrive%\GoogleChrome\GoogleChrome.exe (Autoit.exe renommé) -> %SystemDrive%\GoogleChrome\GoogleChrome.a3x

The infection will then spread to removable drives (USB, SD card etc), it created the MozillaFirefox folder and places his malicious code :
%UsbDrive%:\MozillaFirefox\GoogleChrome.a3x
She also create this following files :

• %UsbDrive%:\! Videos\! Videos.lnk
• %UsbDrive%:\! Videos\My Music.lnk
• %UsbDrive%:\My Games\My Games.lnk
• %UsbDrive%:\My Games\My Music.lnk
• %UsbDrive%:\My Videos\My Videos.lnk
• %UsbDrive%:\My Videos\My Music.lnk
• %UsbDrive%:\My Movies\My Movies.lnk
• %UsbDrive%:\My Movies\My Music.lnk

.lnk Files are shortcuts, they are all trapped in order to execute the malicious script GoogleChrome.a3x.
A trapped shortcut is created in all folder of the USB drive : My Music.lnk

Deleted! I:\Documents.lnk
Deleted! I:\Downloads.lnk
Deleted! C:\GoogleChrome\GoogleChrome.a3x
Deleted! C:\GoogleChrome\GoogleChrome.exe
Deleted! C:\GoogleChrome\GoogleChrome.lnk
Deleted! C:\GoogleChrome\GoogleUpdate.lnk
Deleted! C:\GoogleChrome\MozillaFirefox.lnk
Deleted! C:\GoogleChrome\My Music.lnk
Deleted! C:\GoogleChrome\WindowsUpdate.lnk
Deleted! C:\GoogleChrome
Deleted! C:\MozillaFirefox\GoogleChrome.a3x
Deleted! C:\MozillaFirefox\GoogleChrome.exe
Deleted! C:\MozillaFirefox\GoogleChrome.lnk
Deleted! C:\MozillaFirefox\GoogleUpdate.lnk
Deleted! C:\MozillaFirefox\MozillaFirefox.lnk
Deleted! C:\MozillaFirefox\My Music.lnk
Deleted! C:\MozillaFirefox\WindowsUpdate.lnk
Deleted! C:\MozillaFirefox
Deleted! E:\MozillaFirefox\GoogleChrome.a3x
Deleted! E:\MozillaFirefox\GoogleChrome.exe
Deleted! E:\MozillaFirefox\GoogleChrome.lnk
Deleted! E:\MozillaFirefox\GoogleUpdate.lnk
Deleted! E:\MozillaFirefox\MozillaFirefox.lnk
Deleted! E:\MozillaFirefox\My Music.lnk
Deleted! E:\MozillaFirefox\WindowsUpdate.lnk
Deleted! E:\MozillaFirefox
Deleted! F:\MozillaFirefox\GoogleChrome.a3x
Deleted! F:\MozillaFirefox\GoogleChrome.exe
Deleted! F:\MozillaFirefox\GoogleChrome.lnk
Deleted! F:\MozillaFirefox\GoogleUpdate.lnk
Deleted! F:\MozillaFirefox\MozillaFirefox.lnk
Deleted! F:\MozillaFirefox\My Music.lnk
Deleted! F:\MozillaFirefox\WindowsUpdate.lnk
Deleted! F:\MozillaFirefox
Deleted! G:\MozillaFirefox\GoogleChrome.a3x
Deleted! G:\MozillaFirefox\GoogleChrome.exe
Deleted! G:\MozillaFirefox\GoogleChrome.lnk
Deleted! G:\MozillaFirefox\GoogleUpdate.lnk
Deleted! G:\MozillaFirefox\MozillaFirefox.lnk
Deleted! G:\MozillaFirefox\My Music.lnk
Deleted! G:\MozillaFirefox\WindowsUpdate.lnk
Deleted! G:\MozillaFirefox
Deleted! I:\MozillaFirefox\GoogleChrome.a3x
Deleted! I:\MozillaFirefox\GoogleChrome.exe
Deleted! I:\MozillaFirefox\GoogleChrome.lnk
Deleted! I:\MozillaFirefox\GoogleUpdate.lnk
Deleted! I:\MozillaFirefox\MozillaFirefox.lnk
Deleted! I:\MozillaFirefox\My Music.lnk
Deleted! I:\MozillaFirefox\WindowsUpdate.lnk
Deleted! I:\MozillaFirefox
Deleted! I:\System Volume Information\My Music.lnk
Deleted! I:\Yennai Arindhaal (2015) – LOTUS DVDRip – x264 – AAC

How to remove GoogleChrome.a3x ?

• Download UsbFix on your computer, and execute it.
• It will launch automatically, and a shortcut will be created on your desktop.
• Connect all your external data sources to your PC (Usb keys, external drives, etc…) Do not open them.
• Choose “Clean” option.