USB/Autorun.inf problem...as a matter of fact its a nightmare.


20 replies to this topic

#1 San Lorenzo

San Lorenzo

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 02 February 2009 - 03:03 PM

First off, I just want to say thanks in advance, but let me get to the nitty gritty.

I basically use two computers at home.

One is a Dell Dimension 4700 that's running Windows XP Home Edition (2002) Service Pack 2.

My other computer is a 15" Mac PowerBook G4 laptop running OS X 10.4.11,

and I have a SanDisk Cruzer 2g micro that has that U3 software it comes with bundled on it.

I also have two external LaCie hard drives (one is a 250gb formatted FAT32 and the other is 500gb formatted NTFS).


I use my flash drive on a daily basis to transfer files between both machines. I've had the Dell since either the fall of 2004 or the spring of 2005. I've never hooked it up to the internet; it's just always been a machine for fun, games, and to give test runs to certain programs. My Mac I've had since 2006, and I've brought it with me everywhere: overseas, to work, to school, the library etc.

It was last night I noticed something funny when I plugged my flash drive into the Dell. The autorun box popped up, but at the top of the list the open folder icon was that of an .exe file? Naturally I said wtf. One of my siblings sent me an article through email a few weeks ago about a virus spreading like this, and then I thought geez, I'm screwed. I x'ed out the autoplay box, and then I clicked on Start and opened My Computer. Everything looked perfectly fine; I took the time to re-read the icons just to make sure it wasn't like the article. The instant I click on the flash drive, nothing happens. I say wtf again? I sit there for maybe a good 30 seconds or a minute and then I open the flash drive through Explore. Everything looks normal, so I decided to pop out the drive and put it in the Mac to see if anything is unusual.

I'm browsing through my files/folders and I see a folder that says "Drivers". I knew that I didn't create it so I opened it to see what was in it. I find a folder that says "Usb" so I click on that and in the folder I see a weird file (see the quoted text further down in this post) with jumbled up numbers and something that looks like the euro symbol (originally I thought the extension was .cab, my bad on that, just making an edit here) and another that said Desktop.ini, while at the root there's an autorun.inf file. Both the autorun.inf file and the .cab are locked. I've never encountered an autorun.inf file in the root of a flash drive. I'm thinking to myself I gotta go get this straightened out asap, so I hit Google. I do a few searches and I see that some people are reformatting their hard drive and turning off autoplay. I reformat the flash drive on the Dell, but after I check the drive out on the Mac I see that the files are still there!?

I did a search on YouTube to see if there was anything that could help me. I followed the instructions of one video instructing me to open up cmd and delete the autorun.inf from there, but needless to say it didn't work. Although here's what I saw after I typed in K: (the flash drive) and autorun.inf in command:

[autorun]
open=driver\usb\ΗρσελρηΥΔει
action=Open
shell\open=Open
shell\open\command=driver\usb\ΗρσελρηΥΔει
Usb_Driver installed


I didn't really know what to do next. I did a little more scavenging and I found Malwarebytes Anti-Malware while searching some videos. I downloaded it from CNET, installed it on the Dell and went from there. This is what my first log looked like:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/2/2009 10:18:35 AM
mbam-log-2009-02-02 (10-18-35).txt

Scan type: Full Scan (C:\|H:\|I:\|K:\|)
Objects scanned: 212285
Time elapsed: 1 hour(s), 35 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWay) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Delete on reboot.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Documents and Settings\Marcus Renaissance\My Documents\uno\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
H:\Unzipped\Sony Acid Pro 5.0 + Key\Sony Acid Pro 5.0 + Key\kgsonyall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


I did shut down the computer so those files would delete on reboot. I also deleted the other ones with the Malwarebytes application.
I noticed even after that the files were still on the flash drive! At this point I'm a stuttering mess. I go back and look at that video for Malwarebytes, and I see the narrator wrote to delete the file while your computer is in safe mode. I reboot the Dell and hit F8 to start safe mode, and when it comes time to log in there's an administrator login other than my main one (again I blurted yet another wtf!?!). I go to Start > Run > cmd and as soon as the box opens, the instant I move the mouse it freezes. Now the computer didn't freeze or anything, but it was like the mouse and the keyboard were automatically disabled? I don't know what to do now. So I go browsing the internet again and I found the Flash Disinfector.exe and the OTMoveIt3.exe through cached posts made from this forum. With the OT application I moved some recycler files, but other than that.

I dunno, at the moment I just feel like a gorilla is trying to sit on my back. Any help would most definitely, incredibly, super silliously be appreciated.

Edited by San Lorenzo, 02 February 2009 - 03:52 PM.




#2 San Lorenzo


Posted 02 February 2009 - 03:19 PM

At the same time, I should add that with the Dell I also use Pro Tools M-Powered on it (yes, an official version), and I have an iLok that has my licenses on it. I am extremely paranoid about plugging it in to start a session (the application won't run without the licenses). Plus I have a few other licenses on there and I really don't want to lose them or end up with a defective iLok.

At the same time I also use an Akai MPC heavily with the Dell, and I transfer a lot of samples back and forth to the external drives (the newer MPCs have a feature where you can transfer samples; it's basically just a feature that turns the units into overpriced card readers). I'm also paranoid about my unit being affected by this too.

Edited by San Lorenzo, 02 February 2009 - 03:20 PM.


#3 San Lorenzo


Posted 02 February 2009 - 07:06 PM

I've also done a full scan twice with Malwarebytes on all of the drives.

#4 San Lorenzo


Posted 03 February 2009 - 11:52 AM

I had installed Avira AntiVir yesterday, and everything seemed alright, but it detected a 'TR/Trash.Gen [trojan]' in C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1003\A0080810.dll.

Then I told the program to delete the file.

After that I turned off System Restore and shut down the computer.
Then I rebooted and turned System Restore back on.


Is anyone out there!?!?! Help please!!!!!!

#5 San Lorenzo


Posted 03 February 2009 - 12:41 PM

One other thing I might add: I've run the F-Secure stuff and it tells me the same thing all the time. "Nothing Found"

The thing is, I know something still has to be up, because when I log out/shut down or log in it doesn't say my computer's name anymore. It just says log off "computer". I know it's a small detail, but I've always found that the small details are the things that need to be paid attention to the most because they come up and bite you when you least expect it.

I really really just want to get this off of my flash drive too.

After all of the things that I've done, even after I look at the flash drive on the PC, I can still see that hidden folder.
When I open up that hidden folder I see another folder that's a recycle bin that says "USB". Now I haven't opened this folder on my PC but I have on my Mac, and like I said there's some weird .exe file in there that's locked and a Desktop.ini file.


Because to be honest I really don't want to do a system restore to my machine. I know there has to be someone out there who at least understands what's going on with my situation.

#6 San Lorenzo


Posted 03 February 2009 - 02:36 PM

Here are some PHOTOS

Now this is what I see on my PC looking at the C:Drive

Posted Image

now this is what I see on the K/Flash Drive. The Driver folder is where the corrupt file is located
Posted Image

This Is what I see in the Driver Folder
Posted Image

whenever I clicked on explore for this file, it was always empty. Even when I tried to delete it, It was empty.
Then I always had to use the OT Move it, to move recycler from the c drive


NOW THIS IS WHAT I SEE ON THE MAC


here is the Flash Drive, you can see how that driver folder is already there
Posted Image

here the usb folder
Posted Image

NOW HERE IS INSIDE THE USB FOLDER WITHIN THE DRIVER FOLDER
Posted Image

NOW THIS IS WHAT I SEE WHEN I CLICK ON "GET INFO" OVER THAT WEIRD FILE
Posted Image

WTF!?!?!

Edited by San Lorenzo, 03 February 2009 - 02:48 PM.


#7 San Lorenzo


Posted 03 February 2009 - 03:22 PM

I don't know if this worked or not, but here's what I just did.

I noticed I could actually delete the files on my Mac,

but every time I put the flash drive back in my computer, they showed back up on the drive.

So I'm figuring the culprit is that my computer has been infected.

So I tried this.

As you can see from the photos I posted, there was always a driver folder being created, with a Usb subfolder.
Now in the subfolder there was always the exe file and the desktop.ini file.


So here's what I did. I went into the driver folder on my Mac and in the usb subfolder I unlocked the exe file,

then I simply deleted the whole folder.

I made a brand new folder called "Driver",

made it identical with the usb subfolder, except this time within the usb subfolder I created another folder called "Desktop.ini".

I popped the drive out of my Mac and plugged it back into the PC (while holding Shift)
to see what would happen.

So it turns out the driver folder is still listed as a hidden folder, yet this time it's only 6.00 kb; before, it was 88k because of the exe file.

So like I said, this leads me to believe that the virus is STILL on my computer somewhere,
despite using Malwarebytes, Flash Disinfector, OTMoveIt, ATF Cleaner, and the F-Secure website stuff.


It's not as much of a pain in *** as it was to me yesterday when I think about this.

Anybody out there feel the same? Help!

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:05 AM

Posted 03 February 2009 - 03:26 PM

update MBAM and run another scan and post that log
Chewy

No. Try not. Do... or do not. There is no try.

#9 San Lorenzo


Posted 03 February 2009 - 04:01 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/3/2009 4:05:52 PM
mbam-log-2009-02-03 (16-05-52).txt

Scan type: Quick Scan
Objects scanned: 51689
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)








Something is still up. I wasn't able to update because that comp doesn't have internet access and I'm typing this from my Mac right now.
(Although yet I have another Dell, the model is pretty similar, and I installed Malwarebytes on there and when I went to update a while ago nothing happened.) So I guess I'm flying blind right now, fellas.

Help!!!

#10 San Lorenzo


Posted 03 February 2009 - 04:21 PM

So let me get this straight,

after giving this thing too much thought.


The Autorun.inf isn't necessarily a virus? It could be used for maybe opening up something like a game or CD automatically, and that being the case, software like Malwarebytes etc. doesn't really see it as a threat. So it won't scan the exe files being written, but most cases such as mine occurred when the user didn't click Explore and clicked on the icon within the My Computer screen?

That being the case, something has infected the system which is undetectable, or I'm just clueless as to what I'm dealing with. I think it's a combination of both.

BUT I think that it has to be on the computer now, because the computer couldn't overwrite the folders on the flash drive after I changed them and it couldn't install an Autorun.inf file after I created an Autorun.inf folder.

So what exactly is going on?

It doesn't seem like I need a system restore; I think that would be a little bit too uncalled for. IT JUST FEELS like this is something small causing a ruckus, almost like a teething infant.


Help!

#11 San Lorenzo


Posted 03 February 2009 - 04:51 PM

I just did another scan with Avira


Avira AntiVir Personal
Report file date: Tuesday, February 03, 2009 16:13

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Marcus Renaissance
Computer name: D44R6771

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Use file extension list
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, February 03, 2009 16:13

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'WZQKPICK.EXE' - '1' Module(s) have been scanned
Scan process 'NkbMonitor.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'svchoste.exe' - '1' Module(s) have been scanned
Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'M-AudioTaskBarIcon.exe' - '1' Module(s) have been scanned
Scan process 'mafwTray.exe' - '1' Module(s) have been scanned
Scan process 'cledx.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'mcregwiz.exe' - '1' Module(s) have been scanned
Scan process 'MpfTray.exe' - '1' Module(s) have been scanned
Scan process 'McVSEscn.exe' - '1' Module(s) have been scanned
Scan process 'mcvsshld.exe' - '1' Module(s) have been scanned
Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'mcupdate.exe' - '1' Module(s) have been scanned
Scan process 'mmtask.exe' - '1' Module(s) have been scanned
Scan process 'mm_tray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'mcagent.exe' - '1' Module(s) have been scanned
Scan process 'MpfAgent.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'McShield.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MpfService.exe' - '1' Module(s) have been scanned
Scan process 'mcvsrte.exe' - '1' Module(s) have been scanned
Scan process 'MA_CMIDI_Inst.exe' - '1' Module(s) have been scanned
Scan process 'MAUSBMRInst.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'MMERefresh.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
55 processes with 55 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '78' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!


End of the scan: Tuesday, February 03, 2009 16:54
Used time: 40:35 Minute(s)

The scan has been done completely.

7845 Scanning directories
102053 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
102050 Files not concerned
4974 Archives were scanned
3 Warnings
0 Notes



should I be worried about those 3 warnings???? help!

Edited by San Lorenzo, 03 February 2009 - 04:57 PM.


#12 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:06:05 AM

Posted 03 February 2009 - 05:21 PM

autorun.inf is from the Flash Card Disinfector application that you ran

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
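
Added example, not part of the thread and not Flash_Disinfector's code: a read-only Python audit of a removable drive's root that tells apart the three cases discussed above (no autorun.inf, an autorun.inf file whose [autorun] section launches a program, and the placeholder folder named autorun.inf). The function names and PLACEHOLDER.exe are assumptions made for the example; the sample file is constructed from the layout quoted in post #1.

```python
import os
import tempfile

# Keys in the [autorun] section whose value names a program to launch.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section only; keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        # Lines without '=' (such as "Usb_Driver installed") are not entries.
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Values of open=, shellexecute= and shell\\<verb>\\command= entries."""
    return sorted({v for k, v in entries.items()
                   if k in EXEC_KEYS
                   or (k.startswith("shell\\") and k.endswith("\\command"))})


def resolve_nocase(root, rel):
    """Resolve a backslash path case-insensitively, as a FAT volume would."""
    cur = root
    for part in rel.strip('"').replace("/", "\\").split("\\"):
        if not part:
            continue
        names = os.listdir(cur) if os.path.isdir(cur) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def audit_root(root):
    """Classify the drive root: 'absent', 'folder' (placeholder) or 'file'."""
    path = resolve_nocase(root, "autorun.inf")
    if path is None:
        return {"state": "absent", "targets": {}}
    if os.path.isdir(path):
        # A directory with this name stops a file of the same name being created.
        return {"state": "folder", "targets": {}}
    with open(path, "rb") as fh:
        text = fh.read().decode("cp1252", errors="replace")
    targets = launch_targets(parse_autorun(text))
    # For each launch target, record whether that file is present on the drive.
    return {"state": "file",
            "targets": {t: resolve_nocase(root, t) is not None for t in targets}}


# Constructed sample; PLACEHOLDER.exe stands in for the unreadable file name.
SAMPLE = (b"[autorun]\r\n"
          b"open=driver\\usb\\PLACEHOLDER.exe\r\n"
          b"action=Open\r\n"
          b"shell\\open=Open\r\n"
          b"shell\\open\\command=driver\\usb\\PLACEHOLDER.exe\r\n"
          b"Usb_Driver installed\r\n")


def demo():
    """Build one 'infected' and one 'guarded' fake drive root and audit both."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as ok:
        os.makedirs(os.path.join(bad, "Driver", "Usb"))
        open(os.path.join(bad, "Driver", "Usb", "PLACEHOLDER.exe"), "wb").close()
        with open(os.path.join(bad, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE)
        os.mkdir(os.path.join(ok, "autorun.inf"))
        return audit_root(bad), audit_root(ok)


if __name__ == "__main__":
    print(demo())
```
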

#13 DaChew


Posted 03 February 2009 - 05:26 PM

lpt3.This folder was created by Flash_Disinfector


mine are labeled

I wonder why you can't get MBAM to update?
Chewy

No. Try not. Do... or do not. There is no try.

#14 San Lorenzo


Posted 03 February 2009 - 05:28 PM

But even before I did that, I had a file that said Autorun.inf.


I compared two of the same flash drives on my Mac.

One (the infected one) had the autorun file on it,

the uninfected one didn't.


Every time I deleted it from the flash drive on the Mac, and popped it back into the PC and then checked it on the Mac,
I'd find the autorun.inf file. This autorun.inf file wasn't a folder; it was a file that was kind of like an exe.


In a few minutes I'll be able to make a screenshot of it on my Mac to show you.

#15 San Lorenzo


Posted 03 February 2009 - 05:32 PM

lpt3.This folder was created by Flash_Disinfector


mine are labeled

I wonder why you can't get MBAM to update?


DaChew, I don't know why. I had it trying to update on the other computer for a long time (maybe about an hour) but to no avail. It was just an empty bar saying "connection to Malwarebytes for update".


Yeah, my folder isn't labeled "This folder was created by Flash_Disinfector".

I had to go on the Mac and make a folder named "autorun.inf".

That whole folder recreation I did is the only way I can really use the flash drive and not worry about it getting infected. Yet I know SOMETHING is still on my machine.

Help!!!



