
RECYCLER problems.


8 replies to this topic

#1 elesdee


Posted 03 February 2009 - 10:04 AM

OK, so I read the topic that killa57 wrote, and I just wish I could have found this site before I reformatted the computer back to factory settings. No biggie. But anyway, I'm having problems opening up my external HD (it no longer seems to be hindering my ability to open my other drives).

I followed what I saw PropogandaPanda write about these programs, but I couldn't get FlashDisinfector to work. It says the file cannot be saved because it cannot be read.

(I also tried to take a screenshot, but for some reason it will not let me copy/paste the http link.)
It looks just the same as killa57's screenshot, as well as a couple of others I have seen around the site concerning this bug.

Anyway, here are my log results, following the guidance from killa57's post:


========== FILES ==========
c:\RECYCLER\S-1-5-21-2990273130-2400861128-3873276286-1009 moved successfully.
c:\RECYCLER moved successfully.
d:\RECYCLER moved successfully.
Folder e:\recycler not found.
Folder f:\recycler not found.
Folder g:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_063957



Malwarebytes' Anti-Malware 1.33
Database version: 1718
Windows 5.1.2600 Service Pack 2

2/3/2009 6:47:27 AM
mbam-log-2009-02-03 (06-47-27).txt

Scan type: Quick Scan
Objects scanned: 54935
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)


Error: Unable to interpret <c:\recycled\> in the current context!
Error: Unable to interpret <d:\recycled\> in the current context!
Error: Unable to interpret <e:\recycled\> in the current context!
Error: Unable to interpret <f:\recycled\> in the current context!
Error: Unable to interpret <g:\recycled\> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_065730

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1726b93a-651f-11da-a100-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1726b93b-651f-11da-a100-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1726b93c-651f-11da-a100-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{484a9f20-eb72-11da-8404-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{484a9f21-eb72-11da-8404-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCFDFDFDF5FDFDF0101FFFFFFFFFFFFFFFFFF000100000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{484a9f22-eb72-11da-8404-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000100000009070000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-7-4-88-100021111-100026562-100029917-6919.com g:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-7-4-88-100021111-100026562-100029917-6919.com g:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29220-f145-11dd-8e9b-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}
BaseClass REG_SZ Drive
_CommentFromDesktopINI REG_SZ

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-0-63-100026664-100023447-100001691-5132.com d:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29221-f145-11dd-8e9b-806d6172696f}\Shell\Open\command
<NO NAME> REG_SZ D:\RECYCLER\S-6-0-63-100026664-100023447-100001691-5132.com d:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29222-f145-11dd-8e9b-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{55453ac7-f1ee-11dd-8e9e-00040b808080}
Data REG_BINARY
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{71a29220-f145-11dd-8e9b-806d6172696f}
Data REG_BINARY
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{71a29221-f145-11dd-8e9b-806d6172696f}
Data REG_BINARY
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{71a29222-f145-11dd-8e9b-806d6172696f}
Data REG_BINARY
Generation REG_DWORD 0x1

========== FILES ==========
Folder c:\recycled not found.
d:\Recycled moved successfully.
Folder e:\recycled not found.
f:\Recycled moved successfully.
Folder g:\recycled not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_070110

And I still cannot open my external HD (F:) at this point. Please help.

Edited by elesdee, 03 February 2009 - 09:16 PM.



#2 elesdee


Posted 03 February 2009 - 09:18 PM

Can someone please help me out?


:thumbsup:

#3 extremeboy


Posted 03 February 2009 - 09:40 PM

Hello.

Please do not use OTMoveIt3 unless instructed; it's a strong tool and can cause serious damage to your computer if not used correctly.

Do you have another computer from which you can transfer Flash-Drive Disinfector? It's best if you have some CDs and CD-burning software, so you can transfer Flash-Drive Disinfector to this machine and then run it.

Run Script with OTMoveIt3
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the [image] area. Do not include the word "Code".
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1726b93a-651f-11da-a100-806d6172696f}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{484a9f20-eb72-11da-8404-806d6172696f}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29220-f145-11dd-8e9b-806d6172696f}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large [image] button.
  • Copy/Paste the contents under the [image] line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Post back with the OTMoveIT log. See if you can get flash-drive disinfector to run again.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].
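The reg.exe dump in the first post shows the hijack this reply describes: per-volume Shell\AutoRun\command and Shell\Open\command values under MountPoints2 that launch a RECYCLER\S-...com file when the drive is opened from My Computer. The following Python script is an added example, not part of this thread or of any tool it mentions: it parses such a dump, flags those entries, and prints the `:reg` removal lines in the format of the OTMoveIt script above; the dump embedded in it is a constructed sample shaped like the one in the first post.

```python
r"""Flag MountPoints2 autorun hijacks in a reg.exe dump (added example).

An autorun worm registers, for each volume GUID under Explorer's MountPoints2
key, Shell\AutoRun\command and Shell\Open\command values that start a payload
(on this thread's machine a RECYCLER\S-...com file) when the drive is opened
from My Computer. parse_reg_dump() reads the text that
`reg query HKCU\...\MountPoints2 /s` prints, find_autorun_hijacks() flags such
entries, and otmoveit_reg_lines() lists ":reg" removal lines in the format of
the OTMoveIt script in the reply above. SAMPLE_DUMP is a constructed sample
shaped like the reg.exe output in the first post.
"""
import re
from typing import Any, Dict, List

MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Explorer\MountPoints2")

# Constructed sample: one clean drive letter, one hijacked volume, one clean volume
SAMPLE_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-7-4-88-100021111-100026562-100029917-6919.com g:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-7-4-88-100021111-100026562-100029917-6919.com g:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29220-f145-11dd-8e9b-806d6172696f}
BaseClass REG_SZ Drive
"""

# "name type data"; REG.EXE 3.0 prints the default value's name as "<NO NAME>"
VALUE_RE = re.compile(r"^(<NO NAME>|\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
# ...\MountPoints2\<volume>\Shell\<verb>\command
COMMAND_RE = re.compile(re.escape(MOUNTPOINTS2) +
                        r"\\([^\\]+)\\Shell\\(AutoRun|Open)\\command$", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(com|exe|bat|cmd|scr|pif|vbs)\b", re.IGNORECASE)


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map every key path in the dump to its {value name: data} pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3)
    return keys


def find_autorun_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, Any]]:
    r"""Return one finding per suspicious Shell\AutoRun or Shell\Open command."""
    findings: List[Dict[str, Any]] = []
    for path, values in keys.items():
        m = COMMAND_RE.match(path)
        if not m:
            continue
        volume, verb = m.group(1), m.group(2)
        command = values.get("<NO NAME>", "")
        reasons = []
        if re.search(r"\bRECYCLER\\", command, re.IGNORECASE):
            reasons.append("runs a file hidden under RECYCLER")
        if "ShellExec_RunDLL" in command:
            reasons.append("launches the payload via RunDLL32 ShellExec_RunDLL")
        if EXECUTABLE_RE.search(command):
            reasons.append("command names an executable file")
        # A default verb of "Autorun" makes a double-click on the drive run the command
        shell_key = MOUNTPOINTS2 + "\\" + volume + "\\Shell"
        if keys.get(shell_key, {}).get("<NO NAME>", "").lower() == "autorun":
            reasons.append("drive's default verb is Autorun, so opening the drive runs it")
        if reasons:
            findings.append({"volume": volume, "verb": verb,
                             "command": command, "reasons": reasons})
    return findings


def otmoveit_reg_lines(findings: List[Dict[str, Any]]) -> List[str]:
    """':reg' block removing each affected volume key, in the reply's script format."""
    volumes = sorted({str(f["volume"]) for f in findings})
    return [":reg"] + ["[-%s\\%s]" % (MOUNTPOINTS2, v) for v in volumes]


if __name__ == "__main__":
    hits = find_autorun_hijacks(parse_reg_dump(SAMPLE_DUMP))
    for h in hits:
        print("%s  %s: %s" % (h["volume"], h["verb"], h["command"]))
        for reason in h["reasons"]:
            print("    - " + reason)
    print("\n".join(otmoveit_reg_lines(hits)))
```

On a live machine the input would come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s`; a drive-letter key with only BaseClass, like C above, is normal and is not flagged.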

#4 elesdee


Posted 04 February 2009 - 07:15 AM

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1726b93a-651f-11da-a100-806d6172696f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{484a9f20-eb72-11da-8404-806d6172696f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55453ac7-f1ee-11dd-8e9e-00040b808080}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71a29220-f145-11dd-8e9b-806d6172696f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_YYgCsjwPhtcMfQbpiz97 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02042009_035049

Files moved on Reboot...
File C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\etilqs_YYgCsjwPhtcMfQbpiz97 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\vknvb47w.default\XUL.mfl moved successfully.

As for the tutorials on removing Autostart, when I attempted the first I got a message stating that Windows couldn't find gpedit.msc, but I got the second one to work fine.

I am going to reboot now and update the results when I get back.


Alright, everything seems good. I am now able to open my external HD and was also able to get FlashDisinfector. NOD32 kept interpreting it as a virus and terminating the connection, so I just temporarily disabled it.

Anyway, I do notice that the files that were moved by OTMoveIt are still around. Is there something I should do with them? I mean, those are the bad files that were messing things up, right?


Thanks a lot though, extremeboy, I really appreciate you taking the time to help me out with this.
I gotta tell everyone I know about disabling autoplay. IT SUCKS ANYWAY!


But I am still having problems with my computer not rebooting when commanded to. It kinda just sits at the regular Windows screen and does nothing. Then if I try to open a program or app, it says "cannot open process because Windows is closing" or something like that. Is that bad??

Edited by elesdee, 04 February 2009 - 07:40 AM.


#5 extremeboy


Posted 04 February 2009 - 04:31 PM

> As for the tutorials on removing Autostart, when I attempted the first I got a message stating that Windows couldn't find gpedit.msc, but I got the second one to work fine.

As long as Flash-Drive Disinfector ran, it's fine.

> Anyway, I do notice that the files that were moved by OTMoveIt are still around. Is there something I should do with them? I mean, those are the bad files that were messing things up, right?

Yes, those are backups; we will remove those once we are done. No need to worry about them for now.

> But I am still having problems with my computer not rebooting when commanded to. It kinda just sits at the regular Windows screen and does nothing. Then if I try to open a program or app, it says "cannot open process because Windows is closing" or something like that. Is that bad??

Not necessarily bad, but not good obviously. I had the same problem before, not being able to shut down my computer; I had to force it to shut down using a command in CMD. When Windows is trying to shut down and you try to open a program, it will not work. To be honest I'm not exactly sure why you have that problem.

Run an online scan; let's see if there's anything else to pick up. Run a GMER scan as well to confirm no rootkits are involved here.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and that no other actions, such as a scheduled antivirus scan, will occur while this scan completes. Also, do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Post back with:
- F-Secure log
- GMER log
once it's complete.

With Regards,
Extremeboy

#6 elesdee


Posted 04 February 2009 - 08:06 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-04 16:01:35
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [ C2, 04, 00, 00 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.14 ----

Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ F:\
Result: 14 malware found
Rootkit.Win32.TDSS.hby (virus)

* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-2-0-24-100013510-100029561-100007048-8438.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-2-8-84-100001727-100018011-100011017-3089.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-5-2-46-100017816-100003248-100013047-4274.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-5-5-22-100012688-100028206-100011382-9946.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-6-0-63-100026664-100023447-100001691-5132.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-6-9-89-100001917-100029142-100002428-3816.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-7-0-85-100022494-100001957-100029745-2498.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-7-4-88-100021111-100026562-100029917-6919.COM (Renamed & Submitted)
* C:\_OTMOVEIT\MOVEDFILES\02032009_063957\RECYCLER\S-8-4-48-100025020-100023560-100010895-4344.COM (Renamed & Submitted)

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Statistics
Scanned:

* Files: 22148
* System: 3121
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 9
* Deleted: 0
* None: 5
* Submitted: 9

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\ETILQS_JIC973FPJXVERGJERL6Q
* C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\ETILQS_JIC973FPJXVERGJERL6Q-JOURNAL

#7 extremeboy


Posted 04 February 2009 - 08:14 PM

Hello again.

GMER log looks good. F-Secure only found items related to OTMoveIT moved files. Let's do some housework and wrap everything up, if you have no more problems.

Cleanup! with OTMoveIt
Let's remove all the tools we've used so far.
  • Double click the OTMoveIt3.exe to run it.
  • Click the Cleanup! button. If you receive a warning from your security program, select allow to download the packet.
  • A pop-up box will appear saying "Cleanup list downloaded successfully. Begin Removal Process?". Click Yes.
  • If a reboot is required, click Yes.
Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


With Regards,
Extremeboy


#8 elesdee


Posted 05 February 2009 - 10:02 AM

F-'in great, man. Thanks a lot for your time and help!


:thumbsup:


Not sure if there is any way that I could help you out, but you never know.
Let me know.

#9 extremeboy


Posted 05 February 2009 - 12:50 PM

Hello.

Glad I could help :thumbsup:

Happy surfing again and I will let you know if I require any help.

With Regards,
Extremeboy