USB memory sticks disabled, %fystemroot% changes, winlogon.exe corrupt



#1 James A Sutherland


Posted 20 May 2009 - 11:21 AM

I had a pair of machines brought to me with very similar symptoms: memory sticks would no longer mount (Windows would detect the device itself, but never mount the disk), and various services such as BITS and wuauclt had their paths edited to %fystemroot% (rather than %systemroot%).

One machine is being reinstalled; I'd like to clean the other and gather any information on the infection first if possible. The machine is off the network (for obvious reasons), but this and the inability to use memory sticks impairs diagnosis somewhat. I've run Spybot, MBAM and a McAfee VirusScan (Enterprise 8.7, DAT from 17 May 2009), manually fixed the permissions on the '%fystemroot%' services and corrected the paths, as well as capturing a few rogue files from system32 (I'll try to upload those to the appropriate sites tomorrow to get a proper ID). The machine now shows as clean in all 3 scanners, after McAfee 'cleaned' explorer.exe, winlogon.exe and a few others. I don't see any unexpected Winlogon notification packages, but it looks as if winlogon.exe itself had been modified.

In the meantime, does anyone have any suggestions? Other cleanup tools and/or ways to get memory sticks working again would be ideal, please!
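One way to check every service for the path edit described in the post above, as an added example that is not part of the original thread: it parses saved output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` and flags any `%VAR%` that is not a known variable. The allow-list, the function name and the sample output are assumptions constructed for illustration.

```python
import re
from difflib import get_close_matches

# Variables a service ImagePath may legitimately reference (assumed allow-list).
KNOWN_VARS = {"systemroot", "windir", "programfiles", "systemdrive"}

# Constructed sample in the layout printed by:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
"""

VALUE_RE = re.compile(r"^\s+ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*)$", re.I)
VAR_RE = re.compile(r"%([^%\\/\s]+)%")


def find_bad_image_paths(reg_output):
    """Return (service, variable, closest_known) for each unknown %VAR% in an ImagePath."""
    findings, service = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            # Key line: the last path component is the service name.
            service = line.rstrip().rsplit("\\", 1)[-1]
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        for var in VAR_RE.findall(match.group(1)):
            if var.lower() not in KNOWN_VARS:
                # Suggest the legitimate variable the altered name most resembles.
                close = get_close_matches(var.lower(), sorted(KNOWN_VARS), n=1)
                findings.append((service, var, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for svc, var, fix in find_bad_image_paths(SAMPLE):
        print(f"{svc}: %{var}% is not a known variable (closest: {fix})")
```
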



#2 xblindx


Posted 20 May 2009 - 02:56 PM

By memory sticks do you mean flash drives? If so,

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



