Hi, this has also been mentioned at the following post (this is the Vista machine):
http://www.bleepingcomputer.com/forums/t/272251/stop-cross-infection-from-external-hard-drive/
I placed a HijackThis log up here but have pulled the thread, as the machine has been clean installed and doesn't seem to have any issues. I will copy and paste the rundown from this thread and add to it. This is the first infected machine. This machine most likely hasn't been connected to the internet since September. Just before I gave it to a friend it was running normally. I did uninstall a whole lot of programs at that time, so if you need to know what they were, let me know.
http://www.bleepingcomputer.com/forums/topic272935.html
What the infection does
It travels through USB and CD or DVD. It will autorun on the drive and attach itself to everything that enters the drive. It will cause the computer to type backwards, and you are unable to select and open anything: the highlighting will flash backwards and forwards between several things, which makes it hard to run things. The infection first appeared when I plugged in a USB to back some data up quickly on another machine after I spilt water on the keyboard. I put the behaviour down to the water, not an infection. (This is the Vista machine, which is very sick; we will deal with it after this one.) Unaware, I stupidly plugged the USB into this computer a couple of weeks ago with an external hard drive attached.
Scans that I have used, with no detection at all:
Malwarebytes
Kaspersky online scanner
Trend Micro HouseCall
Spybot
avast
I tried using RootRepeal on this machine, but it encountered an error.
I have had to type these logs out, so if you question something I will double-check that I have typed it correctly.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (ver_09-10-26.01)
Microsoft windows Vista Home Basic
Boot Device: \Device\Harddiskvolume1
Intall Date: 4/03/2009 11:08:41 PM
System uptime 21/11/2009 4:57:16 PM (1 hours ago)
Motherboard: Acer, Inc | | Prespa1
Processor: Intel ® Celeron M CPU 430 @ 1.73GHz | U2E1 | 1733/133mhz
=====Disk Partitions============================
C: is FIXED (NTFS) - 75 gIb total 47.692 GiB free.
D: is CDROM ()
=====Disabled Device Manager Items=============
=====System Restore Points=======
=====Installed Programs=====================
Acer Arcade
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer Gridvista
Acer Mobility Centre Plug-In
Acer OrbiCam
Acer Orbicam
Acrobat.com
Ad-Aware
Adobe Flash Player 10 Activex
Adobe Flash player 10 Plugin
Adobe Reader 9.1.3
Agere Systems HDA Modem
avast! Antivirus
CCleaner (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (kb+58484
Java 6 Update 15
LightScribe 1.4.136.1
Malwarebytes Anti-Malware
Microsoft .Net Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Access MUI (English)2007
Microsoft Office Access Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Metadata MUI (English) 2007
Microsoft Office Infopath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Frence) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Mozilla Firefox (3.5.2)
MSXML 4.0 SP2 (KB954430)
NTI Backup Now! 4.7
NTI CD & DVD-Maker
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Spelling Dictonary Support For Adobe Reader 9
Spy - Search & Destroy
Synaptics Pointer Device Driver
Texas Instrument PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1
VC 9.0 Runtime
Visual C++ 2008 X86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
DDS (ver_09-10-26.01) NTFSx86
Run by Vickie at 16:59:57.14 on Sat 21/11/2009
Internet Explorer: 8.0.6001.18813 BrowersJavaVersion: 1.6.0_15
Microsoft Windows Vista Home Basic 6.0.6000.0.1252.61.1033.18.2038.1343 [GMT 11:00]
AV: avast! antivirus 4.81229 [VPS 091120-1] *On-access scanning enabled* (Updated) {7591db91-41FO-48A3-B128-1A293FD8233D}
SP: Spyblot - Search and Destroy *disabled* (outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft AD-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (outdated) {d68ddc3a-831f-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1229 [VPS 091120-1] *enabled* (updated) {759DB91-41FO-48A3-B128-1A293FD8233D}
============Running Processes ================
c:\windows\system32\wininit.exe
c:\windows\system32\lsm.exe
c:\windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe -k secsvcs
c:\windows\system32\svchost.exe -k LocalserviceNetworkRestricted
c:\windows\system32\svchost.exe -k LocalSystemNetworkrestricted
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k GPSvcGroup
c:\windows\system32\SLsvc.exe
c:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\svchost.exe -k LocalService
c:\windows\system32\svchost.exe -k Networkservice
c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32/svhost.exe -k LocalServiceNoNetwork
c:\Program Files\Alwil Software\Avast4\setup\avast.setup
c:windows\system32\agrsmsvc.exe
c:\Acer\mobility Centre\MobilityService.exe
c:\windows\system32\SearchIndexer.exe
c:\Program Files\Spyblot - Search & Destroy\SDWinSec.exe
c:\Program Files\Alwil software\Avast4\ashwebSv.exe
c:\windows\system32\wbem\unsecappp.exe
c:\Program Files\Alwil software\Avast4\ashwebSv.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\userinit.exe
c:\windows\system32\Dwn.exe
c:\windows\Explorer.EXE
c:\Program Files\Alwil Software\Avast4\ashDisp.exe
c:\Program Files\Synaptics\SynTP\SyTPEnh.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\igfxpers.exe
c:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\Program Files\Java\jre6\bin\jusched.exe
c:\windows\sustem32\taskeng.exe
c:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:windows\system32\igfxsrvc.exe
c:windows\system32\DllHost.exe
c:windows\system32\DllHost.exe
c:User\vickie\Desktop\dds.scr
c:\windows\system32\wbem\wmiprvse.exe
=========================Pseudo HJT Report=============
uStart Page = hxxp://ninemsn.com.au/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults\sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = Hxxp://www.ninemsn.com.au
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet settings ,ProxyOverride = .local
uSearchURL, (Default)= Hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://ww.yahoo.com
uURLSearchHooks:Yahoo! Toolbar: {ef99bd32-c1fb-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper:{18ddf081c-e8ad-4283-a596-fa578c2ebdc3} -C:\program files\common files\adobe\acrobat\activex\AcroIEHelpShin.dll
BHO: Spyblot-S&D IE protection: {53707962-6f74-2d53-2644-206d7942484f} -c:program files\spybot - search & destroy\SDHelper.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: JavePlug-In 2 ssv Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [avast!] c:/progra-1\alwils-1\avast4\ashDisp.exe
mRun: [MSConfig] "c:windows\system32\msconfig.exe" /auto
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acer product Registration] "c:\program files\acer registration\ACE1. exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra-1\micros-2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdpscamdel.exe
IE: {2670000a-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\proga-1\micros-2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\proga-1\micros-2\office12\BEFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB39FD2A2} - [53707962-6F74-2D53-2644-206D7942484F} - C:\program files\spyblot - search & destroy\SDHelp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update.1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
==============FIREFOX================================
FF - Profilepath - c:\users\vickie\appdata\roaming\mozilla\firefox\profiles
FF - Plugin: c:\program files\ mozilla firefox\plugins\nppdf32 (2).dll
FF - Hiddenextension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassisstextension\
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Hiddenextension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
------FIREFOX POLICIES-------------
FF - user.js: yahoo.homepage.dontask - true
===========SERVICES / DRIVERS
R0 Lbd;Lbd; c:\windows\system32\drivers\Lbd.sys [2009-7-6 64161]
R1 aswSP;abast! Self Protection;c:windows\system32\drivers\aswSP.sys[2009-3-4 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-4 51280]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMONFlt.sys [2009-3-4 51280}
S3 s0017bus;sony Ericsson Device 0017 driver (wdm);c:\windows\system32\drivers\s0017bus.sys [2009-3-4 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-4 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-4 122152]
S3 s0017mgmt;sony Ericsson Device 0017 USB Device Management Drivers (WDM);C:\windows\system32\drivers\s0017mgmt.sys [2009-3-4 115496]
S3 s0017nd5;sony Ericsson Device 0017 USB Etherenet Emulation SEMc0017 (NDIS);c:\windows\system32drivers\s0017nd5.sys [2009-3-4 25768]
s3 s0017obex;Sony Ericsson Decice 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-4 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);C:\windows\system32\drivers\s0017unic.sys [2009-3-4 117672]
===============Created Last 30===============
2009-11-20 00:00:27 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-19 23:59:56 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-19 23:59:39 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-19 23:59:39 171608 ----a-w- c:\windows\system32\wuwebv.dll
===============Find3M=======================
2009-09-09 05:03:59 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-09 05:03:59 56016 ----a-w- c:\windows\inf\infpub.dat
2009-09-09 05:03:59 143360 ----a-w- c:\windows\infstrin.dat
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\systemsApphlpdm.dll
2009-08-28 23:21:54 4247552 ----a-w- c:\windows\Apphlpdm.dll
2009-03-04 03:17:41 174 --sha-w- c:\windows\destop.ini
2009-03-04 03:14:00 665600 ----a-w- c:\windows\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history\.ie5\index.dat
2009-04-28 00:44:42 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-28 00:44:42 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-26 05:11:19 16384 --sha-w- C:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-26 05:11:19 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\temporary internet files\content.ie5\index.dat
2009-04-26 05:11:19 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\cookies\index.dat
2009-04-26 05:11:19 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\ietdcache\index.dat
2009-06-11 05:07:59 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
=========FINISH 17:02:01.77===============================
cheers