Shortcut folders "virus" on flash drives


9 replies to this topic

#1 unpaidassassin

Posted 07 September 2011 - 03:13 PM

I have two computers: an XP/2003 desktop and a Vista laptop. I have three flash drives: a 512 MB, 2 GB, and 256 MB.

I had used the 512 at school and apparently caught the "virus". It seems my desktop has been infected which in turn caused the 2gb to become affected.

I searched for this "virus", but there is NO explanation at all of the "virus". I was able to remove all the shortcuts and revert the folder property so it is no longer hidden (I ALWAYS have hidden folders visible and file extensions shown). I've done this many times on my 512 since that is what I use most.

When I "solved" the shortcut/hidden issue with the 512, I would remove it and then reinsert it to check. The issue would just happen again. I tried inserting it in the laptop after removing the shortcut/hidden, but it would happen again. This is when I tried the 256 in my laptop. I had not used the 256 on my desktop ever. The 256 was also affected, which I guess suggests my laptop is infected.

This issue started last October/November, but I didn't really pay attention until this past May. That was when I attempted to "fix" the 512 since I thought the school computers messed it up. I reformatted it (backed up data before) and checked it on my desktop, and the shortcut/hidden started. Removed the shortcut/hidden or reformatted, then tried on the laptop, and same.

I ran Malwarebytes on the desktop and laptop and removed whatever was detected, but this still occurs. I tried deleting the autorun.inf files on the flash drives (sometimes it's hard since the file is "in use" -_-), but the shortcut/hidden issue reappears. I have not checked to see if my external hard drives would also become affected/infected. Partitioned hard drives on desktop and laptop (both only have one HDD installed) are not affected.

I would like for the shortcut/hidden to stop reappearing after I have remedied the issue. All the things I found on the internet when googling are of no help - I know how to remove shortcuts and make hidden folders (they're visible with my settings) regular. I also prefer NOT to use some supposed executable file as some kind of fix.
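
A read-only check for the pattern described in this post (shortcuts, hidden folders and autorun.inf at the drive root), added here as an example and not posted by anyone in the thread. It assumes each shortcut shares its name with the folder it masks; `Entry`, `scan_root`, `audit` and the sample listing are constructed for illustration.

```python
"""Read-only audit of a drive root for the thread's shortcut/hidden-folder symptoms."""
import os
import sys
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bits as reported by st_file_attributes
FILE_ATTRIBUTE_SYSTEM = 0x4
# Folders Windows itself keeps hidden on a volume; these are not symptoms.
OS_HIDDEN = {"system volume information", "$recycle.bin", "recycler"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    attrs: int  # FILE_ATTRIBUTE_* bitmask


def scan_root(root):
    """List the top level of `root` without modifying anything."""
    entries = []
    with os.scandir(root) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            # st_file_attributes only exists on Windows; treat as 0 elsewhere.
            attrs = getattr(st, "st_file_attributes", 0)
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), attrs))
    return entries


def audit(entries):
    """Classify a root listing; assumes a shortcut masks the folder sharing its name."""
    folders = {e.name.lower(): e for e in entries if e.is_dir}
    report = {"autorun_inf": False, "masked_folders": [],
              "hidden_folders": [], "unmatched_shortcuts": []}
    shortcut_stems = set()
    for e in entries:
        if e.is_dir:
            continue
        lower = e.name.lower()
        if lower == "autorun.inf":
            report["autorun_inf"] = True
        elif lower.endswith(".lnk"):
            stem = lower[:-len(".lnk")]
            if stem in folders:
                shortcut_stems.add(stem)
            else:
                report["unmatched_shortcuts"].append(e.name)
    for key in sorted(folders):
        folder = folders[key]
        if key in OS_HIDDEN or not folder.attrs & FILE_ATTRIBUTE_HIDDEN:
            continue
        bucket = "masked_folders" if key in shortcut_stems else "hidden_folders"
        report[bucket].append(folder.name)
    return report


HS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
# Constructed listing of an affected flash-drive root (not taken from the thread).
SAMPLE = [
    Entry("Homework", True, HS), Entry("Homework.lnk", False, 0),
    Entry("Photos", True, FILE_ATTRIBUTE_HIDDEN), Entry("Photos.lnk", False, 0),
    Entry("Backup", True, FILE_ATTRIBUTE_HIDDEN), Entry("Notes", True, 0),
    Entry("autorun.inf", False, HS), Entry("setup.lnk", False, 0),
    Entry("System Volume Information", True, HS),
]

if __name__ == "__main__":
    listing = scan_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, value in audit(listing).items():
        print(f"{key}: {value}")
```

Run with a drive root as the only argument to audit a real drive, or with no argument to see the report for the constructed listing. Comparing the report before and after reinserting a cleaned drive shows whether the host is recreating the entries.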

#2 Broni


Posted 07 September 2011 - 09:37 PM

Well, it'd be a good idea to check both of your computers.

Start with one of your choice.

Do NOT use USB sticks until we're done.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 unpaidassassin


Posted 07 September 2011 - 10:51 PM

I'll start with my laptop.
Here is the output file from the Security Check:
++++++++++++++++++++++++++++++++++++++++++++++++++++

Results of screen317's Security Check version 0.99.18
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee Security Scan Plus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Flash Player Out of Date!
Adobe Flash Player 10.2.152.26
Adobe Reader X (10.1.0)
Mozilla Firefox (3.6.21) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
``````````End of Log````````````

Edited by unpaidassassin, 07 September 2011 - 10:52 PM.


#4 unpaidassassin


Posted 07 September 2011 - 11:09 PM

Ran a full scan with Malwarebytes, again on the laptop.

--------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7660

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

9/8/2011 12:09:31 AM
mbam-log-2011-09-08 (00-09-31).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 321676
Time elapsed: 26 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 unpaidassassin


Posted 07 September 2011 - 11:16 PM

MiniToolBox output. I don't think any of the IP/host settings have anything to do with this.

____________________________

MiniToolBox by Farbar
Ran by Me (administrator) on 08-09-2011 at 00:14:32
Windows ™ Vista Home Premium Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost


========================= Event log errors: ===============================

Application errors:
==================
Error: (09/07/2011 08:29:47 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (09/07/2011 00:16:45 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/06/2011 10:58:59 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/06/2011 03:11:05 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (09/05/2011 11:57:43 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (09/05/2011 11:43:52 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (09/05/2011 03:08:58 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/04/2011 04:35:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/02/2011 06:40:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/20/2007 00:03:03 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (09/07/2011 08:35:59 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.2.101 for the Network Card with network address 001F3B9C7975 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

Error: (09/07/2011 02:36:57 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.2.101 on the Network Card with network address 001F3B9C7975.

Error: (03/20/2007 00:02:16 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/07/2011 01:48:35 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (09/06/2011 11:23:46 PM) (Source: ipnathlp) (User: )
Description: The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Error: (09/06/2011 11:34:26 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.2.101 on the Network Card with network address 001F3B9C7975.

Error: (03/20/2007 00:01:32 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (09/06/2011 03:11:05 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (09/06/2011 03:07:17 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.2.101 on the Network Card with network address 001F3B9C7975.

Error: (03/20/2007 00:01:32 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 Plugin (Version: 10.2.152.26)
Adobe Flash Player 9 ActiveX (Version: 9.0.115.0)
Adobe Reader X (10.1.0) (Version: 10.1.0)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
ATI Catalyst Install Manager (Version: 3.0.657.0)
BigFix (Version: 2.2.0.04)
Camera Assistant Software for Gateway (Version: 1.7.049.0927)
Catalyst Control Center Core Implementation (Version: 2008.0109.2141.38743)
Catalyst Control Center Graphics Full Existing (Version: 2008.0109.2141.38743)
Catalyst Control Center Graphics Full New (Version: 2008.0109.2141.38743)
Catalyst Control Center Graphics Light (Version: 2008.0109.2141.38743)
Catalyst Control Center Graphics Previews Common (Version: 2008.0109.2141.38743)
Catalyst Control Center Graphics Previews Vista (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization Chinese Standard (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization French (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization German (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization Italian (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization Japanese (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization Portuguese (Version: 2008.0109.2141.38743)
Catalyst Control Center Localization Spanish (Version: 2008.0109.2141.38743)
ccc-core-static (Version: 2008.0109.2141.38743)
ccc-utility64 (Version: 2008.0109.2141.38743)
CCC Help Chinese Standard (Version: 2008.0109.2140.38743)
CCC Help English (Version: 2008.0109.2140.38743)
CCC Help French (Version: 2008.0109.2140.38743)
CCC Help German (Version: 2008.0109.2140.38743)
CCC Help Italian (Version: 2008.0109.2140.38743)
CCC Help Japanese (Version: 2008.0109.2140.38743)
CCC Help Portuguese (Version: 2008.0109.2140.38743)
CCC Help Spanish (Version: 2008.0109.2140.38743)
CCleaner (Version: 3.10)
CyberLink Power2Go (Version: 5.0.3925)
doPDF 7.2 printer
HDAUDIO Soft Data Fax Modem with SmartCP
IDT Audio (Version: 5.10.5303.0)
Intel® Matrix Storage Manager
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 6 Update 5 (Version: 1.6.0.50)
LabelPrint (Version: 2.0.2212)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
MATLAB R2010b (Version: 7.11)
McAfee Security Scan Plus (Version: 2.0.181.2)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft NodeXL Excel Template (Version: 1.0.169)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Home and Student 2007 (Version: 12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.60129.0)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Mozilla Firefox (3.6.21) (Version: 3.6.21 (en-US))
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Realtek USB 2.0 Card Reader (Version: )
Skins (Version: 2008.0109.2141.38743)
Synaptics Pointing Device Driver (Version: 9.1.3.0)
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime (Version: 9.0.30729)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (Version: 1)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)

========================= Memory info: ===================================

Percentage of memory in use: 57%
Total physical RAM: 4093.5 MB
Available physical RAM: 1759.34 MB
Total Pagefile: 8390.32 MB
Available Pagefile: 6102.96 MB
Total Virtual: 4095.88 MB
Available Virtual: 4012.47 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:217.07 GB) (Free:161.46 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:15.81 GB) (Free:8.05 GB) NTFS


**** End of log ****

#6 unpaidassassin


Posted 07 September 2011 - 11:34 PM

I ran GMER. After 20+ minutes a message appeared that no system updates or something were made. I saved the log, but it is blank.

#7 Broni


Posted 07 September 2011 - 11:43 PM

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.


#8 unpaidassassin


Posted 15 September 2011 - 09:59 PM

Been busy the past week.

I just ran SUPERAntiSpyware and nothing.

-----------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2011 at 10:55 PM

Application Version : 5.0.1118

Core Rules Database Version : 7668
Trace Rules Database Version: 5480

Scan type : Complete Scan
Total Scan Time : 00:53:42

Operating System Information
Windows Vista Home Premium 64-bit, Service Pack 1 (Build 6.00.6001)
UAC On - Limited User

Memory items scanned : 443
Memory threats detected : 0
Registry items scanned : 67850
Registry threats detected : 0
File items scanned : 146314
File threats detected : 0

----

I don't think this is a virus; just that all posts I found called it a "virus", though it is likely it's more to annoy users (and fool ones who don't have certain settings enabled into thinking their files off their flash drive were erased).

#9 Broni


Posted 15 September 2011 - 10:51 PM

Did you try to format those drives?


#10 unpaidassassin


Posted 16 September 2011 - 11:35 PM

> Did you try to format those drives?

Yes I did, several times in fact.



