
Some Virus/Malware Infection on My Thumbdrives


12 replies to this topic

#1 thaiguy


  • Members
  • 58 posts

Posted 23 April 2013 - 02:00 PM

Hi. I'm proud to be able to say I've been back in Asia and kept my gear clean for nearly a year now, but I find myself needing help once again now.

 

The deal is that I had to print some documents and took a couple of different thumbdrives with me to different print shops around town, and now they are acting funny. At first there was a reformatted look to the folder display, and now I find that my computer - and other computers - can't open/explore them at all. They just say that there's nothing there, although the Properties function shows there's data on there. Avast detected 2 somethings on one and put it into the vault, but it's still not behaving right, and the problem isn't really solved.

 

So... if someone would be so kind as to help, I'm thinking the best thing to do is plug both into my pc and then run a full scan of the entire machine plus the thumbdrives and get a diagnosis for one of you to look at.

 

I'm cool with doing exactly as you say and following directions. I await the good word.

 

Thanks.




#2 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 27 April 2013 - 12:31 AM

Let's see what this short scan shows...

 

Download RogueKiller:
http://www.sur-la-toile.com/RogueKiller/

 

When you get to the website, go to where it says:

(Download link) Lien de téléchargement

 

Select the version that applies to your system. (See Note at the end of this post.)

Click the dark-blue button to download.

Save to the Desktop.

 

Close all windows and browsers.

 

Right-click the downloaded file and select: Run as Administrator

 

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)

 

Press: SCAN

 

When done, a report opens on the Desktop: RKreport.txt

 

If not, press the Report button to get it.

 

 

Please provide the RKreport.txt (Mode: Scan) in your reply.  <<---

(Please do not fix anything!)

 

 

Note:
You need to know if the infected computer is running a 32-bit or 64-bit system.

To find out, click: Start
Type System in the Start Search box
Click System in the Programs list.

 

The operating system is displayed under System > System type:
x64 = 64-bit Operating System
x86 = 32-bit Operating System


Old duck...


#3 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 05 May 2013 - 02:57 AM

Thanks for keeping this topic open, Aaflac. I had a busy week or so and now have time to really look after this and get things straight. More reports coming soon....



#4 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 05 May 2013 - 05:24 PM

Will wait for your reply.


Old duck...


#5 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 08 May 2013 - 08:53 AM

Hi Aaflac. Here is that first report:

 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Scan -- Date : 05/05/2013 15:09:11
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-304891217-4070557938-2040308090-1001[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05052013_02d1509.txt >>
RKreport[1]_S_05052013_02d1509.txt


 



#6 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 09 May 2013 - 01:28 PM

My apology thaiguy, missed your reply...

 

Please download and use the Panda USB Vaccine:
http://www.majorgeeks.com/Panda_USB_and_AutoRun_Vaccine_d6029.html

 

• Double-click on USBVaccineSetup.exe to install the program
• Read/accept the license agreement, and click: Next

• When setup completes, make sure the following is checked: Launch Panda USB Vaccine
• Click: Finish

• At the program console, click the Vaccinate computer button to show a green check and confirm the Computer is vaccinated.
 

 

• Now, hold down the Shift key and insert your USB drive.
• When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive.
• Exit the program when done

 

Note: Computer vaccination prevents any AutoRun file from running, regardless of whether the removable device is infected or not.
The USB vaccination disables the autorun file so it cannot be read, modified or replaced, and creates an AUTORUN_.INF file as protection against malicious code.

 

Now, let's press on with RogueKiller...

• Please quit all programs
• Right-click the RogueKiller file and select 'Run as Administrator'
• Wait until the Prescan finishes
• Press: Scan
• Once the scan is done, press the [Delete] button.

Please post the new RKreport (Mode: Delete) created on the Desktop in your reply.

(The RKreport also opens using the Report button on the console.)

 


Old duck...


#7 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 19 May 2013 - 04:09 PM

Alright Aaflac. Here we go. I followed your instructions and did the procedures a few days ago already and then failed to post because of work deadlines. So now I've run RogueKiller a second time. Since I don't really have much understanding of the readout reports, I'm going to post the one I did a few days ago, then follow it with the one I just did now. Note also that the program is turning out two reports for me each time, so a total of 4 documents. Not sure why there are 2 docs per scan, but that's how it is. Perhaps because of the memory sticks being plugged in?

 

Anyway.... here's that fun stuff:

Reports from 5/13

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Scan -- Date : 05/13/2013 05:46:52
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-304891217-4070557938-2040308090-1001[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05132013_02d0546.txt >>
RKreport[1]_S_05132013_02d0546.txt

And # 2
 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Remove -- Date : 05/13/2013 05:48:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_05132013_02d0548.txt >>
RKreport[1]_S_05132013_02d0546.txt ; RKreport[2]_D_05132013_02d0548.txt

 

One last thing.... The Quarantine Report from the scan had this to say:

 

 Time : 13/05/2013 05:46:52
 --------------------------
ERROR [Local.vir] -> C:\Users\Roger\Local
ERROR [Local.vir] -> C:\Users\Roger\Local


 Time : 13/05/2013 05:48:15
 --------------------------
ERROR [Local.vir] -> C:\Users\Roger\Local
ERROR [Local.vir] -> C:\Users\Roger\Local
ERROR [Local.vir] -> C:\Users\Roger\Local
 


Then from this evening 5/20
RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Scan -- Date : 05/20/2013 03:20:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05202013_02d0320.txt >>
RKreport[1]_S_05202013_02d0320.txt

Part 2 of 5/20
 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Remove -- Date : 05/20/2013 03:23:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_05202013_02d0323.txt >>
RKreport[1]_S_05202013_02d0320.txt ; RKreport[2]_D_05202013_02d0323.txt
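The RKreport files in this thread all follow one fixed text layout, and a Scan report and the Remove report that follows it differ mainly in the status column. As an added example (not part of this thread, RogueKiller or Panda), here is a Python parser for that layout that pairs the two reports, states for each Scan finding what the Remove pass did with it, and pulls each drive's partition table out of the MBR section; the embedded sample reports are constructed, abridged excerpts of the 05/13 reports above, and folding HKUS\<SID> keys onto HKCU is this example's own assumption that both Load entries name the same per-user key.

```python
"""Parse RogueKiller RKreport.txt output (the layout posted in this thread) and
check a Scan-mode report against the Remove-mode report that followed it."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shapes as they appear in the reports above; anything else is ignored.
MODE_RE = re.compile(r"^Mode : (.+?) -- Date : (.+)$")
SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
# [TAG][TAG] <key> : <value> (<data>) [x] -> STATUS (<new data>)
ENTRY_RE = re.compile(
    r"^((?:\[[^\]]+\])+)\s+(.+?) : (.+?) \((.*?)\)(?: \[x\])? -> (\w+)(?: \((.*)\))?$")
DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): (.+?) \+{5}$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] (\S+) \((0x[0-9a-f]+)\) \[\w+\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
# HKCU is a view of HKU\<SID of the logged-on user>, so the same per-user value
# shows up under both paths; fold the SID form onto HKCU before comparing reports.
SID_KEY_RE = re.compile(r"^HKUS\\S-1-5-21-[0-9-]+\\?")

@dataclass
class Entry:
    tags: tuple
    key: str
    value: str
    data: str
    status: str             # FOUND in Scan mode; DELETED / REPLACED in Remove mode
    new_data: Optional[str]

    def ident(self):
        return (SID_KEY_RE.sub(r"HKCU\\", self.key), self.value)

@dataclass
class Report:
    mode: str = ""
    date: str = ""
    entries: list = field(default_factory=list)
    drives: dict = field(default_factory=dict)   # PhysicalDriveN -> {"model", "partitions"}

def parse_report(text):
    rep, section, drive = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODE_RE.match(line):
            rep.mode, rep.date = m.groups()
        elif m := SECTION_RE.match(line):
            section, drive = m.group(1), None
        elif section is None or not line:
            continue
        elif section.startswith("Registry Entries"):
            if m := ENTRY_RE.match(line):
                tags = tuple(re.findall(r"\[([^\]]+)\]", m.group(1)))
                rep.entries.append(Entry(tags, *m.group(2, 3, 4, 5, 6)))
        elif section.startswith("MBR Check"):
            if m := DRIVE_RE.match(line):
                drive = rep.drives[m.group(1)] = {"model": m.group(2), "partitions": []}
            elif drive is not None and (m := PART_RE.match(line)):
                idx, flag, fs, ptype, offset, size = m.groups()
                drive["partitions"].append({"index": int(idx), "active": flag == "ACTIVE",
                                            "fs": fs, "type": int(ptype, 16),
                                            "offset": int(offset), "size_mb": int(size)})
    return rep

def remediation_summary(scan, remove):
    """For each finding in the Scan report, what the following Remove report did with it."""
    after = {e.ident(): e.status for e in remove.entries}
    return {f"{e.key} : {e.value}": after.get(e.ident(), "NOT ADDRESSED") for e in scan.entries}

# Constructed sample: abridged excerpts of the 05/13 Scan and Remove reports posted above.
SCAN_REPORT = r"""
Mode : Scan -- Date : 05/13/2013 05:46:52
¤¤¤ Registry Entries : 5 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-304891217-4070557938-2040308090-1001[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
"""
REMOVE_REPORT = r"""
Mode : Remove -- Date : 05/13/2013 05:48:15
¤¤¤ Registry Entries : 4 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Roger\Local Settings\Temp\msiquk.exe) [x] -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
"""

if __name__ == "__main__":
    scan, remove = parse_report(SCAN_REPORT), parse_report(REMOVE_REPORT)
    for finding, outcome in remediation_summary(scan, remove).items():
        print(f"{outcome:<13} {finding}")
    print(scan.drives)
```

A finding that the Remove pass never touched comes back as "NOT ADDRESSED", which is the row worth reading first when the two reports are from a real run.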


 



#8 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 22 May 2013 - 11:26 PM

Please run RogueKiller once again while the USB pendrives are plugged in. This time, press: Shortcut Fix, and provide the RKresults in your reply.


Follow with Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam-download-exe.php
Save to the Desktop.


MBAM may make changes to the Registry as part of its disinfection routine.
If using other security programs that detect Registry changes, they may interfere or alert you.
Temporarily disable such programs as shown, or permit them to allow the changes:
http://www.bleepingcomputer.com/forums/topic114351.html


Right-click the MBAM file, and select: Run as Administrator
When the installation begins, follow the prompts.
If presented, make sure you uncheck: Enable free trial of Malwarebytes


Leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Click: Finish


MBAM automatically starts and you are asked to update the program.
If an update is found, the program automatically updates itself.
Press the OK button to close that box and continue.


On the Scanner tab:
Make sure the Perform Full Scan option is selected.

If asked to select the drives to scan, leave all the drives selected.

 

Then click on the Scan button.

If asked to select the drives to scan, select C:\, the external HDD, and any other drive that has info in it. No need to scan CDROM/DVD drive, etc.

Click on the Scan button.


The scan may take some time to complete, so please be patient.

When the scan is finished, a message box shows The scan completed successfully.


Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware found.
Make sure everything is checked, and click: Remove Selected


When removal is completed, a report opens in Notepad.
The log is automatically saved and is viewed by clicking the Logs tab.


Please attach or copy/paste the entire contents of the MBAM report in your reply.
Exit MBAM when done.


Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.


-->> When done, please check the status of the USB pendrive and give an update. Thanks.


Old duck...


#9 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 24 May 2013 - 08:13 AM

Alright Aaflac. Here come all of the results. I know you're maybe gonna say something about the cracked programs I had on my computer.... I know. Also, I had Malwarebytes, but... maybe hadn't run it in a month or so. Oh, and both thumbdrives now work again, though there are a bunch of weird extra extension folders and files sitting on them now that I'm tempted to just delete. I can send you a screengrab next time. For now, the requested stats await:

 

RK TEST 1

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Shortcuts HJfix -- Date : 05/24/2013 03:42:56
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 46 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 18 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 63 / Fail 0
My documents: Success 3 / Fail 3
My favorites: Success 0 / Fail 0
My pictures: Success 1 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 2839 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume3 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume4 -- 0x2 --> Restored

Finished : << RKreport[1]_SC_05242013_02d0342.txt >>
RKreport[1]_SC_05242013_02d0342.txt
 

 

RK TEST 2

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Roger [Admin rights]
Mode : Scan -- Date : 05/24/2013 03:52:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-00Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 775ba62bdea86fe7cd897de8eae368a5
[BSP] f14e442d54c77154d8c3da80e719ab10 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 4d541761c6abfea9b596197dd81cdc92
[BSP] 25659164538df9b29313dd048790fd21 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 1906 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: USB FLASH DRIVE USB Device +++++
--- User ---
[MBR] 8b8c55630090086885f519b4fcf85337
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7640 Mo
User = LL1 ... OK!

 

MALWAREBYTES TEST 3

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.23.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Roger :: ROGER-PC [administrator]

5/24/2013 9:30:07 AM
mbam-log-2013-05-24 (09-30-07).txt

Scan type: Full scan (C:\|F:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 903247
Time elapsed: 3 hour(s), 14 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\Roger\Desktop\Works To Assimilate 111\Media Holder\media.player.codec.pack.v4.1.1.setup.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Users\Roger\Desktop\Works To Assimilate 111\Media Holder\Old Execs 4 Win XP\RemoveWGA 1.2\RemoveWGA.rar (PUP.RemoveWGA) -> Quarantined and deleted successfully.
C:\Users\Roger\Desktop\Works To Assimilate 111\Media Holder\Progs Exec\Divx Pro Codec v6.8.3.9zxc.rar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Roger\Desktop\Works To Assimilate 111\Media Holder\Progs Exec\media.player.codec.pack.v3.9.7.setup.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Users\Roger\Downloads\ACDSee.Pro.v6.2.212.x64.Incl.Keymaker-CORE\CORE10k.EXE (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
G:\~$WPK.NFC (Backdoor.Bot) -> Quarantined and deleted successfully.

(end)
 

 

 

 

 

 

 

 

 



#10 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 25 May 2013 - 11:29 AM

Can you use the Snipping tool and post an image of those 'weird' extensions, etc.?

It is the same for Windows 7:
http://www.vistax64.com/tutorials/14...ool-vista.html


Old duck...


#11 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 25 May 2013 - 03:55 PM

Hey Aaflac. Took me forever to find this attachment option. You'd think there'd just be a paper clip option in the header... but anyway... I just used Snag It, my goto grab program.

Attached Files



#12 thaiguy

  • Topic Starter

  • Members
  • 58 posts

Posted 25 May 2013 - 04:01 PM

Last one from inside that last G subfile. I don't know what these are, but it looks like remnants of isolated/quarantined and then documented trouble. Do I need to keep it?

 

Also, in the G Drive, I've put an arrow next to that autorun icon. We're done with that now, yeah? Do I remove that program? How? I can't just throw it out with a simple delete, can I?

 

 

Well... just went to upload... looks like I've maxed out my upload possibilities, but there's quite a bit of stuff in that last file... do you just already know by what you see that I can delete those G Drive files I'm suspicious of? Or... how do I upload it? I have 23.12kb allowed, and the file I want to upload is 301kb... not much really. How do I up my allowance?



#13 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 27 May 2013 - 10:05 PM

Have you used these USB pendrives in a MAC OS? Looks like there are files in there that belong to it, and others that belong to Windows.

 

You are dealing with two different platforms, and I have absolutely no knowledge of anything MAC OS, or any of its malware.

Anything I can offer deals only with Windows.

 

In the future, you may want to use a USB drive specifically for Windows, and another for use in MAC OS.

 

At this point, consider going to the MAC OS forum: http://www.bleepingcomputer.com/forums/f/172/mac-os/

 

Someone there may be able to provide you some guidance on those files.

 

Good luck, thaiguy!


Old duck...




