External drive shortcut virus? Help with removal...


11 replies to this topic

#1 eriolclow (Members, 55 posts)

Posted 27 May 2013 - 11:32 AM

Was asked to repost this with DDS logs from the Am I Infected? forum:

 

Hi! My office laptop was recently infected with malware, which our IT folks got rid of by doing a complete reformatting of the affected drive. However, in the period before they did so, I'd inserted my external drive to the laptop because I needed to access some files for work. After I did so, I saw that my folders had been changed to shortcuts instead, and the files couldn't be accessed unless I did a search for them. Clicking on one of the shortcut folders gives this message:

 

"Windows cannot find G:\Trashes\b3dadef.com. Make sure you typed the name correctly, and then try again."

 

Anyway, I've been looking for a solution online and saw some threads that advised checking the show hidden files and folders box in settings, which I did. I noticed three folders which weren't there before: G:\$RECYCLE.BIN, G:\.Trashes and Recycler. Clicking the first folder reveals eight recycle bin icons, the second shows a desktop configuration settings icon, and the third shows three recycle bin icons with the following names: S-1-5-21-299502267-861567501-839522115-1003, S-1-5-21-1547161642-879983540-682003330-7813 and S-1-5-21-1734592127-2630383672-2567058847-1006.

 

I've run malwarebytes and superantispyware on the drive a few days prior to posting this, and only superantispyware had a detection, but probably not for the virus causing the problem:

 

PUP.CNETInstaller
 G:\BACKUP HP LAPTOP\KIM 2\WORK FILES\NG4\CNET2_AVC-FREE_EXE.EXE

Adware.Downware
 G:\SYSTEM VOLUME INFORMATION\_RESTORE{1895ACEB-74F5-4F6F-AC7F-EFC37E1E8274}\RP365\A0090005.EXE

 

Any help/advice on how to get rid of the shortcuts would be appreciated. Also, I was wondering if plugging the external drive to my personal laptop like I'm doing now would cause any malware issues with the laptop, or if the problem is localized to the drive?

 

*edit*

 

Windows is having trouble recognizing my drive already. One USB port couldn't read it altogether, a second one could only do so after I unplugged and then replugged it. :(

 

Here's the DDS log. Attached the attach.txt file to the post as well.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by admin at 0:24:48 on 2013-05-28
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.298 [GMT 8:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EaseUS EPM tray] c:\program files\easeus\easeus partition master 9.2.2\bin\EpmNews.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript c:\windows\installer\tsclientmsitrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "c:\windows\installer\tsclientmsitrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: EditLevel = dword:0
uPolicies-Explorer: NoCommonGroups = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1326028265968
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 202.78.117.7 210.4.2.61
TCP: Interfaces\{F7257515-7A09-44A3-AC24-F1359E4BE8C8} : DHCPNameServer = 202.78.117.7 210.4.2.61
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
Notify: WgaLogon - <no file>
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages =  scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\jx92uhk7.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2010-7-21 6528]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-1-11 37352]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-12 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-1-11 86752]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-1-11 110816]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-1-11 84744]
R2 DCService.exe;DCService.exe;c:\documents and settings\all users\application data\datacardservice\DCService.exe [2010-5-8 229376]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-24 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-24 33024]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2010-7-26 6016]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-1-11 70656]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2013-4-20 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2013-4-20 9160]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-1-11 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-1-11 117504]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-4-20 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-4-20 10200]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-3 14336]
S4 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\frameworkservice.exe" /servicestart --> c:\program files\mcafee\common framework\FrameworkService.exe [?]
.
=============== Created Last 30 ================
.
2013-05-16 13:24:35 -------- d-----w- c:\documents and settings\admin\local settings\application data\Apple
2013-05-16 13:21:43 -------- d-----w- c:\documents and settings\admin\local settings\application data\Apple Computer
2013-05-11 10:37:28 209472 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-05-16 13:21:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 13:21:28 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-24 15:30:19 4624113 ----a-w- c:\program files\win32 disk imager.exe
2013-04-24 15:11:52 746608 ----a-w- c:\program files\winima90beta1.exe
2013-04-20 15:33:16 15102976 ----a-w- c:\program files\pwhe78.exe
2013-04-20 12:26:30 26388552 ----a-w- c:\program files\epm.exe
2013-04-20 11:52:06 10802989 ----a-w- c:\program files\SABnzbd-0.7.11-win32-setup.exe
2013-04-20 09:04:58 23909328 ----a-w- c:\program files\SUPERAntiSpyware.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ------w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ------w- c:\windows\system32\html.iec
2013-04-11 06:10:50 2498216 ----a-w- c:\windows\system32\BootMan.exe
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 06:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-03 21:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-31 13:35:23 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-31 13:35:23 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-31 02:48:39 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-03-31 02:48:39 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-03-19 02:52:36 4095448 ----a-w- c:\program files\spywareblastersetup50.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 05:37:20 2888384 ----a-w- c:\windows\system32\pwNative.exe
2013-03-07 05:37:06 15576 ------w- c:\windows\system32\pwdrvio.sys
2013-03-07 05:36:54 10200 ------w- c:\windows\system32\pwdspio.sys
2013-03-07 01:49:20 9160 ----a-w- c:\windows\system32\EuGdiDrv.sys
2013-03-07 01:49:20 87112 ----a-w- c:\windows\system32\setupempdrv03.exe
2013-03-07 01:49:20 13896 ----a-w- c:\windows\system32\epmntdrv.sys
2013-03-07 01:49:12 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 05:31:23 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-02-27 05:31:23 2691072 ----a-w- c:\windows\system32\mstscax.dll
2013-02-27 05:31:23 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-02-09 19:44:54 16883056 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe
2013-01-27 06:16:27 969104 ----a-w- c:\program files\uTorrent.exe
2013-01-11 00:13:36 105603488 ----a-w- c:\program files\avira_free_antivirus_en.exe
2013-01-11 00:07:46 3258000 ----a-w- c:\program files\spywareblastersetup46.exe
2013-01-10 15:42:34 10156344 ----a-w- c:\program files\mbam-setup-1.70.0.1100.exe
2012-04-01 11:13:53 16157992 ----a-w- c:\program files\Firefox Setup 11.0.exe
2012-01-08 09:29:53 50821120 ----a-w- c:\program files\calibre-0.9.13.msi
.
============= FINISH:  0:25:44.65 ===============
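The behaviour described in the opening post (folders replaced by shortcuts, each shortcut pointing at a file such as b3dadef.com under a hidden directory) is what a "shortcut virus" lure looks like on disk. The script below is an added example, not code from the thread or from any tool named in it: it parses the StringData fields of a Windows .lnk file (MS-SHLLINK format) and flags a shortcut whose target or arguments reference an executable or a hidden/recycler directory. Both sample shortcuts are constructed in the script; the lure is modelled on the error message quoted in the post, and the exact target and arguments are assumptions.

```python
"""Triage .lnk files for the 'shortcut virus' pattern described in post #1.
Added example, not code from the thread. The two sample shortcuts are
constructed here: the lure mimics a folder shortcut whose real target is a
hidden executable (modelled on the b3dadef.com error message in the post);
the field names follow the MS-SHLLINK shell link format."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

EXEC_REF = re.compile(r'\.(com|exe|scr|pif|bat|cmd|vbs|js)(?=$|[\s"])', re.I)
HIDDEN_DIR = re.compile(r'(?:^|[\\/])(\.[^.\\/"][^\\/"]*|recycler|\$recycle\.bin)[\\/]', re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (IDList/LinkInfo skipped)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize(2) + IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # characters, no NUL
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def triage(fields: dict) -> list[str]:
    """Reasons a 'folder' shortcut looks like a lure; empty list means clean."""
    reasons = []
    for label in ("relative_path", "arguments"):
        text = fields.get(label, "")
        if EXEC_REF.search(text):
            reasons.append(f"{label} references an executable: {text!r}")
        if HIDDEN_DIR.search(text):
            reasons.append(f"{label} points into a hidden/recycler directory: {text!r}")
    return reasons


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon: str) -> bytes:
    """Constructed sample: header + StringData only, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ARCHIVE attr, SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon))
    return header + body


SAMPLES = {  # both constructed for this example; the lure's target/args are assumed
    "lure": build_lnk(r".\.Trashes\b3dadef.com", "G:\\", '"WORK FILES"',
                      r"%SystemRoot%\system32\SHELL32.dll"),
    "benign": build_lnk(r"..\Documents\report.docx", r"G:\Documents", "",
                        r"%SystemRoot%\system32\SHELL32.dll"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        f = parse_lnk(blob)
        print(f"{name}: target={f.get('relative_path')!r} -> {triage(f) or 'clean'}")
```

Run against every *.lnk on the removable drive (read the bytes with open(path, "rb")), and treat any hit as a reason to unhide the real folders and delete the shortcut rather than double-click it: opening the lure is what executes the hidden file.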
 

 

 

 


#2 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 29 May 2013 - 12:57 AM

eriolclow,

 

Please download WinRAR:

http://www.rarlab.com/download.htm
Select the 32-bit or 64-bit version that applies to your system.
Save to the Desktop.
This download is a trial version of the WinRAR archiver for use during a test period of 40 days.

 

Double-click the downloaded program to install...

At the WinRAR Setup, click: OK
On the last prompt, feel free to check any of the tabs, and, when finished, press: Done
Close out of WinRAR.

 

Now please remove all external hard disks or pendrives using its appropriate method.

 

Restart the computer.

 

Plug-in the problem USB drive while pressing the left Shift key so that autorun is disabled.

 

Go to Start > All Programs, and look for the WinRAR folder

Open the folder, and double-click the WinRAR icon.

 

When the WinRAR console opens, navigate to the USB drive by using the down arrow on the far right of the path area.

All the files on the USB drive, including hidden files, show in WinRAR.

 

Search for the file autorun.inf and press View to open it with Notepad.

 

Please copy/paste and post the contents of the Notepad file in your reply.


Edited by Aaflac, 29 May 2013 - 12:59 AM.

Old duck...


#3 eriolclow (Topic Starter)

Posted 02 June 2013 - 08:33 AM

Hi! Sorry for the late reply. I tried to view autorun.inf in WinRAR (didn't re-install it as I already had it installed) as instructed, but got the following WinRAR diagnostic messages: "Cannot open autorun.inf" and "Access is denied".



#4 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 03 June 2013 - 08:14 PM

eriolclow,

 

Please plug in the USB drive and restart the computer in Safe Mode with Command Prompt:
As the computer starts tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options menu.
Using the arrow keys, select: Safe Mode with Command Prompt

Press the Enter key on the keyboard, and let the computer boot to the option selected:

 

At the command prompt, type in the following commands (contained inside the code box), one at a time, and press Enter after each:
(Note...  X: = your drive's name. Replace X with the actual letter of the drive.)
 

X: 
attrib -s -h -a 
attrib -r -s -h autorun.inf
shutdown /r

Before shutting down, a  prompt shows:

You are about to be logged off.

Windows will shut down in less than one minute.

 

When the computer restarts again, tap the F8 key, and, this time select: Safe Mode
 

Open WinRAR.exe and browse for the USB drive using WinRAR’s explorer.
 

After locating the drive, open it in WinRAR to show all the files, including those that are hidden.
 

Search for the file Autorun.inf, open it with Notepad, name it ARfile, and save to the Desktop.

 

Reboot normally to Windows, and post the content of Notepad in your reply.


Edited by Aaflac, 03 June 2013 - 08:15 PM.

Old duck...


#5 eriolclow (Topic Starter)

Posted 12 June 2013 - 07:28 AM

Hi! So sorry for the late reply. Been out of town without access to a non-admin locked laptop. Anyway, this is what showed up in the text file:

 

[autorun]
ICON=AUTORUN\WDLOGO.ICO

 

Is it possible for there to be more than one autorun.inf located inside the drive? I tried to search for it using WinRAR, but since I have a lot of password protected files there and couldn't access the passwords, the search operation kept breaking off.
 


Edited by eriolclow, 12 June 2013 - 07:33 AM.
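On the question of what an autorun.inf can do: Windows only reads the autorun.inf in the root of the volume, and the keys that cause a program to run are open, shellexecute and shell\<verb>\command; icon and label only change how the drive is displayed. The script below is an added example, not from the thread or from any tool in it: it parses an autorun.inf and reports whether any key can launch a program. POSTED_INF is the two-line file shown in the post above; CONSTRUCTED_INF is made up for the example to show what the execution keys look like, and its target path is an assumption.

```python
"""Classify an autorun.inf by whether any key can launch a program.
Added example, not code from the thread. POSTED_INF is the file shown in
post #5; CONSTRUCTED_INF is made up here to show what the execution keys
(open, shellexecute, shell\\<verb>\\command) look like."""
import re

EXEC_KEYS = {"open", "shellexecute"}                # run a program on AutoPlay
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # a verb bound to a command line
COSMETIC_KEYS = {"icon", "label", "action", "useautoplay"}


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI reader: sections and keys lower-cased, ';' starts a comment."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # split on the first '=' only
            sections[current][key.strip().lower()] = value.strip()
    return sections


def classify(text: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'benign', 'executes' or 'no-autorun'."""
    auto = parse_inf(text).get("autorun")
    if auto is None:
        return "no-autorun", ["no [autorun] section"]
    executes, notes = [], []
    for key, value in auto.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            executes.append(f"{key}={value}")
        elif key == "shell":
            notes.append(f"shell={value} sets the default double-click verb")
        elif key not in COSMETIC_KEYS:
            notes.append(f"unrecognised key {key!r}")
    return ("executes" if executes else "benign"), executes + notes


POSTED_INF = "[autorun]\nICON=AUTORUN\\WDLOGO.ICO\n"   # as posted in the thread
CONSTRUCTED_INF = """; constructed for this example, not taken from the drive
[AutoRun]
open=.Trashes\\b3dadef.com
shell\\open\\command=.Trashes\\b3dadef.com
shell\\explore\\command=.Trashes\\b3dadef.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for name, inf in (("posted", POSTED_INF), ("constructed", CONSTRUCTED_INF)):
        verdict, reasons = classify(inf)
        print(f"{name}: {verdict} {reasons}")
```

The posted file comes out "benign": an ICON key alone is the pattern a drive vendor ships. A file that classifies as "executes" should be read together with the hidden directories and the .lnk files on the drive, since the two are the usual pair in this kind of infection.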


#6 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 13 June 2013 - 12:12 AM

Please plug-in the problem USB drive while pressing the left Shift key so that autorun is disabled.

Next, download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php
Select the version applicable to your system.

Click the button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

Edited by Aaflac, 13 June 2013 - 12:13 AM.

Old duck...


#7 eriolclow (Topic Starter)

Posted 13 June 2013 - 12:11 PM

Hi, tried to plug in my USB but now I get the message "USB device not recognized: one of the USB devices attached to this computer has malfunctioned, and windows does not recognize it"...



#8 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 13 June 2013 - 06:07 PM

This may sound rather simplistic, but try shutting down the computer, and disconnect the power cable from the wall socket. Leave it disconnected for about 30 minutes.

This action allows any residual current or capacitance on the motherboard to discharge.

Plug in the USB drive once again, and see how it goes.

If no-go, shut down the computer, and try another USB port.

If still no-go, leave the USB drive plugged in, and run RogueKiller anyway.

Then post the RKreport in your reply.

Old duck...


#9 eriolclow (Topic Starter)

Posted 23 June 2013 - 07:22 PM

Hi! Sorry for the late reply again. I've tried all three USB ports in the laptop, but none will recognize the drive, even though the drive is flashing since the indicator is on when plugged in. So I ran roguekiller directly instead, as you instructed:

 

RogueKiller V8.6.1 [Jun 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : admin [Admin rights]
Mode : Scan -- Date : 06/24/2013 08:21:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[25] : NtClose @ 0x8056F8D7 -> HOOKED (Unknown @ 0xBA7FF8B4)
[Address] SSDT[41] : NtCreateKey @ 0x80578ACE -> HOOKED (Unknown @ 0xBA7FF86E)
[Address] SSDT[50] : NtCreateSection @ 0x8056DB66 -> HOOKED (Unknown @ 0xBA7FF8BE)
[Address] SSDT[53] : NtCreateThread @ 0x80584D59 -> HOOKED (Unknown @ 0xBA7FF864)
[Address] SSDT[63] : NtDeleteKey @ 0x8059978F -> HOOKED (Unknown @ 0xBA7FF873)
[Address] SSDT[65] : NtDeleteValueKey @ 0x805983AE -> HOOKED (Unknown @ 0xBA7FF87D)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057F1A9 -> HOOKED (Unknown @ 0xBA7FF8AF)
[Address] SSDT[98] : NtLoadKey @ 0x805D526B -> HOOKED (Unknown @ 0xBA7FF882)
[Address] SSDT[122] : NtOpenProcess @ 0x8057F956 -> HOOKED (Unknown @ 0xBA7FF850)
[Address] SSDT[128] : NtOpenThread @ 0x805E484F -> HOOKED (Unknown @ 0xBA7FF855)
[Address] SSDT[177] : NtQueryValueKey @ 0x80572F2A -> HOOKED (Unknown @ 0xBA7FF8D7)
[Address] SSDT[193] : NtReplaceKey @ 0x8065738E -> HOOKED (Unknown @ 0xBA7FF88C)
[Address] SSDT[200] : NtRequestWaitReplyPort @ 0x8057D153 -> HOOKED (Unknown @ 0xBA7FF8C8)
[Address] SSDT[204] : NtRestoreKey @ 0x80656F25 -> HOOKED (Unknown @ 0xBA7FF887)
[Address] SSDT[213] : NtSetContextThread @ 0x806363E9 -> HOOKED (Unknown @ 0xBA7FF8C3)
[Address] SSDT[237] : NtSetSecurityObject @ 0x8059DDEB -> HOOKED (Unknown @ 0xBA7FF8CD)
[Address] SSDT[247] : NtSetValueKey @ 0x805800A4 -> HOOKED (Unknown @ 0xBA7FF878)
[Address] SSDT[255] : NtSystemDebugControl @ 0x80651C59 -> HOOKED (Unknown @ 0xBA7FF8D2)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058E8D1 -> HOOKED (Unknown @ 0xBA7FF85F)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xBA7FF8E6)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xBA7FF8EB)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1032GSX +++++
--- User ---
[MBR] 2c5c2420865a18453b58ee1ece5dc451
[BSP] 4706e6bfcf5f045dee9b1dfde398c51d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95385 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_06242013_082153.txt >>

 

 



#10 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 23 June 2013 - 11:40 PM

Are you able to connect another USB drive and check whether your system is able to recognise it?

If the system recognizes another USB drive, unplug it from the computer, and post back the status.

 

:exclame:  Now, please go to Start > Control Panel > Folder Options
In Folder Options, click the View tab

In addition to checking:
-Show hidden files and folders

Uncheck:
-Hide protected operating system files (Recommended)

Click: Apply > OK

 

:exclame:  Connect the problem USB Drive.

 

:exclame:  Please check whether the drive shows up in: Device Manager

Click: Start > Run

Type the following command in the Open box:

 

devmgmt.msc

 

Press: OK

 

If the drive shows, are there any error messages in its Properties?

 

:exclame:  Also, check whether the drive shows in: Disk Management.

Click: Start > Run

Type the following command in the Open box:

 

diskmgmt.msc

 

Press: OK

 

Is the drive seen?

 

:exclame:  If so please take a screenshot and attach it to your reply.

Take a screen shot:
http://windows.microsoft.com/en-us/windows-xp/help/setup/take-a-screen-shot

 

 

:exclame: The G:\Trashes folder indicates the USB drive was previously connected to a Mac OS X computer.
The Mac OS X automatically creates a folder for the trash, the Windows equivalent of the Recycle Bin.

This folder does no harm to the drive.
It contains the files that were sent to the trash when connected to the Mac OS X system.

You can delete this folder to free space on the drive.


Edited by Aaflac, 23 June 2013 - 11:42 PM.

Old duck...


#11 eriolclow (Topic Starter)

Posted 02 July 2013 - 11:23 AM

Hi! Sorry if I'm taking so long between replies. Anyway, just tried starting up my laptop with the affected USB drive plugged in before startup. Seems that the drive is recognized if it's plugged in prior to startup, but not when I try to connect it after Windows has started up already.

 

BTW, when I typed devmgt.msc, I got a "Windows cannot find devmgt.msc" message



#12 Aaflac (Malware Response Team, 2,307 posts, USA)

Posted 03 July 2013 - 10:45 PM

On devmgmt.msc

 

Click Start > Run, type cmd, and then click OK.

At the command prompt, type (or copy/paste with mouse): cd %windir%\system32, and then press: Enter

 

At the Command Prompt, copy/paste the following commands, and press Enter after each:

 


Regsvr32 Msxml.dll
Regsvr32 Msxml2.dll
Regsvr32 Msxml3.dll

 

Type: exit, and then press ENTER to close the Command Prompt window.

 

Restart the computer.

 

Try: devmgmt.msc

Check out what is under: Disk Drives

 

 

Then, press on with the rest of the instructions in Post # 10.

 

Also, see if you can delete System Volume Information from the USB drive.

G:\SYSTEM VOLUME INFORMATION\_RESTORE{1895ACEB-74F5-4F6F-AC7F-EFC37E1E8274}\RP365\A0090005.EXE

 

Go to Start > All Programs > Accessories, > Command Prompt

Right-click the Command Prompt and select: Run as administrator

 

At the Command Prompt, copy/paste (with mouse) the following commands, one at a time, and press Enter after each:

G:
cd \
takeown /r /f "System Volume Information"

Answer "Y" for yes when asked if to replace permissions.

See if you can delete the System Volume Information directory on the USB drive.

 

 

Last, run RogueKiller once again, and, this time press: Shortcut Fix.

Please post the new RKreport in your reply.


Edited by Aaflac, 04 July 2013 - 12:40 AM.

Old duck...




