BleepingComputer.com forums
My Pendrive in another computer shows virus


54 replies to this topic

#31 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 11 November 2013 - 02:22 AM

I ran ESET after checking all the boxes, as advised by you.

No threats were found

I uninstalled the application and clicked finish

 

Please advise

 

Thanks for helping





#32 Aaflac
    Doin' Dis 'n Dat...
  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 11 November 2013 - 09:44 PM

Step 1: Make sure your pen drive is connected.

Step 2: Please download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php

Select the x64 (64-bit) version for your 64-bit system (Purple button on right.)
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish.
(Under Status, it says: Prescan finished)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt


>> Please provide the RKreport.txt (Mode: Scan) in your reply.

Edited by Aaflac, 11 November 2013 - 09:45 PM.

Old duck...


#33 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 12 November 2013 - 07:23 AM

RogueKiller V8.7.7 _x64_ [Nov 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shravan [Admin rights]
Mode : Scan -- Date : 11/12/2013 17:51:43
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] Viber.exe -- C:\Users\Shravan\AppData\Local\Viber\Viber.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Viber ("C:\Users\Shravan\AppData\Local\Viber\Viber.exe" StartMinimized [7][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-950273752-2326613030-74709175-1000\[...]\Run : Viber ("C:\Users\Shravan\AppData\Local\Viber\Viber.exe" StartMinimized [7][x]) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{2BE50405-7707-4913-8488-C5774ABE191E} : NameServer (125.22.47.125,202.56.250.5 [(Unknown Country?) (XX) - INDIA (IN)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{2BE50405-7707-4913-8488-C5774ABE191E} : NameServer (125.22.47.125,202.56.250.5 [(Unknown Country?) (XX) - INDIA (IN)]) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{2BE50405-7707-4913-8488-C5774ABE191E} : NameServer (125.22.47.125,202.56.250.5 [(Unknown Country?) (XX) - INDIA (IN)]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Users\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\Documents and Settings\Shravan\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3250310SV ATA Device +++++
--- User ---
[MBR] 0f838bc359c96f7a78c1e5fd5b21175c
[BSP] 7370089c81cd60320ecc73ef3f736d3d : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD5000AAKX-003CA0 ATA Device +++++
--- User ---
[MBR] 0503b8e75b89a0233e30780cc1227ad8
[BSP] 78dfbb8ed82a9667a2d2b941fc0bc2eb : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 276940 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 567174825 | Size: 199996 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_11122013_175143.txt >>
 
 
 
Thanks for helping
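
The RogueKiller report above mixes three kinds of lines: a process it already killed, registry entries it only found, and [PUM] entries (potentially unwanted modifications: the NameServer values and two Start-menu icons) that are configuration, not detections. The [SUSP PATH] tag on Viber.exe is a location heuristic (an executable running from a user-writable AppData folder), not a signature match. The NameServer lines deserve the closest look, because a DNS-changing infection shows up exactly there, as resolvers the user never configured; resolvers that are merely unfamiliar should be confirmed against what the ISP or the router's DHCP lease hands out before anything is changed. Below is an added example, not code from the thread or from RogueKiller, that parses this report format, separates killed/PUM/review items, and compares the listed resolvers with a set you supply. The report excerpt is a constructed sample copied from the log's own lines, and EXPECTED_RESOLVERS is a placeholder assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the layout of the RKreport.txt quoted above (RogueKiller 8.x).
# Not part of the original post; the entries are copied from that log for illustration.
SAMPLE_REPORT = r"""¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] Viber.exe -- C:\Users\Shravan\AppData\Local\Viber\Viber.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Viber ("C:\Users\Shravan\AppData\Local\Viber\Viber.exe" StartMinimized [7][x]) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{2BE50405-7707-4913-8488-C5774ABE191E} : NameServer (125.22.47.125,202.56.250.5 [(Unknown Country?) (XX) - INDIA (IN)]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤
"""

# One finding line: a leading [TAG][TAG] group, free-form detail, then "-> ACTION".
FINDING_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*->\s*([A-Z]+)")
TAG_RE = re.compile(r"\[([^\]]+)\]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    section: str
    tags: List[str]
    detail: str
    action: str      # FOUND, KILLED, ...


def parse_report(text: str) -> List[Finding]:
    """Turn section headers and finding lines of an RKreport into Finding records."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("¤¤¤"):
            # "¤¤¤ Registry Entries : 7 ¤¤¤" -> "Registry Entries"
            section = line.strip("¤ ").split(":")[0].strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, TAG_RE.findall(m.group(1)),
                                    m.group(2), m.group(3)))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split what RogueKiller already acted on from what it only flagged.

    [PUM] entries are settings it considers 'potentially unwanted'; on their own
    they are not evidence of infection and need a human decision."""
    out: Dict[str, List[Finding]] = {"killed": [], "pum": [], "review": []}
    for f in findings:
        if f.action == "KILLED":
            out["killed"].append(f)
        elif "PUM" in f.tags:
            out["pum"].append(f)
        else:
            out["review"].append(f)
    return out


def check_nameservers(findings: List[Finding], expected: Set[str]) -> List[Tuple[str, bool]]:
    """Resolvers from every [DNS] NameServer finding, each with whether it is in `expected`.

    The same interface GUID is listed under CCSet, CS001 and CS002, so duplicates are dropped."""
    seen: List[str] = []
    for f in findings:
        if "DNS" in f.tags and "NameServer" in f.detail:
            for ip in IPV4_RE.findall(f.detail):
                if ip not in seen:
                    seen.append(ip)
    return [(ip, ip in expected) for ip in seen]


# Assumption: the resolvers you expect on this machine (placeholder: a home router;
# replace with what your ISP or DHCP lease actually assigns). An IP not in this set is
# "unrecognised", not "malicious": confirm it with the ISP or router before changing it.
EXPECTED_RESOLVERS = {"192.168.1.1"}

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {len(items)}")
    for ip, ok in check_nameservers(found, EXPECTED_RESOLVERS):
        print(f"NameServer {ip}: {'expected' if ok else 'UNRECOGNISED - verify with ISP/router'}")
```

Run it against a saved RKreport.txt by passing the file's contents to parse_report; the [DNS] entries end up in the "pum" bucket, and check_nameservers is the step that tells you whether they are the resolvers you meant to have.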


#34 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 12 November 2013 - 10:35 PM

Please submit the following file for analysis to VirusTotal:

http://www.virustotal.com/

 

File: C:\Users\Shravan\AppData\Local\Viber\Viber.exe

 

Use the 'Choose File' button to navigate to the location of the file.

 

In the Choose file to upload prompt, select the file, then, click the 'Open' button.

 

The file is now displayed in the blank box of VirusTotal

Click: Scan It, and wait for the results.

 

If you get a message saying: File has already been analyzed, click: Reanalyze file now

 

Once scanned, please provide the link to the results page in your reply.

 

 

 


Old duck...


#35 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 13 November 2013 - 12:07 AM

I uploaded the file and waited for an hour, but nothing happened.

 

The file is only 892 KB and I have an 8 Mbps net connection.

 

In case it helps, Viber is a chat messenger used mainly for mobile-to-mobile messaging, similar to WhatsApp, but it can also be installed on a computer.

 

Please advise alternate method

 

Thanks for helping



#36 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 13 November 2013 - 04:00 AM

I was unable to do it using Internet Explorer 11, but when I tried Firefox, I was successful.
 
 
Thanks for helping

Edited by Newbie1011, 13 November 2013 - 04:07 AM.


#37 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 13 November 2013 - 02:41 PM

Good!  :thumbup2:

On your initial concern:

 

 

I had put my pendrive in another computer running Kaspersky antivirus to transfer some files

That computer said that my pendrive contains rootkit viruses

I did not get details of the suspected viruses as the pendrive was removed immediately

 

 

Please run the Kaspersky Security Scan:
Download: http://www.kaspersky.com/virus-scanner

Double-click the downloaded file.
Follow the prompts in the Setup Wizard, and Install
When done, click: Finish

>> Plug in the USB pen drive into the computer.

 

Back at the Desktop, double-click the Kaspersky icon.

The program may need to update data. If so, please let it do so.

 

At the program console, place the mouse over the icons at the bottom, and select the icon for: Full Scan
(It scans your entire computer, including all hard-disk partitions and removable drives.)

 

If the scanner reveals problems, a Problems Found window appears.
Click on: Details

Highlight all the information presented by clicking any empty area and using the Ctrl and A keys.
Paste the information into Notepad, and provide it in your reply.

 

The Kaspersky Security Scan does not fix any issues. If it finds any problems, a Fix Now button prompts you to purchase something from the Kaspersky site.

There is no need to engage in purchasing any product recommended.


Old duck...


#38 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 15 November 2013 - 05:23 AM

 
 
 
 
 
 
Detailed report

Problems found
 Scanning date: 11/15/2013 06:55 PM
 Database update date: 11/15/2013 02:04 PM
 Product version: 12.0.1.340

Computer protection (0)
 Information about anti-virus software and firewalls installed on the computer.

Malware (0)
 Information about malware detected on the computer.

Vulnerabilities (2)
 Information about applications and operating system components in which vulnerabilities have been detected.
 1. C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll
 2. C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll

Other issues (15)
 Information about vulnerabilities associated with the settings of installed applications and the operating system.
 1. "Process termination timeout is out of admissible values"
 2. "Service termination timeout is out of admissible values"
 3. "Autorun from hard drives is allowed"
 4. "Autorun from network drives is enabled"
 5. "CD/DVD autorun is enabled"
 6. "Removable media autorun is enabled"
 7. "Windows Explorer - show extensions of known file types"
 8. "Microsoft Internet Explorer: clear history of typed URLs"
 9. "Microsoft Internet Explorer - disable caching data received via protected channel"
 10. "Microsoft Internet Explorer: disable sending error reports"
 11. "Microsoft Internet Explorer: clear the list of trusted domains"
 12. "Microsoft Internet Explorer: clear list of pop-up blocker exceptions"
 13. "Microsoft Internet Explorer: enable cache autocleanup on browser closing"
 14. "Windows Explorer: display of known file types extensions is disabled"
 15. "Microsoft Internet Explorer: start page reset"

Thanks for helping

Edited by Newbie1011, 15 November 2013 - 08:36 AM.
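
Items 3 to 6 of the "Other issues" list above are the ones that matter for a pen drive scare: they all come down to one registry value, NoDriveTypeAutoRun, a bitmask in which each set bit disables AutoRun for one drive type. The value Windows ships with (0x91) leaves removable media, hard disks and CD/DVD enabled, which is three of the four items Kaspersky listed; 0xFF disables AutoRun everywhere. On a Windows 7 that has update KB971029 installed, autorun.inf is already ignored on USB mass-storage devices, but a device that presents itself as a CD-ROM (U3-style sticks) still gets it, which is why 0xFF is the setting to use. The following is an added example, not Kaspersky's or Microsoft's code, that decodes the bitmask, prints the report-style wording for whatever is still enabled, and on Windows reads the live HKLM/HKCU values; the mapping from drive types to Kaspersky's wording is inferred from the item names and is an assumption, as is the 0xDEADBEEF-free, purely local nature of the check (it changes nothing).

```python
import sys
from typing import List, Optional, Tuple

# NoDriveTypeAutoRun lives under
#   HKLM (and HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# Each set bit DISABLES AutoRun for one drive type; bit positions follow the
# Win32 GetDriveType() codes.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",   # USB pen drives, card readers, floppies
    0x08: "fixed",       # internal hard disks
    0x10: "remote",      # mapped network drives
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
WINDOWS_DEFAULT = 0x91   # unknown + remote + reserved off; removable, fixed, CD/DVD still on
DISABLE_ALL = 0xFF

# Assumed mapping from drive types to the Kaspersky "Other issues" wording above
# (inferred from the item names; the page does not document it).
KSS_WORDING = {
    "removable": "Removable media autorun is enabled",
    "fixed": "Autorun from hard drives is allowed",
    "remote": "Autorun from network drives is enabled",
    "cdrom": "CD/DVD autorun is enabled",
}


def autorun_allowed(value: int) -> List[str]:
    """Drive types for which AutoRun is still permitted under the given bitmask."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not value & bit]


def effective_value(machine: Optional[int], user: Optional[int]) -> int:
    """The HKLM policy value wins over HKCU; with neither set, Windows behaves as 0x91."""
    if machine is not None:
        return machine
    if user is not None:
        return user
    return WINDOWS_DEFAULT


def kss_style_findings(value: int) -> List[str]:
    """The report lines a scanner like KSS would print for this bitmask."""
    return [KSS_WORDING[t] for t in autorun_allowed(value) if t in KSS_WORDING]


def read_live_values() -> Tuple[Optional[int], Optional[int]]:
    """(HKLM value, HKCU value); None where the value is not set. Windows only, read-only."""
    if sys.platform != "win32":
        return None, None
    import winreg  # standard library on Windows
    sub = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    values = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(root, sub) as key:
                values.append(winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0])
        except OSError:          # key or value absent
            values.append(None)
    return values[0], values[1]


if __name__ == "__main__":
    machine, user = read_live_values()
    current = effective_value(machine, user)
    print(f"NoDriveTypeAutoRun: HKLM={machine} HKCU={user} -> effective 0x{current:02X}")
    for line in kss_style_findings(current):
        print(" -", line)
    print("hardened value:", hex(DISABLE_ALL), "still allows:", autorun_allowed(DISABLE_ALL) or "nothing")
```

To apply the hardened value, set NoDriveTypeAutoRun to 0xFF as a REG_DWORD under the HKLM path above (it takes effect after the Explorer process restarts or the machine reboots); the block itself only reads. Items 7 and 14 in the same report (known file extensions hidden) are a separate setting, HideFileExt under HKCU\...\Explorer\Advanced, and are worth fixing at the same time because hidden extensions are what makes "invoice.pdf.exe" look like a document.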


#39 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 15 November 2013 - 08:49 PM

I had put my pendrive in another computer running Kaspersky antivirus to transfer some files.

That computer said that my pendrive contains rootkit viruses

I did not get details of the suspected viruses as the pendrive was removed immediately.



Do you still have access to the computer where Kaspersky presented the notice about your pen drive containing rootkit viruses?

It would be interesting to find out if it still would give the notice.


However, if you decide to try it out, please run UsbFix once again, and click: Vaccinate

Connect your USB pen drive and click: OK

A confirmation that your USB drive is vaccinated appears.
Press: OK

Edited by Aaflac, 17 November 2013 - 01:19 PM.

Old duck...


#40 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 16 November 2013 - 07:04 AM

It would not be ethical on my part to again put someone else's computer at risk.

 

So I would not like to put my pendrive in that computer unless I am sure that the pendrive is clean.

 

Thanks for helping


Edited by Newbie1011, 16 November 2013 - 07:05 AM.


#41 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 16 November 2013 - 11:45 AM

There is no way I would ask you to do something that is not ethical.

Do you know by any chance which Kaspersky product made the malware detection, or, can you find out?
It may be that the Kaspersky product is detecting falsely. That happens.

At this point there is no evidence showing that the USB drive is infected.

Are you experiencing any malware problems with it, or with your computer?

Old duck...


#42 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 16 November 2013 - 06:25 PM

He is using Kaspersky Internet security

 

I am not facing any malware problems, but I wanted to be sure that my computer is clean.

 

Is there anything suspicious in the list of threats in the KSS report?

 

Has any of the programs run by you also checked for rootkit viruses?

 

Thanks for helping



#43 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 16 November 2013 - 10:43 PM

The Kaspersky Internet Security (KIS) has a free trial:
http://usa.kaspersky.com/downloads/free-home-trials/internet-security?domain=kaspersky.com#creativeID1131

 

Since that was the program that gave you notice of a rootkit, etc., consider downloading it, using it, and finding out what it reports.

The cracks and unethical programs on the computer and/or flash drive may have triggered the initial results of KIS.
As long as those are in play, you will be infected. That is what they bring.

 

The Farbar Recovery Scan Tool is a good rootkit detector, but, it did not find any. Neither did Malwarebytes Anti-Malware or ESET.

 

If you wish to run another program for reassurance, you can also try the following:

 

Download Malwarebytes Anti-Rootkit:
http://www.malwarebytes.org/products/mbar/

Save to the Desktop

Right-click the file and select: Extract here...

 

Follow the Usage instructions on the website from Step 1 to Step 6.

For now, please stop at Step 6.

 

When the program is done, two reports are created in the mbar folder:

1. system-log.txt

2. mbar-log-2013-02-18 (20-13-32).txt (corresponds to mbar-log-year-month-day (hour-minute-second).txt)

 

Please provide the mbar-log and the system-log.txt in your reply.

 


Old duck...


#44 Newbie1011
  • Topic Starter
  • Members
  • 121 posts

Posted 17 November 2013 - 07:00 AM

I ran Malwarebytes Anti-Rootkit as advised.

 

I got the message that no cleanup required after the program ran.

No files were generated

 

Please advise

 

Thanks for helping



#45 Aaflac
  • Malware Response Team
  • 2,307 posts

Posted 17 November 2013 - 01:47 PM

Good!

One last program...

Please download TDSSKiller:
http://www.bleepingcomputer.com/download/tdsskiller/
Select the .exe version
Save to the Desktop
Right-click and select: Run as Administrator
On the screen that appears, click on: Change parameters
On the next screen, check: Loaded Modules and Detect TDLFS file system.

If asked to reboot because an "Extended Monitoring Driver is required" please click: Reboot now

Next...
Click Start Scan and allow the scan process to run

If a suspicious object is detected, the default action will be Skip, click on: Continue

If malicious objects are found, they will show in the Scan results
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
(Note: If Cure is not available, please choose Skip instead, do not choose: Delete)

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.10.2013_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Old duck...
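
TDSSKiller's "Detect TDLFS file system" option and the MBR section of the RogueKiller report earlier in the thread ([MBR] hash, [BSP] hash labelled "Windows 7/8 MBR Code", partition table, "User = LL1/LL2 ... OK!") are looking at the same thing: the TDL4 family installs itself in the master boot record and keeps its components in a hidden file system in unpartitioned space at the end of the disk, leaving the partition table intact so the machine still boots normally. What such a check does, as an added example that is not code from either tool or from the thread: read one 512-byte MBR, hash the 440 bytes of boot code separately from the partition table, decode the table, and compare the code hash against a baseline recorded from a clean machine. The MBR bytes are constructed (the partition table copies PhysicalDrive1 from the report, the boot code is a placeholder stub), the baseline table and the 500 GB sector count are assumptions, and which exact byte ranges RogueKiller hashes for its [MBR] and [BSP] lines is not stated on the page.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 boot code; 440..443 disk signature; 446..509 partition table
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Hash the boot code and decode the partition table of one 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                           # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "size_mib": count * SECTOR // (1024 * 1024)})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "mbr_md5": hashlib.md5(sector).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def classify_boot_code(info: Dict, known_good: Dict[str, str]) -> str:
    """Name the boot code if its hash is in a table you built from clean machines.

    A bootkit replaces the 440 bytes of code and leaves the partition table alone,
    so the code hash, not the whole-sector hash, is the one to baseline."""
    return known_good.get(info["boot_code_md5"], "UNKNOWN boot code - compare with a known-clean disk")


def unpartitioned_tail(info: Dict, total_sectors: int) -> int:
    """Sectors after the last partition ends. A few thousand is normal alignment slack;
    a hidden file system of the TDLFS kind is placed in this region."""
    end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
    return total_sectors - end


def read_mbr(device: str) -> bytes:
    r"""First sector of a raw device, e.g. r"\\.\PhysicalDrive1" (needs admin) or "/dev/sda"."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed MBR for this example, not a dump of anyone's disk. The partition
    table mirrors PhysicalDrive1 in the RogueKiller report; the boot code is a stub."""
    sector = bytearray(SECTOR)
    stub = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])   # placeholder, not real boot code
    sector[:len(stub)] = stub
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)                        # arbitrary disk signature
    entries = [(0x00, 0x07, 63, 276940 * 2048),              # NTFS, not active
               (0x80, 0x07, 567174825, 199996 * 2048)]        # NTFS, active (boot)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    baseline = {info["boot_code_md5"]: "constructed stub"}   # in practice: hashes from a clean install
    print("[MBR]", info["mbr_md5"], "[BSP]", info["boot_code_md5"], "->", classify_boot_code(info, baseline))
    for p in info["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        print(f"{p['index']} - [{flag}] type 0x{p['type']:02x} offset {p['lba_start']} size {p['size_mib']} MiB")
    print("unpartitioned tail:", unpartitioned_tail(info, 976773168), "sectors")  # 500 GB drive (assumed)
```

On a live machine, feed read_mbr(r"\\.\PhysicalDrive0") (run as Administrator) to parse_mbr and compare the boot-code hash with one taken from a clean installation of the same Windows version; a changed code hash with an unchanged partition table is the bootkit pattern, and a large unpartitioned tail is where to look next.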




