
Probable virus on USB Flash Drive


20 replies to this topic

#1 Alchemic

Alchemic

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 12 December 2015 - 09:52 AM

Greetings,

 

I think I got a virus called SergeLeLama.vbs on my USB flash drive - and infected my Desktop PC with it. I've been inserting other flash drives, lately, and I believe I've infected them all without realizing it.

I do not really know how to proceed.

The virus is probably triggered by an Autorun file: as I enter the flash disk unit (for instance, E:) the window does not display all the files that are supposed to be stored on it but an odd link.

Sometimes the link looks like a folder - some other times it looks like a disk-unit icon.

 

I've heard that, by clicking on this link, you basically activate the virus, since its path leads to a .vbs file.

 

And I obviously clicked on it several times, since I didn't know about this kind of virus.

So, I've basically got two problems:

1) trying to get rid of this infection on my PC;
2) finding a way to clean my pen-drives, even if I have to format them.

Please, lend me a hand. What can I do to solve these issues?


Edited by hamluis, 12 December 2015 - 11:34 AM.
Moved from XP to Am I Infected - Hamluis.



#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 12 December 2015 - 12:33 PM

Hello and welcome to BC,

 

Please download MCShield from the following link:

MCShield - Official download link
 

  • Double click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... per installation click on Run! button.
  • Wait a few seconds for MCShield to finish its initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post AllScans.txt here


Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

MCShield Anti-Malware USB Tool is a lightweight scanner designed to prevent infections transmitted via removable drives (USB sticks, external drives, camera cards). Its real-time protection is only active when you plug in an external drive.

 MCShield Documentation & Program Features


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash: 

 


#3 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 12 December 2015 - 10:26 PM

Greetings Severac and thanks for your answer and support.

I performed the scan on my PC and 9 different USB storage pens. Here are the results:
 

 

 

>>> MCShield AllScans.txt <<<

-----------------------------




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.14.15 > Drive C: - scan started (Volume ~149 GB, NTFS HDD )...


>>> C:\RECYCLER\AAGPMW7PGDORTSSBVZIAKBUEZNTGKGDZ_2.log - Malware > Deleted. (15.12.13. 04.14 AAGPMW7PGDORTSSBVZIAKBUEZNTGKGDZ_2.log.432690; MD5: d41d8cd98f00b204e9800998ecf8427e)


=> Malicious files   : 1/1 deleted.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.19.01 > Drive E: - scan started (SP UFD U2 ~3832 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.19.28 > Drive E: - scan started (MARELLA ~1902 MB, FAT32 flash drive )...

>>> E:\autorun.inf > Suspicious > Renamed. (MD5: cc28d43628f5c2e7f2d2359aa2622653)


=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 3sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.19.53 > Drive F: - scan started (PEDRO ~3831 MB, FAT32 flash drive )...

>>> F:\autorun.inf > Suspicious > Renamed. (MD5: 3f152f10d49397ff5aed4c0ae4dd870d)


=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.20.21 > Drive E: - scan started (SP UFD U2 ~7665 MB, FAT32 flash drive )...

>>> E:\autorun.inf > Suspicious > Renamed. (MD5: 0d715c15ac85f0a0ee868a69fdda6096)


=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 44sec :::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 4.26.55 > Drive E: - scan started (SP UFD U2 ~3832 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.37.35 > Drive C: - scan started (Volume ~149 GB, NTFS HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.38.55 > Drive E: - scan started (Lexar ~7480 MB, FAT32 flash drive )...


>>> E:\Lexar (8GB).lnk - Malware > Deleted. (15.12.13. 06.40 Lexar (8GB).lnk.628384; MD5: 88f7b06d576a0a9adcf43cdaae2526f1)

> Resetting attributes: E:\  < Successful.


=> Malicious files   : 1/1 deleted.
=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 1min 41sec ::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.41.14 > Drive E: - scan started (no label ~1928 MB, FAT flash drive )...



---> Executing generic S&D routine... Searching for files hidden by malware...


---> Items to process: 38

---> E:\danubio.rtf > unhidden.

---> E:\Chimica Fisica - Peter W.Atkins - Zanichelli.pdf > unhidden.

---> E:\calendario_lunare_Gennaio2015.pdf > unhidden.

---> E:\tutte le tv rai.rtf > unhidden.

---> E:\Chi vota  il presidente della repubblica.rtf > unhidden.

---> E:\lettera a telecom.rtf > unhidden.

---> E:\vomito.mp3 > unhidden.

---> E:\2 - Vodafone - ServizioClienti 2 - Torino.odt > unhidden.

---> E:\1 -  Vodafone - ViaJervis Torino (2).odt > unhidden.

---> E:\mobiletrans.exe > unhidden.

---> E:\phone-manager.exe > unhidden.

---> E:\O CHIACHIELLO.rtf > unhidden.

---> E:\gr. def. scuola primaria-  privacy.pdf > unhidden.

---> E:\Grad def Infanzia.pdf > unhidden.

---> E:\dirette tv.rtf > unhidden.

---> E:\traditore.mp3 > unhidden.

---> E:\I  S  E  E    2  0  1  5.rtf > unhidden.

---> E:\ADOBE.rtf > unhidden.

---> E:\ESEMPIO COMPILAZIONE.pdf > unhidden.

---> E:\FAQ.pdf > unhidden.

---> E:\novio ise 2015.rtf > unhidden.

---> E:\TVdream.msi > unhidden.

---> E:\lessare e aromatizzare  il pesce.rtf > unhidden.

---> E:\L O D O Z.rtf > unhidden.

---> E:\spiegaz  scintigrafia.rtf > unhidden.

---> E:\angel food documenti.rtf > unhidden.

---> E:\Carotide e Malattie della Carotide.rtf > unhidden.

---> E:\ricotta fatta in casa.rtf > unhidden.

---> E:\SoftonicDownloader_per_smart-piano.exe > unhidden.

---> E:\virtual piano net.rtf > unhidden.

---> E:\cantone.mp3 > unhidden.

---> E:\durata ricetta.rtf > unhidden.

---> E:\BNL.rtf > unhidden.

---> E:\11  Etichette per Succo di Melagrana - ProntoDaStampare.JPG > unhidden.

---> E:\Nuovo Documento di testo.txt > unhidden.

---> E:\naccnello .mp3 > unhidden.

---> E:\ .zip > unhidden.

---> E:\chiachiello.rtf > unhidden.



>>> E:\danubio.lnk - Malware > Deleted. (15.12.13. 06.41 danubio.lnk.147259; MD5: bc7520df42ccb12e9c7189cba1f9fa43)

>>> E:\Chimica Fisica - Peter W.lnk - Malware > Deleted. (15.12.13. 06.41 Chimica Fisica - Peter W.lnk.936836; MD5: 418194b79658af5e2458d7519bb5529d)

>>> E:\calendario_lunare_Gennaio2015.lnk - Malware > Deleted. (15.12.13. 06.41 calendario_lunare_Gennaio2015.lnk.467305; MD5: db196dadf71808979a3e79df0dbca728)

>>> E:\tutte le tv rai.lnk - Malware > Deleted. (15.12.13. 06.41 tutte le tv rai.lnk.619107; MD5: 642275017c8696478ecf6f858d3e4311)

>>> E:\Chi vota  il presidente della repubblica.lnk - Malware > Deleted. (15.12.13. 06.41 Chi vota  il presidente della repubblica.lnk.184211; MD5: 330a727704750fee007566badb959b3b)

>>> E:\lettera a telecom.lnk - Malware > Deleted. (15.12.13. 06.41 lettera a telecom.lnk.757406; MD5: 5ffe8229253aeeb8ff20cb4479a0faa8)

>>> E:\vomito.lnk - Malware > Deleted. (15.12.13. 06.41 vomito.lnk.650538; MD5: cf0c62efbf497ad29c20c65569fffcb3)

>>> E:\2 - Vodafone - ServizioClienti 2 - Torino.lnk - Malware > Deleted. (15.12.13. 06.41 2 - Vodafone - ServizioClienti 2 - Torino.lnk.594311; MD5: 4c6c9572bb40828943d792a5ef67e262)

>>> E:\1 -  Vodafone - ViaJervis Torino (2).lnk - Malware > Deleted. (15.12.13. 06.41 1 -  Vodafone - ViaJervis Torino (2).lnk.138556; MD5: 5ec59fcb11d54f71db6b93edb9f8c4e2)

>>> E:\mobiletrans.lnk - Malware > Deleted. (15.12.13. 06.41 mobiletrans.lnk.882652; MD5: cfbad87f28d0a5caa115fcee8dcfe35a)

>>> E:\phone-manager.lnk - Malware > Deleted. (15.12.13. 06.41 phone-manager.lnk.387714; MD5: 4055dd64997298a0a23a93ee2934f1ed)

>>> E:\O CHIACHIELLO.lnk - Malware > Deleted. (15.12.13. 06.41 O CHIACHIELLO.lnk.733247; MD5: 242bc63c7f33249b6dcf830910a1bea8)

>>> E:\gr.lnk - Malware > Deleted. (15.12.13. 06.41 gr.lnk.7364; MD5: bb8420f73012d882d0fafce1c861c460)

>>> E:\Grad def Infanzia.lnk - Malware > Deleted. (15.12.13. 06.41 Grad def Infanzia.lnk.312575; MD5: 668b073bcde412862994be21505b2572)

>>> E:\dirette tv.lnk - Malware > Deleted. (15.12.13. 06.41 dirette tv.lnk.304933; MD5: 45ccd6b188e79ebbdf544b5ce15039de)

>>> E:\traditore.lnk - Malware > Deleted. (15.12.13. 06.41 traditore.lnk.324929; MD5: a781b35c8ef7a7beb3c1f12363912a00)

>>> E:\I  S  E  E    2  0  1  5.lnk - Malware > Deleted. (15.12.13. 06.41 I  S  E  E    2  0  1  5.lnk.843766; MD5: 0a27a9c5fd587b976865a9dcec1c17f7)

>>> E:\ADOBE.lnk - Malware > Deleted. (15.12.13. 06.41 ADOBE.lnk.929665; MD5: 588e1292e567e12520badd9c1ae47d93)

>>> E:\ESEMPIO COMPILAZIONE.lnk - Malware > Deleted. (15.12.13. 06.41 ESEMPIO COMPILAZIONE.lnk.409319; MD5: 30e86692798b000f1355ff01803a9a57)

>>> E:\FAQ.lnk - Malware > Deleted. (15.12.13. 06.41 FAQ.lnk.363500; MD5: bbfcd3f5d544ca1ae33cfd41358aee41)

>>> E:\novio ise 2015.lnk - Malware > Deleted. (15.12.13. 06.41 novio ise 2015.lnk.618069; MD5: 92286d0d34c34b0394bc4fb2659c4d8c)

>>> E:\TVdream.lnk - Malware > Deleted. (15.12.13. 06.41 TVdream.lnk.140448; MD5: d1b66d06d3ba2ab21c9b62e5f3018c6d)

>>> E:\lessare e aromatizzare  il pesce.lnk - Malware > Deleted. (15.12.13. 06.41 lessare e aromatizzare  il pesce.lnk.966453; MD5: 316ed87642216e1432a15e5f626b5fe1)

>>> E:\L O D O Z.lnk - Malware > Deleted. (15.12.13. 06.41 L O D O Z.lnk.599691; MD5: 3924382e2a888a3f9327385d390a833e)

>>> E:\spiegaz  scintigrafia.lnk - Malware > Deleted. (15.12.13. 06.41 spiegaz  scintigrafia.lnk.702907; MD5: 4644465920d51c868cf4006b5aa9af85)

>>> E:\angel food documenti.lnk - Malware > Deleted. (15.12.13. 06.41 angel food documenti.lnk.514962; MD5: 59ca0eaa3ca0faf5cafa93cc7e02c618)

>>> E:\Carotide e Malattie della Carotide.lnk - Malware > Deleted. (15.12.13. 06.41 Carotide e Malattie della Carotide.lnk.703629; MD5: fcb9a5cec14b27f8b5ed11c638158ba6)

>>> E:\ricotta fatta in casa.lnk - Malware > Deleted. (15.12.13. 06.41 ricotta fatta in casa.lnk.874979; MD5: f0da45cee7023401729aecf2b43be3ba)

>>> E:\SoftonicDownloader_per_smart-piano.lnk - Malware > Deleted. (15.12.13. 06.41 SoftonicDownloader_per_smart-piano.lnk.222915; MD5: 3284633b69ae23cd39baf0ebd4e3c814)

>>> E:\virtual piano net.lnk - Malware > Deleted. (15.12.13. 06.41 virtual piano net.lnk.87097; MD5: 7f208dffeaf2e61b42a6645858593528)

>>> E:\cantone.lnk - Malware > Deleted. (15.12.13. 06.41 cantone.lnk.792357; MD5: f2f575d20d2c3cd6d01afdb887dd9d57)

>>> E:\durata ricetta.lnk - Malware > Deleted. (15.12.13. 06.41 durata ricetta.lnk.892031; MD5: c2a1a20b1cc644d265b769784f5f3aa7)

>>> E:\BNL.lnk - Malware > Deleted. (15.12.13. 06.41 BNL.lnk.950598; MD5: 8a1c86d6c7524fb9abfc7b2b48da1698)

>>> E:\11  Etichette per Succo di Melagrana - ProntoDaStampare.lnk - Malware > Deleted. (15.12.13. 06.41 11  Etichette per Succo di Melagrana - ProntoDaStampare.lnk.985681; MD5: 280c46599a1e51a1a5d045d54723bba1)

>>> E:\Nuovo Documento di testo.lnk - Malware > Deleted. (15.12.13. 06.41 Nuovo Documento di testo.lnk.273574; MD5: d9f15a0ee4934da1398d30b144c69f6c)

>>> E:\naccnello .lnk - Malware > Deleted. (15.12.13. 06.41 naccnello .lnk.52305; MD5: f1e3de2d09c3a680d859d6797e52712b)

>>> E:\ .lnk - Malware > Deleted. (15.12.13. 06.41  .lnk.990480; MD5: eb5bd22f48beca98c9c5c25b9ffb1eff)

>>> E:\chiachiello.lnk - Malware > Deleted. (15.12.13. 06.41 chiachiello.lnk.55519; MD5: dfd3a9f7c7e94e1b08f07fdd0c9b706d)

>>> E:\ytraccidqf..vbs - Malware > Deleted. (15.12.13. 06.41 ytraccidqf..vbs.581441; MD5: 6203af0a96b7e4c312a35268f447b269)

>>> E:\Masiello.lnk - Malware > Deleted. (15.12.13. 06.41 Masiello.lnk.898283; MD5: 54dc0540be3600f2ef7824e70c35dc1c)

>>> E:\memtest86-iso.lnk - Malware > Deleted. (15.12.13. 06.41 memtest86-iso.lnk.69459; MD5: de2486cc0d5d9883e9f95450254f37f4)

>>> E:\iseee.lnk - Malware > Deleted. (15.12.13. 06.41 iseee.lnk.180765; MD5: 0ab7845f858bf3949a32ae7ceebc6b71)

>>> E:\regisreaz  vodafone.lnk - Malware > Deleted. (15.12.13. 06.41 regisreaz  vodafone.lnk.318617; MD5: 57bbc314bc569514d460abc91d24811b)

>>> E:\nuovo contrat.lnk - Malware > Deleted. (15.12.13. 06.41 nuovo contrat.lnk.563784; MD5: 390edcf9152ad66e2739b500002c8435)

>>> E:\scintilligrafia.lnk - Malware > Deleted. (15.12.13. 06.41 scintilligrafia.lnk.205112; MD5: 882b8f38c82525ba239f703478723e0a)

>>> E:\vesuviana.lnk - Malware > Deleted. (15.12.13. 06.41 vesuviana.lnk.735321; MD5: e26356fe1115866fd3dfd2a5374385b8)

>>> E:\chiachiello o naknello.lnk - Malware > Deleted. (15.12.13. 06.41 chiachiello o naknello.lnk.219523; MD5: c9dc2de4dd6ed746afbc9832ce2651d7)

>>> E:\Nuova cartella.lnk - Malware > Deleted. (15.12.13. 06.41 Nuova cartella.lnk.143748; MD5: c4c218737235fcf2abf86517c7a60418)

>>> E:\1 camicia strap.lnk - Malware > Deleted. (15.12.13. 06.41 1 camicia strap.lnk.905162; MD5: bbd43e96986e8ebe83b5e86f35c46411)

> Resetting attributes: E:\Masiello < Successful.

> Resetting attributes: E:\memtest86-iso < Successful.

> Resetting attributes: E:\iseee < Successful.

> Resetting attributes: E:\regisreaz  vodafone < Successful.

> Resetting attributes: E:\nuovo contrat < Successful.

> Resetting attributes: E:\scintilligrafia < Successful.

> Resetting attributes: E:\vesuviana < Successful.

> Resetting attributes: E:\chiachiello o naknello < Successful.

> Resetting attributes: E:\  < Successful.

> Resetting attributes: E:\Nuova cartella < Successful.

> Resetting attributes: E:\1 camicia strap < Successful.


=> Malicious files   : 49/49 deleted.
=> Hidden folders    : 11/11 unhidden.
=> Hidden files      : 38/38 unhidden.

____________________________________________

::::: Scan duration: 9sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.42.31 > Drive E: - scan started (no label ~8064 MB, FAT32 flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.43.16 > Drive E: - scan started (VOLUME ~1884 MB, FAT flash drive )...

>>> E:\autorun.inf > Action failed.


---> Executing generic S&D routine... Searching for files hidden by malware...


---> Items to process: 15

---> E:\autorun.inf > unhidden.

---> E:\Snack_ Creatività.mp3 > unhidden.

---> E:\Snack_ Credere in_ credere a....mp3 > unhidden.

---> E:\Snack_ Dannata.mp3 > unhidden.

---> E:\Snack_ Detersivi.mp3 > unhidden.

---> E:\Snack_ Differenziare.mp3 > unhidden.

---> E:\Snack_ Domanda per avere.mp3 > unhidden.

---> E:\Snack_ Domanda per sapere.mp3 > unhidden.

---> E:\Snack_ Entropia.mp3 > unhidden.

---> E:\Snack_ Ercole_ un pezzo d'uomo.mp3 > unhidden.

---> E:\Snack_ Figli e figliastri.mp3 > unhidden.

---> E:\Snack_ Furbizia.mp3 > unhidden.

---> E:\Snack_ Guardare le stelle.mp3 > unhidden.

---> E:\Snack_ I nostri tesori.mp3 > unhidden.

---> E:\Snack  ASCOLTA.mp3 > unhidden.



>>> E:\autorun.lnk - Malware > Deleted. (15.12.13. 06.43 autorun.lnk.38937; MD5: f9cff863cf43140232ff75ffbab15427)

>>> E:\Snack_ Creatività.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Creatività.lnk.576316; MD5: 05dc3131fd1d71895750dc7a0f3519c8)

>>> E:\Snack_ Credere in_ credere a.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Credere in_ credere a.lnk.106786; MD5: a9457086e4692185aa49fa6c0022ab95)

>>> E:\Snack_ Dannata.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Dannata.lnk.128094; MD5: 98a4a431f914a830383b42dde762b8fd)

>>> E:\Snack_ Detersivi.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Detersivi.lnk.699058; MD5: 7387372c35a226e78f9538bd1512c0d9)

>>> E:\Snack_ Differenziare.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Differenziare.lnk.272253; MD5: 8c134fa845d4b9dc725bbde9874ed80e)

>>> E:\Snack_ Domanda per avere.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Domanda per avere.lnk.290019; MD5: 3e90a90c2112220eec5828bd0dbb4db6)

>>> E:\Snack_ Domanda per sapere.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Domanda per sapere.lnk.239651; MD5: d3ee8d989c9d75c71ec4449cc66a53fd)

>>> E:\Snack_ Entropia.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Entropia.lnk.783896; MD5: 20dbce65fa72fbc6cef2082e61946462)

>>> E:\Snack_ Ercole_ un pezzo d'uomo.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Ercole_ un pezzo d'uomo.lnk.522133; MD5: d3eb5dd66dcf37ba023aeb29ab86120e)

>>> E:\Snack_ Figli e figliastri.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Figli e figliastri.lnk.777927; MD5: 6cf875da31fd06133c1f0af13f9d286b)

>>> E:\Snack_ Furbizia.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Furbizia.lnk.265671; MD5: 5dea67d2c3e42aba1e6d2dd75427b557)

>>> E:\Snack_ Guardare le stelle.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ Guardare le stelle.lnk.646845; MD5: 55dd71a37837e2fc5048731d6469e303)

>>> E:\Snack_ I nostri tesori.lnk - Malware > Deleted. (15.12.13. 06.43 Snack_ I nostri tesori.lnk.827422; MD5: bf7aca9a6952b0b27e27c9b44e2e90a6)

>>> E:\Snack  ASCOLTA.lnk - Malware > Deleted. (15.12.13. 06.43 Snack  ASCOLTA.lnk.819779; MD5: aad6359df683e41653c34781925ba356)

>>> E:\ytraccidqf..vbs - Malware > Deleted. (15.12.13. 06.43 ytraccidqf..vbs.845635; MD5: 6203af0a96b7e4c312a35268f447b269)

>>> E:\AEXRGYH.lnk - Malware > Deleted. (15.12.13. 06.43 AEXRGYH.lnk.109346; MD5: aef19023af697d450a92866ac1e484e8)

>>> E:\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255\Desktop.ini - Malware > Deleted. (15.12.13. 06.43 Desktop.ini.195244; MD5: e783bdd20a976eaeaae1ff4624487420)

>>> E:\DFGDFJJJJDFJDFJGFDJTURTURUTJJF\DFG-2352-26235-2322322-624621221-2622255\Desktop.ini - Malware > Deleted. (15.12.13. 06.43 Desktop.ini.674898; MD5: e783bdd20a976eaeaae1ff4624487420)

> E:\beruhi
> E:\beruhi\gungsmitteln.exe (MD5: 4b51bc8af473fff5e17e3b42a21a90ca)

>>> E:\beruhi - Malware (folder) > Deleted. (15.12.13. 06.43 beruhi.385671)

> E:\AEXRGYH
> E:\AEXRGYH\DFG-2352-26235-2322322-624621221-2622255

>>> E:\AEXRGYH - Malware (folder) > Deleted. (15.12.13. 06.43 AEXRGYH.132916)


=> Malicious files   : 20/20 deleted.
=> Malicious folders : 3/3 deleted.
=> Hidden files      : 15/15 unhidden.

____________________________________________

::::: Scan duration: 14sec :::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<


13/12/2015 6.45.06 > Drive E: - scan started (REGISTRA1GB ~964 MB, FAT flash drive )...



---> Executing generic S&D routine... Searching for files hidden by malware...


---> Items to process: 2

---> E:\SergeLeLama.vbs > unhidden.

---> E:\ytraccidqf..vbs > unhidden.



>>> E:\SergeLeLama.lnk - Malware > Deleted. (15.12.13. 06.45 SergeLeLama.lnk.998898; MD5: 6a574553c35c1c7c8b6c3a8c664f4f22)

>>> E:\ytraccidqf.lnk - Malware > Deleted. (15.12.13. 06.45 ytraccidqf.lnk.696067; MD5: 2ed2c32f169d9c6aaa123f5ce31862cf)

>>> E:\ .lnk - Malware > Deleted. (15.12.13. 06.45  .lnk.101903; MD5: afddef3f5e6a735350d5c0127aafa07b)

>>> E:\SergeLeLama.vbs - Suspicious > Renamed. (MD5: 304439a2e8278f31e4e42dd145c65b48)

> Resetting attributes: E:\  < Successful.


=> Malicious files   : 3/3 deleted.
=> Suspicious files  : 1/1 renamed.
=> Hidden folders    : 1/1 unhidden.
=> Hidden files      : 2/2 unhidden.

____________________________________________

::::: Scan duration: 16sec :::::::::::::::::
____________________________________________



 


Edited by Alchemic, 13 December 2015 - 12:47 AM.
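The AllScans.txt report above is long and mixes eleven separate drive scans, so it is worth having a small parser that turns it into a per-drive triage table. The following is an added example, not code from the thread or from the MCShield project; the regular expressions are written against the line shapes visible in the log above, the sample text is a constructed, trimmed copy of a few of those lines, and the "lnk-worm pattern" and "needs manual review" rules are my own heuristics (a drive where decoy .lnk files were removed but no .vbs payload was found on the same drive, or where an action failed, still deserves a look).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the AllScans.txt excerpts quoted in this thread.
SAMPLE_LOG = r"""
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
13/12/2015 4.14.15 > Drive C: - scan started (Volume ~149 GB, NTFS HDD )...
>>> C:\RECYCLER\AAGPMW7PGDORTSSBVZIAKBUEZNTGKGDZ_2.log - Malware > Deleted. (15.12.13. 04.14 AAGPMW7PGDORTSSBVZIAKBUEZNTGKGDZ_2.log.432690; MD5: d41d8cd98f00b204e9800998ecf8427e)
=> Malicious files   : 1/1 deleted.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
13/12/2015 4.19.01 > Drive E: - scan started (SP UFD U2 ~3832 MB, FAT32 flash drive )...
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
13/12/2015 4.19.28 > Drive E: - scan started (MARELLA ~1902 MB, FAT32 flash drive )...
>>> E:\autorun.inf > Suspicious > Renamed. (MD5: cc28d43628f5c2e7f2d2359aa2622653)
=> Suspicious files  : 1/1 renamed.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
13/12/2015 6.45.06 > Drive E: - scan started (REGISTRA1GB ~964 MB, FAT flash drive )...
---> E:\SergeLeLama.vbs > unhidden.
>>> E:\SergeLeLama.lnk - Malware > Deleted. (15.12.13. 06.45 SergeLeLama.lnk.998898; MD5: 6a574553c35c1c7c8b6c3a8c664f4f22)
>>> E:\SergeLeLama.vbs - Suspicious > Renamed. (MD5: 304439a2e8278f31e4e42dd145c65b48)
=> Malicious files   : 1/1 deleted.
=> Suspicious files  : 1/1 renamed.
"""

# Line shapes taken from the log: the "scan started" header, a verdict line, a failed action, an unhidden item.
DRIVE_RE = re.compile(r"> Drive (?P<drive>[A-Z]:) - scan started \((?P<label>.*?) ~(?P<size>\d+ ?[GM]B), (?P<fs>\S+) (?P<kind>.*?) \)")
FINDING_RE = re.compile(r"^>>> (?P<path>.+?) (?:-|>) (?P<verdict>Malware|Suspicious)(?: \(folder\))? > (?P<action>Deleted|Renamed)\.")
FAILED_RE = re.compile(r"^>>> (?P<path>.+?) > Action failed\.")
UNHIDDEN_RE = re.compile(r"^---> (?P<path>.+?) > unhidden\.")
MD5_RE = re.compile(r"MD5: ([0-9a-f]{32})")


@dataclass
class Finding:
    path: str
    verdict: str   # "Malware" or "Suspicious"
    action: str    # "Deleted" or "Renamed"
    md5: str | None


@dataclass
class DriveScan:
    drive: str
    label: str
    size: str
    filesystem: str
    kind: str
    findings: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    unhidden: list = field(default_factory=list)
    clean: bool = False


def parse_allscans(text: str) -> list[DriveScan]:
    """Split an AllScans.txt report into one DriveScan per 'scan started' block."""
    scans: list[DriveScan] = []
    cur: DriveScan | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVE_RE.search(line)
        if m:
            cur = DriveScan(m["drive"], m["label"], m["size"], m["fs"], m["kind"])
            scans.append(cur)
            continue
        if cur is None:
            continue  # banner / version lines before the first drive header
        if (m := FINDING_RE.match(line)):
            h = MD5_RE.search(line)
            cur.findings.append(Finding(m["path"], m["verdict"], m["action"], h.group(1) if h else None))
        elif (m := FAILED_RE.match(line)):
            cur.failed.append(m["path"])
        elif (m := UNHIDDEN_RE.match(line)):
            cur.unhidden.append(m["path"])
        elif line == "=> The drive is clean.":
            cur.clean = True
    return scans


def triage(scans: list[DriveScan]) -> list[dict]:
    """Per-drive summary with two heuristic flags (my own rules, not MCShield's)."""
    report = []
    for s in scans:
        malware = [f for f in s.findings if f.verdict == "Malware"]
        suspicious = [f for f in s.findings if f.verdict == "Suspicious"]
        lnk_removed = any(f.path.lower().endswith(".lnk") for f in malware)
        vbs_seen = any(p.lower().endswith(".vbs") for p in [f.path for f in s.findings] + s.unhidden)
        report.append({
            "drive": f"{s.drive} ({s.label}, {s.filesystem} {s.kind})",
            "malware": len(malware),
            "suspicious": len(suspicious),
            "failed": len(s.failed),
            "clean": s.clean,
            # decoy shortcuts plus a .vbs on the same stick: the shortcut-worm pattern described in this thread
            "lnk_worm_pattern": lnk_removed and vbs_seen,
            # shortcuts removed but no payload found here, or an action failed: look at the drive by hand
            "needs_manual_review": bool(s.failed) or (lnk_removed and not vbs_seen),
        })
    return report


if __name__ == "__main__":
    for row in triage(parse_allscans(SAMPLE_LOG)):
        print(row)
```

Feed it the full AllScans.txt instead of SAMPLE_LOG and the output is one row per scan, which makes it easy to see which sticks were only cleaned of decoy shortcuts and which ones still carried the script payload.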


#4 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 13 December 2015 - 03:37 AM

Hello,

 

Do you still have problems?


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash: 

 


#5 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 13 December 2015 - 03:59 AM

Hello there,

 

well, yes and no. The program itself says that there are no problems on the flash disks, as I insert them one by one. However, many of them still exhibit the same problem.

As I enter the disk unit, it displays a link looking like a disk-unit icon, see it for yourself:

[screenshot: dcelgi.jpg]



By viewing the file path (right-click on the icon, Properties), I see it leads to rundll32.exe, but it seems pretty odd to me. Here's the full string:

%SystemRoot%\system32\rundll32.exe  \\\\\\\\\\\{8E6DD2DA-EE97-42C6-973F-6BB45726AFE7}.{FA8973E3-F759-4347-A50D-0C40B66C3CB0},djXRxv7PT0C9dcM7

Is it really all okay?

Also, many days ago I remember seeing a wscript.exe process slowing my PC. I shut it down and I think it never returned, but I'm still not sure everything's fine.

 


Edited by Alchemic, 13 December 2015 - 04:02 AM.
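The two symptoms described in this thread, a single decoy shortcut shown in place of the real files (first post) and a .lnk whose Properties reveal a rundll32.exe command line rather than a document (the post above), can be checked for on a stick without opening anything on it. The following is an added example, not code from the thread or from any tool named in it: it walks the root of a removable drive, validates that each .lnk really carries the Windows shell-link header, searches the shortcut body for interpreter names and script extensions (my own marker list, in both ANSI and UTF-16LE encodings), and pairs each shortcut with a same-named genuine file or folder, since the shortcuts in the log above are named after the part of the original name before the first dot (e.g. Chimica Fisica - Peter W.lnk). The sample drive it scans is constructed in a temporary directory; the hidden-attribute check only works on Windows, and the decoy's command line is a constructed placeholder, not the real one.

```python
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Fixed header of a Windows shell link: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Strings a shortcut to a document on a USB stick has no reason to contain (assumed marker list, mine).
MARKERS = ("rundll32", "wscript", "cscript", "cmd.exe", ".vbs", ".js")
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def link_markers(data: bytes) -> list[str]:
    """Markers present in a .lnk body; StringData may be ANSI or UTF-16LE, so check both encodings."""
    low = data.lower()
    return [m for m in MARKERS if m.encode("ascii") in low or m.encode("utf-16-le") in low]


def is_hidden(p: Path) -> bool:
    # Windows exposes FILE_ATTRIBUTE_HIDDEN (0x2) via st_file_attributes; elsewhere only dot-names count.
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & 0x2) or p.name.startswith(".")


def scan_removable_root(root: Path) -> list[Finding]:
    """Flag autorun.inf, loose scripts, and decoy shortcuts in the root of a removable drive."""
    entries = list(root.iterdir())
    # Group by the name up to the first dot: that is how the worm in this thread names its decoys.
    groups: dict[str, list[Path]] = {}
    for e in entries:
        groups.setdefault(e.name.split(".", 1)[0].lower(), []).append(e)

    findings: list[Finding] = []
    for e in entries:
        name = e.name.lower()
        if name == "autorun.inf":
            findings.append(Finding(str(e), "autorun.inf present on removable media"))
        elif e.is_file() and e.suffix.lower() in SCRIPT_EXT:
            tag = " (hidden)" if is_hidden(e) else ""
            findings.append(Finding(str(e), "script file in drive root" + tag))
        elif e.is_file() and e.suffix.lower() == ".lnk":
            data = e.read_bytes()
            if not data.startswith(LNK_MAGIC):
                findings.append(Finding(str(e), "not a valid shell link header"))
                continue
            hits = link_markers(data)
            if hits:
                findings.append(Finding(str(e), "shortcut launches interpreter: " + ", ".join(hits)))
            key = e.name.split(".", 1)[0].lower()
            shadowed = [s for s in groups.get(key, []) if s != e and s.suffix.lower() != ".lnk"]
            if shadowed:
                tag = " (hidden)" if is_hidden(shadowed[0]) else ""
                findings.append(Finding(str(e), f"decoy shortcut shadowing {shadowed[0].name}{tag}"))
    return findings


def build_constructed_sample(root: Path) -> None:
    """Constructed test drive: a genuine document, a decoy for it, a benign shortcut, autorun.inf, a script."""
    (root / "report.rtf").write_text("genuine document\n")
    # Decoy: real shell-link header, then a constructed placeholder command line (not the one from the thread).
    decoy_cmd = "wscript.exe payload.vbs"
    (root / "report.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + decoy_cmd.encode("utf-16-le"))
    (root / "clean.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + r"C:\Program Files\App\app.exe".encode("utf-16-le"))
    (root / "autorun.inf").write_text("[autorun]\n")
    (root / "payload.vbs").write_text("' constructed placeholder, not a script\n")


def demo() -> list[Finding]:
    """Build the constructed drive in a temp dir, scan it, clean up, return the findings sorted by path."""
    root = Path(tempfile.mkdtemp(prefix="usbtriage_"))
    try:
        build_constructed_sample(root)
        return sorted(scan_removable_root(root), key=lambda f: (f.path, f.reason))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

Pointed at a real stick (`scan_removable_root(Path("E:\\"))`) the same checks apply; a shortcut that both contains an interpreter name and shadows a same-named hidden item is exactly the symptom the two posts describe, while `clean.lnk` in the sample shows that an ordinary shortcut produces no finding.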


#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 13 December 2015 - 04:07 AM

Ok, leave MCShield on your PC for now, we will do other checks. 

------

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

§  Flush DNS

§  List content of Hosts

§  List Winsock Entries

§  List last 10 Event Viewer log

§  List Installed Programs

§  List Devices

§  List Users, Partitions and Memory size.

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

-------

 

Please download Rkill to your Desktop.

There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7, 8 or 10 right-click on it and choose Run As Administrator.

§  A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

--------

 

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

 

§  Double-click mbam-setup-2.x.x.xxxx.exe and follow the prompts to install the program.

§  At the end, be sure a checkmark is placed next to the following:
 

o    Launch Malwarebytes Anti-Malware

o    A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

 

§  Click Finish.

§  On the Dashboard, click the 'Update Now >>' link

§  After the update completes, on the Settings tab, under Detection and Protection, set the following options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the 'Scan Now >>' button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, then click on Yes.

If you already have MBAM 2.0 installed:
 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on the Settings tab, under Detection and Protection, set the following options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, then click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

------


Edited by severac, 13 December 2015 - 04:08 AM.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash: 

 


#7 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 13 December 2015 - 05:54 AM

Hello again,

 

here's MTB logfile:


MiniToolBox by Farbar  Version: 02-11-2015
Ran by Administrator (administrator) on 13-12-2015 at 10:16:04
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Model:  Manufacturer:
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Configurazione IP di Windows



Svuotata la cache del resolver DNS.

========================= Hosts content: =================================
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 20 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 21 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 22 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 23 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 24 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 25 C:\WINDOWS\system32\mswsock.dll [247296] (Microsoft Corporation)
Catalog9 26 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 27 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/13/2015 09:41:44 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/13/2015 07:32:28 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/13/2015 06:37:23 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/13/2015 04:07:37 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 10:07:04 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 10:06:33 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 09:42:57 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 09:42:14 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 09:35:40 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.

Error: (12/12/2015 09:34:18 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Impossibile registrare lo stato della sessione di Gruppo di criteri risultante. Tentativo di connessione a WMI non riuscito. Non verrà più eseguita alcuna registrazione di Gruppo di criteri risultante per questa applicazione di criteri.


System errors:
=============
Error: (12/13/2015 10:16:04 AM) (Source: DCOM) (User: MAXI-1BE355E6A5)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:53:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (12/13/2015 09:52:14 AM) (Source: DCOM) (User: MAXI-1BE355E6A5)
Description: DCOM ha ricevuto l'errore "%%1058" durante il tentativo di avviare il servizio winmgmt con gli argomenti ""
per eseguire il server
{8BC3F05E-D86B-11D0-A075-00C04FB68820}


Microsoft Office Sessions:
=========================
Error: (12/13/2015 09:41:44 AM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/13/2015 07:32:28 AM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/13/2015 06:37:23 AM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/13/2015 04:07:37 AM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 10:07:04 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 10:06:33 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 09:42:57 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 09:42:14 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 09:35:40 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:

Error: (12/12/2015 09:34:18 PM) (Source: Userenv)(User: NT AUTHORITY)
Description:


=========================== Installed Programs ============================

3nity CD DVD BURNER 2.0.1 (HKLM\...\{70E0BA9E-5978-4E83-A269-77BDB7A79F23}_is1) (Version:  - 3nity Softwares)
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
Aggiornamento della protezione per Windows XP (KB923789) (HKLM\...\KB923789) (Version:  - Microsoft Corporation)
Aggiornamento rapido per Windows XP (KB942288-v3) (HKLM\...\KB942288-v3) (Version: 3 - Microsoft Corporation)
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Balabolka (HKLM\...\Balabolka) (Version: 2.05 - Ilya Morozov)
CCleaner (HKLM\...\CCleaner) (Version: 5.00 - Piriform)
eMule (HKLM\...\eMule) (Version:  - )
Er Finestra (HKLM\...\Er Finestra) (Version: 2.5.1.0 - DaNieLz Works 2002)
EVEREST Ultimate Edition v5.50 (HKLM\...\EVEREST Ultimate Edition_is1) (Version: 5.50 - Lavalys, Inc.)
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 6.1.5.624 - Foxit Corporation)
Free Screen Video Recorder (HKLM\...\Free Screen Video Recorder_is1) (Version: 3.0.9.1019 - DVDVideoSoft Ltd.)
Free YouTube Download version 3.0.815 (HKLM\...\Free YouTube Download_is1) (Version:  - DVDVideoSoft Ltd..)
Google Books Downloader version 2.5 (HKLM\...\{216729B6-014A-F413-814F-F17F74FBA113}_is1) (Version: 2.5 - GBOOKSDOWNLOADER.COM)
Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.80 - Google Inc.)
Google Earth (HKLM\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.1 - Google Inc.) Hidden
HP USB Disk Storage Format Tool (HKLM\...\{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}) (Version:  - )
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java Auto Updater (HKLM\...\{4A03706F-666A-4037-7777-5F2748764D10}) (Version: 2.8.45.14 - Oracle Corporation) Hidden
K-Lite Codec Pack 11.5.3 Full (HKLM\...\KLiteCodecPack_is1) (Version: 11.5.3 - )
Lernout & Hauspie TruVoice American English TTS Engine (HKLM\...\tv_enua) (Version:  - )
MCShield ::Anti-Malware Tool:: (HKLM\...\MCShield) (Version: 3.0.5.28 - MyCity)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile - Language Pack (ITA) (HKLM\...\Microsoft .NET Framework 4 Client Profile ITA Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended - Language Pack (ITA) (HKLM\...\Microsoft .NET Framework 4 Extended ITA Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850410-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Server Speech Recognition Language - TELE (en-US) (HKLM\...\{66D57636-BD4B-402F-9E7D-5E89C28C8136}) (Version: 11.0.7400.335 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Speech Platform SDK (x86) v11.0 (HKLM\...\{A946A6CC-E9F2-44A8-9A8D-095C756AF4EB}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Speech Recognition Engine 4.0 (English) (HKLM\...\MSCSR) (Version:  - )
Microsoft User-Mode Driver Framework Feature Pack 1.9 (HKLM\...\Wudf01009) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 it) (HKLM\...\Mozilla Firefox 42.0 (x86 it)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
MSVC80_x86_v2 (HKLM\...\{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}) (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x86 (HKLM\...\{AF111648-99A1-453E-81DD-80DBBF6DAD0D}) (Version: 1.0.1.2 - Nokia) Hidden
nLite 1.4.9.1 (HKLM\...\nLite_is1) (Version: 1.4.9.1 - Dino Nuhagic (nuhi))
Nokia Connectivity Cable Driver (HKLM\...\{29373274-977E-413C-A4DE-DC0F8E80C429}) (Version: 7.1.172.0 - Nokia)
Nokia Suite (HKLM\...\{0C808377-8C23-44ED-9016-05F42E6D4900}) (Version: 3.8.30.0 - Nokia) Hidden
Nokia Suite (HKLM\...\Nokia Suite) (Version: 3.8.30.0 - Nokia)
Panda USB Vaccine 1.0.1.4 (HKLM\...\{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1) (Version:  - Panda Security)
PE Builder 3.1.10 (HKLM\...\PE Builder_is1) (Version:  - Bart Lagerweij)
Popcorn Time (HKLM\...\Popcorn Time_is1) (Version: 5.4.0.0 - Popcorn Time)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: 5.12 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 1.99 - Realtek Semiconductor Corp.)
RogueKiller version 10 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 10 - Adlice Software)
Skype™ 7.4 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
SopCast 1.1.0 (HKLM\...\SopCast) (Version: 1.1.0 - )
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
Undelete 360 (HKLM\...\Undelete 360_is1) (Version:  - File Recovery Ltd.)
VC80CRTRedist - 8.0.50727.6195 (HKLM\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WanMiniport1st (HKLM\...\{A9D65D46-3708-4F5B-9117-0199C7098D11}) (Version:  - )
WebFldrs XP (HKLM\...\{350C9410-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
WinRAR 5.30 beta 2 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.2 - win.rar GmbH)
Youtube Downloader HD v. 2.9.9.20 (HKLM\...\Youtube Downloader HD_is1) (Version:  - YoutubeDownloaderHD.com)

=========================
Windows Management Instrumentation service is not running. Could not scan devices
=========================


========================= Memory info: ===================================

Percentage of memory in use: 32%
Total physical RAM: 2014.95 MB
Available physical RAM: 1359.63 MB
Total Virtual: 2582.06 MB
Available Virtual: 2079.63 MB

========================= Partitions: =====================================

2 Drive c: (Volume) (Fixed) (Total:149.05 GB) (Free:89.2 GB) NTFS
4 Drive e: (SP UFD U2) (Removable) (Total:7.49 GB) (Free:7.46 GB) FAT32

========================= Users: ========================================

Account utente per \\MAXI-1BE355E6A5

Administrator            ASPNET                   Guest                    
HelpAssistant            IUSR_MAXI-1BE355E6A5     IWAM_MAXI-1BE355E6A5     
SUPPORT_388945a0         
Esecuzione comando riuscita.


**** End of log ****
 

Here's the rKill logfile: I downloaded rKill from the first link and it worked perfectly on the first try, without needing to go into Safe Mode:

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/13/2015 10:19:48 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\SOUNDMAN.EXE (PID: 1912) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * Strumentazione gestione Windows (winmgmt) is not Running.
   Startup Type set to: Disabled

 * Centro sicurezza PC (wscsvc) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/13/2015 10:21:11 AM
Execution time: 0 hours(s), 1 minute(s), and 23 seconds(s)

 

And here's the MBAM logfile. You should be able to notice that it detected a .vbs worm, which is probably the cause of my USB flash drives' infection, since I think I've already seen that name (and that extension) on a USB pen drive, days ago.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13/12/2015
Scan Time: 10.38.33
Logfile: MBAM txt.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.13.03
Rootkit Database: v2015.12.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402893
Time Elapsed: 49 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent.PL, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|1785421575, "C:\Documents and Settings\All Users\msenqrxhw.exe", Quarantined, [2671594bf5960b2b31f7b8049270b14f]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 9
Ransom.Agent.ED, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\Novicorp-WinToFlash-0-7-0054-beta[1].zip, Quarantined, [781f168ed4b71a1c50276d25d22f9e62],
PUP.Optional.InstallCore, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\mediaplayer_update.exe, Quarantined, [a1f6eeb6305bc96db08581ce44bd52ae],
PUP.Optional.InstallCore, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\programmi\audacity.exe, Quarantined, [2374bbe9187386b0b311b579af52dd23],
PUP.Optional.InstallCore, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\programmi\Malavida_Download_Manager.exe, Quarantined, [9cfb495b711aed4944ee168c3cc826da],
PUP.Optional.InstallCore, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\programmi\sopcast.exe, Quarantined, [f2a5683c494280b611bf5af4b1503fc1],
PUP.Optional.Spigot, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\programmi\VGA Driver Ati 8.33.exe, Quarantined, [296eccd8d8b34cea290e3b679f659967],
Ransom.Agent.ED, C:\Documents and Settings\Administrator\Desktop\carte di bab 06Settembre 2015\Vari File Babbo - Graduatorie - Telecom - Altro\BABBINO xp3264-v1084.53.0809.2011\Novicorp-WinToFlash-0-7-0054-beta.zip, Quarantined, [bfd8b2f27e0d62d485f2e9a9fb0610f0],
Trojan.Agent.PL, C:\Documents and Settings\All Users\msenqrxhw.exe, Delete-on-Reboot, [2671594bf5960b2b31f7b8049270b14f],
Worm.Jenxcus, C:\Documents and Settings\Administrator\Impostazioni locali\temp\ytraccidqf..vbs, Quarantined, [5641a6fe6c1fc96d10690e9607fdde22],

Physical Sectors: 0
(No malicious items detected)


(end)
 



#8 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 13 December 2015 - 08:23 AM

Let's do a scan with Kaspersky, since MBAM found trojans and a worm on your PC.

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Run KVRT.exe.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Inform me if something is detected.

-------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

---------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

---------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#9 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 13 December 2015 - 11:06 PM

Hi again severac,

 

1) KVRT: well, Kaspersky Virus Removal Tool detected about 300 threats. I don't know how to export a logfile from it; if you need me to copy down the names or take a screenshot, just let me know.
However, most of them are "not-a-virus-Adware" and are quarantined in an AdwCleaner folder, so they do not seem to be particularly dangerous.
Yet, I noticed some Trojans and Worm:Vbs:Dinihou.a ...and they are pretty similar to the ones we found in the MBAM logfile.

2) JRT: at first, AdwCleaner didn't load and it kept giving me the "Send Error Report" pop-up. So, I launched JRT first and it was really fast. Here's the logfile:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Microsoft Windows XP x86
Ran by Administrator (Administrator) on 14/12/2015 at  4.31.54,82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\WINDOWS\hgfs.sys (File)
Successfully deleted: C:\WINDOWS\prleth.sys (File)



Registry: 2

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\BDMWrench (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 14/12/2015 at  4.33.46,28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




3) AdwCleaner: I don't know why, but AdwCleaner finally worked. I gave it a try while I was writing you this message - thinking I'd have to tell you about the error - and it worked. To be honest, I've been using AdwCleaner in the past weeks, before meeting you here on BleepingComputer: I'm aware of the usefulness of this software to get rid of toolbars and unwanted web-redirections. I hope this does not interfere with our current observations.
Anyway, here's the logfile I got after the automatic restart:


# AdwCleaner v5.025 - Creato file registro eventi 14/12/2015 in 04:54:34
# Aggiornato 13/12/2015 da Xplode
# Database : 2015-12-13.2 [Server]
# Sistema operativo : Microsoft Windows XP Service Pack 3 (x86)
# Nome utente : Administrator - MAXI-1BE355E6A5
# In esecuzione da : C:\Documents and Settings\Administrator\Desktop\AdwCleaner.exe
# Opzione : Pulizia
# Supporto : http://toolslib.net/forum

***** [ Servizi ] *****

[-] Servizio Eliminato : bd0001
[-] Servizio Eliminato : bd0002
[-] Servizio Eliminato : BDMWrench

***** [ Cartelle ] *****


***** [ File ] *****


***** [ DLLs ] *****


***** [ Collegamenti ] *****


***** [ Attività pianificate ] *****


***** [ Registry ] *****

[-] Chiave Eliminata : HKCU\Software\Microsoft\Tinstalls

***** [ Browser web ] *****


*************************

:: Chiavi "Tracing" eliminatas
:: Impostazioni Winsock azzerate

########## EOF - C:\AdwCleaner\AdwCleaner[C17].txt - [913 byte] ##########
 


Edited by Alchemic, 13 December 2015 - 11:07 PM.


#10 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 13 December 2015 - 11:39 PM

If you have the KVRT log, please copy/paste it or take a screenshot and upload it to sendspace.com


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#11 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 14 December 2015 - 12:02 AM

The logfile is a .ENC1 file. Is this actually normal? The program did not generate a conventional txt logfile.



#12 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 14 December 2015 - 03:06 AM

That is normal. No problem. I thought you had copied it.

 

-------

Do you still have problems? 

 

It is worm malware which spreads through USB. What it is doing now is moving your files/folders into a hidden folder and creating fake shortcuts that have malicious code.

It is possible that all the machines into which you plugged your USB drive may be infected. If you clean your USB drive on your computer and plug it into another computer (that has the worm), it will keep making those shortcuts.

You have to clean all machines into which you plug your USB drive.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:
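As an added example (not code from this thread, from MCShield or from any other tool named above), here is a defender-side Python triage script for the shortcut-worm pattern severac describes: real folders hidden, a script file dropped on the stick, and fake folder shortcuts whose command line launches that script. It builds a constructed stand-in drive layout inline; the names SergeLeLama.vbs (from the first post) and Photos are sample values, and the .lnk inspection is a string heuristic, not a full Shell Link parser.

```python
import re
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Shell Link header: HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
# Command-line fragments a shortcut worm plants so that clicking the fake
# "folder" first runs the dropped script and then opens the real, hidden folder.
SCRIPT_LAUNCH = re.compile(r"(wscript|cscript|cmd\.exe|powershell|\.vbs|\.vbe|\.js|\.bat)", re.IGNORECASE)
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".wsf"}


@dataclass
class Finding:
    kind: str      # shortcut_runs_script | malformed_lnk | script_file | hidden_dir
    path: str      # relative to the drive root
    detail: str = ""


def lnk_text(data: bytes) -> str:
    """Flatten a .lnk payload so both ANSI and UTF-16LE strings become searchable.
    Dropping NUL bytes turns b'c\\x00m\\x00d\\x00' into 'cmd'; good enough for triage."""
    return data.replace(b"\x00", b"").decode("latin-1", errors="replace")


def is_hidden(path: Path) -> bool:
    """Hidden/System attribute check. Only meaningful on Windows (FAT32 sticks
    carry these attributes); on other platforms st_file_attributes is absent."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def triage_drive(root) -> list:
    """Walk a removable drive and report the worm's three tell-tale artefacts."""
    root = Path(root)
    findings = []
    for entry in sorted(root.rglob("*")):
        rel = str(entry.relative_to(root))
        if entry.is_dir():
            if is_hidden(entry):
                findings.append(Finding("hidden_dir", rel, "user folder hidden by the worm?"))
            continue
        suffix = entry.suffix.lower()
        if suffix == ".lnk":
            data = entry.read_bytes()
            if not data.startswith(LNK_MAGIC):
                findings.append(Finding("malformed_lnk", rel, "no Shell Link header"))
                continue
            m = SCRIPT_LAUNCH.search(lnk_text(data))
            if m:
                findings.append(Finding("shortcut_runs_script", rel, m.group(0)))
        elif suffix in SCRIPT_EXT:
            findings.append(Finding("script_file", rel, f"{entry.stat().st_size} bytes"))
    return findings


def build_sample_drive(base) -> Path:
    """Constructed stand-in for an infected stick. The script file is an empty
    placeholder; no worm body is reproduced here."""
    root = Path(base) / "E"
    (root / "Photos").mkdir(parents=True)
    (root / "Photos" / "holiday.txt").write_text("user data\n")
    (root / "SergeLeLama.vbs").write_text("' constructed placeholder, no payload\n")
    # Fake folder shortcut: runs the script, then opens the real folder.
    args = "cmd.exe /c start wscript.exe SergeLeLama.vbs & start Photos"
    (root / "Photos.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + args.encode("utf-16-le"))
    # Benign shortcut for contrast; must not be flagged.
    benign = r"C:\WINDOWS\notepad.exe".encode("utf-16-le")
    (root / "Notes.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + benign)
    return root


if __name__ == "__main__":
    # Usage: python triage.py E:\   (defaults to the constructed sample drive)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive(tempfile.mkdtemp())
    for f in triage_drive(target):
        print(f"{f.kind:22} {f.path:40} {f.detail}")
    # After the scanners above have removed the script, the hidden user folders are
    # restored on Windows with:  attrib -h -s -r /s /d E:\*
```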

 


#13 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 14 December 2015 - 04:04 AM

I do not intend to waste your time, Severac, but the problem is that I cannot open this file and copy/paste its content. There are more than 450 lines and I do not think that providing you with a not fully readable series of screenshots would be really helpful.

Anyway, if I got it right, you're suggesting me to simply scan all of my USB flash disks AND my two PCs with Kaspersky - and that should solve the problem, right?


Edited by Alchemic, 14 December 2015 - 04:22 AM.


#14 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:03:16 AM

Posted 14 December 2015 - 04:32 AM

Anyway, if I got it right, you're suggesting me to simply scan all of my USB flash disks AND my two PCs with Kaspersky - and that should solve the problem, right?

 

Well yes, you should install MCShield on all your computers to make sure you will not be reinfected with worms again and again. And you can scan with Kaspersky or some other AV solution that you use on other PCs. 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#15 Alchemic

Alchemic
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 14 December 2015 - 10:22 AM

Hello again,

 

well, things seem to be going much better. I tried re-inserting the USB flash drives in my PC (after having checked them with MCShield and having analyzed them with Kaspersky) and now they look clean.

I re-scanned my PC with Kaspersky and it only found 24 threats, all of them contained in the System Volume Information folder. I neutralized them all, even if some of them displayed the message "Cure Failed". I made you some screenshots (now, with only 24 lines, it's much easier).

 

[Screenshot: 2805wec.jpg]
Actions performed:

[Screenshot: 99qnol.jpg]

[Screenshot: 2977mg.jpg]
However, since - as you can see - they are contained in the System Volume Information folder, after having neutralized them, I disabled the automatic system restore point creation (deleting all the older ones until today) and then reactivated it. I think this should have got rid of them.

I guess we're done. What do you think? :D

Many thanks for your help and your patience! =)


Edited by Alchemic, 14 December 2015 - 10:24 AM.




