

Infected with shortcut virus that works just on usb drivers added to laptop


  • This topic is locked
9 replies to this topic

#1 renascentist

renascentist

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 07 April 2017 - 02:54 AM

Hello! I have a nasty virus that came into my laptop on a stick. The idea is that it works when I put another USB into my laptop: it makes shortcuts to all the folders in it, and there is also a popup coming up afterwards (I will paste a picture of it). When I don't have a USB or my iPod shuffle inserted, the popup doesn't come up. The strange thing is that if I insert my 500GB external hard drive it doesn't behave like the other ones; actually it doesn't do anything to it.

 

I tried to use the Farbar recovery tool, but it freezes at some point while searching through my files. What should I do next?

 

Thanx!

Attached Files





#2 renascentist

renascentist
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 07 April 2017 - 03:31 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by RENASCENTIST (administrator) on SPACESHEEP (07-04-2017 12:27:07)
Running from C:\Users\RENASCENTIST\Downloads
Loaded Profiles: RENASCENTIST (Available Profiles: RENASCENTIST)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [115048 2011-09-16] (Renesas Electronics Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3734029409-597488573-2934098840-1000\...\Run: [iexplore] => C:\Users\RENASCENTIST\AppData\Local\Temp\uco\svchost.exe [168960 2009-07-14] (Microsoft Corporation) <===== ATTENTION
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{3DA4AA3B-CFF8-4890-AB22-4F850877E40C}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{91F34862-F765-47C3-9982-79D9A2EBAAD6}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: aez9n7st.default
FF ProfilePath: C:\Users\RENASCENTIST\AppData\Roaming\Mozilla\Firefox\Profiles\aez9n7st.default [2017-04-07]
FF Session Restore: Mozilla\Firefox\Profiles\aez9n7st.default -> is enabled.
FF Extension: (Disable Prefetch) - C:\Users\RENASCENTIST\AppData\Roaming\Mozilla\Firefox\Profiles\aez9n7st.default\features\{1a7643ac-c03a-42fc-a5a1-513383922d5c}\disable-prefetch@mozilla.org.xpi [2017-04-05]
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-04-06] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-03-26] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-26] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-01-18] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2836296 2016-12-14] (ESET)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272688 2012-06-25] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3325232 2012-06-25] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2017-02-05] (DT Soft Ltd)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [132272 2017-01-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [180544 2017-01-17] (ESET)
R1 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [70960 2017-01-17] (ESET)
S3 ffusb2audio; C:\Windows\System32\DRIVERS\ffusb2audio.sys [127280 2013-09-25] (Focusrite Audio Engineering Limited.)
S3 NvnUsbAudio; C:\Windows\System32\DRIVERS\nvnusbaudio.sys [54000 2015-06-10] (Novation DMS Ltd.)
S3 XONE_DX; C:\Windows\System32\Drivers\XONE_DX.sys [422640 2011-08-16] (Ploytec GmbH)
S3 XONE_DXM; C:\Windows\System32\drivers\XONE_DXM.sys [31984 2011-08-16] (Ploytec GmbH)
S3 XONE_DX_WDM; C:\Windows\System32\drivers\XONE_DXW.sys [54000 2011-08-16] (Ploytec GmbH)
U1 aswbdisk; no ImagePath
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-07 11:44 - 2017-04-07 11:44 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Local\ESET
2017-04-07 11:39 - 2017-04-07 11:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2017-04-07 11:39 - 2017-04-07 11:39 - 00000000 ____D C:\ProgramData\ESET
2017-04-07 11:39 - 2017-04-07 11:39 - 00000000 ____D C:\Program Files\ESET
2017-04-07 11:29 - 2017-04-07 11:29 - 03139200 _____ (ESET) C:\Users\RENASCENTIST\Downloads\eset_nod32_antivirus_live_installer.exe
2017-04-07 10:15 - 2017-04-07 10:55 - 00021417 _____ C:\Users\RENASCENTIST\Downloads\Addition.txt
2017-04-07 10:14 - 2017-04-07 12:28 - 00007377 _____ C:\Users\RENASCENTIST\Downloads\FRST.txt
2017-04-07 10:14 - 2017-04-07 12:27 - 00000000 ____D C:\FRST
2017-04-07 10:13 - 2017-04-07 10:14 - 02424832 _____ (Farbar) C:\Users\RENASCENTIST\Downloads\FRST64.exe
2017-04-07 09:40 - 2017-04-07 09:40 - 00158300 _____ C:\Users\RENASCENTIST\Downloads\RkU37300505.zip
2017-04-07 09:35 - 2017-04-07 09:35 - 00602112 _____ (OldTimer Tools) C:\Users\RENASCENTIST\Downloads\OTL.exe
2017-04-06 20:32 - 2017-04-07 11:35 - 00000000 ____D C:\Program Files\Common Files\AV
2017-04-06 20:31 - 2017-04-06 20:31 - 00992960 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2017-04-06 20:31 - 2017-04-06 20:31 - 00921280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2017-04-06 20:27 - 2017-04-07 11:35 - 00000000 ____D C:\Program Files\AVAST Software
2017-04-06 20:21 - 2017-04-07 11:35 - 00000000 ____D C:\ProgramData\AVAST Software
2017-04-06 17:13 - 2017-04-06 20:34 - 00000023 _____ C:\Windows\ODBCINST.INI
2017-04-06 17:13 - 2017-04-06 17:13 - 00000000 ____D C:\ProgramData\IBM
2017-04-06 17:12 - 2017-04-06 17:12 - 00000000 ____D C:\Users\RENASCENTIST\Documents\DB2LOG
2017-04-06 14:51 - 2017-04-06 14:51 - 59272008 _____ (Malwarebytes ) C:\Users\RENASCENTIST\Downloads\mb3-setup-consumer-3.0.6.1469-1096.exe
2017-04-06 14:39 - 2017-04-06 14:39 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\autorunexterminator-1.8
2017-04-06 11:42 - 2017-04-06 17:00 - 00000000 ____D C:\Program Files (x86)\AVG
2017-04-06 11:26 - 2017-04-06 17:00 - 00000000 ____D C:\ProgramData\Avg
2017-04-06 11:25 - 2017-04-06 16:59 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Local\AvgSetupLog
2017-04-06 11:25 - 2017-04-06 13:18 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Local\Avg
2017-04-06 09:01 - 2017-04-06 09:01 - 00000000 ____D C:\Users\RENASCENTIST\Documents\tracks on the wishlist
2017-04-05 11:50 - 2017-04-05 11:50 - 00000064 _____ C:\Users\RENASCENTIST\Desktop\123.txt
2017-04-04 22:23 - 2017-04-04 22:23 - 00000133 _____ C:\Users\RENASCENTIST\Desktop\necesare.txt
2017-04-03 18:12 - 2017-04-06 17:00 - 00000000 ____D C:\Users\RENASCENTIST\AppData\LocalLow\uTorrent
2017-04-02 15:24 - 2017-04-02 15:24 - 00954230 _____ C:\Users\RENASCENTIST\Downloads\www.subs.ro_the-wire-sezonul-4-2002.zip
2017-04-02 15:23 - 2017-04-02 15:34 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\The.Wire.S01.1080p.BluRay.x264-ROVERS
2017-04-02 15:17 - 2017-04-03 18:12 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\The.Wire.S01.720p.WEB-DL.DD5.1.H.264-NTb
2017-03-30 22:26 - 2017-03-30 22:26 - 00000000 ____D C:\Windows\usb-audio.deXONE_DX
2017-03-30 22:26 - 2017-03-30 22:26 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\Xone+DX+64bit+Driver+Firmware+2.9.30
2017-03-30 22:26 - 2011-08-16 23:13 - 00422640 _____ (Ploytec GmbH) C:\Windows\system32\Drivers\xone_dx.sys
2017-03-30 22:26 - 2011-08-16 23:13 - 00054000 _____ (Ploytec GmbH) C:\Windows\system32\Drivers\XONE_DXW.sys
2017-03-30 22:26 - 2011-08-16 23:13 - 00031984 _____ (Ploytec GmbH) C:\Windows\system32\Drivers\XONE_DXM.sys
2017-03-30 22:25 - 2017-03-30 22:25 - 01356283 _____ C:\Users\RENASCENTIST\Downloads\Xone+DX+64bit+Driver+Firmware+2.9.30.zip
2017-03-29 22:07 - 2017-03-29 22:07 - 00000500 _____ C:\Users\RENASCENTIST\Desktop\carti.txt
2017-03-29 14:17 - 2017-03-29 14:17 - 00008405 _____ C:\Users\RENASCENTIST\Documents\puncte cadastru.xlsx
2017-03-27 23:02 - 2017-03-27 23:03 - 50766760 _____ C:\Users\RENASCENTIST\Downloads\torbrowser-install-6.5.1_en-US.exe
2017-03-26 01:47 - 2017-03-26 20:45 - 00001259 _____ C:\Users\RENASCENTIST\Documents\traxxxx.txt
2017-03-20 21:38 - 2017-03-20 21:57 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\Metropolis.1927.DVDRip.XviD-SSCT
2017-03-13 17:34 - 2017-03-13 17:43 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\Amanda.Knox.2016.720p.WEBRip.X264-DEFLATE
2017-03-13 02:07 - 2017-03-13 02:07 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\K-PAX.2001.BRRip.Xvid.AC3.RoSubbed-playXD
2017-03-11 00:48 - 2017-03-11 00:50 - 141674753 _____ C:\Users\RENASCENTIST\Downloads\Deep'a & Biri - Basic Cycle.zip
2017-03-09 15:30 - 2017-03-09 15:30 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Roaming\Nero
2017-03-09 15:25 - 2017-03-09 15:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
2017-03-09 15:25 - 2017-03-09 15:25 - 00000000 ____D C:\Program Files (x86)\Nero
2017-03-09 15:17 - 2017-03-09 15:17 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\Nero Burning ROM & Nero Express 2016 v17.0.8000 RePack by MKN
2017-03-09 00:15 - 2017-03-09 15:17 - 00000000 ____D C:\Users\RENASCENTIST\Downloads\Copycat.1995.BDRip.x264.RoSubbed-playSD

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-07 11:55 - 2017-02-07 14:10 - 00000000 ____D C:\Users\RENASCENTIST\AppData\LocalLow\Mozilla
2017-04-07 11:45 - 2009-07-14 08:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-07 11:40 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\inf
2017-04-07 09:33 - 2009-07-14 08:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-06 22:49 - 2017-02-05 20:53 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Roaming\vlc
2017-04-06 20:33 - 2017-01-27 14:28 - 00000000 ____D C:\temp
2017-04-06 17:21 - 2017-02-07 15:11 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Roaming\uTorrent
2017-04-06 14:35 - 2017-02-05 19:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-06 13:31 - 2017-02-10 21:59 - 00000000 ____D C:\Windows\Minidump
2017-04-06 13:31 - 2017-02-05 21:36 - 00000000 ____D C:\ProgramData\Native Instruments
2017-04-06 13:31 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\system32\sysprep
2017-04-06 09:33 - 2017-02-08 15:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-04-06 08:34 - 2009-07-14 07:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-06 08:34 - 2009-07-14 07:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-04-04 15:58 - 2009-07-14 08:08 - 00032626 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-03-26 00:03 - 2017-02-08 01:09 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-26 00:03 - 2017-02-08 01:09 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-26 00:03 - 2017-02-08 01:09 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-26 00:02 - 2017-02-08 01:09 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-26 00:02 - 2017-02-08 01:08 - 00000000 ____D C:\Users\RENASCENTIST\AppData\Local\Adobe

==================== Files in the root of some directories =======

2017-04-06 14:41 - 2017-04-06 14:42 - 0002394 _____ () C:\Users\RENASCENTIST\AppData\Roaming\ICARE.LOG

Files to move or delete:
====================
C:\Users\RENASCENTIST\AppData\Local\Temp\uco\svchost.exe


Some files in TEMP:
====================
2012-11-30 13:24 - 2012-11-30 13:24 - 2685440 _____ (International Business Machines Corporation) C:\Users\RENASCENTIST\AppData\Local\Temp\setup.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2010-11-21 06:24] - [2017-02-05 18:55] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2010-11-21 06:24] - [2017-02-05 18:55] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-03 11:04

==================== End of FRST.txt ============================


Edited by renascentist, 07 April 2017 - 04:29 AM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:13 PM

Posted 08 April 2017 - 08:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3734029409-597488573-2934098840-1000\...\Run: [iexplore] => C:\Users\RENASCENTIST\AppData\Local\Temp\uco\svchost.exe [168960 2009-07-14] (Microsoft Corporation) <===== ATTENTION
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U1 aswbdisk; no ImagePath
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\RENASCENTIST\AppData\Local\Temp\uco\svchost.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

Include that Addition.txt file that was created by the Farbar tool.
I suspect that some other malware commands may have been added to your system.


p.s.
Read this article. If you make a change to your computer settings please let me know what.
https://www.quora.com/Folders-in-my-pendrive-appear-as-shortcuts-when-connected-to-my-PC-What-is-the-problem
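As an added illustration that is not part of nasdaq's instructions or of FRST: the entry FRST marked with "<===== ATTENTION" is a per-user Run key that launches a file named svchost.exe from the user's Temp folder. The PowerShell below, written for this page, audits the Run and RunOnce keys for that kind of autostart: commands that reference user-writable locations, or Windows binary names that resolve outside the Windows directory. It only reports; the key list and the heuristics are this example's own choices.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries for
# the pattern FRST flagged above: a system-binary name launched from %TEMP%.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# User-writable locations where droppers land; legitimate autostarts rarely live here.
$suspectRoots  = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC) | Where-Object { $_ }
# Windows binaries that should only ever execute from the Windows directory.
$systemNames   = @('svchost.exe', 'rundll32.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe')
# Provider metadata that Get-ItemProperty attaches to every result; these are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartExe([string]$command) {
    # Pull the executable out of a Run value: quoted, unquoted with arguments, or a bare name.
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command.StartsWith('"')) {
        $end = $command.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $command.Substring(1, $end - 1) } else { $command.Trim('"') }
    } elseif ($command -match '^(.*?\.exe)') {
        $exe = $Matches[1]
    } else {
        $exe = ($command -split ' ')[0]
    }
    # A bare name such as rundll32.exe is looked up on PATH, as the loader would do.
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $resolved = Get-Command $exe -ErrorAction SilentlyContinue
        if ($resolved) { $exe = $resolved.Source }
    }
    return $exe
}

function Test-Autostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            if (-not $command) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($command)
            $exe      = Get-AutostartExe $command
            $reasons  = @()
            # Check the whole command line, so a DLL handed to rundll32 from Temp is caught too.
            $hit = $suspectRoots | Where-Object { $expanded.IndexOf($_, 'OrdinalIgnoreCase') -ge 0 } | Select-Object -First 1
            if ($hit) { $reasons += "references user-writable location $hit" }
            $name = [IO.Path]::GetFileName($exe)
            if (($systemNames -contains $name) -and -not $exe.StartsWith("$env:SystemRoot\", 'OrdinalIgnoreCase')) {
                $reasons += 'system binary name outside the Windows directory'
            }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $reasons += 'target not found on disk' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $command; Exe = $exe; Reason = ($reasons -join '; ') }
            }
        }
    }
}

Test-Autostarts | Format-List
```

On the log above, the [iexplore] value would be reported twice over: it references the user's Temp folder, and svchost.exe is resolved outside the Windows directory.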

#4 renascentist

renascentist
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 10 April 2017 - 05:10 AM

Eventually I re-installed my Windows because the virus spread over my computer too. Thanx a lot for your help! Right now, what should I do with the infected USBs so I can use them again? I have Windows 10 right now. How could I permanently format them without getting the virus again?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:13 PM

Posted 10 April 2017 - 06:55 AM

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
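To make the drive-level check visible, here is an added PowerShell triage script written for this page; it is not Flash_Disinfector and not part of the thread. Run it against a suspect drive letter: it reports root-level .lnk files that launch an interpreter, executable or script instead of opening a folder, hidden items that such shortcuts stand in for, and any autorun.inf file; with -Remediate it removes the flagged shortcuts, clears the hidden/system attributes, and creates the protective autorun.inf folder the post describes. The -Drive and -Remediate parameters and the extension lists are this example's own assumptions.

```powershell
# Added example (not from the thread): triage a removable drive for the shortcut-worm
# pattern described above and, on request, apply the same autorun.inf folder
# protection that Flash_Disinfector uses. Report-only unless -Remediate is given.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. 'E:'
    [switch]$Remediate
)
$root  = $Drive.TrimEnd('\') + '\'
$shell = New-Object -ComObject WScript.Shell
$skip  = @('System Volume Information', '$RECYCLE.BIN', 'autorun.inf')   # normally hidden entries

function Test-LaunchesCode([string]$target, [string]$arguments) {
    # A genuine folder shortcut targets the folder. A worm shortcut targets an interpreter
    # or script (the payload usually sits in the arguments) and only then opens the folder.
    return ($target -match '\\(cmd|wscript|cscript|powershell|mshta|rundll32)\.exe$') -or
           ($target -match '\.(exe|vbs|vbe|js|jse|bat|cmd|scr|pif)$') -or
           ($arguments -match '\.(exe|vbs|vbe|js|jse|bat|cmd|scr|pif)\b')
}
function Test-Hidden($item) {
    return ([int]($item.Attributes -band ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)) -ne 0)
}

# 1. Root-level shortcuts that launch code, or that stand in for a hidden item of the same name.
$badLinks = foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -File) {
    $sc   = $shell.CreateShortcut($lnk.FullName)
    $twin = Join-Path $root ([IO.Path]::GetFileNameWithoutExtension($lnk.Name))
    $twinHidden = (Test-Path -LiteralPath $twin) -and (Test-Hidden (Get-Item -LiteralPath $twin -Force))
    if ($twinHidden -or (Test-LaunchesCode $sc.TargetPath $sc.Arguments)) {
        [pscustomobject]@{ Shortcut = $lnk.Name; Target = $sc.TargetPath; Arguments = $sc.Arguments; HiddenTwin = $twinHidden }
    }
}
# 2. Hidden/system items at the root: the real folders the worm hid so its shortcuts get clicked.
$hiddenItems = Get-ChildItem -LiteralPath $root -Force | Where-Object { ($skip -notcontains $_.Name) -and (Test-Hidden $_) }
# 3. An autorun.inf FILE at the root is a worm artefact; a FOLDER of that name is the protection.
$inf       = Join-Path $root 'autorun.inf'
$infIsFile = Test-Path -LiteralPath $inf -PathType Leaf

Write-Output "Suspicious shortcuts on ${Drive}:"
$badLinks | Format-Table -AutoSize
Write-Output "Hidden/system items on ${Drive}:"
$hiddenItems | Select-Object Name, Attributes | Format-Table -AutoSize
if ($infIsFile) { Write-Output "autorun.inf FILE present on ${Drive}; review its contents before removal" }

if ($Remediate) {
    foreach ($b in $badLinks) { Remove-Item -LiteralPath (Join-Path $root $b.Shortcut) -Force }
    foreach ($h in $hiddenItems) { attrib -h -s -r $h.FullName }      # make the real folders visible again
    if ($infIsFile) { Remove-Item -LiteralPath $inf -Force }
    if (-not (Test-Path -LiteralPath $inf)) {
        # Same idea as Flash_Disinfector: a hidden, read-only folder named autorun.inf
        # blocks a worm from dropping a file of that name on the drive.
        New-Item -ItemType Directory -Path $inf | Out-Null
        attrib +h +s +r $inf
    }
}
```

Run it first without -Remediate and read the report; the drive's own data folders are only ever un-hidden, never deleted.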

#6 renascentist

renascentist
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 10 April 2017 - 10:01 AM

The software doesn't work. I also tried to download the application from another site, and it doesn't run when I click it, even with the antivirus turned off.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:13 PM

Posted 10 April 2017 - 10:27 AM

I just downloaded the application from the link I gave you.

Check in your download folder if it's there.

Or possibly your virus protection software is sending it to its quarantine folder.

#8 renascentist

renascentist
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 10 April 2017 - 10:39 AM

I found the application on my computer. I double-click on it, I accept when it asks me if I trust the download, and then nothing happens. I've disabled Windows Defender for a while.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:13 PM

Posted 11 April 2017 - 07:55 AM

Please run the Farbar tool one more time.

Copy and paste the FRST and Addition.txt with your next reply.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:13 PM

Posted 17 April 2017 - 08:27 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



