
When I plug my USB into my computer, a virus hides my files and creates a shortcut called "My removable device(112G)".

If I check shortcut's properties it shows this path "C:\WINDOWS\system32\rundll32.exe ~$WON.FAT32,_rev@16 desktop.ini R3T TLS " ".

Please help.

I can't seem to gain the logs from DSS; it hangs at about 75% completed. Any other way?

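Added example, not part of the original post and not code from any tool named in this thread: a triage check for a shortcut Target string like the one quoted above, where rundll32.exe is handed a module that is not a DLL. The function names, the extension list and the `on_removable` flag are assumptions made for this illustration.

```python
import ntpath
import re

# Module extensions rundll32 is normally given (assumption of this heuristic).
EXPECTED_EXT = {".dll", ".cpl", ".ocx"}


def split_target(target):
    """Split a shortcut Target string into (executable, argument string)."""
    target = target.strip()
    if target.startswith('"'):                      # quoted executable path
        end = target.find('"', 1)
        if end != -1:
            return target[1:end], target[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.(?:exe|com))(?:\s+(.*))?$", target)
    if m:                                           # unquoted, may hold spaces
        return m.group(1), (m.group(2) or "").strip()
    exe, _, rest = target.partition(" ")
    return exe, rest.strip()


def assess_shortcut(target, on_removable=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    exe, args = split_target(target)
    if ntpath.basename(exe).lower() not in ("rundll32.exe", "rundll32"):
        return []
    # rundll32 syntax: <module>,<entry point> [arguments]
    module = args.partition(",")[0].strip().strip('"')
    findings = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in EXPECTED_EXT:
        findings.append(f"module {module!r} has extension {ext or '(none)'}")
    if on_removable and not ntpath.isabs(module):
        findings.append(f"module {module!r} is a relative path on removable media")
    return findings


# Target string quoted in the post above.
REPORTED = r'C:\WINDOWS\system32\rundll32.exe ~$WON.FAT32,_rev@16 desktop.ini R3T TLS " "'
# Constructed benign sample for comparison.
BENIGN = r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'

if __name__ == "__main__":
    for sample in (REPORTED, BENIGN):
        print(assess_shortcut(sample) or "nothing flagged", "<-", sample)
```

The check works on the Target text alone, so it can be run on a value copied from the shortcut's properties without opening anything on the drive.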

Hello arifamin and welcome to MalwareBytes forum.

Let me suggest, if you're an MBAM customer, you contact the consumer help desk here.

If you are in an organization or a corporate customer, contact Corporate Support for assistance.

If you do that, do let me know.

What Windows version is on this system? XP, Vista, Windows 7, Windows 8? It helps to know which one is installed.

What antivirus program is installed on this system? Please tell us.

You likely need to turn off your antivirus before trying to start the DDS tool.

By the way, that USB flash-drive must be infected. So unplug it and secure it somewhere and do NOT use it --- until & unless we give the all clear.

We will need a DDS log at some point before we get too far along.

For now, do as much of the following as you can. And by the way, always Copy & Paste the contents of your logs inline within main-body of reply.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.

If you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Step 2

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller


How is it going? Are you still with us?

Hi Maurice

I have the same problem with my external hard disc.

I cannot see my files inside of my hard disc and there is a shortcut of my hard disc inside the HDD.

I have done the processes that you said and I am sending the reports.

First report

Program started at: 03/09/2013 12:11:49 AM in x86 mode.

Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.

Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 03/09/2013 12:11:58 AM

Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)

Second Report

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : Altan [Admin rights]

Mode : Scan -- Date : 03/09/2013 00:14:31

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:8555) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[299] : NtRequestWaitReplyPort @ 0x8307BA0A -> HOOKED (Unknown @ 0x8E4C8BD0)

SSDT[316] : NtSetContextThread @ 0x8311B637 -> HOOKED (Unknown @ 0x8E4C8BCB)

SSDT[347] : NtSetSecurityObject @ 0x8303F725 -> HOOKED (Unknown @ 0x8E4C8BD5)

SSDT[368] : NtSystemDebugControl @ 0x830C35E2 -> HOOKED (Unknown @ 0x8E4C8BDA)

S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8E4C8BEE)

S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8E4C8BF3)

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250410AS ATA Device +++++

--- User ---

[MBR] 6f57a0fb6fb157c91bb492ca6f083277

[bSP] 6f94ad563cc62284c21420da70d7a99e : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 49999 Mo

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102398310 | Size: 188465 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_03092013_02d0014.txt >>

RKreport[1]_S_03092013_02d0014.txt


@ Standartuye

In this sub-forum, the policy is not to do any "me too / piggy-backing".

One member only per thread. Start your own new topic or contact the Consumer Help Desk if you have MBAM PRO.

Let me suggest, if you're an MBAM customer, you contact the consumer help desk here.

If you are in an organization or a corporate customer, contact Corporate Support for assistance.

Otherwise, Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Follow this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post there the contents of MBAM scan log & the DDS logs

Don't post your logs here.

This topic is now closed to further replies.