
Partition virus?



Ack... I put a USB thumb drive in my computer today after it had recently been on my girlfriend's computer, scanned it with MBAM and Avira, nothing found.

However, now the other main external drive I have, a 750GB Maxtor, has the 'unknown' icon next to it and while the drive name is like it was before, when I look at the USB drive in the Maxtor Manager program it has a bunch of Kanji characters or something for the partition name. In addition, if I open up the (Vista) Drive Manager it immediately says the drive needs to have its MBR fixed before it is usable. Note that the USB thumb drive is no longer connected.

I ran a full MBAM scan and nothing came up, I ran HijackThis (downloaded today) and here are both of the logs. Note the MBAM scan was run on the C: drive, but the E: USB drive doesn't seem to scan. It doesn't complain, it just finishes right away without scanning anything on E:... same for Avira AntiVir.

I attached (I think) a screen shot of the Maxtor Manager and that scary partition name. Also NOTE: I'm pretty sure the characters have changed since the last time I looked at it! e.g. I know that it didn't end in 'CU'. This is scaring the bejeezus outta me... I thought I was so careful.

Please help if possible. I thank you.

HIJACK THIS log:

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:19:51 AM, on 4/2/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\SecureCRT\SecureCRT.EXE

C:\Users\jeffg\AppData\Roaming\Google\Google Talk\googletalk.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\taskeng.exe

C:\Windows\explorer.exe

C:\Program Files\Password Agent\PwAgent.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [googletalk] C:\Users\jeffg\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

--

End of file - 8394 bytes

MBAM log: selected C:\

-------------------------------------------------

Malwarebytes' Anti-Malware 1.35

Database version: 1933

Windows 6.0.6001 Service Pack 1

4/2/2009 12:54:40 PM

mbam-log-2009-04-02 (12-54-40).txt

Scan type: Full Scan (C:\|)

Objects scanned: 415379

Time elapsed: 1 hour(s), 31 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM log: selected E:\

-------------------------------------------------

Malwarebytes' Anti-Malware 1.35

Database version: 1933

Windows 6.0.6001 Service Pack 1

4/2/2009 10:54:22 AM

mbam-log-2009-04-02 (10-54-22).txt

Scan type: Full Scan (E:\|)

Objects scanned: 58630

Time elapsed: 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Can you put the USB thumb drive back into the other computer and see what it looks like? Is there any special encryption software running on your girlfriend's computer?

If neither computer can read the disk then it would appear something has happened to damage the data structure.


The USB thumb drive reads fine on my GF's computer and on my Mac laptop.

But that thumb drive isn't my main concern now... it's the partition name on my other backup drive, my Maxtor USB external.

Even though the MBAM log says it scanned all those files for the E:\ scan above, it didn't do anything on E:... it scanned a bunch of stuff on the C:\ drive (which I figured was standard critical stuff that it scans regardless of which drive you pick) and then finished saying it found nothing.

But as you can see from the screen shot, that 750MB drive's partition has some Asian characters (Kanji? Chinese? not sure) and I remember partition virii from a while back and thought 'oh no'...

Finally finished an Avira scan... Avira Antivir is giving me a:

Master Boot sector HD1

[WARNING] System error [20001]:

[INFO] please restart search with Admin rights

Boot sector 'E:\'

[WARNING] System error [999]: Error performing operation.

[INFO] please restart with Admin rights

But I haven't found anything for those exact errors yet via Google searches...

.....

So if neither MBAM nor AntiVir (or HijackThis) can actually access the drive... they can't see if it's a virus...

However, the drive is currently MOUNTED and I can select it in the explorer and see the files/folders...

Should I go to the Avira forums for the above? Or is there any other scanner you think I can run?

  • Root Admin

Sort of a Catch-22. It could be a hardware glitch. If it is a partition-related virus you don't really want to reboot, but it could just be a hardware/memory/software glitch.

Try to unmount and then unplug the drive. Then shut down your main computer, since AV and MBAM say it's clean. Leave it powered off for a couple of minutes. Then start it back up with the USB external still disconnected. Then rescan the PC with AV and updated MBAM. Then, assuming all is still clean, attach the USB external drive again and see if you're still having the same issue or not.

If you are, then click on Start, type CMD in the search box, right-click on CMD in the menu and choose Run As Administrator.

Then type in the following, assuming the USB external is still the E: volume.

CHKDSK E: /F

If it asks to unmount it to run the disk check say yes.
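What Disk Management is looking at when it reports that the MBR needs fixing, and what the Root Admin means by a damaged data structure: an added example, not code from this thread or from Malwarebytes, that parses the 512-byte master boot record and flags the structural damage a partition-table check would notice (missing boot signature, junk status bytes, partitions overlapping or running past the end of the disk). The disk size, the good MBR and the damaged copy are constructed sample data.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries follow the boot code
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(mbr: bytes, disk_sectors: int) -> list:
    """Return the structural problems found in a 512-byte MBR (empty list means it looks sane)."""
    if len(mbr) != SECTOR:
        return ["MBR is %d bytes, expected %d" % (len(mbr), SECTOR)]
    problems = []
    if mbr[510:512] != b"\x55\xAA":
        problems.append("boot signature 0x55AA missing or overwritten")
    used = []  # (entry index, first sector, end sector) of non-empty entries seen so far
    for i in range(4):
        e = parse_entry(mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
        if e["status"] not in (0x00, 0x80):          # only "inactive" and "active" are valid
            problems.append("entry %d: invalid status byte 0x%02X" % (i, e["status"]))
        if e["type"] == 0:                           # empty slot: every other field must be zero
            if e["lba_start"] or e["sectors"]:
                problems.append("entry %d: empty type but non-zero LBA fields" % i)
            continue
        end = e["lba_start"] + e["sectors"]
        if e["sectors"] == 0 or end > disk_sectors:
            problems.append("entry %d: sectors %d..%d do not fit a %d-sector disk" % (i, e["lba_start"], end, disk_sectors))
        for j, start_j, end_j in used:
            if e["lba_start"] < end_j and start_j < end:
                problems.append("entry %d overlaps entry %d" % (i, j))
        used.append((i, e["lba_start"], end))
    if sum(1 for i in range(4) if mbr[TABLE_OFFSET + 16 * i] == 0x80) > 1:
        problems.append("more than one partition marked active")
    return problems


def build_mbr(entries: list) -> bytes:
    """Assemble a constructed MBR: zeroed boot code, up to four entries, valid 0x55AA signature."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


DISK_SECTORS = 1_465_149_168      # constructed: a 750 GB disk with 512-byte sectors
GOOD_MBR = build_mbr([(0x80, 0x07, 2048, DISK_SECTORS - 2048)])   # one active NTFS partition
# constructed damage: junk in the first status byte and the boot signature overwritten
BAD_MBR = GOOD_MBR[:TABLE_OFFSET] + b"\xE5" + GOOD_MBR[TABLE_OFFSET + 1:510] + b"\xC5\x55"

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, DISK_SECTORS), check_mbr(BAD_MBR, DISK_SECTORS))
```

Reading the real first sector of a physical drive needs an elevated prompt, which is the same access Avira asked for in the boot-sector errors quoted above.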


Hi,

Well, I basically did what you advised and I think I am OK. The external drive had to fix stuff in the partition table, so I'm not sure if something was there or not... Did a full scan of the drive with Avira last night and will run MBAM on it shortly, but Avira found nothing alarming.

Is it possible that a virus has already hid itself from even the scanners? Yeah, I know I'm super paranoid, but I guess I'm just wondering how much you can do before you're *sure* you're not infected. The more I read about rootkits the more alarmed I get...

I've seen some posts online about the virus hiding in System Restore and you need to disable that before you scan, and possibly also scan in safe mode? Would that be worth doing?

Thanks for your help. Hoping it was a driver glitch, but I think I might install ZoneAlarm again or something so I see every little outgoing complaint. (which usually confuses me more. :) )

  • Root Admin

Okay, great. Glad all is okay for you now.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
