Solved: Can't explore drives using double click command

Discussion in 'Virus & Other Malware Removal' started by cromaczs07, Dec 11, 2007.

Thread Status:
Not open for further replies.
  1. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    Problems encountered:
    1. can't double click open drives
    2. when double clicked, CMIII will run in the background
    3. it is reflected in the process as svchosts.exe

    Attached are:
    HJT and Combo fix logs.

    Thanks for your attention and help
     

    Attached Files:

  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Hi, cromaczs07 :)

    Welcome.
    • Insert your Flash drives into the computer.
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Code:
    File::
    F:\krag.exe
    F:\svchosts.exe
    D:\svchosts.exe
    G:\ntdelect.com
    C:\Windows\maskrider2001.vbs
    C:\Documets and Settings\rdp_acda\Local Sttings\Temp\iogiomriELLE.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "svchosts"=-
    "svchosts.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspml]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d6a0ded-3e37-11dc-9371-00112f0592d9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{184f1c4b-9d8b-11dc-93f1-00055d30a4dc}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{420f7b1d-3995-11dc-936c-00112f0592d9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf28bea7-dcf3-11db-92d0-00112f0592d9}]
    
    [​IMG]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log. Please post the reports. No need to attach them.
     
  3. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    ComboFix 07-12-09.1 - rdp_acda 2007-12-12 12:02:55.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.62 [GMT 8:00]
    Running from: C:\Documents and Settings\rdp_acda\Desktop\ComboFix(2).exe
    Command switches used :: C:\Documents and Settings\rdp_acda\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Documets and Settings\rdp_acda\Local Sttings\Temp\iogiomriELLE.dll
    C:\Windows\maskrider2001.vbs
    D:\svchosts.exe
    F:\krag.exe
    F:\svchosts.exe
    G:\ntdelect.com
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\svchosts.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
    .

    2007-12-11 17:02 . 2007-12-11 17:02 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-11 17:02 . 2007-12-11 17:02 <DIR> d-------- C:\Documents and Settings\rdp_acda\Application Data\Lavasoft
    2007-12-10 10:02 . 2007-12-10 10:02 <DIR> d-------- C:\Documents and Settings\Administrator.SED-RACHELLE\Application Data\Yahoo! Messenger
    2007-12-04 16:31 . 2006-10-27 16:26 69,632 --a------ C:\WINDOWS\system32\vuins32.dll
    2007-12-04 16:31 . 2007-09-21 19:24 43,520 --a------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
    2007-12-03 13:15 . 2007-12-06 17:25 <DIR> d-------- C:\Documents and Settings\rdp_acda\Application Data\SAS
    2007-11-28 09:40 . 2007-11-28 09:40 <DIR> d-------- C:\Documents and Settings\rdp_acda\WINDOWS
    2007-11-21 17:04 . 2001-10-17 20:59 25,434 -ra------ C:\WINDOWS\system32\drivers\DLKRTS.SYS
    2007-11-21 16:23 . 2007-11-21 16:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
    2007-11-20 04:30 . 2007-11-20 04:31 753,664 --a------ C:\WINDOWS\system32\$$TEMP$$.~~~
    2007-11-17 16:46 . 2007-11-17 17:19 356 --a------ C:\WINDOWS\pdf2word.INI
    2007-11-17 16:45 . 2007-11-17 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CTdeveloping
    2007-11-17 16:42 . 2007-11-17 16:42 <DIR> d-------- C:\Documents and Settings\rdp_acda\Application Data\CTdeveloping
    2007-11-17 16:01 . 2007-11-17 16:59 <DIR> d-------- C:\Program Files\PDF Editor 2
    2007-11-17 16:01 . 2007-11-17 16:01 74,752 --a------ C:\WINDOWS\cadkasdeinst01e.exe
    2007-11-15 15:35 . 2007-11-15 15:35 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2007-11-15 15:32 . 2007-11-15 15:32 <DIR> d-------- C:\WINDOWS\system32\Logfiles
    2007-11-15 15:32 . 2007-11-15 15:36 <DIR> d-------- C:\Inetpub

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-12 01:05 --------- d-----w C:\Program Files\Rainlendar2
    2007-12-12 01:00 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-12-06 13:31 23,888 ----a-w C:\Documents and Settings\rdp_acda\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-06 09:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-06 09:04 --------- d-----w C:\Program Files\Kiran's Typing Tutor
    2007-11-07 04:01 --------- d-----w C:\Program Files\NCH Swift Sound
    2007-10-29 13:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2007-10-29 13:50 --------- d-----w C:\Documents and Settings\rdp_acda\Application Data\NCH Swift Sound
    2007-03-29 03:47 5,812,560 ----a-w C:\Program Files\objectdock_freeware.exe
    2007-03-28 08:29 3,201,211 ----a-w C:\Program Files\Rainlendar-Pro-2.0.2.exe
    2007-03-28 04:08 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
    2007-07-24 02:16 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_16.41.33.38 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-12-11 08:37:15 215,752 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2007-12-12 01:03:32 215,753 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-01-01 21:31]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 15:33]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]

    C:\Documents and Settings\Rachelle\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-03-28 14:44:37]

    C:\Documents and Settings\rdp_acda\Start Menu\Programs\Startup\
    PopChat.exe [1999-01-30 03:36:42]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-03-28 14:44:37]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-04-02 08:37:25]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-03-29 10:27:32]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS
    R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
    S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b44df05-1f98-11dc-933e-00112f0592d9}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f99eb424-2927-11dc-934e-00112f0592d9}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs

    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-12 12:05:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-12 12:06:38
    C:\ComboFix2.txt ... 2007-12-11 16:42
    .
    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 12:37, on 2007-12-12
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\rdp_acda\Start Menu\Programs\Startup\PopChat.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    \Sed-marco\March2007 USB COPY\others\Tools\HijackThis.exe
    C:\WINDOWS\system32\dumprep.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENPH/SAOS01?FORM=TOOLBR
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: PopChat.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = philrice.local
    O17 - HKLM\Software\..\Telephony: DomainName = philrice.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = philrice.local
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Hi, cromaczs07 :)

    We need to obtain the location of a file added by the VBS.Solow.C worm, maskrider2001.vbs. It is a flash drive infection.

    Please insert your flash drives. Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted, double click on the QueryMountpoints.bat file and post back the report it produces.
     

    Attached Files:
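
The MountPoints2 entries in the ComboFix log above are what tie a drive's shell action to maskrider2001.vbs. As an added example (not part of the original thread, and not the QueryMountpoints.bat attached to it), this Python sketch parses that section of a ComboFix log and lists the volume entries whose command deserves review; the function names and the launcher/extension heuristics are assumptions.

```python
import re

# Excerpt copied from the "Reg Loading Points" section of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b44df05-1f98-11dc-933e-00112f0592d9}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f99eb424-2927-11dc-934e-00112f0592d9}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
MOUNT_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<vol>\{[0-9a-f-]{36}\})$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)

# Assumed heuristics (not from the thread): launchers and extensions worth a second look.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
RISKY_EXTS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".scr", ".pif", ".com")
# File names the helper listed under File:: in the CFScript earlier in the thread.
NAMES_FROM_THREAD = {"krag.exe", "svchosts.exe", "ntdelect.com", "maskrider2001.vbs"}


def parse_mountpoints(log_text):
    """Return {volume_guid: [(verb, command), ...]} for every MountPoints2 key in the log."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        key = KEY_RE.match(line)
        if key:
            vol = MOUNT_RE.search(key.group("key"))
            current = vol.group("vol").lower() if vol else None
            if current:
                entries.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current:
            entries[current].append((cmd.group("verb"), cmd.group("cmd").strip()))
    return entries


def payload_of(command):
    """Drop the RunDLL32 ShellExec_RunDLL wrapper and return what is actually launched."""
    marker = "shellexec_rundll"
    idx = command.lower().find(marker)
    return command[idx + len(marker):].strip() if idx != -1 else command


def review(log_text):
    """Return [(volume, verb, payload, reasons)] for entries matching the heuristics."""
    findings = []
    for vol, cmds in parse_mountpoints(log_text).items():
        for verb, cmd in cmds:
            payload = payload_of(cmd)
            tokens = [t.strip('"').lower() for t in payload.split()]
            names = [t.rsplit("\\", 1)[-1] for t in tokens]
            reasons = []
            if names and names[0] in SCRIPT_HOSTS:
                reasons.append("script host")
            if any(n.endswith(RISKY_EXTS) for n in names):
                reasons.append("script/legacy executable extension")
            if any(n in NAMES_FROM_THREAD for n in names):
                reasons.append("name listed in CFScript")
            if reasons:
                findings.append((vol, verb, payload, reasons))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The setup.exe entry is parsed but not flagged by these heuristics; an entry that is not flagged has not been shown to be clean.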

  5. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    I can't post the log. It's too long. I attached it instead. Thanks J!
     

    Attached Files:

  6. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Please insert your flash drives.

    Then download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted, double click on the batch file and post back the resulting report.

    You can run this batch file on every computer in your network running XP. Make sure the flash drives are inserted. It will delete all autoruns entries from C:\ through G:\.

    Keep me posted.
     

    Attached Files:

  7. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    Thanks J!

    However, some of our PCs have more than G:\ drives. May I request a batch file with a higher range? Maybe up to J:\. Thanks!
     
  8. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    One thing more, J!

    One of the flash drives that I've inserted into one of our computers is infected. It's in G:\ (removable disk).
     
  9. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Run the QueryMountPoints.bat on this computer and post its report.

    The enclosed file will remove all autoruns up to J:\
     

    Attached Files:

  10. cromaczs07

    cromaczs07 Thread Starter

    Joined:
    Feb 20, 2006
    Messages:
    310
    Thank you.

    Here are my observations:

    1. If a flash drive is infected, the batch file you've created will declare that a drive/flash drive is infected.
    My interpretation: it was not cleaned, it is still infected.
    My solution: run ComboFix.

    2. Infected flash drives will continue to be infected even when reformatted.

    3. ComboFix is good at deleting autoruns.
     
  11. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Let me fix this for you.

    1. The batch file will delete the autorun file that calls for the infected files. It does not detect infected files at all.

    2. If the flash drive is formatted, it should also kill any malware within.

    3. Combofix is a powerful tool that should not be used without proper supervision.

    That sounds better. Best wishes!
     

Short URL to this thread: https://techguy.org/661061
