
Thread: Funny pen-drive problem!

  1. #1

    Funny pen-drive problem!

    Hello all:


    I am having a weird problem with USB pen-drives at my office.

    Facts
    ------

    Due to some limitations in the office network (that we are working on), we move data through pen-drives. This is also to train staff initially for an automated environment. Some EOD (end of day) data has to be moved via a PD from the server to the processing computers.

    Problem
    --------
    1) A new Transcend 4GB pen-drive suddenly shows no data, even when the data has been copied and checked from the server. When put in the processing machine, some folders are just gone! Folder icons are changed, with a small arrow on their lower left. This was yesterday.

    2) Today, as soon as the PD is inserted, ESET AV finds a virus and quarantines or deletes the folders to be transferred.

    3) We tried recopying the files from the server; got the message "folder already exists, do you want to overwrite?" But opening the PD we do not see any files at all. Tried hiding/unhiding; shows nothing.

    4) Updated AV, cleaned the machines. Cleaned the PD, even formatted it. The same thing happens all over again. We copy from the server, take it to the processing machine. AV deletes files/folders. When we try to recopy, we get the overwrite message! There is nothing seen on the PD. The PD however easily copies other files.

    5) Two of our older PDs, an APACER 4GB and a TRANSCEND 2GB, had the same problems. I thought it was a disk error. I am guessing some kind of virus on the server. The server is very old and the last IT officer never used a proper AV.

    Do you guys think it is a virus?
    What would be an AV for a server running Win 2000?
    Free?

    Suggestions are welcome.

  2. #2

    Re: Funny pen-drive problem!

    Try avast or Avira. Don't know about ClamWin but it's totally free.

  3. #3

    Re: Funny pen-drive problem!

    If it's Win 7 or Server 2008, try Microsoft Security Essentials; I'm getting good results so far.

  4. #4

    Re: Funny pen-drive problem!

    Microsoft Security Essentials FTW

  5. #5

    Re: Funny pen-drive problem!

    Kaspersky 2012 w/ Trial Resetter.

  6. #6

    Re: Funny pen-drive problem!

    Most viruses, malware, etc. are transferred from device to device through removable media,
    so I'm guessing it's a virus.
    You can try Sunbelt's Vipre Antivirus.
    It's hard to get with crack and stuff, but damn useful and effective.

  7. #7

    Re: Funny pen-drive problem!

    Quote Originally Posted by EyE SpeeD | DeViL
    Kaspersky 2012 w/ Trial Resetter.
    Thanks - will this work on a server?

    ---------- Post added at 11:57 ---------- Previous post was at 11:56 ----------

    Quote Originally Posted by SadmanBD
    Try avast or Avira. Don't know about ClamWin but it's totally free.
    Thanks. Tried AVAST Server edition free version. Did not find any viruses. ClamWin I know about, but it has very feeble cleaning ability.

    ---------- Post added at 11:57 ---------- Previous post was at 11:57 ----------

    Quote Originally Posted by romulus_ut3
    Microsoft Security Essentials FTW
    MSE probably does not work on Windows 2000. Does it?

    ---------- Post added at 11:58 ---------- Previous post was at 11:57 ----------

    Quote Originally Posted by Ra's al Ghul
    If it's Win 7 or Server 2008, try Microsoft Security Essentials; I'm getting good results so far.
    Thanks. WinServer 2008 is protected by NOD32.

    ---------- Post added at 13:39 ---------- Previous post was at 11:58 ----------

    For MS Essentials, genuine Windows is required. Our older servers are otherwise.

    I have some more info. Every time I copy files from the old server to the processing machines, the pen-drive does an auto-run. NOD32 AV flashes saying the Win32 Dorkbot.D worm was found as a threat and cleaned by deleting/quarantined. After cleaning each time, the same thing happens when the PD is inserted.

    How do I get rid of this permanently?

    So I am still not seeing a particular type of folder even when they are copied onto the PD.
    And NOD32 catches the worm, cleans it, deletes the files and the cycle keeps going on.

  8. #8

    Re: Funny pen-drive problem!

    Quote Originally Posted by REVx
    Thanks - will this work on a server?

    ---------- Post added at 11:57 ---------- Previous post was at 11:56 ----------

    Thanks. Tried AVAST Server edition free version. Did not find any viruses. ClamWin I know about, but it has very feeble cleaning ability.

    ---------- Post added at 11:57 ---------- Previous post was at 11:57 ----------

    MSE probably does not work on Windows 2000. Does it?

    ---------- Post added at 11:58 ---------- Previous post was at 11:57 ----------

    Thanks. WinServer 2008 is protected by NOD32.

    ---------- Post added at 13:39 ---------- Previous post was at 11:58 ----------

    For MS Essentials, genuine Windows is required. Our older servers are otherwise.

    I have some more info. Every time I copy files from the old server to the processing machines, the pen-drive does an auto-run. NOD32 AV flashes saying the Win32 Dorkbot.D worm was found as a threat and cleaned by deleting/quarantined. After cleaning each time, the same thing happens when the PD is inserted.

    How do I get rid of this permanently?

    So I am still not seeing a particular type of folder even when they are copied onto the PD.
    And NOD32 catches the worm, cleans it, deletes the files and the cycle keeps going on.
    Should work, haven't tried though.

  9. #9

    Re: Funny pen-drive problem!

    Is there anything out there that will get rid of this Win32 DORKBOT.D worm? Really playing a number on our systems.

  10. #10

    Re: Funny pen-drive problem!

    Quote Originally Posted by REVx
    Is there anything out there that will get rid of this Win32 DORKBOT.D worm? Really playing a number on our systems.
    You can try Hitman Pro. And if needed, burn a rescue tool onto a pen-drive, then boot the PC from USB and check.

    ---------- Post added at 20:32 ---------- Previous post was at 20:18 ----------

    Try using ComboFix.

  11. #11

    Re: Funny pen-drive problem!

    Quote Originally Posted by SadmanBD
    You can try Hitman Pro. And if needed, burn a rescue tool onto a pen-drive, then boot the PC from USB and check.

    ---------- Post added at 20:32 ---------- Previous post was at 20:18 ----------

    Try using ComboFix.
    Thanks a lot. Hitman I have heard of. I have also seen ComboFix mentioned on the net. But its manual says that an experienced person needs to be with you when using it? Is that true?

  12. #12

    Re: Funny pen-drive problem!

    Quote Originally Posted by REVx
    Thanks a lot. Hitman I have heard of. I have also seen ComboFix mentioned on the net. But its manual says that an experienced person needs to be with you when using it? Is that true?
    I used it myself. There was no problem. Just create a Windows restore point before using it.

  13. #13

    Re: Funny pen-drive problem!

    I think this is a worm.

    So first I will try to explain how this kind of worm works, and after that how you can recover the files.

    How they WORK:
    These worms do the following things to make sure they spread.

    1. It will change the attributes of the folders you copied onto the PD in the following ways: it will make them hidden so you can't see them normally, and also make them system folders/files.

    The reason is simple: to hide the original file/folder from the user.

    2. After that they do any of the following things.

    a. Create a shortcut to that folder with the same name. That's why you see an arrow in the bottom left corner of an icon; it is a shortcut. And if you see the properties of that icon you will see that its size is 4KB (which is the normal cluster size. It may differ if you change your cluster size during formatting. Mine is 500B for C: and 64KB for other drives).

    b. Create a shortcut to a hidden executable file (mostly EXE or COM or BAT or PIF; in the case of BAT it will have another executable file) with the icon of your file/folder.

    c. Create an executable file with your file/folder name, with the icon of the file/folder you copied.

    This serves the biggest purpose. Most people will never check the file/folder properties and extension if the file icon is the same and looks OK.
    So when you double-click it, it activates the executable file and infiltrates your PC. This is one of the ways PD viruses migrate from PC to PC.
    And this also opens the proper folder, although it's hidden, so the user can't notice that his PD has been compromised. But you will notice that the folder will open in a different window, not in the PD window, because it opens that path using DOS usually.
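The pattern avas911 describes (original folder made hidden+system, a same-named shortcut or executable left visible as a decoy) plus the auto-run REVx sees on insertion can be triaged from a plain directory listing of the drive root. The script below is an added example written for this thread, not code from any poster or from ESET, ComboFix or Hitman Pro; the function names (`triage`, `restore_commands`, `scan_drive_root`) and the sample listing are constructed, the attribute bits are the standard Windows FILE_ATTRIBUTE_* values, and the live scan needs Windows for `st_file_attributes`. It flags the decoy pairs, the autorun.inf, and any other hidden+system item a user would never create, while leaving Windows' own "System Volume Information" alone, and prints the `attrib` lines that make the originals visible again once the AV has removed the payload.

```python
"""Triage a removable drive's root listing for the folder-hiding worm pattern.
Added example; attribute bits follow winnt.h, the sample listing is constructed."""
import os
from dataclasses import dataclass

# FILE_ATTRIBUTE_* bits from winnt.h
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_DIRECTORY = 0x10
HIDDEN_SYSTEM = ATTR_HIDDEN | ATTR_SYSTEM

# extensions a decoy that impersonates a folder is typically given
DECOY_EXTS = {".lnk", ".exe", ".com", ".bat", ".pif", ".scr"}
# hidden+system names Windows itself creates on a drive; never findings
LEGIT_HIDDEN = {"system volume information", "$recycle.bin", "recycler"}


@dataclass(frozen=True)
class Entry:
    name: str   # name as it appears in the drive root
    attrs: int  # FILE_ATTRIBUTE_* bitmask
    size: int   # bytes


@dataclass(frozen=True)
class Finding:
    kind: str    # "decoy", "autorun" or "hidden-system"
    target: str  # the hidden item (or autorun.inf itself)
    decoy: str   # the visible decoy name, "" when there is none


def is_hidden_system(e: Entry) -> bool:
    """True when both the hidden and system bits are set (the worm's trick)."""
    return e.attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def triage(entries):
    """Pair hidden+system originals with same-named visible decoys."""
    hidden = {e.name.lower(): e for e in entries
              if is_hidden_system(e) and e.name.lower() not in LEGIT_HIDDEN}
    findings, paired = [], set()
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        # a decoy has to stay visible, or nobody would double-click it
        if ext.lower() in DECOY_EXTS and stem.lower() in hidden and not is_hidden_system(e):
            findings.append(Finding("decoy", hidden[stem.lower()].name, e.name))
            paired.add(stem.lower())
    if any(e.name.lower() == "autorun.inf" for e in entries):
        findings.append(Finding("autorun", "autorun.inf", ""))
    for key, e in hidden.items():
        # user data is never hidden+system; flag leftovers even without a decoy
        if key not in paired and key != "autorun.inf":
            findings.append(Finding("hidden-system", e.name, ""))
    return findings


def restore_commands(findings, drive="E:"):
    """attrib lines that make hidden+system items visible again for review.
    -s and -h are cleared together: attrib refuses to drop hidden alone from
    an item that still carries the system bit."""
    return [f'attrib -s -h "{drive}\\{f.target}" /s /d'
            for f in findings if f.kind in ("decoy", "hidden-system")]


def scan_drive_root(root):
    """Live version: read the real attribute bits (Windows only)."""
    entries = []
    with os.scandir(root) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            entries.append(Entry(d.name, getattr(st, "st_file_attributes", 0), st.st_size))
    return triage(entries)


# constructed sample: what an infected pen-drive root tends to look like
SAMPLE = [
    Entry("Reports", HIDDEN_SYSTEM | ATTR_DIRECTORY, 0),
    Entry("Reports.lnk", 0, 4096),                        # shortcut decoy (case a)
    Entry("EOD_Data", HIDDEN_SYSTEM | ATTR_DIRECTORY, 0),
    Entry("EOD_Data.exe", 0, 98304),                      # executable decoy (case c)
    Entry("x7kq.exe", HIDDEN_SYSTEM, 98304),              # hidden payload (case b)
    Entry("autorun.inf", HIDDEN_SYSTEM, 120),
    Entry("Archive", HIDDEN_SYSTEM | ATTR_DIRECTORY, 0),  # decoy already removed by AV
    Entry("Notes.txt", 0, 512),
    Entry("System Volume Information", HIDDEN_SYSTEM | ATTR_DIRECTORY, 0),
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    for f in found:
        print(f"{f.kind:14} {f.target:28} {f.decoy}")
    print("\n".join(restore_commands(found)))
```

Running the script on the sample reports two decoy pairs, the autorun.inf, and two hidden+system leftovers (the payload and the "Archive" folder whose decoy the AV already deleted), and emits four `attrib` lines; "Notes.txt" and "System Volume Information" produce nothing. On a real drive, run the AV first, then `scan_drive_root("E:\\")`, delete the listed decoys by hand, and only then apply the `attrib` lines, since unhiding before cleaning just re-exposes the payload to a double-click.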

  14. #14

    Re: Funny pen-drive problem!

    Quote Originally Posted by avas911
    I think this is a worm.

    So first I will try to explain how this kind of worm works, and after that how you can recover the files.

    How they WORK:
    These worms do the following things to make sure they spread.

    1. It will change the attributes of the folders you copied onto the PD in the following ways: it will make them hidden so you can't see them normally, and also make them system folders/files.

    The reason is simple: to hide the original file/folder from the user.

    2. After that they do any of the following things.

    a. Create a shortcut to that folder with the same name. That's why you see an arrow in the bottom left corner of an icon; it is a shortcut. And if you see the properties of that icon you will see that its size is 4KB (which is the normal cluster size. It may differ if you change your cluster size during formatting. Mine is 500B for C: and 64KB for other drives).

    b. Create a shortcut to a hidden executable file (mostly EXE or COM or BAT or PIF; in the case of BAT it will have another executable file) with the icon of your file/folder.

    c. Create an executable file with your file/folder name, with the icon of the file/folder you copied.

    This serves the biggest purpose. Most people will never check the file/folder properties and extension if the file icon is the same and looks OK.
    So when you double-click it, it activates the executable file and infiltrates your PC. This is one of the ways PD viruses migrate from PC to PC.
    And this also opens the proper folder, although it's hidden, so the user can't notice that his PD has been compromised. But you will notice that the folder will open in a different window, not in the PD window, because it opens that path using DOS usually.
    Thanks @avas911. Though I have researched about the worm and found things on the internet similar to what you said, you explained it more easily.
    And yes, these are the problems I am having at the moment. Yes, the folder has been opening in a different window, using DOS, etc.
    All the symptoms match!

    Now - suggest a remedy without having to rebuild servers and clients.

    The ESET NOD32 we have finds and erases the worms all the time. But the autorun keeps the worm alive.
    I tried AVAST for servers (free version) to no avail.
    Malwarebytes removed many, but not this worm.
    Spybot - Search and Destroy: not much result.

    I ended up having an ESET NOD32 message saying the Win32 Dorkbot.D worm is in operating memory!

    Kaspersky might help?

    Tomorrow I am prepared to clean all machines using COMBOFIX and HITMAN PRO. I'll let you guys know of the results.

    ---------- Post added at 00:40 ---------- Previous post was at 00:40 ----------

    Quote Originally Posted by SadmanBD
    I used it myself. There was no problem. Just create a Windows restore point before using it.
    Did you get good results using ComboFix?
    Do you know how to clean a pen-drive with ComboFix?

  15. #15

    Re: Funny pen-drive problem!

    Quote Originally Posted by REVx
    Did you get good results using ComboFix?
    Do you know how to clean a pen-drive with ComboFix?
    Yes, ComboFix was able to destroy a virus on my PC that no other antivirus could even find. But I don't know how to clean a pen-drive with it. You can also use HijackThis and post the result here.

  16. #16

    Re: Funny pen-drive problem!

    Here is the COMBOFIX log. Would anyone please help interpret?

    ComboFix 11-10-19.01 - Acount 10/19/2011 13:04:13.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1632 [GMT 6:00]
    Running from: I:\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Acount\Application Data\10A.tmp
    c:\documents and settings\Acount\Application Data\117.tmp
    c:\documents and settings\Acount\Application Data\11A.tmp
    c:\documents and settings\Acount\Application Data\11B.tmp
    c:\documents and settings\Acount\Application Data\11D.tmp
    c:\documents and settings\Acount\Application Data\1BF.tmp
    c:\documents and settings\Acount\Application Data\1C0.tmp
    c:\documents and settings\Acount\Application Data\1C1.tmp
    c:\documents and settings\Acount\Application Data\1D2.tmp
    c:\documents and settings\Acount\Application Data\1D3.tmp
    c:\documents and settings\Acount\Application Data\1D4.tmp
    c:\documents and settings\Acount\Application Data\267A.tmp
    c:\documents and settings\Acount\Application Data\2718.tmp
    c:\documents and settings\Acount\Application Data\29D8.tmp
    c:\documents and settings\Acount\Application Data\33EF.tmp
    c:\documents and settings\Acount\Application Data\5D8.tmp
    c:\documents and settings\Acount\Application Data\5D9.tmp
    c:\documents and settings\Acount\Application Data\5DA.tmp
    c:\documents and settings\Acount\Application Data\5DB.tmp
    c:\documents and settings\Acount\Application Data\5DFB.tmp
    c:\documents and settings\Acount\Application Data\5DFC.tmp
    c:\documents and settings\Acount\Application Data\5DFD.tmp
    c:\documents and settings\Acount\Application Data\BD3D.tmp
    c:\documents and settings\Acount\Application Data\BD3E.tmp
    c:\documents and settings\Acount\Application Data\BD3F.tmp
    c:\documents and settings\Acount\Application Data\D9.tmp
    c:\documents and settings\Acount\Application Data\E3.tmp
    c:\documents and settings\Acount\Application Data\E4.tmp
    c:\documents and settings\Acount\Application Data\E5.tmp
    c:\documents and settings\Acount\WINDOWS
    c:\windows\system32\Cache
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-19 06:41 . 2011-10-19 06:48 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-10-19 06:41 . 2011-10-19 06:41 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-10-19 06:38 . 2011-10-19 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-10-18 09:34 . 2011-10-18 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-10-18 08:32 . 2011-10-18 08:32 -------- d-----w- c:\documents and settings\Acount\Application Data\Malwarebytes
    2011-10-18 08:32 . 2011-10-18 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-18 07:13 . 2011-10-18 07:13 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-10-16 09:15 . 2011-10-16 09:15 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2011-10-16 09:13 . 2001-08-23 17:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2011-10-16 09:12 . 2011-10-16 09:15 -------- d-----w- C:\Inetpub
    2011-10-16 09:12 . 2011-10-16 09:12 -------- d-----w- c:\windows\system32\Logfiles
    2011-10-13 06:52 . 2011-10-13 06:52 -------- d-----w- c:\documents and settings\Acount\Application Data\TeamViewer
    2011-10-13 06:49 . 2004-08-05 16:17 17216 ----a-r- c:\windows\system32\drivers\ax88772.sys
    2011-10-11 08:23 . 2004-08-03 18:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2011-10-11 08:23 . 2004-08-03 18:56 21504 ----a-w- c:\windows\system32\hidserv.dll
    2011-10-11 08:23 . 2004-08-03 16:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2011-10-11 08:23 . 2004-08-03 16:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2011-10-11 08:23 . 2004-08-03 17:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-10-11 08:23 . 2004-08-03 17:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-10-08 09:06 . 2007-10-24 02:53 283648 ----a-w- c:\windows\uninst.exe
    2011-10-05 07:55 . 2011-10-05 07:55 -------- d-----w- c:\documents and settings\Acount\Local Settings\Application Data\Mozilla
    2011-10-02 07:30 . 2004-08-03 16:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
    2011-10-02 07:30 . 2004-08-03 16:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    2011-09-27 09:30 . 2006-10-26 13:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2011-09-27 09:30 . 2006-10-26 13:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2011-09-27 09:29 . 2011-09-27 09:29 -------- d-----w- c:\program files\Microsoft Works
    2011-09-27 09:28 . 2011-09-27 09:28 -------- d-----w- c:\program files\Microsoft.NET
    2011-09-27 09:26 . 2011-09-27 09:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2011-09-27 09:26 . 2011-09-27 09:26 -------- d-----w- c:\windows\SHELLNEW
    2011-09-27 09:25 . 2011-09-27 09:25 -------- d-----w- c:\documents and settings\Acount\Local Settings\Application Data\Microsoft Help
    2011-09-27 09:25 . 2011-09-27 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2011-09-27 09:25 . 2011-09-27 09:25 -------- d-----r- C:\MSOCache
    2011-09-27 08:29 . 2011-09-27 08:37 -------- d-----w- c:\documents and settings\Acount\Application Data\IrfanView
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-24 2145000]
    "Omnipage"="d:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    .
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/24/2010 8:31 PM 114984]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/24/2010 8:33 PM 95872]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/24/2010 8:31 PM 810120]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\h:\ntglm7x.sys --> h:\NTGLM7X.sys [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=VOB
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.61.62 180.149.11.25
    FF - ProfilePath - c:\documents and settings\Acount\Application Data\Mozilla\Firefox\Profiles\lk3y5k6i.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-19 13:06
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
    @DACL=(02 0000)
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23a2f3b0-da9c-11e0-bfd6-002421dc39a7}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23a2f3b1-da9c-11e0-bfd6-002421dc39a7}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36e37a72-d9fb-11e0-bfd5-002421dc39a7}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475a1604-dc40-11e0-bfd1-a55d7a8fa825}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
    5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b248b882-e7fc-11e0-bfef-002421dc39a7}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68a-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68b-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68c-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68d-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    "_LabelFromReg"="Backup"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68e-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    [HKEY_USERS\S-1-5-21-1343024091-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf1c68f-dc6e-11e0-b752-806d6172696f}]
    @DACL=(02 0000)
    "BaseClass"="Drive"
    .
    Completion time: 2011-10-19 13:07:54
    ComboFix-quarantined-files.txt 2011-10-19 07:07
    .
    Pre-Run: 34,657,996,800 bytes free
    Post-Run: 34,633,695,232 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    [spybotsd]
    timeout.old=30
    .
    - - End Of File - - F78E10FA21D72BD47B39438C71C3BF2E

    ---------- Post added at 23:49 ---------- Previous post was at 13:34 ----------

    Using COMBOFIX and others has solved the probs somewhat.

    But every time I use NOD32 to do an in-depth scan on the pen-drive, I can see those infected folders in the displayed directory tree. They do not go away after the scan. After the scan they are not seen in the PD when seen from Windows Explorer.

    However, the problem seems to have stopped for the time being.

    My question now - how do I clean the PD of those folders? Or will they stay on and on?
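The symptoms in this thread (folders that the scanner still lists but Explorer no longer shows, and folder icons with a small arrow on them) are consistent with directories on the drive carrying the Hidden and System attributes alongside shortcut files that copy the folders' names; that is an assumption about the cause, not something the poster confirmed. The script below is an added example, not part of the original post or any tool named in the thread. It audits a removable drive for that pattern and, only when asked with the `-Fix` switch, clears the two attributes on the affected directories so the real data becomes visible again; it deletes nothing and does not follow the shortcuts. The drive letter and the `-Fix` switch are the example's own assumptions.

```powershell
# Added example (not from the thread): audit a removable drive for directories that
# Explorer hides (Hidden + System attributes) and for .lnk files that shadow them.
# Usage: .\Audit-PenDrive.ps1 -Drive H:          (report only)
#        .\Audit-PenDrive.ps1 -Drive H: -Fix     (also clear Hidden/System on those folders)
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # assumed placeholder, e.g. 'H:'
    [switch]$Fix                                    # assumed switch: un-hide the directories
)

$root = $Drive.TrimEnd('\') + '\'
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

# -Force returns items with the Hidden and System attributes, which Explorer omits
# unless both "Show hidden files" and "Hide protected operating system files" are changed.
$items = @(Get-ChildItem -LiteralPath $root -Force)

$hiddenDirs = @($items | Where-Object {
    $_.PSIsContainer -and
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    ($_.Attributes -band [IO.FileAttributes]::System)
})
$hiddenNames = @($hiddenDirs | ForEach-Object { $_.Name })

# A .lnk at the root whose base name equals a hidden directory is what produces the
# "folder icon with an arrow" the first post describes. Resolve target and arguments
# for review; the script only reports them and never launches anything.
$shell = New-Object -ComObject WScript.Shell
$links = @($items | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.lnk' } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        New-Object PSObject -Property @{
            Name             = $_.Name
            Target           = $lnk.TargetPath
            Arguments        = $lnk.Arguments
            ShadowsHiddenDir = ($hiddenNames -contains $_.BaseName)
        }
    })

"Hidden+System directories on $root ($($hiddenDirs.Count)):"
$hiddenDirs | Select-Object Name, LastWriteTime, Attributes | Format-Table -AutoSize
"Shortcut files on $root ($($links.Count)); review Target and Arguments before trusting them:"
$links | Select-Object Name, ShadowsHiddenDir, Target, Arguments | Format-Table -AutoSize

if ($Fix) {
    foreach ($d in $hiddenDirs) {
        # Clear only Hidden and System on the directory itself; files inside are left as they are.
        $mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System)
        $d.Attributes = [IO.FileAttributes]([int]$d.Attributes -band $mask)
        "Cleared Hidden/System on $($d.FullName)"
    }
}
```

Run it in report mode first and compare the hidden-directory list with the folders NOD32 shows in its tree; once the antivirus has dealt with whatever the shortcuts point at, the `-Fix` pass restores visibility of the data folders without touching their contents, and the shortcut files can then be removed by hand after their targets have been reviewed.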
