
$RECYCLE.BIN & System Volume Information



I just got a new computer and I wanted to make sure not to give it any virus, so I scanned my external hard drive with Bitdefender and it found nothing. Just to make sure, I vaccinated it and took the opportunity to rescan it using UsbFix, which found a virus in the $RECYCLE.BIN hidden folder (both on my computer and on the external hard drive) that Bitdefender did not find. So I ran the deletion tool successfully, restarted a scan, and it found the virus again.

From what I read online, $RECYCLE.BIN and SVI are legitimate Windows folders; however, I'm pretty sure there's something exploiting them, and if they're Windows folders I don't think they should be on my external drive. Is that right?

Also, my dad told me he had a virus in a hidden folder in the root directory that Bitdefender did not detect but his work's AV found, so I guess it's the same thing.

Thanks in advance.

PS: I'm French, sorry for my English.

So I still don't know if this was a false positive from UsbFix or not, but since I'm an impatient moron I managed to delete both folders from my external drive following this:

reboot.pro/topic/17025-prevent-system-restore-points-on-an-external-drive/

UsbFix still finds an infection on C: and D: but not on the external one anymore.

attach.txt

---

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft® Windows Vista™ Home Premium Edition

Boot Device: \Device\HarddiskVolume3

Install Date: 08/09/2011 11:17:43

System Uptime: 23/02/2013 13:44:11 (25 hours ago)

.

Motherboard: Dell Inc. | | 0M277C

Processor: Intel® Core2 Duo CPU T5670 @ 1.80GHz | U2E1 | 1801/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 139 GiB total, 2.627 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 6.08 GiB free.

E: is CDROM ()

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP374: 05/02/2013 22:26:18 - Scheduled checkpoint

RP375: 06/02/2013 11:50:19 - Windows Update

RP376: 08/02/2013 10:06:25 - Windows Update

RP377: 09/02/2013 16:06:11 - Scheduled checkpoint

RP378: 10/02/2013 16:13:07 - Scheduled checkpoint

RP379: 12/02/2013 14:40:35 - Windows Update

RP380: 13/02/2013 03:51:05 - Software driver package installation: Apple, Inc. USB bus controllers

RP381: 13/02/2013 03:51:33 - Software driver package installation: Apple Network adapters

RP382: 13/02/2013 03:52:41 - Installed iTunes

RP383: 14/02/2013 03:00:14 - Windows Update

RP384: 15/02/2013 14:54:22 - Windows Update

RP385: 16/02/2013 07:07:34 - Scheduled checkpoint

RP386: 20/02/2013 19:06:02 - Windows Update

RP387: 22/02/2013 12:11:47 - Windows Update

RP388: 23/02/2013 15:04:38 - Scheduled checkpoint

.

==== Installed Programs ======================

.

1.0.1.16

7-Zip 9.20

Ableton Live 8

Adobe AIR

Adobe Flash Player 11 Plugin

Adobe Help Manager

Adobe Illustrator CS6

Adobe Photoshop CS6

Adobe Reader X (10.1.1) - French

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ASIO4ALL

µTorrent

AVG Anti-Rootkit Free

Baldur's Gate II - Shadows of Amn

Bonjour

Clementine

CodeBlocks

DivX Setup

Corel Painter 12

Corel Painter 12 - IPM

DAEMON Tools Lite

DAEMON Tools Toolbar

Dell Resource CD

Winamp Application Detection

ffdshow v1.1.3631 [2010-11-15]

FL Studio 10

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Deskjet 3070 B611 series - Product Improvement Study

HP Deskjet 3070 B611 series Help

iCloud

IconHandler 32 bit

IL Download Manager

Intel® Graphics Media Accelerator Driver

iTunes

Java Auto Updater

Java 6 Update 26

Laptop Integrated Webcam Driver (1.01.01.0529)

Last.fm 1.5.4.27091

HP Deskjet 3070 B611 series Basic Device Software

Malwarebytes Anti-Malware version 1.70.0.1100

Max 5.1.9

Microsoft .NET Framework 3.5 Language Pack SP1 - fra

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile FRA Language Pack

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft_VC80_CRT_x86

Microsoft_VC90_CRT_x86

Microsoft .NET Framework 3.5 SP1 Language Pack - fra

Microsoft .NET Framework 4 Client Profile FRA Language Pack

Mozilla Firefox 15.0 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird (7.0.1)

OpenOffice.org 3.3

OpenOffice.org 3.3 Language Pack (French)

Opera 12.12

Painter 12 - Content

Painter 12 - Core

Painter 12 - EN

Painter 12 - Painter

Painter 12 - Setup Files

PDF Settings CS6

QuickTime

SeaMonkey 2.14.1 (x86 en-US)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile FRA Language Pack (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile FRA Language Pack (KB2518870)

Skype™ 5.5

Synaptics Pointing Device Driver

Ubisoft Game Launcher

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

UsbFix By El Desaparecido

VC80CRTRedist - 8.0.50727.6195

VLC media player 1.1.11

Winamp

WinHTTrack Website Copier 3.46-1

.

==== End Of File ===========================

dds.txt

---

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 7.0.6001.18639 BrowserJavaVersion: 1.6.0_26

Run by Jupke at 14:06:55 on 2013-02-24

Microsoft® Windows Vista™ Home Premium Edition 6.0.6001.1.1252.33.1036.18.2038.917 [GMT 1:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\Explorer.exe

C:\Windows\system32\SLsvc.exe

C:\Program Files\Opera\opera.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\svchost.exe -k secsvcs

.

============== Pseudo HJT Report ===============

.

uWindow Title = Windows Internet Explorer

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - c:\program files\daemon tools toolbar\DTToolbar.dll

TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - c:\program files\daemon tools toolbar\DTToolbar.dll

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

uRun: [AdobeBridge] <no file>

mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\users\jupke\appdata\roaming\micros~1\windows\startm~1\programs\startup\alerte~1.lnk - c:\windows\system32\RunDll32.exe

uPolicies-Explorer: NoDriveAutoRun = dword:3

uPolicies-Explorer: NoDriveTypeAutoRun = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:3

mPolicies-Explorer: NoDriveTypeAutoRun = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: NameServer = 212.27.40.241 212.27.40.240

TCP: Interfaces\{2B45E950-9DAF-4D5E-8DBA-E46EF483D347} : DHCPNameServer = 212.27.40.241 212.27.40.240

TCP: Interfaces\{928A77CE-23CA-4006-9E32-8E44672769CA} : DHCPNameServer = 212.27.40.241 212.27.40.240

Notify: igfxcui - igfxdev.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jupke\appdata\roaming\mozilla\firefox\profiles\1cgtk256.default\

FF - prefs.js: browser.startup.homepage - hxxps://ixquick.com/eng/

FF - prefs.js: keyword.URL - hxxps://ixquick.com/do/metasearch.pl?language=english&cat=web&query=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\software\update\1.2.201.0\npSoftwareOneClick8.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll

FF - ExtSQL: 2013-02-08 23:17; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; c:\users\jupke\appdata\roaming\mozilla\firefox\profiles\1cgtk256.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi

.

============= SERVICES / DRIVERS ===============

.

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2012-3-6 3968]

R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2007-3-5 7424]

R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2008-5-28 235840]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\sdfssvc.exe --> c:\program files\spybot - search & destroy 2\SDFSSvc.exe [?]

S3 DESVUSB;Dell service driver;c:\windows\system32\drivers\desrvusb.sys [2007-5-11 17536]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2013-02-22 11:13:42 6954968 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{85559781-9b54-4a48-a86c-ff416d8f7dcc}\mpengine.dll

2013-02-13 02:55:07 -------- d-----w- c:\program files\iPod

.

==================== Find3M ====================

.

2013-02-08 22:46:54 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-08 22:46:54 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-17 00:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe

2012-12-14 15:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 14:07:19,61 ===============

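On the question the post above asks: both $RECYCLE.BIN and System Volume Information are created by Windows on any NTFS volume it mounts, an external disk included, so their presence alone is not a sign of infection. They do get used by USB-borne malware as drop locations precisely because Explorer hides both, so the check a practitioner wants is whether what is inside matches the layout Windows itself produces. The script below is an added example, not code from the thread, UsbFix, Bitdefender or DDS. It audits $RECYCLE.BIN in the Vista-and-later layout (per-user subfolders named after a SID, each holding desktop.ini plus $I/$R pairs) and reports anything else. It does not walk System Volume Information: that folder's default ACL grants access to SYSTEM only, so it needs an offline image or a SYSTEM-privileged tool. The directory names and files used in the usage note are constructed for illustration.

```python
"""Audit $RECYCLE.BIN on a volume against the layout Windows (Vista and later) produces.

Added example for the forum thread; not code from UsbFix, Bitdefender or DDS.
"""
import re
import sys
from pathlib import Path

# Per-user bins are subfolders named after the owner's SID, e.g. S-1-5-21-...-1001
# for a user account or S-1-5-18 for SYSTEM.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Each deleted item is stored as a pair: $I<6 chars>[.ext] (original path, size,
# deletion time) and $R<6 chars>[.ext] (the contents; a directory if a folder was deleted).
RECYCLED_RE = re.compile(r"^\$[IR][A-Za-z0-9]{6}(?:\..*)?$")
# Loose files with these extensions are what a dropper leaves behind, not what Explorer does.
DROPPER_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                      ".js", ".jse", ".wsf", ".lnk", ".dll", ".inf"}


def _audit_user_bin(user_dir, findings):
    """Check one per-user bin (or a stray subfolder) for content Windows would not create."""
    for item in user_dir.iterdir():
        name = item.name
        if name.lower() == "desktop.ini" and item.is_file():
            continue
        if RECYCLED_RE.match(name):
            # $R contents are whatever the user deleted, so they are not inspected;
            # a $R entry without its $I metadata record is the one anomaly worth noting.
            if name.startswith("$R") and not (user_dir / ("$I" + name[2:])).is_file():
                findings.append((str(item), "$R payload without its $I metadata record"))
            continue
        if item.is_dir():
            findings.append((str(item), "unexpected directory inside a per-user bin"))
            _audit_user_bin(item, findings)
        elif item.suffix.lower() in DROPPER_EXTENSIONS:
            findings.append((str(item), "unexpected executable or launch file"))
        else:
            findings.append((str(item), "unexpected file name"))


def audit_recycle_bin(volume_root):
    """Return sorted (path, reason) pairs for everything under <volume_root>/$RECYCLE.BIN
    that does not fit the expected layout.

    An empty list means nothing unusual was seen. A missing $RECYCLE.BIN is normal
    (FAT32 volumes, or an NTFS volume nothing has been deleted from yet).
    """
    findings = []
    bin_dir = Path(volume_root) / "$RECYCLE.BIN"
    if not bin_dir.is_dir():
        return findings
    for entry in bin_dir.iterdir():
        if entry.is_file():
            if entry.name.lower() != "desktop.ini":
                findings.append((str(entry), "loose file at $RECYCLE.BIN root"))
            continue
        if not SID_RE.match(entry.name):
            findings.append((str(entry), "subfolder not named after a SID"))
        _audit_user_bin(entry, findings)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_recycle_bin.py E:\   (run from an elevated prompt so that the
    # hidden/system folder is readable; the drive letter here is illustrative)
    for path, reason in audit_recycle_bin(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

A legitimate bin yields no findings even when it holds recycled executables, because those sit in $R entries paired with $I records; a stray setup.exe next to them, an autorun.inf at the bin root, or a subfolder such as "Recycler" that is not a SID are each reported with a reason. Re-running the audit after a cleaning tool claims success is the quickest way to see whether the same item has been recreated, which is the behaviour the post describes.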

Hello chinichi.

Is this really a brand-new computer from the store, or is it a second-hand computer from someone else?

A very new computer should have zero malware, you'll agree.

Your logs show a peer-to-peer file-sharing app: µTorrent.

Remove (uninstall) that and any other peer-to-peer software, and confirm that for me.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Forum policy on peer-to-peer-programs:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

http://forums.malwarebytes.org/index.php?showtopic=97700

Step 2

Disable CD-ROM Emulation Software:

Please download the following tool DeFogger to your desktop.

◦Double-click DeFogger to run the tool.

◦The application window will appear

◦Click the Disable button to disable your CD Emulation drivers.

◦Click Yes to continue

◦A 'Finished!' message will appear

◦Click OK

◦DeFogger will now ask to reboot the machine - click OK

◦IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

◦Do not re-enable these drivers until otherwise instructed.

Step 3

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware,if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, right-click the Stinger icon and select Run as Administrator.

On XP, double-click to start it.

The GUI interface will look like this:

(screenshot of the Stinger GUI)

The C drive is the default for scanning.

Press the Preferences button. In the top-right block "On virus detection", click Rename.

In the bottom block "Heuristic network check for suspicious files", select High.

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

Re-enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

Step 4

Download Dr.Web CureIt to the desktop.

The download is about 104.6 MB in size.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Turn off any other add-on security app {if you have them} like MBAM File System Protection.
  • If this system is Windows 8/7 or Vista, then right-click on drweb-cureit.exe and select Run as Administrator.
  • Otherwise, on Windows XP, double-click on the drweb-cureit.exe file to start the tool.
  • You will see a screen similar to this:
    (screenshot)
    Click the checkbox to participate, and then click on the Continue button.
  • Next
    (screenshot)
    Click on Select objects for scanning.
  • Next
    (screenshot)
    Put a checkmark by clicking on the boxes as shown.
    Do not select Temporary files or System Restore points.
    Then click on the Start scanning button.
  • The scan in progress will be shown like this:
    (screenshot)
  • IF something is detected, you will see a screen similar to this:
    (screenshot)
    For each item "detected", click on the Action column down arrow, like this:
    (screenshot)
    Your options will be Cure or Ignore.
    IF you see an item that you are very sure is OK, then un-check the checkbox for that item.
    Typically, you will keep the Cure default.
    Then click on the Neutralize button.
  • When the actions are completed, you will see this:
    (screenshot)
  • Click on the green Open Report line. It will pop up the report in Notepad.
    Save the report to your desktop. The report will be called Cureit.log.
  • While in Notepad, do a CTRL+A to copy all to the clipboard.
  • You should be able to get back to your forum topic, start a new reply,
    click once in the box
    and do a CTRL+V (Paste)
    into the reply.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Cureit.log you saved previously in your next reply.
    ONLY if the log is too large, then you may "attach" it.

Re-Enable your antivirus program when all done.

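One thing in the DDS log posted in the first post that neither reply picks up: the uPolicies-Explorer and mPolicies-Explorer lines record the Explorer AutoRun policies, which decide whether an autorun.inf on an inserted drive is honoured, the same mechanism the "vaccination" step in UsbFix is meant to block. As an added example (not from the thread, DDS, UsbFix or any other tool named here), the script below decodes those two values. NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun, so 0 excludes none and 0xFF, the value Microsoft recommends in KB967715, excludes all of them; NoDriveAutoRun is a 26-bit mask of drive letters with bit 0 for A:. The sample lines are copied from the posted log; that DDS prints dword values in hexadecimal, as a .reg export does, is an assumption of the example (it makes no difference for the values 0 and 3 seen here). One caveat: independently of these values, Microsoft's 2011 AutoPlay update (KB971029) stopped Windows XP and Vista from executing autorun.inf entries from non-optical media, so the setting is decisive for CD/DVD and for systems that lack that update.

```python
"""Decode the Explorer AutoRun policy values reported in a DDS log.

Added example for the forum thread, not part of DDS, UsbFix or any other tool.
Bit meanings follow Microsoft's documentation of NoDriveTypeAutoRun (KB967715).
"""
import re

# NoDriveTypeAutoRun: each set bit EXCLUDES one drive type from AutoRun.
NODRIVETYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks and most external disks
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}
RECOMMENDED_NODRIVETYPE = 0xFF  # AutoRun excluded for every drive type

# DDS "Pseudo HJT Report" policy line, e.g.
#   uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
# The prefix letter is the hive: u = per-user (HKCU), m = machine (HKLM).
POLICY_LINE = re.compile(
    r"^(?P<scope>[um])Policies-Explorer:\s*(?P<name>NoDriveTypeAutoRun|NoDriveAutoRun)"
    r"\s*=\s*dword:(?P<value>[0-9A-Fa-f]+)\s*$"
)
SCOPE_NAMES = {"u": "HKCU", "m": "HKLM"}


def parse_dds_policies(log_text):
    """Return {(hive, policy_name): int} for the AutoRun policy lines in a DDS log.

    Assumption: DDS prints dword values in hexadecimal, as a .reg export does.
    """
    found = {}
    for line in log_text.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:
            found[(SCOPE_NAMES[m["scope"]], m["name"])] = int(m["value"], 16)
    return found


def autorun_allowed_drive_types(no_drive_type_autorun):
    """Drive types that the given NoDriveTypeAutoRun value still allows to AutoRun."""
    return [name for bit, name in NODRIVETYPE_BITS.items() if not no_drive_type_autorun & bit]


def autorun_blocked_letters(no_drive_autorun):
    """Drive letters excluded by NoDriveAutoRun (bit 0 = A:, bit 1 = B:, ..., bit 25 = Z:)."""
    return [chr(ord("A") + i) for i in range(26) if no_drive_autorun >> i & 1]


def assess_autorun(log_text):
    """Per hive: what the logged values permit, and whether NoDriveTypeAutoRun is hardened."""
    report = {}
    for (hive, name), value in parse_dds_policies(log_text).items():
        entry = report.setdefault(hive, {})
        if name == "NoDriveTypeAutoRun":
            entry["autorun_allowed_for"] = autorun_allowed_drive_types(value)
            entry["hardened"] = value == RECOMMENDED_NODRIVETYPE
        else:
            entry["letters_excluded"] = autorun_blocked_letters(value)
    return report


# Sample input: the policy lines exactly as they appear in the DDS log posted above.
SAMPLE_DDS_LINES = """\
uPolicies-Explorer: NoDriveAutoRun = dword:3
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:3
mPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
"""

if __name__ == "__main__":
    for hive, entry in assess_autorun(SAMPLE_DDS_LINES).items():
        print(hive, entry)
```

For the posted log the decoder reports, in both HKCU and HKLM, that NoDriveTypeAutoRun excludes no drive type and that NoDriveAutoRun excludes only A: and B:. The hardening step is to set NoDriveTypeAutoRun to 0xFF in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which the function then reports as hardened.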

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
