Something creates volumeInformation.exe on my USB Flash Drive - how to prevent?

Yesterday I analyzed what happened and why.

Everything began on Friday, when I plugged my USB flash drive into the PC of my colleague. He had malware on his PC. It infected my flash drive. My flash drive infected my PC, my wife's PC and my mother-in-law's PC (we visited her yesterday).

I thought about what I could do to remove the malware as soon as possible, before it turned into a terrible monster like ransomware etc. One good idea crossed my mind. I could restore Windows to a state before the event. So I did it on the PC of my wife and I think it helped. I tested it with a flash drive and the drive was not infected anymore. I hope it will stay clean. I will keep my eye on it.

Now I want to do the same on my PC and my mother-in-law's PC.

@Pondus thank you for recommending the flash drive guard MCShield. It is great software. I will install it everywhere.

One good idea crossed my mind. I could restore Windows to a state before the event.
Restore points don't clean malware; at best they prevent it from starting up, until something runs that file again.
@Pondus thank you for recommending the flash drive guard MCShield. It is great software. I will install it everywhere.
Yepp, you should install it on all family computers.

You can find more info about it here:
https://forum.avast.com/index.php?topic=196168.0
https://forum.avast.com/index.php?topic=104046

So what could I do? Avast was not able to recognize it.

You have been told 3(!) times what to do and we are still waiting for you to do so.

I made these logs after I restored Windows 7 on my wife's PC to an earlier point (two weeks earlier).

File is now being detected.

Thanks for the VT links, pondus and dafarulia… you just helped avast protect us :wink:

https://virustotal.com/en/file/0e239235388c2c6d015c942dd66acf46580d897041bf218cb3a7a136c733eee8/analysis/1487081759/
It is funny to watch on virustotal.com how the number of antiviruses detecting the malware is rising…

So, as I understand it, you have forwarded the file I uploaded to virustotal.com to Avast R&D? I am happy I helped to protect others.

It is funny to watch on virustotal.com how the number of antiviruses detecting the malware is rising...
That should mean that the first VT detections (and MCShield) were correct.

@dbrisendine is probably online tomorrow and will check your logs.

What is this for: 127.0.0.1 activate.adobe.com ???

I do not know. It was my wife's PC. I'll check when I go back home today.

Well, to be honest I have no idea what it is. This is my wife's laptop and she got it from her brother 2 years ago.
I think her brother installed something and then uninstalled it, and this is some leftover from his software. She didn't install it.

To avoid misunderstandings let me explain again what happened to which PC. There were 3 PCs infected, but some of them work fine now:

PC1
My wife's PC. I restored Windows to an earlier state. Now all seems to be OK. The strange behavior with USB flash drives does not occur anymore.
:slight_smile:

PC2
My work PC. I recovered a Windows backup. Now all seems to be OK. The strange behavior with USB flash drives does not occur anymore.
:slight_smile:

PC3
My mother-in-law's PC. I was not able to restore Windows to an earlier state. There was no earlier state saved. I was not able to recover a Windows backup. There was no backup created. The PC is still infected. The strange behavior with USB flash drives still occurs every time I insert a new flash drive.
:frowning:

So I did the same installations on PC3 as for my wife's PC and attached the logs here (for PC3). PC3 is definitely still infected. :frowning:

The MCShield log must be copy/pasted. A forum issue makes it look like Chinese gobbledygook when attached.

PC3(!) MCShield LOG:

MCShieldAllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
14.02.2017 21:39:47 > Drive C: - scan started (no label ~74 GB, NTFS HDD)...
=> The drive is clean.

14.02.2017 21:39:48 > Drive D: - scan started (NANA ~391 GB, NTFS HDD)...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1

14.02.2017 22:48:15 > Drive F: - scan started (no label ~1999 MB, FAT flash drive

F:\VolumeInformation.exe - Suspicious > Renamed. (MD5: 8068b6a477b58868a493ffa6df39a27d)
=> Suspicious files: 1/1 renamed.


::::: Scan duration: 12 sec :::::::::::::::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
14.02.2017 22:56:53 > Drive F: - scan started (no label ~1999 MB, FAT flash drive)...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
15.02.2017 20:07:10 > Drive C: - scan started (no label ~74 GB, NTFS HDD
=> The drive is clean.

15.02.2017 20:07:10 > Drive D: - scan started (NANA ~391 GB, NTFS HDD)...
=> The drive is clean.

This may not fix all the errors on this system but it will be a start.

Did you know that System Restore is disabled?

If you did not do this intentionally, please check the following:

Go to Start and type System in the search box.
Click on System (under Control Panel or Settings) and then on System Protection.
Click on Configure and then select Turn on system protection.
Click Apply and then OK.
In the System Protection screen, is Protection now On for the drive?

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

KMSpico

To do so, left click on the name once and then click Uninstall/Change in the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Here it is. The Fixlog for PC3.

Let’s go for the stubborn folder once again …

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Here it is. The 2nd Fixlog for PC3.

How is the system acting now?

Well, the strange behavior with USB flash drives does not occur anymore. But I do not know if the malware is still somewhere in the system. :-\ How can I detect it?

And I have one important question. How can I protect my USB drive from malware in the future? I have to use it every day on many different PCs of my colleagues. Sometimes they have viruses.

But I do not know if the malware is still somewhere in the system. :-\ How can I detect it?
If it is there, @dbrisendine will tell you.
How can I protect my USB Drive from malware in the future?
Install and use MCShield >> http://www.mcshield.net
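As an added example (not from the thread, from MCShield or from FRST), here is a defender-side PowerShell check covering the three points the thread turned on: the VolumeInformation.exe dropper on removable drives (compared against the MD5 MCShield logged), the 127.0.0.1 activate.adobe.com hosts entry the helper asked about, and whether System Restore actually has restore points. It assumes an elevated Windows PowerShell 5.1 session; the function names are my own.

```powershell
# Added example, not from the thread or from MCShield. Run in an elevated
# Windows PowerShell 5.1 session on the machine being examined.

# MD5 that MCShield reported for F:\VolumeInformation.exe in the thread's log.
$KnownBadMd5 = '8068b6a477b58868a493ffa6df39a27d'

function Test-RemovableDrives {
    # DriveType 2 = removable disk, i.e. USB flash drives.
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $d.DeviceID + '\'
        # -Force also lists hidden/system files, which USB droppers usually set.
        $hits = @(Get-ChildItem -Path $root -Force -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -ieq 'VolumeInformation.exe' })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Drive = $d.DeviceID; File = $null; MD5 = $null; Verdict = 'no VolumeInformation.exe' }
            continue
        }
        foreach ($f in $hits) {
            $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
            $verdict = 'unknown hash, check it on VirusTotal'
            if ($md5 -eq $KnownBadMd5) { $verdict = 'matches the sample from this thread' }
            [pscustomobject]@{ Drive = $d.DeviceID; File = $f.FullName; MD5 = $md5
                               Attributes = $f.Attributes; Verdict = $verdict }
        }
    }
}

function Get-HostsOverrides {
    # Active (non-comment) hosts entries; flags the activate.adobe.com redirect
    # the helper asked about, which Windows does not write by itself.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { [pscustomobject]@{ Entry = $_.Trim(); Flagged = ($_ -match 'activate\.adobe\.com') } }
}

function Get-RestoreStatus {
    # The helper found System Restore disabled on PC3; without restore points the
    # rollback that worked on PC1 is simply not available.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    [pscustomobject]@{ RestorePoints = $points.Count
                       Newest = ($points | Sort-Object SequenceNumber | Select-Object -Last 1).Description }
}

Test-RemovableDrives | Format-Table -AutoSize
Get-HostsOverrides   | Format-Table -AutoSize
Get-RestoreStatus
```

A match on the MD5 only confirms this particular sample; an unknown hash for a hidden VolumeInformation.exe on a flash drive is still worth submitting, as the thread's own VirusTotal upload showed.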