I tried the two steps in the first reply and here are the requested logs attached down.
It’s worth noting that the MCShield tool has unhided the hidden folders then I’ve formated the flash drive, but when I insert the flash
again I came with the same problem (hidden files even if there are no files and a shortcut to rundll32.exe that is named with my flash original name).
[color=green]Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.
… … … … … …
Open notepad and copy/paste the text present inside the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Save notepad as fixlist.txt NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
… … … … … …
Reboot your computer and re-run FRST, just click on Scan button and attach here freesh FRST.txt logreport.
Ok, this looks much better now. Malware is inactive but let’s clean up the remains using the big guy now.
Download ComboFixfrom here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully. note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
MCShield worked perfectly and didn’t find any malware no matter how many times I remove and insert my flash drive,
the shortcut of the flash drive inside my drive has never appeared again.
I have another flash drive with the same problem if I scan it with MCShield will MCShield fix it?
Can you give me more information about the malware (how I got infected and with what files and is this malware very common).
You had malware that is nestled under “NT style” reg keys and use the legit winlogon.exe to executed himself .
Malicious loading file that was ranning was placed in temp folder.
MCShield doesn’t work at the level of malware signatures , but it’s targeting them using known malware methods of abuse.
Therefore, MCS it is able to successfully deal with all world-wide known USB based malware.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
[*] then click OK (or press Enter ).
Wait for the uninstall process is complete.
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone. Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
I recommended you to keep and use MCShield if you will.
You may download MCShield from one of the following links:
As I wrote above, it will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
But one more last question please, how the malware got nested under “NT style” reg keys in the first place?
and how Malicious loading file was placed in temp folder you’ve talked about?
Forgive me for asking too much but I need to understand how those malware came into my machine to be more protective in the future
All malware are using so-called “security holes” in Windows OS to take advantage of some poorly / bad / large-scale written code in some legitimate application to launch their malicious code.
Windows trying to patch to them known security holes ( you know that as Windows Update) and thereby to prevent the known malware to spread in the future. Legitimate applications do the same thing. AV hunts dropers and malware sample or to be more precisely their binary code to create the signature for some malware variant.
Your malware is a variant of the worm. Worm is malicious program that spreads via network or via removable drives exploiting security holes in any operating system or legit program.
Certainly it has been manage to advantage some known or unknown security hole to us, or it was launched from the side of your hands to be executed. I don’t know how he did it.
Any malware must have some sort of trigger, something that will load malware itself. In most cases, the malware starts user (in this or other way) and they do not even aware of that.
For example: Are you aware when you install some toolbar? And you’ve did installed that toolbar, It did not come from 'heaven.
Malware writers find a way to abuse an some action / operation. Windows & AV vendors seek to patch the hole and to add malware to signatures. Then malware authors write or improve their malware code to use another hole in some legit application or OS, and so on …
The purpose of malware is to exploit security hole in order to be installed without the user’s knowledge and executes a malicious act and trying to stay undetected by the side of user or security softwares. That is why the struggle between good and evil is eternal …
All malware are using so-called "security holes" in Windows OS to take advantage of some poorly / bad / large-scale written code in some legitimate application to launch their malicious code.
list of security holes here… click the orange arrow to the right, or google the CVE name fore more info.