Hope this can be of help. My thumb drive won’t open and there is a pop-up saying G:>start /d “.\System Volume Information\Kaspersky Internet Security 2017” taskhosts.exe
See here https://forum.avast.com/index.php?topic=194892.0
Scroll all the way down to Specific Infection Logs … follow instructions for MCShield
This log you copy and paste here … not attach (only MCShield logs)
Do not plug thumb drive until you install MCShield but first do this.
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
```
VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe;C:\Users\User\AppData\Local\Temp\jow2dzfa.dll
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk [2017-12-04]
ShortcutTarget: spoolsvc.lnk -> C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe (No File)
Task: {DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} - System32\Tasks\App Explorer => C:\Users\User\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2017-12-22] (SweetLabs, Inc) <==== ATTENTION
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {2ae92697-92cb-11e7-8180-ccb0dad6d454} - "G:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {5dc65b0b-3086-11e7-8029-ccb0dad6d454} - "F:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {68be13b2-14f3-11e7-bfbc-ccb0dad6d454} - "F:\StartUse.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {ce574921-2505-11e7-bff5-ccb0dad6d454} - "F:\Setup.exe" /s
```
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open again FRST and click on button Fix
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
```
Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by User (29-01-2018 15:48:53) Run:1
Running from D:\Users\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal

fixlist content:
VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe;C:\Users\User\AppData\Local\Temp\jow2dzfa.dll
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk [2017-12-04]
ShortcutTarget: spoolsvc.lnk -> C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe (No File)
Task: {DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} - System32\Tasks\App Explorer => C:\Users\User\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2017-12-22] (SweetLabs, Inc) <==== ATTENTION
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {2ae92697-92cb-11e7-8180-ccb0dad6d454} - "G:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {5dc65b0b-3086-11e7-8029-ccb0dad6d454} - "F:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {68be13b2-14f3-11e7-bfbc-ccb0dad6d454} - "F:\StartUse.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {ce574921-2505-11e7-bff5-ccb0dad6d454} - "F:\Setup.exe" /s

VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe => https://www.virustotal.com/file/c1a248a1227900a11c1a2c32a80af50f1482b18099374f3e7464ddc216ec345f/analysis/1516973612/
VirusTotal: C:\Users\User\AppData\Local\Temp\jow2dzfa.dll => https://www.virustotal.com/file/e423663fdd4cfce9ed88fd4c7a9c6a754271ae1c8a7c59b173e1065ffbc9c8b5/analysis/1517212137/
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk => moved successfully
C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DEB54F2F-08A7-4B1C-B63C-7C4845FA1934}" => removed successfully
C:\Windows\System32\Tasks\App Explorer => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\App Explorer" => removed successfully
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae92697-92cb-11e7-8180-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{2ae92697-92cb-11e7-8180-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5dc65b0b-3086-11e7-8029-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{5dc65b0b-3086-11e7-8029-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{68be13b2-14f3-11e7-bfbc-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{68be13b2-14f3-11e7-bfbc-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ce574921-2505-11e7-bff5-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{ce574921-2505-11e7-bff5-ccb0dad6d454} => key not found

==== End of Fixlog 15:49:07 ====
```
Now install MCShield and follow instructions for it in:
What to do next?
Have you done MCShield instructions?
this?
Nope, see Reply #4 and follow instructions.
or reply #1
> Andy Abel (post 8): this?
Nope, see Reply #4 and follow instructions.
Just to help clear this up as OP seems confused.
SPECIFIC INFECTIONS LOGS
additional programme to run and install if you have used an infected USB stick
Please download installation for MCShield and save to your desktop and install the tool;
( installation is a classic “Next > Next > I Agree > …> Finish” way )
Please wait for a sec. It will initially run a scan and show the result as a toaster by the system clock;
Then in the control centre select scanner and tick Always unhide items on flash drives;
Plug in the drive and MCShield will start the malware scan …
Get the log which will be in Logs menu, AllScans.txt tab. Just click Save button and log will be located at your Desktop.
this one?
this one?
NO, that log belongs to Malwarebytes. Have you downloaded and installed MCShield?
See my first post above, also see picture in post by Michael (alan1998) above
Alternatively, you can download it from here >> http://www.mcshield.net/download.html
When installed, you plug in your USB thumb drive. MCShield will then pop up and scan the drive and a log will be created.
This log you COPY / PASTE here
Sorry, got confused… LoL
I said copy paste log … NOT ATTACH
A forum issue makes the MCShield log look like Chinese when attached
```
MCShield AllScans.txt <<<

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

6/2/2018 9:47:27 PM > Drive C: - scan started (Acer ~118 GB, NTFS HDD )…
=> The drive is clean.

6/2/2018 9:47:27 PM > Drive D: - scan started (Data ~932 GB, NTFS HDD )…
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

6/2/2018 9:47:55 PM > Drive G: - scan started (REMAX ~31185 MB, FAT32 flash drive )…
G:\desktop.ini - Malware > Deleted. (18.02.06. 21.50 desktop.ini.131298; MD5: 739da77de6495aec13fd86c35450fc48)
=> Malicious files : 1/1 deleted.

::::: Scan duration: 2min 40sec ::::::::::::
```
Good. Is your problem solved now?
Sass Drake will give additional instructions when back online
Flash drive seems to be clean now after MCS scan. What is system and flash drive status now?