Author Topic: External Hard Drives infected by LNK:FakeFolder-B [Trj] - First Steps? THANKS!

derekrlew
Hello All -

I was crushed to discover that being a good guy and lending my Seagate and Toshiba 1TB external portable hard drives to a friend was a HUGE mistake.

I got them back, plugged them in to my laptop with current free Avast running on it - and LNK:FakeFolder-B [Trj] had added a .lnk extension to all my folders.

Avast moved them into quarantine (Good!)

But now I am wondering what the heck to do. I apologize for being such a rookie - but this is my first serious virus ever (twenty plus years of Windows....).

I am willing to sacrifice this laptop temporarily to the virus - as I have moved all my important files off.

But what is my next step? The files on the hard drives are still there according to the Properties tab when plugged into the laptop.

Do I un-quarantine the files and then run a full scan?

Are the files on my hard drives permanently infected? Can they be saved for use in another computer?

Sorry to ask such basic questions - but I really need a starting point. The laptop that I used to check the hard drives seems to be working the same as before I plugged the infected HDs in - and I did a Full Scan after and did not see anything like LNK:FakeFolder-B [Trj] on it.

Thanks for ANY guidance! Derek

essexboy
Hi, first download and install MCShield.

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick "unhide items on flash drives".

Plug in the drive and MCShield will start a scan.

Then get the log, which will be here:

Start > All Programs > MCShield > Logs > All scans

And post that.
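A manual version of the check behind MCShield's "unhide items on flash drives" option, added here as an example and not code from the thread or from MCShield: it lists the Hidden+System folders on a drive, resolves where any same-named .lnk decoys actually point, hashes executables under RECYCLER, and only clears the hiding attributes when asked. It assumes a drive letter argument and PowerShell 3 or newer (Get-FileHash needs 4).

```powershell
# Added example, not from the thread or from MCShield: read-only triage of a
# removable drive for the LNK:FakeFolder pattern, with an opt-in unhide step.
# Assumes a drive letter argument; Get-ChildItem -Directory/-File need PS3+, Get-FileHash PS4+.
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. 'G:'
    [switch]$Unhide                                 # change attributes only when asked
)

$root  = "$Drive\"
$shell = New-Object -ComObject WScript.Shell
# Windows keeps these Hidden+System itself; they are not the malware's doing.
$systemDirs = @('System Volume Information', '$RECYCLE.BIN', 'RECYCLER')

# The real folders the malware hid: Hidden + System, so Explorer skips them by default.
$hiddenDirs = @(Get-ChildItem -LiteralPath $root -Directory -Force |
    Where-Object { ($_.Attributes -band 'Hidden') -and ($_.Attributes -band 'System') -and
                   ($systemDirs -notcontains $_.Name) })
$hiddenNames = @($hiddenDirs | ForEach-Object { $_.Name })

# Decoy shortcuts dropped beside them, named after the hidden folders.
$decoys = @(Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -Force |
    Where-Object { $hiddenNames -contains $_.BaseName })

Write-Host "Hidden+System folders in $root (excluding Windows' own): $($hiddenDirs.Count)"
foreach ($lnk in $decoys) {
    # Resolve what the shortcut really launches; a clean folder shortcut points at the folder.
    $sc = $shell.CreateShortcut($lnk.FullName)
    Write-Host ("Decoy {0} -> {1} {2}" -f $lnk.Name, $sc.TargetPath, $sc.Arguments)
}

# The thread's sample lived under RECYCLER; any executable there deserves a hash and a look.
$recycler = Join-Path $root 'RECYCLER'
if (Test-Path -LiteralPath $recycler) {
    Get-ChildItem -LiteralPath $recycler -Recurse -Force -Include *.exe, *.scr, *.com |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            Write-Host ("RECYCLER executable: {0}  MD5 {1}" -f $_.FullName, $md5)
        }
}

if ($Unhide) {
    foreach ($d in $hiddenDirs) {
        # Clear only Hidden and System; leave the folder's other attributes alone.
        $d.Attributes = $d.Attributes -band (-bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
        Write-Host "Unhid $($d.FullName)"
    }
}
```

Run it once without -Unhide to see the report; if Avast already quarantined the .lnk files, as in this thread, the decoy list will be empty and the hidden-folder count is the useful signal.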

derekrlew
Thanks so much! I will try it - but it will take time for a newbie to figure it out. I will do my best and post results. I work on a ship and have internet once a week.

Thanks again!

derekrlew
Thanks Essexboy -

It didn't take too long, so I got MCShield on the laptop. Here are the results - but I don't think it scanned all my files as it happened so quick -

Wondering if the quarantine is affecting it? The last scan I did was after turning the computer off and on again and enabling the "show hidden folders" box as instructed.

When I try to look at the external hard drive in Windows it still does not display any folders - however it does show that 900 GB is used on the disc in Properties.

Thanks! Any hints on the next step? Now I have to get back on ship but I will be checking in throughout the week. THANK YOU!

>>> MCShield AllScans.txt <<<

-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.2.9.1 / Windows 7 <<<

2/13/2014 2:20:41 PM > Drive C: - scan started (no label ~100 GB, NTFS HDD )...

=> The drive is clean.

2/13/2014 2:20:42 PM > Drive D: - scan started (no label ~123 GB, NTFS HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.2.9.1 / Windows 7 <<<

2/13/2014 2:22:10 PM > Drive G: - scan started (TOSHIBA EXT ~1397 GB, NTFS HDD )...

>>> G:\RECYCLER\0xFFD12566.exe - Malware > Deleted. (14.02.13. 14.22 0xFFD12566.exe.153668; MD5: 043c8e3fc9e3021091a8c27406f89f86)

=> Malicious files   : 1/1 deleted.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.2.9.1 / Windows 7 <<<

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.2.9.1 / Windows 7 <<<

2/13/2014 2:33:54 PM > Drive G: - scan started (TOSHIBA EXT ~1397 GB, NTFS HDD )...

=> The drive is clean.


Pondus
Quote
Here are the results - but I don't think it scanned all my files as it happened so quick -
It only looks for malware that uses removable drives to spread.

Info here: http://mcshield.net/

This is what MCShield found on your drive:
https://www.virustotal.com/en/file/9540889164ff3f218e8105872ecd54814adbc206ec7e646e42dbe0ca0abbdc72/analysis/

essexboy will soon be back....

essexboy
Yep, the next step is now to see what else is on the system. To that end there will be two programmes to run, whenever you have the time.

  • Download RogueKiller and save it on your desktop.
    NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix.
  • The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

derekrlew
WoW! Greetings from Nassau - and MCShield really came through -

It found the exact same malware as in the first log posted on the second drive.

On the third drive it found the same as above PLUS:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.2.9.1 / Windows 7 <<<

2/14/2014 1:16:37 AM > Drive E: - scan started (FreeAgent GoFlex Drive ~932 GB, NTFS HDD )...

>>> E:\autorun.inf > Legitimate file.

>>> E:\The Monuments Men Mobi.lnk.vir - Malware > Deleted. (14.02.14. 01.16 The Monuments Men Mobi.lnk.vir.962414; MD5: 432302bcffe72e30e37b89fb1de56137)

>>> E:\RECYCLER\0xFFD12566.exe - Malware > Deleted. (14.02.14. 01.16 0xFFD12566.exe.345863; MD5: 043c8e3fc9e3021091a8c27406f89f86)

=> Malicious files   : 2/2 deleted.

____________________________________________

::::: Scan duration: 2sec ::::::::::::::::::
____________________________________________

So the LNK Virus was there!

Now I will follow the steps you have laid out for me above.

THANKS! Who knows what else I will find...

But I am one grateful sailor.

All the best, D

essexboy
Also scan any USB sticks that you have with MCShield. Just plug them in and it will scan.

derekrlew
Hello Essex Boy and All -

Okay - I downloaded OTL and am attaching the results to this post as requested.

Man oh Man - 30% of my memory sticks and SD cards had infections! MCShield took care of all of them - THANKS!

Please let me know any additional recommended steps.

Computer is definitely working better on the whole, thanks!

I figured out the "reveal hidden folders" deal on Windows 7 - so all the missing folders from the virus are there and appear with "faded" folder icons in Windows Explorer. The missing folders are clean - I double checked by doing a full scan with Avast again.

I can't thank you enough for all the help Essex Boy!

I hope the OTL attachments come through.

All the best - D

essexboy
Could you attach the main log please? It should be in the same location as OTL.

Pondus
Quote
Please let me know any additional recommended steps.
Do you share those USB sticks/memory cards with the rest of the guys on the ship you are on?
They should all install MCShield. www.mcshield.net

derekrlew
I have already told a bunch of people about MCShield!

I am re-attaching - thanks so much!

D

essexboy
OK, let's clear the rest of the rubbish. On completion can you let me know how the computer is behaving?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=fa8b961d-5421-456b-bc31-c6332f7788a5&searchtype=ds&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=fa8b961d-5421-456b-bc31-c6332f7788a5&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=fa8b961d-5421-456b-bc31-c6332f7788a5&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2504091&CUI=UN31995429822749722
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=fa8b961d-5421-456b-bc31-c6332f7788a5&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=fa8b961d-5421-456b-bc31-c6332f7788a5&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&babsrc=SP_ss&mntrId=126b3a300000000000000025d3a296cc
IE - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
FF - prefs.js..browser.search.defaultthis.engineName: "Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?CUI=UN29101315784595170&ctid=CT2504091&SearchSource=13"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&CUI=UN29101315784595170&UM=&q="
[2012/12/12 23:28:24 | 000,002,432 | ---- | M] () -- C:\Users\Queen Gaddy\AppData\Roaming\Mozilla\Firefox\Profiles\cyepkemj.default\searchplugins\babylon1.xml
[2012/05/22 10:11:46 | 000,000,879 | ---- | M] () -- C:\Users\Queen Gaddy\AppData\Roaming\Mozilla\Firefox\Profiles\cyepkemj.default\searchplugins\conduit.xml
[2012/12/11 10:18:28 | 000,002,399 | ---- | M] () -- C:\Users\Queen Gaddy\AppData\Roaming\Mozilla\Firefox\Profiles\cyepkemj.default\searchplugins\Web Search.xml
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {9194649F-7143-4308-90C1-D6A35B0E354E} - No CLSID value found.
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2028180166-77370576-1325634286-1000\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
[2009/12/25 16:01:26 | 000,000,000 | -HSD | M] -- C:\Users\Queen Gaddy\AppData\Roaming\.#
[2012/05/27 10:08:44 | 000,000,000 | ---D | M] -- C:\Users\Queen Gaddy\AppData\Roaming\Babylon

:Files
C:\Program Files\Vuze_Remote

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

derekrlew
Hello Essexboy (Grandmaster/Yoda/Genie)

I think I may have inadvertently screwed up -

When I connected to the internet today Avast recommended that I clean up my browser - and I removed three questionable toolbars.

When I tried to run the custom code you sent me for OTL it was getting hung up on one of the missing toolbars (I think... It got stuck for 20 minutes and I finally gave up).

Should I run the OTL scan again and attach the reports as per the original instructions above?

THANKS! If you so instruct, I will do this when I get back to ship and plug into AC and let it run all night if I have to.

BTW - I will be telling the IT guys on ship about MCShield - wonder if they know about it....

All the best - D