Author Topic: Something creates volumeInformation.exe on my USB Flash Drive - how to prevent? (Read 16709 times)


REDACTED

  • Guest
Well, to be honest, I have no idea what it is. This is my wife's laptop, and she got it from her brother 2 years ago.
I think her brother installed something and then uninstalled it, and this is some leftover from his software. She didn't install it.

To avoid misunderstandings let me explain again what happened to which PC. There were 3 PCs infected, but some of them work fine now:

PC1
 PC of my wife. I have restored Windows to an earlier state. Now all seems to be OK. The strange behavior with USB Flash Drives does not occur anymore.
 :)

PC2 
My work PC. I have recovered a Windows Backup. Now all seems to be OK. The strange behavior with USB Flash Drives does not occur anymore.
:)

PC3 
 PC of my mother-in-law. I was not able to restore Windows to an earlier state; there was no earlier state saved. I was not able to recover a Windows backup; there was no backup created. The PC is still infected. The strange behavior with USB Flash Drives still occurs every time I insert a new flash drive.
:(

So I did the same installations on PC3 as for my wife's PC and attached the logs here (for PC3). PC3 is definitely still infected. :(
« Last Edit: February 15, 2017, 06:31:10 PM by dafarulia »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
The MCShield log must be copy/pasted. A forum issue makes it look like Chinese gibberish when attached.


REDACTED

  • Guest
Quote
The MCShield log must be copy/pasted. A forum issue makes it look like Chinese gibberish when attached.

PC3(!) MCShield log:

 >>> MCShield AllScans.txt <<<
 -----------------------------
 MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 >>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
 14.02.2017 21:39:47 > Drive C: - scan started (no label ~74 GB, NTFS HDD )...
 => The drive is clean.

 14.02.2017 21:39:48 > Drive D: - scan started (NANA ~391 GB, NTFS HDD )...
 => The drive is clean.

 MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 >>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

 14.02.2017 22:48:15 > Drive F: - scan started (no label ~1999 MB, FAT flash drive )...
 >>> F:\VolumeInformation.exe - Suspicious > Renamed. (MD5: 8068b6a477b58868a493ffa6df39a27d)
 => Suspicious files  : 1/1 renamed.
 ____________________________________________
 ::::: Scan duration: 12sec :::::::::::::::::
 ____________________________________________

 MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 >>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
 14.02.2017 22:56:53 > Drive F: - scan started (no label ~1999 MB, FAT flash drive )...
 => The drive is clean.

 MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 >>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
 15.02.2017 20:07:10 > Drive C: - scan started (no label ~74 GB, NTFS HDD )...
 => The drive is clean.

 15.02.2017 20:07:10 > Drive D: - scan started (NANA ~391 GB, NTFS HDD )...
 => The drive is clean.
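
The log above is the only record of what MCShield did on PC3, and the useful parts (which drive, which file, what action, which hash) are buried in free text. The following is an added example written for this thread, not MCShield's own code: a small Python parser for the AllScans.txt line formats visible in this post, plus a filter for detections sitting directly in a drive root, which is where VolumeInformation.exe turned up on F:. The embedded sample log is a constructed, de-garbled copy of the F: entries from this post; the line formats are inferred from those lines only, so other MCShield versions may differ.

```python
"""Parse MCShield AllScans.txt output into structured scan records.

Added example for this forum thread, not MCShield's own code. Line formats
are inferred solely from the entries posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a de-garbled copy of the two F: drive scans posted above.
SAMPLE_LOG = """\
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
14.02.2017 22:48:15 > Drive F: - scan started (no label ~1999 MB, FAT flash drive )...
>>> F:\\VolumeInformation.exe - Suspicious > Renamed. (MD5: 8068b6a477b58868a493ffa6df39a27d)
=> Suspicious files  : 1/1 renamed.
____________________________________________
::::: Scan duration: 12sec :::::::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
14.02.2017 22:56:53 > Drive F: - scan started (no label ~1999 MB, FAT flash drive )...
=> The drive is clean.
"""

# "<dd.mm.yyyy hh:mm:ss> > Drive X: - scan started (<label> ~<size>, <kind> )..."
SCAN_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) > Drive (?P<drive>[A-Z]:) - scan started "
    r"\((?P<label>.*?) ~(?P<size>\d+ [MG]B), (?P<kind>[^)]*?)\s*\)"
)
# ">>> <path> - <verdict> > <action>. (MD5: <32 hex>)"; the version header also
# starts with ">>>" but has no drive-letter path, so it does not match.
DETECT_RE = re.compile(
    r"^>>> (?P<path>[A-Z]:\\.+?) - (?P<verdict>\w+) > (?P<action>\w+)\. \(MD5: (?P<md5>[0-9a-f]{32})\)"
)


@dataclass
class Detection:
    path: str
    verdict: str
    action: str
    md5: str


@dataclass
class Scan:
    timestamp: str
    drive: str
    label: str
    size: str
    kind: str
    detections: list = field(default_factory=list)
    clean: bool = False


def parse_mcshield_log(text):
    """Return one Scan per 'scan started' line, with its detections attached."""
    scans = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            scans.append(Scan(m["ts"], m["drive"], m["label"], m["size"], m["kind"]))
            continue
        if not scans:
            continue  # banner/version lines before the first scan
        d = DETECT_RE.match(line)
        if d:
            scans[-1].detections.append(Detection(d["path"], d["verdict"], d["action"], d["md5"]))
        elif line == "=> The drive is clean.":
            scans[-1].clean = True
    return scans


def root_executables(scans):
    """Detections placed directly in a drive root with an executable extension,
    the placement used by the dropper seen on F: in this thread."""
    hits = []
    for s in scans:
        for d in s.detections:
            rel = d.path[len(s.drive):].lstrip("\\")
            if "\\" not in rel and rel.lower().endswith((".exe", ".scr", ".com", ".pif")):
                hits.append(d)
    return hits


if __name__ == "__main__":
    for scan in parse_mcshield_log(SAMPLE_LOG):
        print(scan)
```

Paste the real AllScans.txt in place of the sample and the same functions apply. The MD5 it extracts is the value to look up elsewhere (for example on VirusTotal, as is done later in this thread for a different file), and `root_executables` is a cheap first filter when triaging logs from many drives.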
 

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
This may not fix all the errors on this system but it will be a start.

Did you know that System Restore is disabled?

If you did not do this intentionally, please check the following:

Go to Start and type System in the search box.
Click on System (under Control Panel or Settings) and then on System Protection.
Click on Configure and then select Turn on system protection.
Click Apply and then OK.
In the System Protection screen, is Protection now On for the drive?


FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

KMSpico

To do so, left-click on the name once and then click Uninstall/Change in the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Here it is. The Fixlog for PC3.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Let's go for the stubborn folder once again ....


Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

 

REDACTED

  • Guest
Here it is. The 2nd Fixlog for PC3.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
How is the system acting now?

REDACTED

  • Guest
Quote
How is the system acting now?
Well, the strange behavior with USB Flash Drives does not occur anymore. But I do not know if the malware is still somewhere in the system. :-\ How can I detect it?

And I have one important question.  How can I protect my USB Drive from malware in the future? I have to use it everyday on many different PCs of my colleagues. Sometimes they have viruses.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Quote
But I do not know if the malware is still somewhere in the system.  :-\ How can I detect it?
If it is there, @dbrisendine will tell you.


Quote
How can I protect my USB Drive from malware in the future?
Install and use MCShield  >>  http://www.mcshield.net


« Last Edit: February 19, 2017, 12:31:32 PM by Pondus »

REDACTED

  • Guest

Quote
How can I protect my USB Drive from malware in the future?
Install and use MCShield  >>  http://www.mcshield.net
MCShield is great. I have installed it everywhere. It protects a PC from malware coming from the USB Drive.

But how could one protect the USB Drive from malware on the PC?

For example if I plug my USB Drive into an infected PC of somebody and then take it to another not infected PC of somebody else I am infecting it. :(

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Quote
For example if I plug my USB Drive into an infected PC of somebody and then take it to another not infected PC of somebody else I am infecting it.
Plug it into a computer with MCShield first, or install MCShield before you plug in the USB drive.

Note that MCShield only targets the types of malware that use removable drives to spread, so to detect other types you need to scan it with your antivirus.
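
MCShield, as described above, checks the drive when it is plugged into a protected PC; it does not tell you what changed while the drive sat in a colleague's machine. A complementary check for the question asked above (protecting the drive, not the PC) is to keep a baseline of the drive's contents and diff it after each trip. The following is an added example for this thread, not MCShield's, Avast's or the original poster's code: it hashes every file on the drive, stores the manifest off the drive, and on return lists added and changed files, flagging added executables, scripts, shortcuts and autorun.inf, the pattern that put VolumeInformation.exe at the root of F: here. The drive path and manifest location are assumptions left to the caller; `demo()` uses a temporary directory with constructed files as a stand-in for the drive.

```python
"""Baseline-and-compare check for a removable drive.

Added example for this forum thread, not MCShield's or the forum's own code.
Record a manifest (relative path, size, SHA-256) of every file on the drive
before it travels, keep the manifest on the PC, and diff a fresh manifest
against it when the drive comes back.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions a removable-drive worm typically uses for its dropper or lure files.
FLAG_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> [size, sha256] for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): [p.stat().st_size, sha256_file(p)]
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, dest):
    Path(dest).write_text(json.dumps(manifest, indent=1))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Added, changed and removed relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, changed, removed


def suspicious(paths):
    """Subset of paths worth treating as a possible dropper: a flagged extension
    or the name autorun.inf. A path without '/' sits in the drive root."""
    hits = []
    for rel in paths:
        name = rel.rsplit("/", 1)[-1].lower()
        if os.path.splitext(name)[1] in FLAG_EXT or name == "autorun.inf":
            hits.append(rel)
    return hits


def demo():
    """Replay the thread's scenario in a temp directory standing in for F:."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp, "usb")                      # stand-in for the flash drive
        (drive / "work").mkdir(parents=True)
        (drive / "work" / "report.xlsx").write_bytes(b"constructed sample file")
        (drive / "notes.txt").write_bytes(b"constructed notes")
        manifest_path = Path(tmp, ".usb-baseline.json")  # assumed name, kept off the drive
        save_manifest(build_manifest(drive), manifest_path)

        # The drive visits an infected PC: an executable appears in the root
        # (as VolumeInformation.exe did on F:) and a document is edited.
        (drive / "VolumeInformation.exe").write_bytes(b"MZ constructed dropper stand-in")
        (drive / "notes.txt").write_bytes(b"constructed notes, edited")

        added, changed, removed = compare(load_manifest(manifest_path), build_manifest(drive))
        return {"added": added, "changed": changed, "removed": removed,
                "suspicious": suspicious(added)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest on the PC, not on the drive: a host that can plant an .exe in the root can just as easily rewrite a manifest stored beside it. The diff only says that a file is new or changed, not that it is malicious; flagged additions still need the antivirus scan mentioned above, and a new data file may equally be legitimate work a colleague saved.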


Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Let's use a second opinion scanner for one last check (but the FRST logs don't show anything major)....

Go to Emsisoft and download the Emsisoft Free Emergency Kit from here.

  • Double click on the EmsisoftEmergencyKit.exe file and then click on Extract to unpack the files (the default directory of C:\EEK is fine).
  • Go to the new directory and right click on Start Emergency Kit Scanner.exe and choose 'Run as Administrator'.
  • Once the scanner loads, click on 1.Update to check for and load the current updates.
  • When the updates are finished, click on Malware Scan in the 2. Scan box.
  • Please enable the PUP detection option.  (The Kit may ask about this after it is loading updates or right when the scan starts; it will only ask once, so enable it when the Kit asks.)
  • If the scan finds anything, it will open a scan finding window.  Please click on View Report; copy this report and paste it here in reply post.
  • Please close the Emergency Kit Scanner program now.

REDACTED

  • Guest
Here it is, the EEK Scan Report for PC3:


Emsisoft Emergency Kit - Version 12.0
Last update: 25.02.2017 16:08:04
User account: DESKTOP-HUINQM3\hp
Computer name: DESKTOP-HUINQM3
OS version: Windows 10x64

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:   25.02.2017 16:10:08
C:\ORIS\ExcellToXml.exe    detected: Gen:Trojan.Heur.VP2.cm0@aCs4jkii (B) [krnl.xmd]
C:\Program Files (x86)\IncrediMail\Bin\AE\aeldr.exe    detected: Application.AdConnect (A) [285718]

Scanned   246160
Found   2

Scan end:   25.02.2017 16:56:46
Scan time:   0:46:38


« Last Edit: February 25, 2017, 02:05:56 PM by dafarulia »

REDACTED

  • Guest
I think the Gen:Trojan.Heur.VP2.cm0@aCs4jkii is an FP. It was in a folder of our accounting software. I think it is part of the software. It is an old file created in 2015. I have checked it with VT. Here is the link:

https://virustotal.com/en/file/97d042df98339a28a35c13c1bc6de4d53e84a0176ede8b06955f1b65b8051468/analysis/1488025095/