virus problem on thumb drive

[REDACTED]

hope this can be help. my thumb drive won't open and there is a pop up saying G:\>start /d ".\System Volume Information\Kaspersky Internet Security 2017" taskhosts.exe

[Pondus]

See here   https://forum.avast.com/index.php?topic=194892.0

Scroll all the way down to Specific Infection Logs ... follow instructions for MCShield

This log you copy and paste here ... not attach ( only MCSield logs)

[Sass Drake]

Do not plug thumb drive until you install MCShield but first do this.

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe;C:\Users\User\AppData\Local\Temp\jow2dzfa.dll
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk [2017-12-04]
ShortcutTarget: spoolsvc.lnk -> C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe (No File)
Task: {DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} - System32\Tasks\App Explorer => C:\Users\User\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2017-12-22] (SweetLabs, Inc) <==== ATTENTION
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {2ae92697-92cb-11e7-8180-ccb0dad6d454} - "G:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {5dc65b0b-3086-11e7-8029-ccb0dad6d454} - "F:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {68be13b2-14f3-11e7-bfbc-ccb0dad6d454} - "F:\StartUse.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {ce574921-2505-11e7-bff5-ccb0dad6d454} - "F:\Setup.exe" /s

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[REDACTED]

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by User (29-01-2018 15:48:53) Run:1
Running from D:\Users\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe;C:\Users\User\AppData\Local\Temp\jow2dzfa.dll
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk [2017-12-04]
ShortcutTarget: spoolsvc.lnk -> C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe (No File)
Task: {DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} - System32\Tasks\App Explorer => C:\Users\User\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2017-12-22] (SweetLabs, Inc) <==== ATTENTION
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {2ae92697-92cb-11e7-8180-ccb0dad6d454} - "G:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {5dc65b0b-3086-11e7-8029-ccb0dad6d454} - "F:\AutoRun.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {68be13b2-14f3-11e7-bfbc-ccb0dad6d454} - "F:\StartUse.exe"
HKU\S-1-5-21-176347147-2586957089-2691104427-1001\...\MountPoints2: {ce574921-2505-11e7-bff5-ccb0dad6d454} - "F:\Setup.exe" /s
*****************

VirusTotal: C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe => https://www.virustotal.com/file/c1a248a1227900a11c1a2c32a80af50f1482b18099374f3e7464ddc216ec345f/analysis/1516973612/
VirusTotal: C:\Users\User\AppData\Local\Temp\jow2dzfa.dll => https://www.virustotal.com/file/e423663fdd4cfce9ed88fd4c7a9c6a754271ae1c8a7c59b173e1065ffbc9c8b5/analysis/1517212137/
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk => moved successfully
C:\Users\User\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DEB54F2F-08A7-4B1C-B63C-7C4845FA1934} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DEB54F2F-08A7-4B1C-B63C-7C4845FA1934}" => removed successfully
C:\Windows\System32\Tasks\App Explorer => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\App Explorer" => removed successfully
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae92697-92cb-11e7-8180-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{2ae92697-92cb-11e7-8180-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5dc65b0b-3086-11e7-8029-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{5dc65b0b-3086-11e7-8029-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{68be13b2-14f3-11e7-bfbc-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{68be13b2-14f3-11e7-bfbc-ccb0dad6d454} => key not found
"HKU\S-1-5-21-176347147-2586957089-2691104427-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ce574921-2505-11e7-bff5-ccb0dad6d454}" => removed successfully
HKLM\Software\Classes\CLSID\{ce574921-2505-11e7-bff5-ccb0dad6d454} => key not found

==== End of Fixlog 15:49:07 ====

[Sass Drake]

Now install MCShield and follow instructions for it in:

https://forum.avast.com/index.php?topic=194892.0

[REDACTED]

What to do next?

[Pondus]

What to do next?

Have you done MCShield  instructions?

[REDACTED]

this?

[Asyn]

this?

Nope, see Reply #4 and follow instructions.

[Pondus]

this?

Nope, see Reply #4 and follow instructions.

or reply #1

[Michael (alan1998)]

this?

Nope, see Reply #4 and follow instructions.

Just to help clear this up as OP seems confused.

SPECIFIC INFECTIONS LOGS

==============================

# additional programme to run and install if you have used an infected USB stick

Please download installation for MCShield and save to your desktop and install the tool;
( installation is a classic "Next > Next > I Agree > ...> Finish" way )
Please wait for a sec. it will initially run a scan and show the result as a toaster by the system clock;
Then in the control centre select scanner and tick Always unhide items on flash drives;

Plug in the drive and MCShield will start the malware scan ...
Get the log which will be in Logs menu, AllScans.txt tab. Just click Save button and log will be located at your Desktop.
[/quote]

[REDACTED]

this one?

[Pondus]

this one?

NO, that log belongs to malwarebytes. Have you downloaded and installed MCShield ?   

See my first post above, also see picture in post by Michael (alan1998) above

alternative you can download it from here  >>  http://www.mcshield.net/download.html
when installed, you plug in your USB thumb drive. MCShield will then popup and scan the drive and a log will be created
This log you COPY / PASTE here

[REDACTED]

sory got confuse..LoL

[Pondus]

I said copy paste log .... NOT ATTACH

a forum issue make the MCShield log look like chinese when attached