Hey guys, I got a problem. I'll just start off by saying this might sound stupid, 'cause no one I know has ever heard of anything like this. Well, 1 = every time I plug a USB into my PC, it installs or loads a hidden .exe file in there, and when I delete it and put my USB in there again after taking it out, it's there again, but it comes with a different name. It's been RUNDLE.exe, WINAMP.exe, EXPLORER.exe and a whole lot of other names, always in CAPITALS. And I know it's not the exe from my system files, 'cause that is still in the Windows directory, and it is not in capital letters.
I just ignored it all for a while until now. I tried to install Ableton Live 8.1.1, and after installation, when I try to run the program, it starts to load and then I get a message saying... "Static initializer not called"
So I emailed the Ableton Support team, and after a few emails they came to the conclusion that something has changed the Live file, or hooked on to it or something. They believe it could be a virus or something along those lines. That's what they said they can tell from the Live LOG file. So with this post I will attach the Live LOG file, and I will also attach the HIJACK THIS LOG file to help you guys help ME.
But before I do, I will put down my specs.

ASUS M51Sn LAPTOP, Intel CORE2DUO T9300 2.5 GHz, 3GB RAM
250GB HDD, NVIDIA 9500M GS 512 GRAPHICS CARD
WIFI (DISABLED), TV TUNER (DISABLED)

NOTE = Upon opening my USB to attach the files, there are those exe files I was talking about, but 'cause I'm at the library right now, their antivirus program has detected a virus. The pop-up message reads:

"Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Sality.AE
File: E:\BXPM.exe
Location: E:
Computer: 7FN8M1S
User: NTPublic
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, 3 March 2010 10:19:35 AM"

Attachment: Log2DANI WEB4HELP.txt

Anyways, thanks in ADVANCE GUYS, I hope I can finally fix these problems. PEACE OUT

Anyways guys, I uploaded 2 log files, Ableton Live and HijackThis, but I can only see the Live one, so I'm attaching the HijackThis LOG file here...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:46:53 AM, on 3/03/2010
Platform: Unknown Windows (WinNT 6.01.3004)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Wimp\Wimp.exe
C:\Program Files\Winamp\winamp.exe
C:\Users\G-MoTell\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocketdivision.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - 
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid, Inc. All rights reserved. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Avid, Inc. All rights reserved. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Privacyware network service (PFNet) - Privacyware/PWI, Inc. - C:\Program Files\Privacyware\Privatefirewall 6.1\pfsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3700 bytes

There is an infection on that USB device. If this is happening with multiple USB devices, then they all must be infected.
You need to stop the computer from using AutoPlay of USB devices in order to get the infection removed.
To do this, do the following:
Start Menu \ Run and type in: gpedit.msc
You will see the Group Policy window. You should select Administrative Templates \ System in the tree view:
You will see an item in the right side pane called “Turn off Autoplay”
Double click the item, and set the radio button to Enabled, and change the “Turn off Autoplay on” to All Drives.

Next do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
Once the program is updated, plug in that infected USB device. DON'T do anything with it, just plug it in. It shouldn't auto play if you disabled it correctly.
* Once the program has loaded, select Perform full scan. You should receive a box where you select the drives to scan; of course scan the "C" drive of the computer AND also place a check mark next to that USB drive, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

Post back here with the MBA-M log.

Are you running Windows 7? This HJT log is very odd looking; only 5 running processes are showing, not nearly enough. HJT doesn't work on Windows 7, so that would explain it if that is the case.
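Added example, not part of the original thread or written by any poster: a read-only check of a drive root for the pattern described above (executables sitting in the root, hidden, with all-capital names) and for any program an autorun.inf file in that root would launch. The file names in make_sample are constructed, modelled on the names in the post, and the drive letter in the usage comment is an assumption; the script lists files and never runs or deletes anything.

```python
import sys
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit

def is_hidden(path):
    # st_file_attributes exists only on Windows; elsewhere this reports False.
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def autorun_commands(root):
    """Commands an autorun.inf in `root` names. They are read, never run."""
    found = []
    for entry in Path(root).iterdir():
        if entry.name.lower() != "autorun.inf" or not entry.is_file():
            continue
        # latin-1 decodes any byte, so junk padding lines cannot raise.
        for line in entry.read_text(encoding="latin-1").splitlines():
            key, sep, value = line.strip().partition("=")
            key, value = key.strip().lower(), value.strip()
            is_shell = key.startswith("shell\\") and key.endswith("\\command")
            if sep and value and (key in ("open", "shellexecute") or is_shell):
                found.append(value)
    return found

def triage(root):
    """Report root-level executables with the traits described in the post."""
    targets = {c.split()[0].strip('"').lstrip("\\").lower()
               for c in autorun_commands(root)}
    return [{"name": e.name,
             "hidden": is_hidden(e),
             "all_caps": e.stem.isupper(),
             "autorun_target": e.name.lower() in targets}
            for e in sorted(Path(root).iterdir())
            if e.is_file() and e.suffix.lower() in EXEC_EXTS]

def make_sample(root):
    """Constructed sample drive root: empty files, names modelled on the post."""
    root = Path(root)
    (root / "autorun.inf").write_text("[autorun]\n;junk\nOPEN=BXPM.exe\n")
    for name in ("BXPM.exe", "setup.exe", "notes.txt"):
        (root / name).write_bytes(b"")
    return root

if __name__ == "__main__":
    # Pass a drive root such as E:\ ; with no argument the sample is used.
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    for row in triage(root):
        print(row)
```

The hidden flag is only meaningful when the script runs on Windows. A row with autorun_target set to True is a file that would have been launched from the drive had AutoPlay not been turned off.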

HEY,
Thanks for the reply. Anyways, I already have MALWAREBYTES installed, and I've run the program dozens of times with no luck. It has not picked up anything. I've tried all the big-name antivirus, I've also tried a few different malware software, no detection. HOW COME?
I know there's something in my PC, that's why at the moment I'm not using it for the internet until I sort this out, and I am not keen on doing a re-install at all, because I've already done one about 9 weeks ago because of this. But I will try your steps just to make sure anyway, and I will post the MalwareBytes LOG file here.

Oh yeah, yes, I'm running Windows 7.
Thanks for your help.

That's great that you have MBA-M and have run it a number of times. I have seen no logs, so I cannot judge whether they were run correctly. Did you run it solely on the infected USB devices? That is what I recommended.
A reformat and reinstall should have removed any infected files if done properly, and if that is the case, then this points even more to the USB device being the source of the infection.
