Ah, sorry about that :-/ Let's try this again...
RKiller's report:
RKreport_fixshortcuts.txt
MBAR's results screen and report:
MBAM_results_screen.PNG
MBAM_scan_complete.PNG
mbam-log-2013-05-21 (16-53-08).txt
FYI, there were no boxes to check or uncheck for removal after MBAR's scan. Am I assuming correctly that's because it didn't find anything?
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[G:] \Device\CdRom2 -- 0x5 --> Skipped
[H:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume8 -- 0x3 --> Restored
Is the external drive [I:]?
Does it still show a shortcut?
Please go to: Downloading ListParts (64-bit)
Save to the Desktop.
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the Result.txt in your reply.
Next, please provide a screenshot of: Disk Management - Post a Screen Capture Image
Last edited by cottonball; 22 May 2013 at 09:53.
I still see the shortcut and receive the same pop-up window when I click it. But now, like the thread I first posted on, I see all my files in a new $RECYCLE.BIN folder. Good news: I can access my files! Should I worry that the the folder is titled "RECYCLE?"
external_files.PNG
On to, as Jumanji wrote, the therapy...
FARBAR scan results:
farbar_scan_report.txt
Disk Management screenshot:
diskmanagement_screenshot.PNG
Sorry, didn't answer the first part of your question. Yes, [I:] is the external!
ducat1base,
Are you using WinRAR to show them, or, are the files showing after using the Shortcut Fix?I see all my files in a new $RECYCLE.BIN folder
Are you able to take the contents of the $RECYCLE.BIN folder where you see the files, and move them to a folder in another USB drive, or in the computer's HDD?
If you can do the above, verify that the move was successful by checking the files in the folder where you moved them to.
The files are showing from the Shortcut Fix. I was able to move them to a different external and yes, all the files are opening!
Is my computer still compromised?
ducat1base,
Since Trojan.ZeroAccess can filter network traffic and steal personal information, it is in your best interest to go to a clean computer, and change any passwords to bank accounts,
credit card transactions, and the like. Use complex passwords to make it difficult to crack password files. This all helps to prevent or limit damage.
The results of the different scans do not show malware on the computer.
If you moved files to another USB drive, run Malwarebytes Anti-Malware once again, with the USB drive where you moved the files to plugged in. Make sure you perform
a Full Scan, and select the drives in quetion:
ZeroAccess! Attention: cottonball
As far as your external drive [I:] goes, plug it in also, and let MBAM scan it, and then we can do more work on it if you wish to use WinRAR or format the drive.
Other suggestions addressed by our colleague jumanji are here: External Hard Drive error ~$WV.FAT32
Last edited by cottonball; 27 May 2013 at 23:49.
Wait an infected svchost?When you open up task manager does it show a process by the name of "svchost 32*"?
Hi ducat1base,
I am limiting myself to your Toshiba External drive.
1. You have confirmed that you had moved all your data files to another media. If you had made sure all your data files are intact and nothing will be lost if you format your Toshiba external drive, then you may do so.
2. Before that, check the file location of the shortcut. Right click on the shortcut > Properties > Open file location. Let us know where that leads to and the exact file name. We shall know whether the root cause has been eliminated or still present.
3. Just for my curiosity and better insight: You have said that $RECYCLE.BIN contains all your data files. Fine. Now run WinRAR and explore your Toshiba external drive. Open each and every other folder and let us know what the other two folders (one unnamed folder and the other 02.ETTT contain.) ( WinRAR can show even superhidden files. That is why I am asking you to open those with WinRAR.) This is only for academic purpose as I have already said. Just information gathering. You may also name any other files/folders that may be seen. Better a screen capture.
4. To format your Toshiba external drive follow this procedure - this keeps Windows out of the loop, just in case your PC is still compromised. I think cottonball has asked you to run MBAM again. Please do that.
Run MiniTools Partition Wizard Home edition. Download the bootable CD version from Free download Magic Partition Manager Software, partition magic alternative, free partition magic, partition magic Windows 7 and server partition software - Partition Wizard Online (the last one on this page)
You may either burn the ISO to a CD and boot from it or create a bootable pen drive with that ISO using Rufus Rufus - Create bootable USB drives the easy way
Note: If you had created a bootable pen drive, when booting with it you have to type linux0 against the boot prompt and press Enter for the boot process to continue. ( It is zero and not the alphabet O. You may press TAB key to see all available options linux0, linux1, local, I think.)
Last edited by jumanji; 29 May 2013 at 22:20.
Hey Cottonball, thanks for all your help! For a guy who doesn't know much about computers, thanks for making the instructions clear and simple for me to do on my own. I learned a lot! I moved my files over to a new external and all my log-ins and passwords are changed. Much appreciated!
Jumanji, below are the screen captures from WinRAR. I don't know how, but the shortcut actually disappeared when I opened it this time, so no shortcut to explore. With inimitable logic I also named the blank folder "blank" so I could save the screenshot under a name, though in hindsight I suppose I could have done without the other. Here is what I see...
[I:]
02.ETTT folder contents
Blank folder contents
$RECYCLE.BIN
..its contents
------------
The size of MiniTools Partition Wizard Home is too big for me to download. (I'm serving with the Peace Corps in Cambodia and trying to do this from my village with a VPN. I can barely handle e-mail tasks and small file uploads!) I went ahead and downloaded the 11MB Enterprise version. Is it the same thing? This is what I see when I open it:
How can I format my drive from here?
Quote
