http://www.bleepingcomputer.com/forums/ ... e-problem/
and
http://www.bleepingcomputer.com/forums/ ... f-malware/
but as you can see, I was told that I had no choice except to format my hard disk and clean-install the OS, because this malware system was highly elusive and sophisticated. My concern is that I have a portable hard disk to which I have to back up my personal files [documents, photos, movies, etc.], and if I connect it back to my laptop after clean-installing the OS, won't the malware return? I can clearly see for sure that the malware infects any USB drive I connect to my laptop. I am not enough of a geek to interpret the results of tools like GMER, but I have some files under suspicion [though I'm not sure]:
a) inside "C:\Windows\System32"
[1]
.crusader
[PS: I have never before seen a file with the extension 'crusader' and no name.] Its content is:
<Actions><Group name=""><File path="C:\user files\U\Collection\software\internet software\CoffeeCup HTML Editor 12.6 Build 448 Portable\SKEL\0679f2b994c7952ede4c69955fd421b4169795ff.SharedTA" rootkit="yes" /></Group><Group name=""><File path="C:\user files\U\Collection\software\internet software\CoffeeCup HTML Editor 12.6 Build 448 Portable\SKEL\1b6da2a1fe16536314695069a587fb4008d12786.SharedTA" rootkit="yes" /></Group><Group name=""><File path="C:\user files\U\Collection\software\internet software\CoffeeCup HTML Editor 12.6 Build 448 Portable\SKEL\205139f4bef28987bc4374e3145d52344e53353c.Tls" rootkit="yes" /></Group><Group name=""><File path="C:\user files\U\Collection\software\internet software\CoffeeCup HTML Editor 12.6 Build 448 Portable\SKEL\41cfaca9f4d8be21d5eccacff939bb5dd64b23fc.Tls" rootkit="yes" /></Group></Actions>
[2] PerfStringBackup.INI
[3] HideMyIpSRVOff.ini
[4] NOISE.THA
[5] activity.txt
[6] AdmList.txt
[7] HP_ActiveX_Patch_NOT_DETECTED.txt
[8] gatherNetworkInfo.vbs
[9] onlinesetup.cmd
[10] winrm.cmd
[11] manage-bde.wsf
[12] "C:\Windows\System32\drivers\aq9vzx4r.sys"
b) stubborn files and folders:
[13] "<drive>:\System Volume Information"
[14] "<drive>:\System Volume Information\tracking.log"
[15] "H:\$Extend\$ObjId"
and other files which make safe removal of USB mass storage devices impossible because of a 'file under use' reason; these have 'hidden' and 'system' attributes, and clearing these attributes crashes Windows Explorer. Here <drive> is C, D, E (local drives) and H (portable drive).
c) [16] Notepad starts up on booting to display this:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
d) suspicious processes and process IDs [not sure though]:
[17] 75dff2b7- 6936- 4c06- a8bb- 676a7b00b24b
[18] WLIDSVCM.exe 3040
[19] AB8902B4- 09CA- 4BB6- B78D- A8F59079A8D5
[20] rundll32.exe 995C996E- D918- 4A8C- A302- 45719A6F4EA7
e) not sure about:
[21] "C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0"
[22] "C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0"
I cannot afford to lose my huge collection of personal files. Do I have any hope? Can anyone help? Thanks in advance.