Virus on Thumbdrive? win32.exe


mliraved

Hi everyone,

I'm running Vista 64 bit, all available updates, UAC enabled. I regularly scan my system with Spybot/Malwarebytes/AVG Free. I just plugged my month-old thumb drive into my computer and got an error that read: "win32.exe has stopped working." Perplexed, I googled it and found it's some sort of Trojan. Here's the best site I found:

WIN32.EXE, Prevx

At any rate, I was quite surprised when I couldn't find win32.exe on my task manager, even when I opted to show SYSTEM processes. I ran a search for it, including hidden and system files, and didn't find anything. Ran all my malware detection programs and didn't get any matches.

Feeling defeated, I restarted my system hoping to catch a glimpse of win32.exe in my task manager but it was also a no-go. Out of curiosity, I plugged in my thumb drive and got the same error message: win32.exe has stopped working, yadda yadda. I opened my task manager and finally saw it. When I right-clicked and asked task manager to "Open File Location," nothing happened. I selected "Properties" instead and found that win32.exe was actually "running" from my thumb drive!

E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

I tried to find the folder in question, with hidden files visible, but it just didn't exist. I'm beyond confused at the moment and am hoping one of you can help me out with some questions:

1. How the heck did a virus get onto my thumb drive?
2. How is this .exe attempting to run without my clicking on it?
3. How can it be attempting to run when it doesn't seem to exist?
4. Is my thumb drive still "infected" / is my computer now infected?

I got the thumb drive for free when I took a LexisNexis (legal database) orientation course at my law school -- it was a gift from the company itself, came in a fancy case, etc. I use it when I'm at school to transfer files between my Mac laptop and the school PCs/friends' PCs. I doubt the virus came from my Mac, as it can't even run executables...

Any help would be GREATLY appreciated!
 
Here's my HijackThis:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:19 AM, on 9/13/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O17 - HKLM\System\CCS\Services\Tcpip\..\{166B5BB3-8EAF-48C1-940D-48E05CAAD3F1}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{166B5BB3-8EAF-48C1-940D-48E05CAAD3F1}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{166B5BB3-8EAF-48C1-940D-48E05CAAD3F1}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: lxdj_device -   - C:\Windows\system32\lxdjcoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9149 bytes
 

1) Could have come from anywhere you had it plugged in.
2) and 3) Viruses are written in a million different ways, so who knows.
4) They both very well could be.

I would run Osiris' Spyware Guide - it's worked for me and countless others. Good luck!
 
oldskool,

Thanks for the reply. I ran an AVG scan on the USB drive and it found the culprit: an "infected" file called autorun.inf, which I deleted. Chances are I got it from plugging my USB into a friend's computer. I was relieved that AVG detected it, since it means it can detect it on my computer as well.

I'm running another full scan right now for good measure, but it seems I'm in the clear. The autorun.inf file referenced the missing win32.exe within the thumb drive. I have no idea how the E:\RECYCLER folder that housed win32.exe disappeared, but I'm glad it did!

I found this link helpful:
Preventing and Removing Autorun.inf Virus | Bleuken

For anyone who hasn't done it already, you can apparently "vaccinate" your USB against this autorun.inf virus by simply creating a folder named "AUTORUN.INF" in its root directory. Since the very premise of a thumb drive is to transfer files between computers, it's a good idea to do it. You never know if the second party is compromised.
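As an added example (not code from the original post or from any tool named in it), here is a small Python check a defender could run against the root of a mounted stick: it parses the launch keys of an autorun.inf, reports whether the executable they point at is actually present, and applies the AUTORUN.INF-folder vaccine described above. The sample autorun.inf, the RECYCLER path layout copied from the thread, and the temporary directory standing in for the drive root (`demo`) are constructed for the demonstration.

```python
"""Added example, not from the original post: check a drive root for an autorun.inf launcher."""
import configparser, os, tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # keys older Windows acts on when a drive is mounted
# Constructed sample modelled on the thread: launcher hidden in a RECYCLER\S-1-5-... folder
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\win32.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\win32.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def launch_targets(inf_text):
    """Programs the [autorun] section would launch; junk-padded files are flagged, not skipped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # '%' in icon= is literal
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return ["<unparseable autorun.inf: treat as suspicious>"]
    if not cp.has_section("autorun"):
        return []
    return [v.strip().strip('"') for k, v in cp.items("autorun")
            if k in LAUNCH_KEYS or k.startswith("shell\\")]

def inspect_drive(root):
    """(target, present) per launch target; '\\' mapped to os.sep for non-Windows mounts."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="latin-1", errors="replace") as fh:
        targets = launch_targets(fh.read())
    return [(t, os.path.exists(os.path.join(root, t.split()[0].replace("\\", os.sep))))
            for t in targets]

def vaccinate(root):
    """Create the AUTORUN.INF folder the thread recommends. Refuses while a live autorun.inf
    file is still present (Windows names are case-insensitive, so the two cannot coexist)."""
    if any(n.lower() == "autorun.inf" and os.path.isfile(os.path.join(root, n))
           for n in os.listdir(root)):
        return False
    os.makedirs(os.path.join(root, "AUTORUN.INF"), exist_ok=True)
    return os.path.isdir(os.path.join(root, "AUTORUN.INF"))

def demo():
    """Throwaway 'drive': drop the sample launcher, inspect, delete it, then vaccinate."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    before = inspect_drive(root)
    os.remove(os.path.join(root, "autorun.inf"))
    return before, vaccinate(root)
```

A launch target that is reported as absent is exactly the situation in the thread: the autorun.inf still points at a win32.exe in a RECYCLER folder that the user could no longer find.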
 
Thanks for sharing the information you found. :) Keep in mind, thumb drives are the culprits behind spreading viruses more frequently these days than they used to be, primarily because of the sheer number of people that use them to pass files back and forth.
 