Data not appearing on external hdd

Original post:
Hello,

A few days ago I used my external hdd for the first time in a while. I was surprised to find only a single locked folder with a bunch of random letters on it. Inside of it was an application file called mrtstub. It is supposedly a legitimate Microsoft file included in updates that is supposed to auto-delete itself but glitches frequently if interrupted. Why it installed itself to my external hdd and not my main one I have no idea. I know all of my data is there because it shows over 200 GB of data in use, and whenever I unplug/re-plug my external hdd McAfee will auto-scan all 50,000+ files.

So far I have tried plugging it into a different computer; that did nothing. I also tried deleting the numbered folder, but all that did was leave my hdd "looking" completely empty (I have since restored the numbered folder in case I need it later). I have also tried a few oddball fixes, but I think they were meant to solve different issues than my own. Please help, I can't find any solutions online. I've come across a few other forums with people having the same exact problem as me, but no one has come up with a solution yet. Thanks again, I would hate to lose all of this data!


Ambucias (Moderator):
Hello,

Sorry for the late reply.

mrtstub is definitely malware

Should you need further assistance, please let me know.

Regards

Ambucias
Virus security contributor
Original poster:

I researched mrtstub before posting and I just double-checked. It is a real file that Microsoft has been including in its service updates. I just re-scanned my external hdd and it came up clean. I also checked the digital signature, and mrtstub has an authentic Microsoft signature on it. Some viruses use the name mrtstub to confuse people, but that is not the case here. Like I said, I have come across a few other people online with the same exact problem as myself, but no one has offered up any solutions. Honestly I wish it was a virus, because I could fix it then; I've never come across anything like this before. Any other ideas? Thank you!
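The two checks the poster describes (whether the data is still on the volume but hidden from Explorer, and whether mrtstub.exe carries a genuine Microsoft Authenticode signature) can both be done from PowerShell without a third-party tool. The script below is an added example and is not part of this thread or of any tool mentioned in it; it assumes the external drive is E:\ and that the suspect binary sits at E:\mrtstub.exe, both placeholders to adjust to the real drive letter and the oddly named folder. Step 3 is the only part that changes the drive and is left commented out.

```powershell
# Added example: inspect a drive that "looks empty" and verify a suspect binary.
# Assumptions (not from the thread): drive letter E:\ and the path of mrtstub.exe.
# Requires PowerShell 4 or later (Get-FileHash); run from an elevated prompt.
param(
    [string]$Drive   = 'E:\',
    [string]$Suspect = 'E:\mrtstub.exe'
)

$hiddenMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# 1. What Explorer shows versus what is really on the volume.
#    -Force includes Hidden and System entries (and descends into hidden
#    directories) that a plain listing omits.
$visible = @(Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue)
$all     = @(Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue)
$hidden  = @($all | Where-Object { ([int]$_.Attributes -band $hiddenMask) -ne 0 })
$hiddenBytes = ($hidden | Measure-Object -Property Length -Sum).Sum

"Visible files : {0}" -f $visible.Count
"All files     : {0}" -f $all.Count
"Hidden/System : {0} files, {1:N1} GB" -f $hidden.Count, ($hiddenBytes / 1GB)

# Top-level entries carrying Hidden or System. User folders flagged this way are
# the usual reason a drive reports hundreds of GB in use but shows nothing.
Get-ChildItem -Path $Drive -Force |
    Where-Object { ([int]$_.Attributes -band $hiddenMask) -ne 0 } |
    Select-Object Name, Attributes, LastWriteTime |
    Format-Table -AutoSize

# 2. Authenticode check of the suspect file: status, signer, issuer, hash.
#    Status 'Valid' with a Microsoft subject means the file is genuine; it says
#    nothing about how it got onto a removable drive or where the data went.
if (Test-Path -LiteralPath $Suspect) {
    $sig = Get-AuthenticodeSignature -FilePath $Suspect
    [pscustomobject]@{
        Path   = $Suspect
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
        SHA256 = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash
    } | Format-List
} else {
    "Suspect file not found: $Suspect"
}

# 3. Only once you are satisfied the data is merely hidden: clear the attributes.
#    Left commented out because it modifies the drive; uncomment deliberately.
# Get-ChildItem -Path $Drive -Recurse -Force | ForEach-Object {
#     $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band -bnot $hiddenMask)
# }
```

The number worth looking at first is the Hidden/System count against the visible count: if they account for the 200 GB the drive reports, the files were never deleted. A valid signature on mrtstub.exe is consistent with what the poster found and, on its own, rules nothing in or out about the rest of the system.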
Ambucias (Moderator):
To help you and prescribe a remedy, I must make a diagnosis, and to do so I require a system log.

1. Open this link and download ZHPDiag2 :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download if you get a warning message. Once installed, clicking on the "hardhat" icon allows you to change the language.)

2. Save the file on your Desktop.

3. Double-click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix in the next step).

4. Double-click on the ZHPDiag shortcut on your Desktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the magnifying glass and run the analysis.

Wait for the tool to finish (it may take a long time).

7. Close ZHPDiag.

8. To transmit the report, click on this link :

https://authentification.site

9. Click on Parcourir (Browse) and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

10. Select the file ZHPDiag.txt.

11. Click on "upload".

12. Copy the URL and post it here.

Best regards
Ambucias (Moderator):
Just a comment: mrtstub (Malicious Software Removal Tool) is sometimes legitimate when it comes with a Windows security update; in your case it seems to be a disguise, because it should not get onto an external drive.
Original poster:
Ok, I did as you asked. In all honesty I'm not sure how this will help with the external hdd, but I'm desperate to get my files back so I'll try anything. Here is the link.

http://speedy.sh/CnzVb/ZHPScan.txt
Original poster:
Also thanks again for your time, I'm very puzzled with this problem.
Original poster:
One last thing: after I ran the program I could not find a file named ZHPDiag.txt; however, I did find the file posted above (ZHPScan) and I assumed that was it. Let me know if it isn't.
Original poster:
Sorry for all of the posts, I just closed out of my browser and saw the correct file. It was saved to my desktop, I didn't think about looking there. Here is the CORRECT file this time. Again sorry.

http://speedy.sh/QMWc5/ZHPDiag.txt
Ambucias (Moderator):
Greetings Merciless Nick,

Thanks for the log.

Indeed your system is infected and I assume that you are curious to know the bugs that are infesting it.

1. Adware.Yontoo
2. Adware.PriceGong
3. Trojan.FakeAlert
4. Adware.IMBooster
5. Toolbar Agent
6. One infected Browser Helper Object
7. PUP infection

The Ask Toolbar is a potential spyware.

Now I also assume that you would appreciate a few hints on how to send all of those viruses to the glue factory, right?

Just for you, in Buffalo, N.Y. I have prepared a medicinal compound and treatment schedule.

1. Go to these files and delete them:

C:\ProgramData\{D13C0989-F3EC-4F44-A33D-B3F83DF90FAF}

C:\ProgramData\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}

2. On your desktop, ZHP Diag created ZHP Fix.

A) Launch it and click on the big H
B) Copy and paste the following lines into the window
C) Click on GO and close ZHP Fix

G1 - GCS: Preference [User Data\Default] http://www.search.ask.com/?o=10148&l=dis
R0 - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page
R0 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page
R1 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/
O2 - BHO: (no name) [64Bits] - {462be121-2b54-4218-bf00-b9bf8135b23f} Orphean Key
O4 - Global Startup: C:\Users\Nick\Desktop\File_Recovery.lnk . (...) -- C:\ProgramData\oBILE9DE6S4xME.exe (.not file.)
O4 - Global Startup: C:\Users\Nick\Desktop\Spybot - Search & Destroy.lnk . (.Safer Networking Limited.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
O4 - Global Startup:C:\Users\Nick\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk . (...) -- C:\ProgramData\oBILE9DE6S4xME.exe (.not file.)
O23 - Service: McAfee Application Installer Cleanup (00 (0034621348629168mcinstcleanup) . (...) - C:\Windows\TEMP\003462~1.exe (.not file.)
O42 - Logiciel: Escape Rosecliff Island - (.WildTangent.) [HKLM][64Bits] -- WT087360
O42 - Logiciel: FATE - (.WildTangent.) [HKLM][64Bits] -- WT087361 => WildTangent Game
O42 - Logiciel: Final Drive Nitro - (.WildTangent.) [HKLM][64Bits] -- WT087362 => WildTangent Game
O42 - Logiciel: HP Game Console - (.WildTangent.) [HKLM][64Bits] -- My HP Game Console => WildTangent Game
O42 - Logiciel: Polar Bowler - (.WildTangent.) [HKLM][64Bits] -- WT087396 => WildTangent Game
O42 - Logiciel: Polar Golfer - (.WildTangent.) [HKLM][64Bits] -- WT087397
O42 - Logiciel: Spybot - Search & Destroy - (.Safer Networking Limited.) [HKLM][64Bits] -- {B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 => Safer Networking Limited Spybot - S&D
O43 - CFD: 9/17/2012 - 3:02:40 PM - [50.665] ----D C:\Program Files (x86)\Spybot - Search & Destroy
O43 - CFD: 9/17/2012 - 3:18:34 PM - [0.264] ----D C:\ProgramData\Spybot - Search & Destroy => Spybot - Search & Destroy
O43 - CFD: 12/17/2011 - 2:13:03 AM - [0] ----D C:\Users\Nick\AppData\Local\HP MediaSmart Video
O43 - CFD: 9/17/2012 - 3:02:40 PM - [50.665] ----D C:\Program Files (x86)\Spybot - Search & Destroy
O69 - SBI: SearchScopes [HKCU] {79DB746B-7881-4C42-8380-31DE9DB9DE14} - (Ask Search) - http://www.search.ask.com/?o=10148&l=dis
O87 - FAEL: "{F8D8B4AF-7130-4DFA-B1EC-FADE6E57A1AB}" |In - None - P17 - TRUE | .(...) -- E:\setup\hpznui40.exe (.not file.)
G0 - GCSP: Preference [User Data\Default][HomePage] https://fr.ask.com/?o=0&l=dir&ad=dirN => ZHPHosts White List
M3 - MFPP: Plugins - [Nick] -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\searchplugins\askcom.xml
M0 - MFSP: prefs.js [Nick - vr5ceq2d.default] https://fr.ask.com/?o=0&l=dir&ad=dirN => ZHPHosts White List
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com
O2 - BHO: (no name) [64Bits] - {D4027C7F-154A-4066-A1AD-4243D8127440} Orphean Key
[MD5.B0EC253506BEE5CC1B004CD0E7A698E9] [APT] [Scheduled Update for Ask Toolbar] (...) -- C:\Program Files (x86)\Ask.com\UpdateTask.exe
O42 - Logiciel: Ask Toolbar - (.Ask.com.) [HKLM][64Bits] -- {86D4B82A-ABED-442A-BE86-96357B70F4FE}
O42 - Logiciel: Ask Toolbar Updater - (.Ask.com.) [HKCU][64Bits] {79A765E1-C399-405B-85AF-466F52E918B0}
[HKCU\Software\APN]
[HKCU\Software\AppDataLow\Software\AskToolbar]
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\AppDataLow\Software\Conduit] => Toolbar.Conduit
[HKCU\Software\AppDataLow\Software\Smartbar] => Toolbar.Agent
[HKCU\Software\AppDataLow\Toolbar] => Toolbar.Conduit
[HKCU\Software\Ask.com] => Toolbar.Ask
[HKLM\Software\Wow6432Node\APN] => Toolbar.eBay
[HKLM\Software\Wow6432Node\AskToolbar] => Toolbar.Ask
[HKLM\Software\Wow6432Node\Conduit] => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:25:54 PM - [3.489] ----D C:\Program Files (x86)\Ask.com => Toolbar.Ask
O43 - CFD: 9/2/2012 - 6:50:06 PM - [0.609] ----D C:\Program Files (x86)\Conduit => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:24:54 PM - [0.165] ----D C:\Users\Nick\AppData\Local\APN => Toolbar.eBay
O43 - CFD: 9/2/2012 - 6:49:54 PM - [0.063] ----D C:\Users\Nick\AppData\Local\Conduit => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:25:54 PM - [3.489] ----D C:\Program Files (x86)\Ask.com => Toolbar.Ask
O43 - CFD: 9/2/2012 - 6:50:06 PM - [0.609] ----D C:\Program Files (x86)\Conduit => Toolbar.Conduit
O69 - SBI: C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\searchplugins\askcom.xml => Plugin Mozilla Firefox Ask.com
O69 - SBI: prefs.js [Nick - vr5ceq2d.default] user_pref("extensions.asktb.ff-original-keyword-url", ""); => Toolbar.Ask
O69 - SBI: SearchScopes [HKCU] {2fa28606-de77-4029-af96-b231e3b8f827} - (Ask.com) - https://www.search.ask.com/ => Toolbar.Ask
O69 - SBI: SearchScopes [HKCU] {5237317A-6EFF-4413-9B4E-12EF65758F8C} - (WhiteSmoke US New Customized Web Search) - http://search.conduit.com => Toolbar.Conduit
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}] => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}] => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}] => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}] => Toolbar.Agent
[HKCU\Software\APN] => Toolbar.eBay
[HKLM\Software\WOW6432Node\APN] => Toolbar.eBay
[HKCU\Software\Ask.com] => Toolbar.Ask
[HKCU\Software\Ask.com] => Toolbar.Ask
[HKCU\Software\AppDataLow\Software\AskToolbar] => Toolbar.Ask
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\AppDataLow\Toolbar] => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}] => Toolbar.Ask
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]:{00000000-6E41-4FD3-8538-502F5495E5FC} => Toolbar.Ask
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{D4027C7F-154A-4066-A1AD-4243D8127440} => Toolbar.Ask
C:\Program Files (x86)\Ask.com => Toolbar.Ask
C:\Program Files (x86)\Conduit => Toolbar.Conduit
C:\Users\Nick\AppData\Local\Conduit => Toolbar.Conduit
C:\Users\Nick\AppData\LocalLow\AskToolbar => Toolbar.Ask
C:\Users\Nick\AppData\LocalLow\Conduit => Toolbar.Conduit
C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\Extensions\toolbar@ask.com
M2 - MFEP: prefs.js [Nick - vr5ceq2d.default\plugin@yontoo.com] [] Yontoo v1.20.00 (.Yontoo LLC.)
O2 - BHO: (no name) [64Bits] - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} Orphean Key
[HKCU\Software\AppDataLow\Software\PriceGong]
[HKLM\Software\Wow6432Node\Iminent]
O44 - LFC:[MD5.A103FDF7348130EF3F3FEF56B1700A27] - 9/2/2012 - 5:50:09 PM ---A- . (...) -- C:\END [9]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
C:\Users\Nick\AppData\LocalLow\PriceGong

3. Finally, download, install and run Malwarebytes, which you can find on this site:

https://ccm.net/download/download-105-malwarebytes-anti-malware

Make sure you update it first.

Boot your computer in safe mode.

Plug in your external drive.

Please request a FULL system scan on all drives, which may take from 20 minutes to hours. Do not interfere no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone With The Wind or reading Tolstoy's War and Peace. (I made Rockefeller Oysters and Cherry Jubilee.)

If Malwarebytes restarts your system, launch it again to finish the full scan.

When the scan is completed, delete all items found.

Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

4. Send me a brand new ZHP Diag log.

5. Good luck
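The ZHPFix list above doubles as an indicator set, and the "send me a new log" step is easier to judge if you have re-checked those indicators yourself. The PowerShell audit below is an added example; it is not part of the moderator's post and is not code from ZHPDiag, ZHPFix or Malwarebytes. It re-tests the registry keys, the three BHO CLSIDs, the leftover directories, the Ask updater scheduled task and the startup shortcuts whose targets are gone (the "(.not file.)" entries). Indicator values are copied from the list; the only assumption is that user paths are taken from the current user's environment variables rather than hard-coded to C:\Users\Nick, so it must be run as the affected user.

```powershell
# Added example: re-audit the indicators from the ZHPFix list after cleanup.
# Run as the affected user from an elevated prompt. Indicator values below are
# copied from the list; user paths come from environment variables (assumption).
$regKeys = @(
    'HKCU:\Software\Ask.com', 'HKCU:\Software\APN',
    'HKCU:\Software\AppDataLow\Software\AskToolbar',
    'HKCU:\Software\AppDataLow\Software\Conduit',
    'HKCU:\Software\AppDataLow\Software\ConduitSearchScopes',
    'HKCU:\Software\AppDataLow\Software\Smartbar',
    'HKCU:\Software\AppDataLow\Software\PriceGong',
    'HKCU:\Software\AppDataLow\Toolbar',
    'HKLM:\Software\Wow6432Node\APN', 'HKLM:\Software\Wow6432Node\AskToolbar',
    'HKLM:\Software\Wow6432Node\Conduit', 'HKLM:\Software\Wow6432Node\Iminent'
)
$bhoClsids = @('{462be121-2b54-4218-bf00-b9bf8135b23f}',
               '{D4027C7F-154A-4066-A1AD-4243D8127440}',
               '{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}')
$dirs = @("${env:ProgramFiles(x86)}\Ask.com", "${env:ProgramFiles(x86)}\Conduit",
          "$env:LOCALAPPDATA\Conduit", "$env:LOCALAPPDATA\APN",
          "$env:USERPROFILE\AppData\LocalLow\AskToolbar",
          "$env:USERPROFILE\AppData\LocalLow\Conduit",
          "$env:USERPROFILE\AppData\LocalLow\PriceGong")

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail })
}

# Registry keys and directories the fix was supposed to remove.
foreach ($k in $regKeys) { if (Test-Path $k) { Add-Finding 'RegKey' $k 'still present' } }
foreach ($d in $dirs)    { if (Test-Path -LiteralPath $d) { Add-Finding 'Dir' $d 'still present' } }

# Every registered Browser Helper Object, 32- and 64-bit views: flag the three
# listed CLSIDs plus any BHO whose DLL is missing or not validly signed.
$bhoRoots = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
              'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem $root) {
        $clsid = $entry.PSChildName
        $dll = $null
        foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
            $p = Get-ItemProperty "$hive\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($p) { $dll = [Environment]::ExpandEnvironmentVariables($p.'(default)'); break }
        }
        $note = if (-not $dll) { 'orphan: no InprocServer32' }
                elseif (-not (Test-Path -LiteralPath $dll)) { "dll missing: $dll" }
                elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') { "unsigned or invalid: $dll" }
                else { "ok: $dll" }
        if ($bhoClsids -contains $clsid -or $note -notlike 'ok:*') { Add-Finding 'BHO' $clsid $note }
    }
}

# Shortcuts in the startup folders, Quick Launch and the desktop whose target is gone.
$wsh = New-Object -ComObject WScript.Shell
$lnkDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
             "$env:USERPROFILE\Desktop")
foreach ($lnk in Get-ChildItem -Path $lnkDirs -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
    if ($target -and -not (Test-Path -LiteralPath $target)) { Add-Finding 'DanglingLnk' $lnk.FullName $target }
}

# The Ask updater task (schtasks also works on Windows 7, unlike Get-ScheduledTask).
$null = schtasks /Query /TN 'Scheduled Update for Ask Toolbar' 2>$null
if ($LASTEXITCODE -eq 0) { Add-Finding 'Task' 'Scheduled Update for Ask Toolbar' 'still registered' }

if ($findings.Count -eq 0) { 'No listed indicators remain.' } else { $findings | Format-Table -AutoSize }

# Matching the final step in the post: once clean, take a fresh restore point.
# Checkpoint-Computer -Description 'After adware cleanup'
```

A dangling shortcut such as File_Recovery.lnk pointing at a file under C:\ProgramData that no longer exists is harmless by itself, but it is the trace of something that did run from there, so it belongs in the findings even after the executable is gone. The BHO loop deliberately reports more than the three listed CLSIDs: an unsigned or missing in-process DLL registered as a helper object is worth a look regardless of whether a log tagged it.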
Reply from another member:
Hey, you got hijacked :-(

I had the same issues as you with two of the infections I saw: Yontoo and PriceGong.
Don't be frightened; they can be easily removed.

These are the articles I read that helped me; I hope they help you too:
http://www.americanpendulum.com/en/2012/11/01/remove-yontoo-layers-client/
http://www.americanpendulum.com/en/tag/pricegong-virus-removal/
https://forums.malwarebytes.com/topic/113649-what-is-yontoo-and-how-do-i-remove-it/

Remember to clean your cookies and check for leftover infections by running a scan with an antivirus program.