Data not appearing on external hddClosed

Question

Hello, 

A few days ago I used my external hdd for the first time in awhile.  I was surprised to find only a single locked folder with a bunch of random letters on it.  Inside of it was an application file called mrtstub.  It is supposedly a legitimate Microsoft file included in updates that is suppose to auto delete itself but glitches frequently if interrupted.  Why it installed itself to my external hdd and not my main one I have no idea.  I know all of my data is there because it shows over 200gb of data in use and whenever I unplug/re-plug my external hdd McAfee will auto scan all 50000+ files. 

So far I have tried plugging it into a different computer, that did nothing.  I also tried deleting the numbered folder, but all that did was leave my hdd "looking" completely empty (I have since restored the numbered folder in case I need it later).  I have also tried a few oddball fixes, but I think they were meant to solve different issues than my own.  Please help I can't find any solutions online.  I've come across a few other forums with people having the same exact problem as me...but no one has come up with a solution yet.  Thanks again, I would hate to loose all of this data!

Configuration: Windows 7 / Chrome 21.0.1180.89

Ambucias · Answer

Hello,

Sorry for the late reply.

mrtstub is definitely malware

Should you need further assistance, please let me know.

Regards

Ambucias
Virus security contributor

Ambucias · Answer

To help you and precribe a remedy, I must make a diagnostic and to do so, I require a system log. 
.

1. Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon allows to change the language.)

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step). 

4. Double click on the short cut ZHPDiag on your Destktop. 

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

7. Close ZHPDiag. 

8. To transmit the report, click on this link : 

https://authentification.site 

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

10. Select the file ZHPDiag.txt. 

11. Click on "upload » 

12. Copy the url and post it here

Best regards

Ambucias · Answer

Just a comment, mrtstub (malicious software removal tool) is sometimes legitimate when it comes with a Windows security update, in your case, it seems to be a disguise because it should not get on an external drive.

Merciless911 · Answer

Ok I did as you asked. In all honestly I'm not sure how this will help with the external hdd, but I'm desperate to get my files back so I'll try anything. Here is the link. http://speedy.sh/CnzVb/ZHPScan.txt

Ambucias · Answer

Greetings Merciless Nick,

Thanks for the log.

Indeed your system is infected and I assume that you are curious to know the bugs that are infesting it.

1. Adware.Yontoo
2. Adware.PriceGong
3. Trojan.FakeAlert
4. Adware.IMBooster
5. Toolbar Agent
6. One infected Browser Helper Object
7. PUP infection

The Ask Toolbar is a potential spyware.

Now I also assume that you would appreciate a few hints on how to send all of those viruses to the glue factory, right?

Just for you, in Buffalo, N.Y. I have prepared a medicinal compound and treatment schedule.

1. Go to these files and delete them:

C:\ProgramData\{D13C0989-F3EC-4F44-A33D-B3F83DF90FAF

C:\ProgramData\{D3B41B92-9BC2-43EB-916A-4FA9E8191837

2. On your desktop, ZHP Diag created ZHP Fix.  

A) Launch it and click on the big H
B) Copy and paste the following files in the window
C) Click on GO and close ZHP Fix

G1 - GCS: Preference [User Data\Default] http://www.search.ask.com/?o=10148&l=dis    
R0 - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page 
R0 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page 
R1 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/    
O2 - BHO: (no name) [64Bits] - {462be121-2b54-4218-bf00-b9bf8135b23f} Orphean Key    
O4 - Global Startup: C:\Users\Nick\Desktop\File_Recovery.lnk . (...)  -- C:\ProgramData\oBILE9DE6S4xME.exe (.not file.)    
O4 - Global Startup: C:\Users\Nick\Desktop\Spybot - Search & Destroy.lnk . (.Safer Networking Limited.)  -- C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe    
O4 - Global Startup:C:\Users\Nick\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk . (...)  -- C:\ProgramData\oBILE9DE6S4xME.exe (.not file.)   
O23 - Service: McAfee Application Installer Cleanup (00 (0034621348629168mcinstcleanup) . (...) - C:\Windows\TEMP\003462~1.exe (.not file.)   
O42 - Logiciel: Escape Rosecliff Island - (.WildTangent.) [HKLM][64Bits] -- WT087360    O42 - Logiciel: FATE - (.WildTangent.) [HKLM][64Bits] -- WT087361    => WildTangent Game
O42 - Logiciel: Final Drive Nitro - (.WildTangent.) [HKLM][64Bits] -- WT087362    => WildTangent Game
O42 - Logiciel: HP Game Console - (.WildTangent.) [HKLM][64Bits] -- My HP Game Console    => WildTangent Game
O42 - Logiciel: Polar Bowler - (.WildTangent.) [HKLM][64Bits] -- WT087396    => WildTangent Game
O42 - Logiciel: Polar Golfer - (.WildTangent.) [HKLM][64Bits] -- WT087397  O42 - Logiciel: Spybot - Search & Destroy - (.Safer Networking Limited.) [HKLM][64Bits] -- {B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1    => Safer Networking Limited Spybot - S&D
O43 - CFD: 9/17/2012 - 3:02:40 PM - [50.665] ----D C:\Program Files (x86)\Spybot - Search & Destroy   O43 - CFD: 9/17/2012 - 3:18:34 PM - [0.264] ----D C:\ProgramData\Spybot - Search & Destroy    => Spybot - Search & Destroy
O43 - CFD: 12/17/2011 - 2:13:03 AM - [0] ----D C:\Users\Nick\AppData\Local\HP MediaSmart Video   O43 - CFD: 9/17/2012 - 3:02:40 PM - [50.665] ----D C:\Program Files (x86)\Spybot - Search & Destroy    O69 - SBI: SearchScopes [HKCU] {79DB746B-7881-4C42-8380-31DE9DB9DE14} - (Ask Search) - http://www.search.ask.com/?o=10148&l=dis O87 - FAEL: "{F8D8B4AF-7130-4DFA-B1EC-FADE6E57A1AB}" |In - None - P17 - TRUE | .(...) -- E:\setup\hpznui40.exe (.not file.) 
G0 - GCSP: Preference [User Data\Default][HomePage] https://fr.ask.com/?o=0&l=dir&ad=dirN    => ZHPHosts White List
M3 - MFPP: Plugins - [Nick] -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\searchplugins\askcom.xml    
M0 - MFSP: prefs.js [Nick - vr5ceq2d.default] https://fr.ask.com/?o=0&l=dir&ad=dirN    => ZHPHosts White List
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com  
O2 - BHO: (no name) [64Bits] - {D4027C7F-154A-4066-A1AD-4243D8127440} Orphean Key  
[MD5.B0EC253506BEE5CC1B004CD0E7A698E9] [APT] [Scheduled Update for Ask Toolbar] (...) -- C:\Program Files (x86)\Ask.com\UpdateTask.exe
O42 - Logiciel: Ask Toolbar - (.Ask.com.) [HKLM][64Bits] -- {86D4B82A-ABED-442A-BE86-96357B70F4FE}   
O42 - Logiciel: Ask Toolbar Updater - (.Ask.com.) [HKCU][64Bits]  {79A765E1-C399-405B-85AF-466F52E918B0}   
[HKCU\Software\APN]  
[HKCU\Software\AppDataLow\Software\AskToolbar]   
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes]    => Toolbar.Conduit
[HKCU\Software\AppDataLow\Software\Conduit]    => Toolbar.Conduit
[HKCU\Software\AppDataLow\Software\Smartbar]    => Toolbar.Agent
[HKCU\Software\AppDataLow\Toolbar]    => Toolbar.Conduit
[HKCU\Software\Ask.com]    => Toolbar.Ask
[HKLM\Software\Wow6432Node\APN]    => Toolbar.eBay
[HKLM\Software\Wow6432Node\AskToolbar]    => Toolbar.Ask
[HKLM\Software\Wow6432Node\Conduit]    => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:25:54 PM - [3.489] ----D C:\Program Files (x86)\Ask.com    => Toolbar.Ask
O43 - CFD: 9/2/2012 - 6:50:06 PM - [0.609] ----D C:\Program Files (x86)\Conduit    => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:24:54 PM - [0.165] ----D C:\Users\Nick\AppData\Local\APN    => Toolbar.eBay
O43 - CFD: 9/2/2012 - 6:49:54 PM - [0.063] ----D C:\Users\Nick\AppData\Local\Conduit    => Toolbar.Conduit
O43 - CFD: 8/28/2012 - 7:25:54 PM - [3.489] ----D C:\Program Files (x86)\Ask.com    => Toolbar.Ask
O43 - CFD: 9/2/2012 - 6:50:06 PM - [0.609] ----D C:\Program Files (x86)\Conduit    => Toolbar.Conduit
O69 - SBI: C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\searchplugins\askcom.xml    => Plugin Mozilla Firefox Ask.com
O69 - SBI: prefs.js [Nick - vr5ceq2d.default] user_pref("extensions.asktb.ff-original-keyword-url", "");    => Toolbar.Ask
O69 - SBI: SearchScopes [HKCU] {2fa28606-de77-4029-af96-b231e3b8f827} - (Ask.com) - https://www.search.ask.com/    => Toolbar.Ask
O69 - SBI: SearchScopes [HKCU] {5237317A-6EFF-4413-9B4E-12EF65758F8C} - (WhiteSmoke US New Customized Web Search) - http://search.conduit.com    => Toolbar.Conduit
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}]    => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]    => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}]    => Toolbar.Ask
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]    => Toolbar.Agent
[HKCU\Software\APN]    => Toolbar.eBay
[HKLM\Software\WOW6432Node\APN]    => Toolbar.eBay
[HKCU\Software\Ask.com]    => Toolbar.Ask
[HKCU\Software\Ask.com]    => Toolbar.Ask
[HKCU\Software\AppDataLow\Software\AskToolbar]    => Toolbar.Ask
[HKCU\Software\AppDataLow\Software\ConduitSearchScopes]    => Toolbar.Conduit
[HKCU\Software\AppDataLow\Toolbar]    => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}]    => Toolbar.Ask
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]:{00000000-6E41-4FD3-8538-502F5495E5FC}    => Toolbar.Ask
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{D4027C7F-154A-4066-A1AD-4243D8127440}    => Toolbar.Ask
C:\Program Files (x86)\Ask.com    => Toolbar.Ask
C:\Program Files (x86)\Conduit    => Toolbar.Conduit
C:\Users\Nick\AppData\Local\Conduit    => Toolbar.Conduit
C:\Users\Nick\AppData\LocalLow\AskToolbar    => Toolbar.Ask
C:\Users\Nick\AppData\LocalLow\Conduit    => Toolbar.Conduit
C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\vr5ceq2d.default\Extensions	oolbar@ask.com    
M2 - MFEP: prefs.js [Nick - vr5ceq2d.default\plugin@yontoo.com] [] Yontoo v1.20.00 (.Yontoo LLC.)  
O2 - BHO: (no name) [64Bits] - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} Orphean Key   
[HKCU\Software\AppDataLow\Software\PriceGong]   
[HKLM\Software\Wow6432Node\Iminent]    
O44 - LFC:[MD5.A103FDF7348130EF3F3FEF56B1700A27] - 9/2/2012 - 5:50:09 PM ---A- . (...) -- C:\END   [9]  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]  
C:\Users\Nick\AppData\LocalLow\PriceGong  

3. Finally, Download, install and run Malwarebyte which you can find on this site: 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware 

Ensure you make an update.

Boot your computer in safemode

Plug your external drive.

Please request a FULL system scan, on all drives which may take from 20 minutes to hours.  Do not interfere no matter how long in takes.  The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone With The Wind or read Tolstoy's War and Peace. (I made Rockfeller Oysters and Cherry Jubilee)

If Malwarebyte restarts your system, launch it again to finish the Full scan. 

When the scan is completed, delete all items found.

Once your computer is clean and working normally just to be on the safe side 
*Turn off system restore and wait 30 seconds, 
*Turn it back on and create a new restore point. 

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed. 
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process. 
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.

4. Send me a brand new ZHP Diag log.

5. Good luck

BlueTomato · Answer

Hey, you got hijacked :-(

I had the same issues as you with two of the infections i saw.
Yontoo and Pricegong. 
Don't be frightened they can be easily removed.

Those were the articles i read that helped me, i hope they help you too
http://www.americanpendulum.com/en/2012/11/01/remove-yontoo-layers-client/
http://www.americanpendulum.com/en/tag/pricegong-virus-removal/
https://forums.malwarebytes.com/topic/113649-what-is-yontoo-and-how-do-i-remove-it/

Remember to clean your cookies and see if there are left infections by running a scan with an antivirus program.

Data not appearing on external hdd

6 responses

Similar discussions

Subscribe To Our Newsletter!