#1
I am stumped on this one....

each time i reboot my pc, i get an icon in my systray to safely remove hardware...USB mass storage device on drives f, g, h & j. i don't have these drives. i don't have any USBs plugged in (cept my mouse and keyboard). when i look in my computer, they show up, but are empty (supposedly). i remove, they go away, i reboot, they come back.

i know i'm hijacked because i keep losing admin rights on my pc. when i tried to use add/remove programs the other day it said something along the lines of "this could mess with the other user connected to the machine" HA! the first few times i tried to run the ewido scan it gave me a page with dead or invisible links.

now, the usb thing might be benign, but it's annoying. the thing is...nothing is detecting the trojan i KNOW is there. what more can i do?--other than rebuilding my machine =)

anyway....i've run the freebie versions of all these:
nod32--finds nada
ewido--found 19 (2 high risk) on first scan, but none thereafter
spybot s&d
and the paid version of spyware doctor (think i got taken on that one, cause it never catches anything)

HELP please!
#2
Are you referring to the Cypress USB Mass Storage Driver Notification Icon Application [Safely remove Hardware] - SM1nint.exe?

If so, this is quite legitimate, but you are going to have a hard job removing it since it cannot be suppressed by msconfig nor by simple Registry tweaks. There are more complicated methods, but frankly I would just leave it be; if it irritates you, you can always hide icons in XP.
http://www.msfn.org/board/lofiversio...hp/t52517.html

If you are not referring to SM1nint.exe (which appears as a little green arrow in your Sys Tray) and have other problems, try an online scan:-
http://www.kaspersky.com/downloads/kws/kavwebscan.html
#3
but why is it detecting stuff that's not there?
and why can't i find the hijacker with any of the software i've downloaded?
(thanks for the kaspersky link...am downloading now)
#4
did multiple scans with kasper....nothing found.
#5
If no scans are finding anything it could be that your perceived problems are not caused by infection - unless it is some sort of undetectable rootkit, in which case I wouldn't really know what to suggest, other than:-
http://www.sysinternals.com/Utilitie...tRevealer.html
http://greatis.com/unhackme/
http://www.rkdetector.com/

I'm not suggesting that you have got a rootkit, rather that I can't think of any specific cause of your problems.
#6
on my sister's computer there are also a lot of "horrible" drives which aren't hard drives
actually the hp computer has an "all in one card reader" included in it and it shows one drive letter per card reader, so my sister has 6 useless drive letters

"this could mess with the other user connected to the machine"
this does not mean you don't have admin rights; I suppose you simply have fast user switching on and another user is logged in or something like that.

IMO what you attribute to an infection is probably a badly configured pc or a bad behavior design from MS

anyway, you can use the device manager to disable the drivers of those usb storage devices (each drive is probably a card reader) and only keep the ones you would use (sd etc.)
#7
we have actually seen evidence of the "other user". programs have been modified without our doing so. for instance, teamspeak 2 (for our wow addiction) was muted--not by us, not by the server admin, but by our system admin. when this "other user" is logged on, i cannot download or remove programs.

i'm starting to feel like a character in a bad b movie "i swear there's a bad guy out there!" haha

anyway...i thank all of you for your advice thus far

question: is there a reason my processes show 2 rundll32.exe? one is in caps, the other lower-case.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE

[edit] btw, i don't argue that i probably have a horribly configured pc
#8
It depends what Rundll.exe is being invoked for, but two perfectly legitimate examples include:-
rundll32.exe nview.dll,nViewLoadHook
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

Whether you actually need to have these processes running is another matter, personally I have disabled them from auto-running on my machine 'cos I don't need them.
#9
I'm with f3x on this one.
My external harddrive, connected by Firewire, triggers the same sort of event. And, since it is partitioned, it also shows up as several drives.

By the way: Windows is impartial to capitals, so as long as rundll32.exe and RUNDLL32.EXE are in the same folder, they are one and the same.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
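
The check discussed in posts #7 to #9, as an added example that is not part of any post in this thread: it lists every running rundll32 instance with the DLL and export it was asked to load, and compares the image path case-insensitively against the expected system folders. It assumes PowerShell 3.0 or later (for `Get-CimInstance`); the property names `ExpectedDir` and `Target` are this example's own.

```powershell
# Added example: inventory running rundll32 instances and what each one loads.
$sysRoot  = $env:SystemRoot
$expected = @(
    (Join-Path $sysRoot 'System32\rundll32.exe'),
    (Join-Path $sysRoot 'SysWOW64\rundll32.exe')
)

# WQL string comparison ignores case, so this also matches RUNDLL32.EXE.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"

$report = foreach ($p in $procs) {
    $path       = $p.ExecutablePath   # can be $null when run without admin rights
    $inExpected = $false
    $sigStatus  = 'Unknown'

    if ($path) {
        # -contains compares strings case-insensitively, like the file system does.
        $inExpected = $expected -contains $path
        $sigStatus  = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    # Everything after the executable name is "<dll>,<export> [arguments]".
    $target = $null
    if ($p.CommandLine -match 'rundll32(?:\.exe)?"?\s+(.+)$') {
        $target = $Matches[1]
    }

    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        ParentId    = $p.ParentProcessId
        Image       = $path
        ExpectedDir = $inExpected
        Signature   = $sigStatus
        Target      = $target
    }
}

# Instances outside the expected folders sort first.
$report | Sort-Object ExpectedDir, ProcessId | Format-Table -AutoSize -Wrap
```

Two rows that differ only in the capitalisation of `Image` are the same binary; the `Target` column is what distinguishes one instance from another.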
#10
Quote:
it sounds like your computer has a built in (xin1) card reader. if so, and you are not using them then the easiest possibility to hide them is "microsoft tweakui".