USB mass storage detected

Discussion in 'malware problems & news' started by ZolaWoW, Jan 24, 2006.

Thread Status:
Not open for further replies.
  1. ZolaWoW

    ZolaWoW Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    4
    I am stumped on this one....

    each time i reboot my pc, i get an icon in my systray to safely remove hardware...USB mass storage device on drives f, g, h & j. i don't have these drives. i don't have any USBs plugged in (cept my mouse and keyboard) when i look in my computer, they show up, but are empty(supposedly). i remove, they go away, i reboot, they come back.

    i know i'm hijacked because i keep losing admin rights on my pc. when i tried to use add/remove programs the other day it said something along the lines of "this could mess with the other user connected to the machine" HA! the first few times i tried to run the ewido scan it gave me a page with dead or invisible links.

    now, the usb thing might be benign, but it's annoying. the thing is...nothing is detecting the trojan i KNOW is there. what more can i do?--other than rebuilding my machine =)

    anyway....i've run the freebie versions of all these
    nod32--finds nada
    ewido--found 19 (2 high risk) on first scan, but none thereafter
    spybot s&d
    and the paid version of spyware doctor (think i got taken on that one, cause it never catches anything)

    HELP please!
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Are you referring to the Cypress USB Mass Storage Driver Notification Icon Application [Safely remove Hardware] - SM1nint.exe?

    If so, this is quite legitimate, but you are going to have a hard job removing it since it cannot be suppressed by msconfig nor by simple Registry tweaks. There are more complicated methods, but frankly I would just leave it be; if it irritates you, you can always hide icons in XP.

    http://www.msfn.org/board/lofiversion/index.php/t52517.html

    If you are not referring to SM1nint.exe (which appears as a little green arrow in your Sys Tray) and have other problems, try an online scan:-

    http://www.kaspersky.com/downloads/kws/kavwebscan.html
     
  3. ZolaWoW

    ZolaWoW Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    4
    but why is it detecting stuff that's not there?

    and why can't i find the hijacker with any of the software i've downloaded?

    (thanks for the kaspersky link...am downloading now)
     
  4. ZolaWoW

    ZolaWoW Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    4
    did multiple scans with kasper....nothing found.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  6. f3x

    f3x Guest

    on my sister's computer there are also a lot of "horrible" drives which aren't hard drives
    actually the hp computer has an "all in one card reader" included in it and it shows one drive letter per card reader, so my sister has 6 useless drive letters

    "this could mess with the other user connected to the machine"
    this does not mean you don't have admin rights
    it simply supposes you have fast user switching on and another user is logged on
    or something like that.

    IMO what you attribute to an infection is probably a badly configured pc
    or a bad behavior design from MS

    anyways you can use the device manager to disable the drivers of those usb storage devices (each drive is probably a card reader) and only keep the one you would use (sd etc.)
     
  7. ZolaWoW

    ZolaWoW Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    4
    we have actually seen evidence of the "other user". programs have been modified without our doing so. for instance, teamspeak 2 (for our wow addiction) was muted--not by us, not by the server admin, but by our system admin. when this "other user" is logged on, i cannot download or remove programs.

    i'm starting to feel like a character in a bad b movie "i swear there's a bad guy out there!" haha

    anyway...i thank all of you for your advice thus far

    question: is there a reason my processes show 2 rundll32.exe? one is in caps, the other lower-case.
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE

    [edit]
    btw, i don't argue that i probably have a horribly configured pc :)
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It depends what Rundll.exe is being invoked for, but two perfectly legitimate examples include:-

    rundll32.exe nview.dll,nViewLoadHook

    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    Whether you actually need to have these processes running is another matter, personally I have disabled them from auto-running on my machine 'cos I don't need them.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I'm with f3x on this one. :)
    My external harddrive, connected by Firewire, triggers the same sort of event.
    And, since it is partitioned, it also shows up as several drives.

    By the way: Windows is impartial to capitals, so as long as rundll32.exe and RUNDLL32.EXE are in the same folder, they are one and the same.

    Regards,

    Pieter
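
Added example (not part of any post in this thread): the two points made above, that Windows compares paths without regard to case and that what matters is which DLL rundll32.exe was started for, as a small Python triage over a process listing. The listing is constructed: the first two entries reuse the paths and command lines quoted in the thread, the third is made up to show an image outside system32, and `canon`, `parse_rundll32` and `triage` are names chosen here.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed process listing: (image path, command line).
# Entries 1-2 reuse the strings quoted in the thread; entry 3 is made up.
SAMPLE = [
    (r"C:\WINDOWS\system32\rundll32.exe",
     r"rundll32.exe nview.dll,nViewLoadHook"),
    (r"C:\WINDOWS\system32\RUNDLL32.EXE",
     r"RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"),
    (r"C:\Temp\rundll32.exe",
     r"rundll32.exe C:\Temp\example.dll,Start"),
]


def canon(path):
    """Fold a Windows path the way a case-insensitive comparison sees it."""
    return ntpath.normcase(ntpath.normpath(path))


def parse_rundll32(cmdline):
    """Return (dll, entry_point) from a 'rundll32 <dll>,<entry> [args]' line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):                 # quoted executable path
        rest = cmdline.partition('" ')[2]
    else:
        rest = cmdline.partition(" ")[2]
    dll, _, tail = rest.strip().partition(",")
    entry = tail.split()[0] if tail.split() else ""
    return dll.strip().strip('"'), entry


def triage(procs, system_dir=r"C:\WINDOWS\system32"):
    """Group processes by folded image path; note folder and loaded DLLs."""
    report = {}
    for image, cmdline in procs:
        key = canon(image)
        row = report.setdefault(key, {
            "in_system_dir": ntpath.dirname(key) == canon(system_dir),
            "loads": [],
        })
        row["loads"].append(parse_rundll32(cmdline))
    return report


if __name__ == "__main__":
    for image, row in triage(SAMPLE).items():
        print(image, "system32" if row["in_system_dir"] else "OTHER FOLDER")
        for dll, entry in row["loads"]:
            print("   ", dll, "->", entry)
```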
     
  10. hadi

    hadi Guest

    it sounds like your computer has a built in (xin1) card reader. if so, and you are not using them then the easiest possibility to hide them is "microsoft tweakui" .
     