TechSpot

FullHouse Drive Virus?

By Rasmey
Nov 23, 2008
  1. My computer suddenly has this drive-like thing (like a removable disk drive) on the desktop and in My Computer. Its name is FullHouse Drive and when I double-click it, it shows a picture of a Korean female movie star. It won't be moved, deleted or anything at all. I don't know what other effects it's having on my computer, as it seems to be functioning normally except for this annoying extra drive.
    I tried to scan it with Kaspersky, MBAM, and KillFullHouse (from a Laos website I got by googling). Still it won't budge!
    Please help me.
    Thanks,
    Rasmey
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Outstanding description. Did the 'gurgle' & found this thread.

    It probably goes against conventional wisdom around here, but I would System Restore to a point preceding its appearance.

    'Ratscheddar' does a good job of undoing registry hacks meant to annoy. Some of the hacks alter permissions or take away common tools/utilities, to mention a few.

    Download RatsCheddar
    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, Double click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.

    Update all the scanning programs. Please post the 3 logs. See Here
     
  3. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    Thanks for your reply.
    I did as suggested. Here are the logs.
    As for HiJackthis I can't find the log.
    The FullHouse drive is still there on my computer and my other computer has it too. But there doesn't seem to be any noticeable symptom yet.

    Rasmey
     

  4. rf6647

    rf6647 TS Maniac Posts: 829

    For your case, we will supplement our guide with a special scan / tool. The difficulties you mention are being interpreted as a procedural glitch. Inform me if I have this wrong. 'Taskmgr.exe' appearing in recycle bin is unusual.

    Observations & Recommended Action:
    • Update the scanning tools: MBAM & SAS
    • HJT log is saved to same folder for all HJT logs. > File > save as > identifies folder
    • Reminder: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions
    • ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
    • Uninstall old copy of ComboFix

    Supplement to guide. Successive scans used to uncover additional infections.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

    • Follow ComboFix instructions referenced below.

    • Scan with HJT. (part of instructions for ComboFix)

    • Post logs. Report progress & what changes are observed. Include logs that found infections.


     
  5. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    Problem fixed

    Thank you rf6647. I did as instructed and now the Fullhouse drive is removed. I ran Combofix twice. The first time it made the 'virus' appear like a folder and I could delete it from my desktop, and the second time I ran Combofix it was removed from my Control Panel. I'm attaching the logs of both runs here.

    However I have two other computers which have the same problem, but even though I ran Combofix and other programs (CCleaner, MBAM) a few times it still won't be removed. I don't know why. Please help.
    The logs in the zip file are from one of the computers on which the problem cannot be solved.

    Thanks
     

  6. rf6647

    rf6647 TS Maniac Posts: 829

    I have insufficient information.

    No filetype for zip file.
    Does HJT contain reference?? >> "BIBLauncher"="c:\documents and settings\INTERNET\Desktop\BIBLauncher.exe"

    Network? That opens the possibility of cross contamination. Firewalls? How configured?

    Your observations about the double run of combofix to clean the 'full house' symptom was a learning experience for me. A HJT log may show residue remaining in 'msconfig'.
     
  7. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    I'm sorry, I don't know what happened to the zip file.
    I did Hijackthis and the log is here.

    Thank you so much for your help.
     
  8. rf6647

    rf6647 TS Maniac Posts: 829


    • HJT shows two items not handled by ComboFix:
      Code:
      O4 - HKLM\..\Policies\Explorer\Run: [Task Manager] C:\RECYCLER\S-1-5-21-1202660629-412668190-725345543-500\smss.exe
      O4 - HKCU\..\Policies\Explorer\Run: [Manager Task] C:\RECYCLER\S-1-5-21-1202660629-412668190-725345543-500\smss.exe
    • Uninstall ComboFix
    • Install & run SDFix.
      • While I judge both tools to be "equals", there are brief periods where one excels over the other.
    • Scan with HJT
    • Post logs & give your impressions.
    1. Download SD Fix to Desktop From Here

    2. On Desktop run SDFix. It will run (install) then close.

    3. Then reboot into Safe Mode
      • As the computer starts up, tap the F8 key several times.
      • On the Boot menu Choose Safe Mode.
      • Click through all the prompts to get to desktop.

    4. At Desktop - SD Fix does its job
      • My Computer C: drive. Double-click to open.
      • Look for a folder called SD Fix. Double-click to enter SD Fix.
      • Double-click to RunThis.bat. Type Y to begin.
      • When prompted hit the enter key to restart the computer
      • Your computer will reboot.

    5. On normal restart the Fixtool will run again and complete the removal process. Then say Finished

    6. Hit the Enter key to end the script and load your desktop icons.

    7. Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.

    8. Attach the Report.txt file to your next post
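
An added example, not part of any post in this thread: a small Python check over HijackThis O4 (autostart) lines that flags the pattern visible in the two entries quoted above, a core system process name (`smss.exe`) launched from a Recycle Bin folder through the `Policies\Explorer\Run` key. The first sample line and the `SYSTEM_NAMES` list are constructed for illustration.

```python
import ntpath
import re

# O4 lines in a HijackThis log: "O4 - <key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)

# Assumption for this example: names that normally run only from System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "svchost.exe", "taskmgr.exe"}

def review_o4(log_text):
    """Return [(line, [reasons])] for O4 entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.search(m["cmd"])
        if not exe:
            continue
        path = exe["path"].lower()
        folder, name = ntpath.split(path)  # ntpath parses Windows paths on any OS
        reasons = []
        if "\\recycler\\" in path or "\\$recycle.bin\\" in path:
            reasons.append("image stored in a Recycle Bin folder")
        if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
            reasons.append(f"{name} outside System32")
        if m["key"].lower().endswith("\\policies\\explorer\\run"):
            reasons.append("started from the Policies\\Explorer\\Run key")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings

# First line is constructed; the other two are the entries quoted in the post above.
SAMPLE = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [Task Manager] C:\RECYCLER\S-1-5-21-1202660629-412668190-725345543-500\smss.exe
O4 - HKCU\..\Policies\Explorer\Run: [Manager Task] C:\RECYCLER\S-1-5-21-1202660629-412668190-725345543-500\smss.exe
"""

if __name__ == "__main__":
    for entry, why in review_o4(SAMPLE):
        print(entry)
        for reason in why:
            print("   -", reason)
```

The `Policies\Explorer\Run` reason on its own is only a prompt to look closer, since that key also has legitimate policy uses; the combination of all three reasons is what marks the two quoted entries.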
     
  9. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    Thank you! I'll do as instructed.
    By the way, I forgot to tell you. My computers have a network connection but I don't think it's the source of contamination since the others are cleaned and it's only these two that won't clear. Also I forgot to mention that while running combofix on these two there is a message on the blue screen that says something about a missing file or something. I wonder if it's because of this that it's not effective.
     
  10. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    Hi these are the logs. I did it on three computers which are having the same problem.
    The third computer I did SDFix twice as you'll see in the report.
    Should I try to fix the two items in hijackthis log that combofix did handle?
    The FullHouse drive is still there and won't be deleted. Overall the computers are still the same.
     
  11. Rasmey

    Rasmey TS Rookie Topic Starter Posts: 42

    After SDFix finishes and starts the normal window there is this icon near the clock that says Windows Security Alert (on two computers, except the 3rd one). What do I do with it?

    Here are two more logs.
     
  12. rf6647

    rf6647 TS Maniac Posts: 829

    You have given me much to ponder. Here is my current understanding.

    Member’s assessment
    • 3 infected computers with “FullHouse Drive”
    • M10 Computer 1; trojans found; mirc.exe; HJT normal
    • M10 computer 2 ; clean; mirc.exe; recycle ;O24 HJT
    • M11 computer 3 ; trojan found; recycle; O24 HJT
    Explanation
    • Message 10, computer 2, SDfix - no trojan found, registry item restored for 'mirc.exe', secret-hidden files in recycle bin, O24 found (HJT)
    • Message 11, computer 3, SDfix - found trojan, secret-hidden files in recycle bin, O24 found (HJT)

    Overview
    1. I am headed back to combofix. Uninstall old version – get rid of the history. When scanning with HJT, ALWAYS restart the computer preceding HJT.

    2. Check installed programs for mirc.exe
    3. I will follow a plan developed by mflynn that is geared toward wide coverage. Successive application of the tools removes parts of the infection that mask the 'real bad guy'. Every step improves the chances that the next step will succeed. When a tool does not work, make note and move to the next tool. We are trying to get info and cleaning where we can. I want the tools to do the heavy work for us. MBAM is expected to do its share to remove parts of the infestation, ComboFix will take it to the next level.
    ----------------------------------------------------------------------------------------------------------------------------------
    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    ----------------------------------------------------------------------------------------------------------------------------------

    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install, just run it delete all it finds decline to reboot on each item found, until the program finishes then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found if any as it has no log.
    If it finds several things reboot to Safe Mode and run again before continuing below.
    ----------------------------------------------------------------------------------------------------------------------------------

    Get and run Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html
    ----------------------------------------------------------------------------------------------------------------------------------

    When above is completed reboot back to Safe Mode Networking and do the following..

    http://www.techspot.com/vb/post684649-3.html

    When Fixit.cmd finishes it will reboot to normal.

    Then..

    ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.
     
  13. december41991

    december41991 TS Rookie

    I think I have found an easy way to do away with fullhouse drive. It will take less than a minute.

    Check this link to know about the issue and the link to download the removal tool.

    exchangeserverinfo.net/default.aspx?g=posts&t=59

    Enjoy ... I had to fight this virus for 24 hours to get it out. It had screwed my regedit and task manager. I am so happy that it's gone ...
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    He stated above that he specifically tried this tool, and it still won't "budge"

    Later on he confirmed running the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions (and Combofix) did :grinthumb

    But thanks for your reply anyway ;)
     
  15. rf6647

    rf6647 TS Maniac Posts: 829

    Thanks for the tip. While rasmey may have given up with the efforts so far, the info that you shared with us will benefit others.

    Cheers! Merry Christmas.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  17. december41991

    december41991 TS Rookie

    fullhouse drive

    guys there is a change in the link from where you can download the virus removal tool:

    exchangeserverinfo.net/default.aspx?g=posts&m=67&#67

    It's under the anti virus forum.
     
  18. rahulk077

    rahulk077 TS Rookie

    Thanks a lot, it works.
     
Topic Status:
Not open for further replies.
