30th June 2009, 01:30 AM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | | External Hard Drive Virus
It seems like there is a virus on my External HD and my USB flash drive as well. Avira tells me that it's disguised as F:\Autorun
I know that I can reformat these electronics but I REALLY prefer not to because I have so many precious files on my External....
Is there ANY way I can clean out the hard drive without having to reformat it?
| 
30th June 2009, 06:30 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | Panda USB and AutoRun Vaccine
Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.
Download Panda USB and AutoRun Vaccine and save it to your desktop. - Alternate download link
* Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
* Open that folder and double-click on USBVaccine.exe to start the program.
* Click Run
* Click the button to Vaccinate computer.
* Insert your USB flash drive.
* When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
* Exit Panda USB and AutoRun Vaccine when done.
Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
----------
Run this on all your drives and post the logs please. If you already have Malwarebytes be sure to update it before running the scan!
Download Malwarebytes' Anti-Malware (MBAM) - Alternate MBAM download link
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
| 
30th June 2009, 06:18 PM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | |
Hey, I'm going to run these programs in a few days because my external hard drive is far away from where I am right now but I just wanted to ask, do I need to hold down the shift button if the hard drive doesn't autorun? Like the way it's set up on my computer, the little menu comes up that asks me what do you want to do: open the folder, play, etc.
Also, is it possible to get rid of this virus if I follow your directions? Or would it just "quarantine" the virus rather than getting rid of it?
Btw this thread is not related to my old virus computer, because I think the external got infected before my comp got infected. My comp is good now.
| 
30th June 2009, 06:50 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | Quote: |
the little menu comes up that asks me what do you want to do: open the folder, play, etc.
| That's autorun.
Run the scans and post the logs. I need to see what we are dealing with.
| 
4th July 2009, 10:58 PM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | |
Hey sorry I've been away
But I've done what you've instructed and there is the log file from Malware's program
Malwarebytes' Anti-Malware 1.38
Database version: 2374
Windows 5.1.2600 Service Pack 2
7/4/2009 6:56:37 PM
mbam-log-2009-07-04 (18-56-33).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 122780
Time elapsed: 19 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{51267417-b33c-4783-a2fb-ccfafa2247d8}\RP1\A0000011.exe (Trojan.Downloader) -> No action taken.
For the Flash Drive, I just formatted it
But this result is from the External Hard Drive of mine
| 
5th July 2009, 04:45 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | Quote:
Files Infected:
c:\system volume information\_restore
| This is a System Restore Point.
Clear your System Restore of infected Restore points. Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are infected, but that's good news)
Turn OFF System Restore
- On the Desktop, right-click My Computer
- Click Properties
- Click the System Restore tab.
- Check Turn off System Restore
- Click Apply, and then click OK
Restart your computer
Turn ON System Restore
- On the Desktop, right-click My Computer
- Click Properties
- Click the System Restore tab.
- UN-Check Turn off System Restore
- Click Apply, and then click OK
System Restore will now be active again
----------
Download DrWeb CureIt & save it to your desktop.
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start
- An information notice will appear, click OK.
- This starts a short scan that will scan the files currently running in memory.
- If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Settings > Change Settings
- Under the Scanning tab UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply
| 
5th July 2009, 06:05 PM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | |
um..I don't know why but when I plugged out the external hard drive and ran the DrWeb Cureit, it says 0 viruses were found....
But c:\ is on my computer right? Not the external cause external should be F:\
What's going on ..?
| 
5th July 2009, 07:32 PM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | Quote:
Originally Posted by febuary1088
um..I don't know why but when I plugged out the external hard drive and ran the DrWeb Cureit, it says 0 viruses were found....
But c:\ is on my computer right? Not the external cause external should be F:\
What's going on ..?
| Ok it seems like I was stupid for running the scan without plugging in the external HD but now that I did, 8 viruses were found and I deleted them
The log from DrWeb Cureit is an Excel document and it seems like I cannot attach an excel document to this forum...
So I tried notepad and I am copy+pasting it onto here:
EXPLORER.EXE;F:\;BackDoor.Generic.1451;Deleted.;
A0006037.inf;F:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP24;Win32.HLLW.Autoruner.2155;Deleted.;
A0000016.EXE;F:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP1;BackDoor.Generic.1451;Deleted.;
A0006071.EXE;F:\System Volume Information\_restore{867E6898-30F3-43B9-9A88-CAC89E6B085D}\RP75;BackDoor.Generic.1451;Deleted.;
A0006072.EXE;F:\System Volume Information\_restore{867E6898-30F3-43B9-9A88-CAC89E6B085D}\RP75;BackDoor.Generic.1451;Deleted.;
A0006073.inf;F:\System Volume Information\_restore{867E6898-30F3-43B9-9A88-CAC89E6B085D}\RP75;Win32.HLLW.Autoruner.2155;Deleted.;
A0006091.EXE;F:\System Volume Information\_restore{867E6898-30F3-43B9-9A88-CAC89E6B085D}\RP76;BackDoor.Generic.1451;Deleted.;
A0006092.inf;F:\System Volume Information\_restore{867E6898-30F3-43B9-9A88-CAC89E6B085D}\RP76;Win32.HLLW.Autoruner.2155;Deleted.;
| 
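Added example, not part of the original posts and not Dr.Web's own tooling: a small Python triage script for a report like the one pasted above, separating hits on live files from copies archived in System Restore points and flagging anything that was not deleted. The field layout (file;folder;threat;action;) is inferred from the pasted rows, and `parse_report`, `summarize` and `REMOVED_ACTIONS` are names made up for this example.

```python
import re
from collections import Counter

# Rows copied from the report pasted in the thread; layout inferred from
# them (assumption): file;folder;threat;action;
SAMPLE_REPORT = r"""EXPLORER.EXE;F:\;BackDoor.Generic.1451;Deleted.;
A0006037.inf;F:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP24;Win32.HLLW.Autoruner.2155;Deleted.;
A0000016.EXE;F:\System Volume Information\_restore{51267417-B33C-4783-A2FB-CCFAFA2247D8}\RP1;BackDoor.Generic.1451;Deleted.;
"""

# System Restore keeps renamed copies (A00xxxxx.*) under \_restore{GUID}\RPnn
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)", re.I)
# "Deleted." is the only action string the thread shows; anything else is
# reported for follow-up rather than assumed to be clean.
REMOVED_ACTIONS = {"deleted."}

def parse_report(text):
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[0]:
            continue  # blank or malformed row
        name, folder, threat, action = fields[:4]
        match = RESTORE_RE.search(folder)
        rows.append({"file": name, "folder": folder, "threat": threat,
                     "action": action,
                     "restore_point": match.group(1) if match else None})
    return rows

def summarize(rows):
    live = [r for r in rows if r["restore_point"] is None]
    points = {r["restore_point"] for r in rows if r["restore_point"]}
    return {
        "live": [(r["folder"], r["file"], r["threat"]) for r in live],
        "restore_points": sorted(points, key=lambda rp: int(rp[2:])),
        "by_threat": Counter(r["threat"] for r in rows),
        "not_removed": [r["file"] for r in rows
                        if r["action"].lower() not in REMOVED_ACTIONS],
    }

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, value)
```

On the sample rows the only live hit is EXPLORER.EXE in the root of F:\; the other entries are archived copies inside restore points RP1 and RP24.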
5th July 2009, 08:44 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
That seems to have found the problem and removed the infected Restore Points on F:
How is everything now?
| 
5th July 2009, 09:17 PM
|  | Newcomer | | Join Date: Jun 2009, 12 posts. Reputation:  | | |
it seems like everything is perfect ^_^
haha awesome, you helped me save like 500 GBs of files and movies!!! xD
Thank you sirrrrrrrrrrrrr
(Is it ok to remove the applications like malware removal , etc. now?)
| 
5th July 2009, 09:35 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Keep Malwarebytes' Anti-Malware. Update and scan with it occasionally.
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.