#1 - 17th March 2010, 06:37 PM - Buu (Newcomer, joined Mar 2010, 2 posts)
External HDD possibly infected

Hello. Excuse me if this question has been answered tons of times already, but I'm very unsure about how I should do this.

To come straight to the point, I think my external 1TB HDD is infected with one or more trojan virus(es) and a few other ones. I was downloading a few videos when (upon opening one) Internet Explorer automatically started up by itself with an ad.

So I became suspicious and decided to run the AVG 9.0 antivirus that detected three viruses which were deleted afterwards when the scan finished. I thought everything was fine then and plugged in my external HDD to save a few things onto it, not including the downloaded video mentioned before.

I unplugged it and continued with my usual activities on the laptop when suddenly Internet Explorer and Firefox opened themselves again and new advertisements showed up.

I scanned with AVG again, with no viruses found as a result. So I went to Google and tried to get something different and eventually stumbled upon 'Spyware Doctor'. I installed it, let it scan my laptop and 29 infected files were found. Since registration was needed to let it delete the viruses, I had to get something different and ended up with 'Malwarebytes' Anti-Malware'. I started running it until it got to the folder location in which 'Spyware Doctor' had found lots of viruses. 'Malwarebytes' Anti-Malware' didn't detect anything in it though.

I got a bit nervous and shut down the laptop. Today I decided to reinstall Windows Vista by putting in the Recovery Disc and running it. Everything installed properly. I activated the 'Norton Internet Security' antivirus, scanned my laptop, nothing found. Then I proceeded to 'Spyware Doctor' and it didn't find anything either. I uninstalled it and installed 'Ad-Aware'. Nothing was found. Then 'Malwarebytes' Anti-Malware'. Nothing either.

I guess my laptop is clean now, but I'm afraid my HDD isn't, and I'm unsure about plugging it in, having read that the viruses can simply jump over from the HDD to the laptop.

I'd need some professional help on how to get my HDD clean of viruses, preferably without having to format it or anything similar that gets rid of all the files on it.

I appreciate any help I can get. Thanks in advance.
-- Buu
#2 - 20th March 2010, 08:26 PM - Buu
Alright folks, I've got a few updates.

I decided to go for it and tried to get rid of the 'viruses' on my external HDD.

Before I did so, I disabled autorun.inf by using a .reg file and disabled the autoplay function in Vista's options. Then I plugged in my external HDD and quickly scanned it with Avira Antivir, Malwarebytes' Anti-Malware and Ad-Aware and, to my surprise, no suspicious files were found. I did not open the drive itself yet.

Then I ran cmd.exe and typed D:, hit enter, then dir /a/w and saw the autorun.inf file. Then I did del autorun.inf, though I got an 'access denied' error. Unplugging and re-plugging the HDD made it possible to delete it.
I also noticed a file called 'get_started_for_windows.exe'. I deleted that as well, but I don't know if I should have done that or not. So far no harm though.

I then checked the contents of my HDD: no files deleted, everything present. After that, I ran Avira Antivir again, this time scanning the whole system, and also did a complete scan with Malwarebytes' Anti-Malware as well as with Ad-Aware. No errors from either of those.

Then I quickly downloaded HijackThis and created a log file.

Here are the logs from MBAM and HJT:

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3876
Windows 6.0.6000
Internet Explorer 7.0.6000.16473

20.03.2010 19:52:27
mbam-log-2010-03-20 (19-52-27).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 175571
Laufzeit: 1 hour(s), 48 minute(s), 1 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:06, on 20.03.2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Users\Oliver\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Oliver\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - eBay Deutschland - Der weltweite Online-Marktplatz (file missing)
O9 - Extra button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - Amazon.de: Günstige Preise bei Elektronik & Foto, DVD, Musik, Bücher, Games, Spielzeug & mehr (file missing)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE6E242-8159-4DB6-89D6-9468F3F86A20}: NameServer = 212.18.0.5 212.18.3.5
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7066 bytes

Sorry for the German language, if there's something unclear to you, please let me know so I can translate.

Anyway, no viruses found. I have no clue what HJT is saying though, that's why I'd need confirmation on that.

Otherwise, I guess I'm safe.

And by the way, if there's any program I should install/uninstall, please tell me, I'd like to be as safe as possible.
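One defensive triage step for an autorun.inf like the one Buu found, as an added example (not code from the thread or from any product named in it): parse the file and list every program it would launch, then check which of those sit in the drive root. The sample autorun.inf is constructed; get_started_for_windows.exe is only the file name from the post, and its real contents are unknown.

```python
"""Triage an autorun.inf from a removable drive: which programs would it launch?"""
import configparser
import re

# open= and shellexecute= start a program when AutoRun/AutoPlay processes the file;
# shell\<verb>\command= defines what double-clicking the drive runs, so check it too.
EXEC_KEYS = ("open", "shellexecute")
VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Parse autorun.inf (INI syntax); section and key names are lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def program_of(command: str) -> str:
    """First token of a command line, quotes stripped: the program it starts."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command or "")
    return (m.group(1) or m.group(2) or "").lower() if m else ""

def launched_programs(sections: dict[str, dict[str, str]]) -> list[str]:
    """Every program any [autorun*] section would start (sorted, de-duplicated)."""
    found = set()
    for name, keys in sections.items():
        if name.startswith("autorun"):
            for key, value in keys.items():
                if key in EXEC_KEYS or VERB_CMD.match(key):
                    prog = program_of(value)
                    if prog:
                        found.add(prog)
    return sorted(found)

def triage(text: str, files_on_drive) -> dict[str, object]:
    """Launch targets, which exist in the drive root, and a verdict (icon=/label= only is harmless)."""
    progs = launched_programs(parse_autorun(text))
    present = {f.lower() for f in files_on_drive}
    return {"launches": progs,
            "targets_present": [p for p in progs if p in present],
            "suspicious": bool(progs)}

# Constructed sample shaped like the thread: the .inf points at an .exe beside it.
SAMPLE = """[AutoRun]
open=get_started_for_windows.exe
shell\\open\\command="get_started_for_windows.exe" /s
shell\\explore\\command=get_started_for_windows.exe
icon=get_started_for_windows.exe,0
label=External HDD
"""
```

On a real drive the .inf and its target are often hidden/system files (hence the dir /a in the post) and occasionally UTF-16 encoded, so read the file with an explicit encoding before passing it to triage().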