W32.bacalid!inf In Quarantine



#1 jlstep

Posted 14 January 2008 - 06:15 PM

I am using Win XP Professional. I have Symantec anti-virus software installed that tells me I have this virus in quarantine. It says that it is in g:/recycled, was generated on Dec 25 at 12 pm. This is the time I would have installed software for a new digital picture frame I got for Christmas. Since it has a couple USB ports I think it assigns one of them as the G drive as it is the only time I have seen this drive in use on my computer.

So - I've been on the Symantec website and have downloaded their exe file (FixBacalid.com) and followed all instructions - disconnected from the internet and turned off the system restore before running it. It scanned my computer then came up with a message that this virus wasn't found. In case it makes any difference, just after I started this exe file I received an error message that had a Microsoft Visual C++ Runtime Library heading. It said:
Runtime Error!
Program: C:...
R6034
An application has made an attempt to load the C runtime library incorrectly. Please contact the applications support team for more info.

I suspect that this error had nothing to do with not finding the virus on my computer since it is supposedly linked to a G drive which would only be active if I was connected to this digital picture frame.

I'm not quite sure what to do at this point though- does this mean the virus really isn't on my computer? And is it really possible that this digital picture frame could have come infected with a virus??? Does anyone have suggestions as to how I should handle this?

I appreciate any help:)

Jennifer

#2 quietman7

Posted 15 January 2008 - 12:30 PM

On NTFS file systems, Recycler is the name of the Recycle Bin Folder in each partition.
On FAT systems, the folder is named Recycled. If the device pointing to the G drive has been disconnected, then the drive (and that folder) will not show.

Did your Symantec provide a specific file name associated with this malware threat?
Since it did point to the G drive, then either the file in question is indeed infected or it is a "False Positive".

Symantec has instructions for suspicious file(s) it has placed in quarantine. Please read "How to submit a file to Symantec Security Response using Scan and Deliver". There is no charge for the service. After Symantec responds please post the results back here.

As for the issue with Microsoft Visual C++ Runtime Library, a search on the net will show there are numerous reports of this error and most are not malware related. The error seems to be a common complaint with various causes (to include using registry cleaners) and possible solutions. What seems to work for one does not always work for another. I would suspect that another application that is running or outdated/corrupted driver is causing explorer.exe to crash. When did it start happening? Did you install any new programs or update existing ones around the same time? Many applications have hooks into explorer.exe that could potentially cause this error due to bad drivers, corrupted executables, incompatibilities, and virulent modifications to applications.

Try re-installing the latest Microsoft Visual C++ run-time files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 jlstep

Posted 16 January 2008 - 11:27 AM

Thanks for your help. The file infected is the driveinfo.exe. I followed the link to Symantec and have sent them the file for inspection. I do appreciate your help and will post here when I get information from them. As for the other error, the first time I've seen it is when I ran the Symantec scanning program. I'll have to do some checking to get that one figured out - your information is great.

Jennifer

#4 quietman7

Posted 16 January 2008 - 12:21 PM

Driveinfo.exe is a component of BackDoor-CWT.dr Trojan (W32.Resik.A) which spreads the infection via removable media and is often seen with other infected files.

Please insert your flash drive before we begin!

Reconfigure Windows XP to show hidden files, folders. Open My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK.

Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root. Repeat the search on all your drives (including your flash drive and any recent CDs you have used).

An easy way to do this is, click Start > Search > Click "All Files and Folders".
Under "Advanced Options", make sure the following are checked:
  • Search System Folders.
  • Search Hidden Files And Folders.
  • Search Subfolders.
Then copy and paste the following into the search box: autorun.inf
Click Search to find and delete all instances of these files.

If autorun.inf is present continue as follows:
(If autorun.inf is not present, then skip the part in the next step to remove it, but continue with the rest of the instructions to search for and remove any infected files you find.)

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Exit the command prompt and reboot normally.
Now search for and remove Driveinfo.exe
  • At the command prompt, type in your primary drive location, usually C:
  • Type: dir /s Driveinfo.exe
  • Hit Enter.
  • If the file is present, type: del Driveinfo.exe
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Then repeat the above commands to search for and delete Driveinfo.log, Driveinfo.scd, inetsrv.exe, csrus.exe, voinfo.dll on each drive.
  • Exit the command prompt and reboot normally.
When done, follow the instructions in How do I Delete Windows XP Recycle Bin Hidden Files? to make sure you deleted all the files.

Then, check for and remove any Startup RUN values by downloading and using Autoruns.




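The manual searches described in the last reply, as an added read-only example (not part of the original posts and not a Symantec tool): it parses an `autorun.inf` for the keys that launch a program and lists files whose names match those given in the thread. The function names and the temporary directory standing in for a removable drive are constructed for illustration.

```python
import os
import re
import tempfile

# File names listed in the post above (added example; matched case-insensitively).
SUSPECT_NAMES = {"driveinfo.exe", "driveinfo.log", "driveinfo.scd",
                 "inetsrv.exe", "csrus.exe", "voinfo.dll"}
# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)


def autorun_targets(text):
    """Return the commands an autorun.inf would launch ([autorun] section only)."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                targets.append(value)
    return targets


def scan_root(root):
    """Read-only scan of one drive root: autorun.inf targets and suspect files."""
    inf = next((e for e in os.listdir(root) if e.lower() == "autorun.inf"), None)
    targets = []
    if inf:
        with open(os.path.join(root, inf), errors="replace") as fh:
            targets = autorun_targets(fh.read())
    hits = [os.path.relpath(os.path.join(folder, name), root)
            for folder, _dirs, files in os.walk(root)
            for name in files if name.lower() in SUSPECT_NAMES]
    return {"autorun": targets, "suspect_files": sorted(hits)}


def demo():
    """Scan a constructed stand-in for a removable drive (temp directory)."""
    with tempfile.TemporaryDirectory() as drive:
        os.mkdir(os.path.join(drive, "Recycled"))
        with open(os.path.join(drive, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=Recycled\\driveinfo.exe\nicon=x.ico\n")
        open(os.path.join(drive, "Recycled", "Driveinfo.exe"), "w").close()
        return scan_root(drive)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_root` at a real drive root (for example `G:\\` while the device is attached) reports what is there without deleting anything, so the results can be reviewed before following the removal steps.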