
External Hard Drive Virus? Can't Delete Autorun.inf, Folder.exe, Desktop.exe, And Desktop2.exe After Antivirus Xp 2008 Removal

2 replies to this topic

#1 buckyfuller


  • Members
  • 2 posts
  • Local time:07:04 PM

Posted 14 September 2008 - 03:55 PM

Hello! A few weeks ago I undertook removing Antivirus XP 2008 from a friend's laptop. Using Malwarebytes' Anti-Malware, Spybot SD, & Fixwareout, I was able to disinfect the laptop and remove the virus.

However, upon docking a WD external hard drive to the laptop to backup important files, the virus jumped from the laptop to the external hard drive. A sample list of the hidden virus' files follows:

setup.exe, autorun.inf, folder.exe, desktop.exe, autorun.bat, autorun.run

As well as a directory called WD_Windows_Tools apparently containing backups of the above-mentioned files, as well as other files/executables essential to the virus functioning.

I had been able to remove nearly all of these files from the WD external hard drive in question, but the hidden file folder.exe still remains.

I've attempted to use the !Killbox app to remove these files from the WD external hard drive, as well as the FileAssassin option in the Malwarebytes' Anti-Malware app, and both claim success. However, re-docking the WD external hard drive shows that the above-mentioned hidden files still exist.

Moreover, apparently other directories that once existed on the WD external hard drive are no longer there, particularly the System Volume Information directory as well as the Recycle Bin directory. This most likely happened when accidentally "open"ing rather than "open with..."ing the autorun.bat file that was in one of the viral directories.

From my readings, it seems as though the problem file is the autorun.inf file and that it is altering my ability to view, update, or delete these viral files from the WD external hard drive.

How do I remove the offending files as well as restore my ability to see the hidden directories? Is there any way?
The WD external hard drive contains the back-up to my own PC and I cannot afford to lose the information on it nor can I safely dock it to my PC before I know that these files are removed for fear of infecting my own PC.

Please help! Thanks in advance.



#2 buckyfuller

  • Topic Starter

  • Members
  • 2 posts
  • Local time:07:04 PM

Posted 14 September 2008 - 04:34 PM

I have docked the External Hard Drive to my PC in safe mode, yet Malwarebytes finds extraneous issues.
Are there other logs I should post? Thanks in advance. -b

Malwarebytes' Anti-Malware 1.28
Database version: 1150
Windows 5.1.2600 Service Pack 3

9/14/2008 1:24:18 PM
mbam-log-2008-09-14 (13-24-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93139
Time elapsed: 43 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#3 Bill N


  • Members
  • 12 posts
  • Location:India
  • Local time:06:04 PM

Posted 14 September 2008 - 11:57 PM

One (very) small part of the puzzle may be to disable autorun from your system. To do this copy the following three lines into a new .txt file, then rename the file to "DisableAutorunINF.reg", and then double-click the file and say yes to the prompts. Then log off and log on again. That will disable autorun.inf's from hitting you. Here are the three lines of text.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

If you ever want to re-enable autorun.inf's again, then do this. Copy the following two lines into a new .txt file, then rename the file to "EnableAutorunINF.reg", and then double-click the file and say yes to the prompts. Then log off and log on again. That will enable autorun.inf's. Here are the two lines of text.

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

I recently had to deal with a nasty piece of malware (amvo.exe) which was using autorun.inf as part of its strategy. One bit of advice that helped me was this (but, I can make no guarantee that it will help you.)

First of all (only if you are comfortable with regedit), use regedit to delete the keys with reference to the files you know are part of the malware's arsenal.
Then run cmd to open a DOS window
and enter the following commands:
taskkill /im explorer.exe /f (comment: since many of these nasties use explorer to replicate themselves)
Then troll to the offensive folder using your DOS prompt.
Use one of these commands to see any hidden files (if necessary):
dir /ah
dir /as
dir /ahs
You can then use the following command to kill whatever the bogus file is (substituting the bogus file name for bogusfile.bogus):
del bogusfile.bogus /f /q /as (comment: OR /ah OR /ahs depending on what dir command switch you used to 'see' the file in the directory listing)
Since you might have bogus autorun.inf files in several places, change to any other drive, say d:, and repeat the same thing, and then e: and repeat the same thing, etc.
Then, after you have killed off all the vermin:
start explorer
Hope this helps at least in some way.

If you want to get some protection in place against future things coming in via thumb drives, you could visit http://autorun.synthasite.com. Sorry I can't be of more help to you since I'm a newbie and probably know less than you. :thumbsup: I trust someone with more knowledge will come along soon and help you further!

being made of mud, it's possible to be a bit muddled, no?
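The thread's procedure boils down to reading what a suspect autorun.inf would launch and then hunting for those files with dir /ahs. The script below is an added example, not code from this thread or from any tool named in it: it parses the [autorun] section of an autorun.inf at a drive root (assumed to be mounted as an ordinary directory path) and reports each launch target and whether it is present, using a constructed sample modelled on the file names the original post lists. It checks presence only; hidden/system attributes are left to dir /ahs or attrib.

```python
import configparser
import tempfile
from pathlib import Path

# [autorun] keys that run code on insert/AutoPlay; shell\<verb>\command entries hijack Explorer's verbs.
LAUNCH_KEYS = ("open", "shellexecute")
def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that would run something."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",), allow_no_value=True)
    cp.read_string(text)  # .inf files are INI-style; ';' starts a comment line
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)  # header is case-insensitive
    if section is None:
        return []
    return [(k, v.strip()) for k, v in cp.items(section) if v is not None and
            (k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")))]
def launch_target(command):
    """First token of the command line, unquoted: the file that would be executed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""
def triage_drive(root):
    """List every launch target named by <root>/autorun.inf and whether it is present."""
    root, inf = Path(root), Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    report = []
    for key, command in parse_autorun(inf.read_text(errors="replace")):
        # Backslash paths inside the .inf are relative to the drive root.
        target = root.joinpath(*launch_target(command).replace("\\", "/").split("/"))
        report.append({"key": key, "command": command, "exists": target.exists(),
                       "target": target.relative_to(root).as_posix()})
    return report

SAMPLE_AUTORUN = """[AutoRun]
; constructed sample modelled on the file names mentioned in the thread
open=folder.exe
shellexecute="setup.exe" /s
shell\\explore\\command=WD_Windows_Tools\\folder.exe
"""
def demo():
    """Constructed drive image in a temp dir; setup.exe is deliberately missing."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (root / "WD_Windows_Tools").mkdir()
        for name in ("folder.exe", "WD_Windows_Tools/folder.exe"):
            (root / name).write_bytes(b"MZ")  # stand-ins for the leftover executables
        return triage_drive(root)
```

Point triage_drive() at the mounted drive (e.g. the external drive's root) to see which files the autorun.inf would hand control to before deciding what to delete.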
