
stop cross infection from external hard drive


  • This topic is locked
19 replies to this topic

#1 vicvic2

vicvic2

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 17 November 2009 - 11:32 PM

Hi all

I have had a major problem happen. I picked up a virus or something at an internet cafe when I was printing a document using a USB drive. I had problems with an old computer and replaced it.

A couple of weeks ago I was getting ready to install Windows 7 and plugged this thumb drive in, not being aware that it had an infection. I then went and bought a new external hard drive. When I got home I plugged it in. Then I discovered that I have a virus. I ran scans and it came up clean. I backed up my data on the drive.

I am now running 7 and I am infected with something. How do I clean the external hard drive so that I can keep the data?

My XP machine is also infected from months ago. Haven't used it again until last night.

Cheers

vic


 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,391 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:29 PM

Posted 18 November 2009 - 12:19 PM

"I am now running 7 and i am infected with something. How do i clean the external hard drive so that i can keep the data."

You need to clean the infected machine unless you plan on reformatting and doing a clean install. Without doing that you will only infect any external drives you plug into that machine.

External storage media and flash (usb, pen, thumb, jump) drives are prone to infections which involve malware that modifies and loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, many security experts recommend you disable Autorun ASAP as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful. Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can be accessed via the program you normally use it with such as music CDs via Media Player, blank CDs via burning software, image handling software provided with the camera. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.

An easy way to disable Autorun on a specific drive is to download and use Microsoft Power Toy Tweak UI and then follow these instructions.

If using Windows XP Pro you can also use the Group Policy Editor to disable the autorun for USB & CD-ROM devices. To do this, please refer to:

If using Windows Vista, please refer to:

If using Windows 7, please refer to:

Note: For steps that require registry changes, always back up your registry before making any changes.

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB Flash Drive is to create a Read-only folder on the drive named autorun.inf and place a small file inside it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Finally, always scan USB flash drives and any external storage media after they have been used in other computer systems, even your own. An easy way to do this is to download ClamWin Portable Antivirus, put it on your USB Flash Drive, update its definition files and perform a scan.

You can also download and scan with:
  • Norman Malware Cleaner. Be sure to print out the instructions provided on the same page. For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.
  • Dr.Web CureIt. Choose Custom Scan after the Express Scan has finished to add your usb drive to the scan.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
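
The autorun.inf behaviour and the read-only autorun.inf folder described in the post above can be checked from a script before a drive is opened in Explorer. The following is an added example, not part of the original thread or of any tool it names; the function names and the constructed sample file (example.exe is a placeholder) are assumptions made for illustration.

```python
"""Report what an autorun.inf on a drive root would launch (added example)."""
import os
import sys

# Constructed sample for illustration; example.exe is a placeholder name.
SAMPLE = """; leading comment or junk line
[AutoRun]
open=example.exe
shell\\open\\command=example.exe
shell=open
"""

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Entries that start a program: open=, shellexecute=, shell\\<verb>\\command=."""
    hits = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            hits.append((key, value))
    return sorted(hits)

def find_autorun(root):
    """Locate autorun.inf in a drive root regardless of letter case."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None

def inspect_root(root):
    """Classify one drive root: absent, inoculated, present or launches."""
    path = find_autorun(root)
    if path is None:
        return {"state": "absent", "commands": []}
    if os.path.isdir(path):
        # The read-only *folder* named autorun.inf described in the post.
        return {"state": "inoculated", "commands": []}
    with open(path, "rb") as fh:
        data = fh.read()
    # Some files are UTF-16 with a byte-order mark; otherwise decode bytewise.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16", errors="replace")
    else:
        text = data.decode("latin-1")
    entries = parse_autorun(text)
    commands = launch_commands(entries)
    return {"state": "launches" if commands else "present",
            "commands": commands,
            "default_verb": entries.get("shell")}

if __name__ == "__main__":
    # Usage: pass one or more drive roots as arguments.
    for root in sys.argv[1:]:
        print(root, inspect_root(root))
```

A "launches" result is not proof of infection, since legitimate installer discs also use open=; it tells you which file to scan before touching the drive icon.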

#3 vicvic2


Posted 18 November 2009 - 12:51 PM

Thank you for your help.

I need just a little more advice.

I am currently reformatting the Windows 7 of the 3 computers infected. I will need to plug the external hard drive in to get the data off.

So I stop autorun and scan the drive with one of the above mentioned. What do I do if they don't find anything?

Whatever is on the external hard drive has moved from a thumb drive to it. It causes lots of typing problems and flashing. This morning typing "e" opened up the control panel.

How do I know if my data is OK? Once the data is off, should I reformat the external drive?

Cheers, thanks again

#4 quietman7


Posted 18 November 2009 - 01:05 PM

"So i stop autorun and scan the drive with one of the above mentioned. What do i do if they don't find anything"

Yes, disable autorun and do your scans. There are no shortcuts or guarantees when it comes to malware removal, especially when dealing with backdoor Trojans and rootkits. Infections will vary and some will cause more harm to your system than others as a result of it having the ability to download more malicious files. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

I forgot to mention that you should also do a Full scan with Malwarebytes Anti-Malware which will also check any removable disks and remove detected malware.

"Once the data is off should i reformat the external drive?"

Wiping the external drive and reformatting removes everything and is the safest action.

Reformatting deletes all data. Should you decide to reformat due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s) so be sure you look closely at the full file name. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
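
The backup advice in the post above (leave out the listed extensions, look at the full file name for a hidden second extension, and distrust archives with executables inside) can be applied to a whole folder before anything is copied. This is an added example, not part of the original thread; the function names and the DOCUMENT_LIKE set are assumptions, while the RISKY list is the one given in the post.

```python
"""Flag files a malware-recovery backup should leave out (added example)."""
import os
import sys
import zipfile

# The do-not-back-up list from the post above.
RISKY = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml",
         ".zip", ".rar", ".cab"}
EXECUTABLE = {".exe", ".scr"}
# Assumption: extensions a disguised file commonly pretends to have.
DOCUMENT_LIKE = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
                 ".xls", ".txt", ".mp3", ".avi"}

def extensions(name):
    """All dot-separated suffixes of a file name, lower-cased, in order."""
    return ["." + part for part in name.lower().split(".")[1:] if part]

def zip_executables(path):
    """Names of executable members inside a zip, or None if unreadable."""
    try:
        with zipfile.ZipFile(path) as archive:
            return sorted(m for m in archive.namelist()
                          if os.path.splitext(m.lower())[1] in EXECUTABLE)
    except (zipfile.BadZipFile, OSError):
        return None

def vet_file(path):
    """Return the reasons (possibly none) to keep this file out of a backup."""
    exts = extensions(os.path.basename(path))
    if not exts:
        return []
    reasons, last = [], exts[-1]
    if last in RISKY:
        reasons.append("extension %s is on the do-not-back-up list" % last)
    if last in EXECUTABLE and len(exts) > 1 and exts[-2] in DOCUMENT_LIKE:
        reasons.append("executable disguised as %s" % exts[-2])
    if last == ".zip":
        inner = zip_executables(path)
        if inner is None:
            reasons.append("archive could not be read")
        elif inner:
            reasons.append("archive contains executables: " + ", ".join(inner))
    return reasons

def vet_tree(root):
    """Walk a folder and map each flagged relative path to its reasons."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = vet_file(full)
            if reasons:
                report[os.path.relpath(full, root)] = reasons
    return report

if __name__ == "__main__":
    # Usage: pass one or more folders to vet before copying them.
    for root in sys.argv[1:]:
        for rel, reasons in sorted(vet_tree(root).items()):
            print(rel, "->", "; ".join(reasons))
```

Only .zip archives are opened, because that is what the Python standard library reads; .rar and .cab files are flagged by extension alone.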

#5 vicvic2


Posted 18 November 2009 - 01:19 PM

Thank you for the added advice.

I have already done a few scans including Malwarebytes. They don't find anything.

None of the files should have those extensions, I think. I should be OK.

Thank you again for the advice.

I will let you know how I go or if I need some assistance.

#6 quietman7


Posted 18 November 2009 - 01:22 PM

You're welcome and good luck.

#7 vicvic2


Posted 19 November 2009 - 01:54 AM

Hi Quietman7

I have reformatted the laptop with Windows 7. I have done a low level format with a boot disk of Partition Wizard. I downloaded and burnt the disk using a friend's computer - I will use this system to remove the files that I need off the external hard drive.

I am having problems turning off autorun using gpedit.msc. I am unable to search for the file. (7)

I managed to turn off autorun on the XP using the registry key but I couldn't use gpedit.msc either. I am about to reformat this system in a minute. I plan not to use this system once it is clean reinstalled.

I also have another system, my old laptop that I gave to a friend. I will have to do a HijackThis log as the keyboard doesn't work (spilt water on the keyboard), but it was the first computer that would have been infected. The system hasn't been used in months either. Where should I post the logs? Here or in the HJT area? What application should I use to scan the computer? This system is running Vista.

The Vista machine wouldn't have been on the internet for 3 months. Should I run updates or wait?

Thank you so much again

Vic

#8 vicvic2


Posted 19 November 2009 - 07:46 AM

OK, if this is funny - well, not really (just gotten home from having some beer at the pub)

Let the XP do the format thing and reinstall - it would load the test I talked about above, something to do with screen res.

I have a blue screen of death on the XP. It is frozen on the screen - I thought they flashed in front of your eyes, not moving.

This is what it says:

A problem has been detected and windows has been shut down to prevent damage to your computer.

BAD_POOL_CALLER

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select advanced startup options, and then
select safe mode

Technical information:

***STOP: 0x000000c2 (0x00000007, 0x00000D4, 0x11111111, 0x84c90c48)

Begin dump of physical memory

Physical memory dump complete.

Contact your system administrator or technical support group for further
assistance.


Nice


One thing I have to add information about: when I said above, about the Vista machine, I spilt water on it and plugged the infected drive in to back my data up. Everyone put it down to the fact that I spilt water on my computer.

I replaced my computer with a Toshiba - used backed up data - the machine gave me trouble for 2 weeks - it was resystemed off their recovery 4 times in that period. It would blue screen (I posted them on the Microsoft website at the time) while I was asleep.

This is all how I know I have something wrong.

They all have caused backward typing, freezing of the keyboard and application flashing - after a restart OK.

Going to bed.

Turning monitor off with blue screen, or should I restart? I was using the computer's original installation disks for the reformat.

I have plugged the Vista machine in to power and will allow it to upgrade.

In Australia, so good night - I hope you have a good day. 30C in temp here today.

Cheers, Vickie

#9 vicvic2


Posted 19 November 2009 - 07:51 AM

I just plugged in the Vista machine and it did the emergency bleeping at me - it did this the night I spilt water on it and plugged in the USB.

#10 vicvic2


Posted 19 November 2009 - 08:23 AM

OK, this is weird - setting the Vista machine up for updates - the only update I could get was Malwarebytes (already on the machine). Avast is asking for permission to install or something - been doing the flashy thing again - restart usually gets rid of it - just launched scan through a lot of flashing.

Will post log from that computer.

I was going to post the log to the Vista - going to sleep - will post in the morning.

Any advice would be great.

Typing from the 7, it is doing well - running really good - didn't get why people said it was faster than Vista but it is.

Take care, thank you

Edited by vicvic2, 19 November 2009 - 08:58 AM.


#11 quietman7


Posted 19 November 2009 - 08:44 AM

It's best to deal with one machine at a time in the same topic as it gets confusing when trying to clean or troubleshoot the various issues involved with multiple computers.

These links pertain to Windows 2000 but they will at least give you information about the type of error you are dealing with:
STOP 0x000000c2 BAD_POOL_CALLER
How to Debug "Stop 0xC2" or "Stop 0x000000C2" Error Messages

"I will have to do a hackthis log...Where should i post the logs."

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#12 vicvic2


Posted 19 November 2009 - 09:31 AM

Hi

Are you talking about doing HijackThis with the BSOD machine or XP - it is halfway through system restore.

Oh sorry, just editing, got to go to bed.

Just read the thread correctly, will check links tomorrow and do the HijackThis log - (I gave the computer to a friend and he hasn't used it in 3 months, I don't think he is in a hurry....) :thumbsup:

Have a good day

Edited by vicvic2, 19 November 2009 - 09:37 AM.


#13 quietman7


Posted 19 November 2009 - 10:20 AM

Ok.

#14 vicvic2


Posted 20 November 2009 - 12:06 AM

Hi quietman7

OK, first the Vista machine that I am going to do the logs on. I am having problems running the programs. It won't allow me to click what I need to click. It is typing backwards. I think I will need to turn off the UAC to get them to run; is that a good idea? As I can launch the program but can't give it permission to run as it flickers back and forward. If I am not able to get them to run, should I start the thread anyway?

The XP installation is still blue screening, same error; it doesn't work. I have reinstalled this machine before and never had the problem in the past. Any other suggestions?

I have finally worked out how to turn off autoplay in the Seven machine. In Home Premium we are not able to access the gpedit at all (Microsoft is strange). I have used the AutoPlay window, removed the tick at the top and then changed every media not to have any action.

Just an idea: could I set up a virtual machine on the Seven? Then in the virtual machine access the infected hard drive to back up the data I need. Would that help prevent this machine getting reinfected? Just an idea.

Thank you

#15 quietman7


Posted 20 November 2009 - 09:09 AM

Vista users can right-click on DDS or any program and Run As Administrator.

Do not start a new topic in that forum without posting a log or it will be removed.

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If RSIT did not work, then reply back here.



