I hope I'm posting this in the right place, and that those in the know are able and willing to help me.
Last week I received an expected e-mail attachment from a trusted source with an unexpected surprise included in the .rar archive, which I, in my infinite stupidity, double-clicked.
Since then, every time I connect a removable storage device, McAfee (Enterprise 8.7i) pops up with a warning that Generic!atr attempted to multiply itself, or at least an autorun.inf file.
The infection creates the files "install.exe" and "autorun.inf" in the root directory of each connected disk. These files both have the "hidden" attribute enabled. Neither can be removed by regular means, because they are always "in use by another user or application". McAfee manages to remove the autorun.inf file, because it is recognised as mentioned above.
When I right-click on the "install.exe" file and choose "properties", a shortcut appears in the same dir, with an MS-DOS icon; it can be removed normally.
If I connect a digital camera, both files proliferate to its memory stick, whereupon it has to be removed "unsafely" because it's constantly "in use".
When it is reconnected after doing so, the copy of "install.exe" on the memory stick shows "ewbkb2l0zjw" in the space where software publisher and/or document type are usually displayed in gray text, below the file name.
So far, I have run both McAfee and MBAM in and out of safe mode with system restore turned off (both full scans), as well as a stinger app the system admin sent me, based on my report of Generic!atr.
This morning, I discovered that the measures so far haven't helped; neither McAfee nor MBAM has managed to clean the infection.
The solution the system admins have come up with now is to use system restore to revert to a backup from before I opened the accursed e-mail.
And now, since I am so reluctant to do this, I come here seeking wisdom. Can anyone help?
The PC runs on Windows XP SP3.
Thank you for your time anyway.
If additional information is required, I will of course be happy to provide it.
Edited by Appleflap, 29 December 2009 - 03:45 AM.