external hard drive infected by several bugs



#1 kancamaga


Posted 12 July 2010 - 05:27 AM

Hi again BC team,

I am starting a new topic with my second issue as described here a few days ago:

http://www.bleepingcomputer.com/forums/ind...p;#entry1837880

Issue#1 was successfully resolved by Gringo, thank you!

Issue#2 has not been revisited, I focused entirely on following gringo's instructions and cleaning the laptop.

I will copy the description of issue#2 below and await instructions on how to proceed:
"
The problem is the external harddrive on which I backed up the system before any disinfecting started. I hooked the external harddrive to another PC (which has Sophos AV) and started a scan on the hard drive only. It found 5 trojans and 1 potentially unwanted software (I don't have the exact names, I couldn't save the logs since Sophos crashed). However after 5 days the scan had only covered 41% of the drive (500GB WD MyPassport) and the progress was roughly 2% per 24 hours. So I stopped the scan and tried to clean what was found but Sophos gave an error and the PC froze. I turned it off, unplugged the external drive, restarted and ran a scan on the PC only, everything was fine. So the infection is contained only on the external. In addition, while the scan was running, it was showing the names of the files and I noticed that the vast majority of my media files were renamed with .exe extensions. My guess is that was why Sophos was taking forever to scan.
The bad news is that except the last infected backup of my laptop I had my entire media library on the external drive and now it is ruined.
"

Thanks
k



#2 kahdah


Posted 17 July 2010 - 03:16 PM

Hello kancamaga

Welcome to BleepingComputer
========================
Are you still in need of assistance?

If so please scan your external Hard drive with the following online scanner:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select whatever is your external drive letter
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 kancamaga


Posted 18 July 2010 - 06:33 PM

Dear Kahdah,

thank you for getting back to me.

I ran the Kaspersky scan. It found 30 threats in 26,003 objects (the report file is extremely long). Many are in a backup folder of my old work emails. I have deleted these lines from the report since they contain names and email addresses which cannot be made available on the web. Lines 66 through 10,890 have been deleted (I marked it in the txt file), the remaining infected files include audio, doc and excel files. I have a second backup of these files and it will be fine to just delete them. I do however have some other data only on this drive and would like to try to salvage it.

I am attaching the truncated Kaspersky report, but it is very long.

Kind regards,
k




#4 kahdah


Posted 19 July 2010 - 06:18 AM

Ouch, that is quite an infected drive.
I am almost certain that the virus didn't delete the music but maybe took the names of the songs and created exe's to have the same name in the hopes you would click on it.

Please click here to download Kaspersky Virus Removal Tool.
  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to your My Computer and any removable drive letter.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all or use your mouse to select all then right click and choose copy.
  10. This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.


If the log is too big then you can click Here to upload the file please.

Edited by kahdah, 19 July 2010 - 05:53 PM.


#5 kancamaga


Posted 29 July 2010 - 09:34 AM

Dear Kahdah,

I performed several cleanups with Kaspersky. The first caused the PC to freeze, so I had to kill the process and start it again. The last two did not find any more threats. Unfortunately I cannot supply the log. Since each scan produced 500-600 thousand lines, when I Ctrl-A, Ctrl-C, the machine freezes, gives a warning of insufficient virtual memory and regardless of how long I wait it out, it never unfreezes. I have not uninstalled Kaspersky and the log is saved. I am copying here just the header lines of each scan. I also ran a scan with my proprietary AV (Webroot Security) and it also did not find any threats. I have not done anything else with the external drive (trying to recover the formerly renamed files). Awaiting further instructions.

k

Autoscan: malfunction (events: 605607, objects: 0, time: Unknown)
Autoscan: completed 7 days ago (events: 734776, objects: 644368, time: 1 day 10:41:10)
Autoscan: completed 7 days ago (events: 586151, objects: 579210, time: 02:08:11)
Autoscan: stopped 7 days ago (events: 555, objects: 103, time: 00:00:33)
Autoscan: completed 14819 days ago (events: 585035, objects: 578169, time: 02:28:31)


#6 kahdah


Posted 29 July 2010 - 12:45 PM

OK, just to make sure nothing is left over, please redo the online scan again from Kaspersky.
It was in the first post I made to you.
QUOTE: "trying to recover the formerly renamed files"
See if the files are hidden; they are not renamed but supposed to be hidden.
To view hidden files and folders do the following:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK

Let me know what is left over and we will continue.

#7 kancamaga


Posted 07 August 2010 - 02:38 PM

Dear Kahdah,

I scanned the external drive one last time with the online scanner from Kaspersky. There was nothing. Report is below.

Then I examined carefully folder by folder what is left on the drive, after following your instructions to show system files, etc.

It appears everything is there, just that most of the media files are hidden (show grayed out) but open without a problem.
I guess I would like to make them show as regular files, so I can open and use them without having to change settings on other computers.

Please advise.

Thanks so much for your help so far, it seems things are on track.

Kind regards,
k

Saturday, August 7, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 07, 2010 09:53:32
Records in database: 4134182
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area Folder
F:\
Scan statistics
Objects scanned 1652
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 00:16:31

No threats found. Scanned area is clean.
Selected area has been scanned.

#8 kahdah


Posted 07 August 2010 - 04:43 PM

Hi I can give you a command to remove the hidden attributes from the files but I need to know the layout of the drive.
Is it all files just sitting in the drive or are they each in their separate folders?


#9 kancamaga


Posted 08 August 2010 - 03:09 AM

Dear Kahdah,

The files are in folders and subfolders. For example I have a few iTunes libraries and you know how iTunes "keeps tracks organized" - there are hundreds of folders.

K

#10 kahdah


Posted 08 August 2010 - 09:02 AM

What you can do, since it is like that in many folders, is try to right click on the folders themselves and choose properties and uncheck hidden then click ok.
That will unhide the folders.
It should unhide the contents as well but if not you will have to select them all and right click on the files and choose properties and uncheck the Hidden option then click on ok to save the changes.
Sorry it couldn't be easier but since the layout is like that it won't be easy.
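
Added example, not written by anyone in this thread: a PowerShell script that clears the Hidden and System attributes recursively, as an alternative to the folder-by-folder Properties route in post #10, and lists visible .exe files named after a hidden item in the same folder, the pattern described in post #4. The default root `F:\` comes from the scan report in post #7; the skip list, the `-Apply` switch and the script name `Unhide-Drive.ps1` are assumptions of this example.

```powershell
# Unhide-Drive.ps1 (hypothetical name). Report-only unless -Apply is given.
param(
    [string]$Root = 'F:\',   # drive letter from the Kaspersky report in post #7
    [switch]$Apply           # assumption of this example: opt-in switch to make changes
)

$Root = (Resolve-Path -LiteralPath $Root).Path
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
# Windows keeps these top-level folders hidden+system on purpose; leave them alone.
$skip = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'

# -Force is required, otherwise Get-ChildItem omits hidden and system items.
$all = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $top = ($_.FullName.Substring($Root.Length).TrimStart('\') -split '\\')[0]
        $skip -notcontains $top
    }

$hidden = @($all | Where-Object { ([int]$_.Attributes -band $mask) -ne 0 })

# Index hidden items by folder + name (with and without extension).
$index = @{}
foreach ($h in $hidden) {
    $dir = [IO.Path]::GetDirectoryName($h.FullName)
    $index["$dir|$($h.Name)"] = $true
    $index["$dir|$($h.BaseName)"] = $true
}

# Visible .exe files named after a hidden item in the same folder: list for review only.
$lookalikes = @($all | Where-Object {
    -not $_.PSIsContainer -and $_.Extension -ieq '.exe' -and
    ([int]$_.Attributes -band $mask) -eq 0 -and
    $index.ContainsKey("$([IO.Path]::GetDirectoryName($_.FullName))|$($_.BaseName)")
})

"Hidden/System items: $($hidden.Count)   same-name visible .exe: $($lookalikes.Count)"
$lookalikes | ForEach-Object { "REVIEW  $($_.FullName)" }

if ($Apply) {
    foreach ($h in $hidden) {
        # Clear only the Hidden and System bits; ReadOnly, Archive etc. are kept.
        $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band (-bnot $mask))
    }
    "Cleared Hidden/System on $($hidden.Count) items."
}
```

Run it once without `-Apply` to see the counts and the REVIEW list, then again with `-Apply` to clear the attributes. The listed .exe files are never deleted or opened by the script, so they can be scanned or checked before removal.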



