
External Hard Drive Infected


29 replies to this topic

#1 varunkr

  • Members
  • 39 posts

Posted 24 April 2013 - 12:27 PM

Hi,

 

I have an external hard drive which is very frequently passed around among friends and has become infected. My computer got infected too, but I got it cleaned thanks to help I received on this forum. I have kept my external drive disconnected since I started working on disinfecting my computer. Now that that part is taken care of, I need help to clean the external drive too.

 

What should I do?

 

Regards,

 

Varun




#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,592 posts
  • Location:California

Posted 24 April 2013 - 12:43 PM

Hi Varun,

I will be assisting you but I am currently away from my computer. I will touch base as soon as I am able.

Edited by Oh My, 24 April 2013 - 12:44 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 24 April 2013 - 03:22 PM

Greetings Varun,

Let's start with this.

===================================================

Panda USB Vaccine

--------------------

Alternate download link 1
Alternate download link 2

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB external drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

===================================================

Rerun Malwarebytes (MBAM)

--------------------

Temporarily disable your antivirus program.
  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the Full Scan including the external device option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Malwarebytes results
  • ESET results (no log if nothing found)

Gary
 
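
The Panda step above relies on AutoRun never being honoured for the external drive. The script below is an added example, not part of this thread and not part of Panda USB Vaccine, MBAM or ESET. It checks the Windows AutoRun policy that Computer Vaccination is meant to enforce (the NoDriveTypeAutoRun bitmask under the Explorer policy keys, plus HonorAutorunSetting), optionally hardens it to 0xFF for every drive type, and reads the drive's autorun.inf as plain text so you can see what it would have launched without ever opening it. It assumes the external is I:\ and PowerShell 3 or later; -Harden needs an elevated prompt.

```powershell
# Added example (not from the thread, not part of Panda USB Vaccine): check Windows'
# own AutoRun policy and inspect the external drive's autorun.inf without running it.
# Assumptions: the drive is I:\; -Harden needs an elevated prompt.
param(
    [string]$Drive = 'I:\',
    [switch]$Harden          # set NoDriveTypeAutoRun = 0xFF machine-wide
)

# NoDriveTypeAutoRun is a bitmask: bit (1 << GetDriveType value) set = AutoRun off for that type.
$driveTypeBits = @{
    0x01 = 'unknown'; 0x02 = 'no root dir'; 0x04 = 'removable (USB)'; 0x08 = 'fixed'
    0x10 = 'network'; 0x20 = 'CD/DVD';      0x40 = 'RAM disk';        0x80 = 'reserved'
}
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($key in $policyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask  = $null
        if ($props -and $props.PSObject.Properties['NoDriveTypeAutoRun']) {
            $mask = [int]$props.NoDriveTypeAutoRun
        }
        if ($null -eq $mask) { $mask = 0x91 }   # Windows default when the value is absent
        $blocked = $driveTypeBits.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                   ForEach-Object { $driveTypeBits[$_] }
        $honor = '(not set)'
        if ($props -and $props.PSObject.Properties['HonorAutorunSetting']) {
            $honor = $props.HonorAutorunSetting
        }
        [pscustomobject]@{
            Key                 = $key
            NoDriveTypeAutoRun  = '0x{0:X2}' -f $mask
            AutoRunOffFor       = $blocked -join ', '
            HonorAutorunSetting = $honor
        }
    }
}

Get-AutoRunPolicy | Format-List

if ($Harden) {
    $key = $policyKeys[0]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun  -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $key -Name HonorAutorunSetting -PropertyType DWord -Value 1    -Force | Out-Null
    'AutoRun disabled for every drive type (takes effect at next logon).'
}

# Read autorun.inf as text only; never double-click it. On a drive vaccinated as above the
# placeholder cannot be read, so an empty result there is expected.
$inf = Join-Path $Drive 'autorun.inf'
if (Test-Path -LiteralPath $inf) {
    $item = Get-Item -LiteralPath $inf -Force
    "autorun.inf present on $Drive ($($item.Length) bytes, attributes: $($item.Attributes))"
    Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command|icon|label)\s*=' }
} else {
    "no autorun.inf on $Drive"
}
```

Run it once before plugging the drive in to confirm the removable bit (0x04) is set in whichever key wins, and once after to see whether the drive carries an autorun.inf at all. A vaccinated machine should report 0xFF or at least the removable bit set; anything that still shows the 0x91 default has not been hardened, whatever a third-party tool's green checkmark says.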

#4 varunkr (Topic Starter)

Posted 25 April 2013 - 12:05 AM

Hi Gary,

 

I vaccinated the hard drive as you instructed and then ran the scans. Malwarebytes detected no malware, but the ESET Online Scanner detected and cleaned a couple of trojans. The logs are pasted below:

 

Malwarebytes Log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.23.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Admin :: ADMIN-PC [administrator]

Protection: Disabled

4/25/2013 3:23:31 AM
mbam-log-2013-04-25 (03-23-31).txt

Scan type: Full scan (C:\|D:\|E:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 430391
Time elapsed: 1 hour(s), 56 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

ESET Online Scanner Log:

 

Target                   Threat                            Action

I:\131\g0268.js    JS/Kryptik.AGQ trojan    cleaned by deleting - quarantined
I:\131\i0e0e.js     JS/Kryptik.AGQ trojan    cleaned by deleting - quarantined
 

 



#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 25 April 2013 - 08:36 AM

OK, good. Can you tell me what makes you think it is infected? What behavior are you seeing?
Gary
 

#6 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 25 April 2013 - 09:23 AM

The hard disk had the same malware that had infected my computer, which you helped me clean. I'm not sure if that was the malware that was detected and deleted by the ESET Online Scanner in my previous scan.

 

In addition to that, there has been a malware that has infected my drive for quite some time now. What it does is that whenever I copy a file or folder into the root directory of the hard disk, it just disappears or gets hidden from there when I disconnect it and reconnect it at a later time. Even allowing hidden files to be seen does not help and the files can't be located. The files are still present in the hard disk, only that I have to type the full file path in the Windows Explorer address bar in order to access them. All files and folders are still listed when I run the "dir/a" command on the drive using cmd.exe.

 

In place of the hidden folder, a new shortcut file is left behind. The shortcut file has the same name as that of the folder that was hidden. The target of the shortcut file is "C:\Windows\system32\CMD.exe /C Start WScript.exe 131\i0e0e.js &START EXPLORER "My Data"".

 

In case of individual files, no shortcut is left behind. It works only for folders. When I connect the drive to some of my friends' computers, the original folders can be seen as hidden. But on most computers, the drive works like it does on mine.



#7 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 25 April 2013 - 09:37 AM

Also, one question that I have is whether I can use my hard drive while you are helping me disinfect it? I won't be copying any files to or from the drive, but can I run video or audio files from the hard disks?



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 25 April 2013 - 01:07 PM

So this "external" hard drive still has an operating system on it?

Let's hold off on running stuff from the external for just a bit.
Gary
 

#9 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 25 April 2013 - 02:25 PM

No, there is no OS installed on the external. The target of the shortcut file links to 'C drive', on which I have Windows installed on my computer. The external is usually read by my computer as 'I drive' and all it has is my data, mostly pictures and songs and videos.


Edited by varunkr, 25 April 2013 - 02:26 PM.


#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 25 April 2013 - 06:22 PM

Sorry Varun it is probably me but your situation is confusing. Are you taking files from your external drive and putting them on the computer drive which contains the operating system? But then the files are hidden on the OS drive and a shortcut is left behind when you remove the external drive?

If you could provide a step by step instruction on what you are doing, as if you were telling me how to do it on my own computer, that might help to clarify what is happening.
Gary
 

#11 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 25 April 2013 - 08:22 PM

My computer hard disk has 3 partitions and Windows is installed in C:\, the other two being D:\ and E:\. My external drive is usually read as I:\.

 

The issue with the external is that I am unable to view any folder in the root directory (i.e. I:\). When I copy anything from C, D or E:\ (say, 'E:\Pictures') and paste it into the root directory of the external drive (to 'I:\Pictures'), this newly copied folder on the external drive gets hidden somehow.

 

Instead, a shortcut with the same name is created in place of the folder, i.e. a file named 'I:\Pictures.lnk' is created. Nothing happens to any file in C, D or E:\. So, when I open my hard disk, all I see are shortcuts instead of actual folders. To access the folders, I need to type the path in the address bar on Windows Explorer.

 

Now, when I check the properties of this shortcut file (I:\Pictures.lnk), the target is shown as "C:\Windows\system32\CMD.exe /C Start WScript.exe 131\i0e0e.js &START EXPLORER "Pictures"". That's why nothing seems to happen when I double click on these shortcuts.

 

On most computers, even after disabling hidden folders from the Control Panel, the original folder (I:\Pictures) on the external cannot be located. But on some computers, the original folder can be located as a hidden folder. This could be, I guess, because of some difference in folder settings.

 

Although this malware does not affect my computer's performance as such, it does infect every USB Drive that is connected to it. After you helped me clean my computer, I haven't attached any new USB to check whether this is still active or not on the computer. But it is still present in the external.
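
What Varun describes in this post is the classic removable-drive "shortcut worm" pattern: the real folder is given the Hidden and System attributes (which is why "show hidden files" alone does not reveal it, while a machine that also shows protected operating-system files does, and why `dir /a` still lists it), and a same-named .lnk is dropped whose target chains cmd.exe into wscript.exe to run the dropper script before opening the real folder so nothing looks wrong. The script below is an added triage example, not something posted in this thread and not part of any tool Gary recommends. It assumes the external is mounted as I:\, that AutoRun is already disabled before the drive is plugged in, and PowerShell 3 or later. It reads every root-level shortcut through the WScript.Shell COM object (this parses the file without launching it), flags shortcuts whose target is an interpreter or whose arguments reference a script engine or script file, shows the attributes of the same-named folder, and with -Fix deletes the flagged shortcuts and clears Hidden/System on the root folders.

```powershell
# Added example for the "folder replaced by a same-named shortcut" pattern described in the
# post above. Not from the thread or any of the tools Gary recommends. Assumptions: the
# external drive is I:\ and AutoRun is already vaccinated/disabled before it is plugged in.
param(
    [string]$Root = 'I:\',
    [switch]$Fix             # without -Fix: report only
)

$shell = New-Object -ComObject WScript.Shell    # parses .lnk files; does not run them

# Launchers for this worm family: target is an interpreter and/or the arguments pull in a
# script engine or a script file (here: cmd.exe /C Start WScript.exe 131\i0e0e.js ...).
$badTarget = '(?i)\\(cmd|wscript|cscript|powershell|mshta|rundll32)\.exe$'
$badArgs   = '(?i)(wscript|cscript|\.(js|jse|vbs|vbe|wsf)\b)'
$scriptRef = '(?i)(\S+\.(js|jse|vbs|vbe|wsf))\b'

function Get-RootShortcutReport {
    foreach ($lnk in Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -File -Force) {
        $sc   = $shell.CreateShortcut($lnk.FullName)
        $twin = Join-Path $Root ([IO.Path]::GetFileNameWithoutExtension($lnk.Name))
        $twinAttrs = '(no same-named folder)'
        if (Test-Path -LiteralPath $twin -PathType Container) {
            $twinAttrs = (Get-Item -LiteralPath $twin -Force).Attributes.ToString()
        }
        $scriptPath = ''
        if ($sc.Arguments -match $scriptRef) { $scriptPath = $Matches[1] }
        [pscustomobject]@{
            Shortcut   = $lnk.Name
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            ScriptFile = $scriptPath          # e.g. 131\i0e0e.js, relative to the drive root
            Suspicious = ($sc.TargetPath -match $badTarget) -or ($sc.Arguments -match $badArgs)
            RealFolder = $twinAttrs           # "Hidden, System, Directory" is the worm's signature
        }
    }
}

$report = @(Get-RootShortcutReport)
$report | Format-Table -AutoSize

# Root folders left Hidden+System (the state the shortcuts point past), whether or not a
# shortcut still exists for them.
$hiddenDirs = @(Get-ChildItem -LiteralPath $Root -Directory -Force | Where-Object {
    (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
    (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
})
"Hidden+System folders in ${Root}: $($hiddenDirs.Count)"

if ($Fix) {
    $bad = @($report | Where-Object { $_.Suspicious })
    foreach ($row in $bad) {
        Remove-Item -LiteralPath (Join-Path $Root $row.Shortcut) -Force
    }
    foreach ($dir in $hiddenDirs) {
        # attrib clears the attributes Explorer uses to hide the real folder
        attrib -s -h -r $dir.FullName
    }
    "Removed $($bad.Count) launcher shortcuts, unhid $($hiddenDirs.Count) folders."
}
```

The report alone answers the question Gary asked in #12 (is it the drive or the computer?): a clean machine shows a Suspicious = True row per missing folder and a RealFolder of "Hidden, System, Directory" on the drive, with nothing new appearing after a copy. The ScriptFile column is the path to hand to the scanners; here it is the same 131\i0e0e.js that ESET already quarantined, so the launchers are now dead shortcuts, but the folders stay hidden until the attributes are cleared.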

 



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 26 April 2013 - 08:32 AM

Hi Varun,

Thanks for the great explanation. Before we intrude any deeper into your computer or the external hard drive I think we need to attach a different USB device and attempt the same steps of copy/paste to see if there is any difference. That will tell us if it is the computer or the external drive.

Please let me know.
Gary
 

#13 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 26 April 2013 - 09:20 AM

Greetings Gary,

 

I got a different USB Drive and copied a folder from C:\ to I:\ and there were no issues that I mentioned earlier. The folders are clearly visible.

And I just realized that the target of the shortcut files created on my external have the file '131\i0e0e.js' mentioned in them. This file was quarantined by ESET Online Scanner when you asked me to run the scan on my external. So, there is a possibility that this malware might already have been removed from there. But no folders are visible yet in the root drive of my external, as before.

 

In addition to this problem, my external might also have the malware that infected my computer before, which was causing explorer.exe to crash (the one you helped me clean from my computer). I think so because a few of my friends' computers got infected with the same malware right after they used my external a week or so ago.



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:20 PM

Posted 26 April 2013 - 10:32 AM

In light of everything I think the best approach, if it is agreeable with you, is to backup whatever files you want to keep then reformat the external drive.  The difficulty is that most of the high power tools we would want to use do not really work on an external hard drive.  The only certain way to be rid of whatever might be left is to reformat.  If you decide to take this route, after you copy the files we would want to scan them before ever launching any of those file just to be safe.

 

Your thoughts?


Gary
 

#15 varunkr

varunkr
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 27 April 2013 - 04:59 AM

Hi Gary, thanks for the suggestion. Even I had thought of having it formatted, but the problem is that I do not know where to backup almost 500 GBs of data, as I don't really want to delete anything. The data on the disk is mostly stuff I had on my old computer, acting as a backup itself. So if there is any way around it, I would very much want to give it a try.

 

Also, if I do try to take a backup of the files, won't the infections get copied along with them too?
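
On the backup question: the data on this drive is pictures, music and video, and what the worm left behind is .lnk launchers in the root and .js payloads under 131\. A copy that skips those file types, and every other type Explorer runs on a double-click, carries the data across without the launchers. The script below is an added example for that step, not something from this thread; it assumes the external is I:\, that E:\External-Backup has enough free space for the roughly 500 GB involved, and robocopy (built into Windows since Vista). It copies with exclusions, strips the Hidden/System attributes the worm set so the restored folders are visible, and then checks the destination to confirm nothing executable came along. Gary's point stands regardless: scan the copy with MBAM and ESET before opening anything in it.

```powershell
# Added example for the backup-before-format step discussed above; not from the thread.
# Assumptions: the external drive is I:\, E:\External-Backup has enough free space, and
# robocopy (built into Windows since Vista) is available.
param(
    [string]$Source = 'I:\',
    [string]$Dest   = 'E:\External-Backup'
)

# Types this drive's worm uses (.lnk launchers, .js payload under 131\) plus the other
# kinds of file Explorer runs on a double-click. Pictures, music and video are copied.
$launcherTypes = 'lnk','js','jse','vbs','vbe','wsf','exe','scr','pif','com','bat','cmd','hta','dll','inf'
$excludeFiles  = $launcherTypes | ForEach-Object { "*.$_" }          # *.inf also drops autorun.inf
$excludeDirs   = '$RECYCLE.BIN', 'System Volume Information', '131'  # 131 = dropper folder named in the shortcuts

$log = Join-Path $env:TEMP 'external-backup.log'
# /E all subfolders, /XJ skip junctions, /A-:SH drop System/Hidden from copied files,
# /R:1 /W:1 don't stall on unreadable files, /NP no per-file progress in the log.
& robocopy $Source $Dest /E /XJ /A-:SH /R:1 /W:1 /XF $excludeFiles /XD $excludeDirs /NP "/LOG:$log"
$rc = $LASTEXITCODE     # robocopy: < 8 is success (bits 1/2/4 = copied/extras/mismatches), >= 8 = failures
if ($rc -ge 8) { Write-Warning "robocopy reported failures (exit $rc); see $log" }

# Folders copied from the worm's Hidden+System state can stay hidden on the destination;
# clear those attributes on the whole backup tree so the data is visible again.
attrib -s -h -r "$Dest\*" /S /D

# Verify the exclusion held: nothing that runs by double-click should be in the backup.
$leaked = @(Get-ChildItem -LiteralPath $Dest -Recurse -Force -File |
    Where-Object { $launcherTypes -contains $_.Extension.TrimStart('.').ToLower() })
if ($leaked.Count) {
    Write-Warning "$($leaked.Count) launcher/script files in the backup:"
    $leaked | Select-Object -ExpandProperty FullName
} else {
    "Backup in $Dest contains no launcher/script files; scan it with MBAM/ESET before opening anything."
}
```

Extension filtering is a copy-time hygiene step, not a verdict: it removes the launchers the worm needs, but a media file is still whatever the scanners say it is, which is why the scan of the copy comes before the reformat and before anything is played from it.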





