
Disinfecting my External Hard Drive



#1 Brijens (Members, 3 posts)

Posted 04 October 2015 - 01:36 PM

Hi

My external hard drive (1 TB capacity) has been infected since a couple of days ago. I found your forum on the internet while searching for a solution. I even found a useful forum topic in which your team advised installing Malwarebytes and running a scan. I did so on my PC with my external hard drive also connected. However, Malwarebytes quarantined items only on the C drive of my PC (see the Malwarebytes log below). But I need to disinfect my external hard drive using Malwarebytes, which I am not able to do. Kindly help, as it contains all my important data, which I don't want to lose.

I hope you will provide me the solution at the earliest, as you may be quite used to such problems.

Thanks Team.

Malwarebytes Result Log...
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 04-10-2015
Scan Time: 23:00
Logfile: Malwarebytes Scan Log 04.10.15.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.10.04.03
Rootkit Database: v2015.10.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x86
File System: NTFS
User: sony
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 349847
Time Elapsed: 37 min, 4 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 18
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [e80b73df7e0d290de762e8116b9705fb], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\CLASSES\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}, Quarantined, [0ce7a7ab513aac8a4d324fa747bb4ab6], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\CLASSES\esrv.mysearchdialESrvc.1, Quarantined, [0ce7a7ab513aac8a4d324fa747bb4ab6], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\CLASSES\esrv.mysearchdialESrvc, Quarantined, [0ce7a7ab513aac8a4d324fa747bb4ab6], 
PUP.Optional.MySearchDial, HKU\S-1-5-21-3982043237-1895342364-2888862755-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}, Quarantined, [31c275ddbbd063d3cdb046b04db55da3], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}, Quarantined, [31c275ddbbd063d3cdb046b04db55da3], 
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{29b136c9-938d-4d3d-8df8-d649d9b74d02}Gw, Quarantined, [fef58cc60784a492727ce0e42ada7c84], 
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{29b136c9-938d-4d3d-8df8-d649d9b74d02}w, Quarantined, [1cd71f331e6d320449a97450e91b1ee2], 
PUP.Optional.InstallCore, HKLM\SOFTWARE\InstallCore, Quarantined, [d81b8ac82a61cb6b8d4377394aba8a76], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MySearchDial, Quarantined, [6390440eb9d2e4525324bdfe30d4ef11], 
PUP.Optional.SupTab, HKLM\SOFTWARE\supWPM, Quarantined, [d71c2f239af150e6e8b90cc10202a060], 
PUP.Optional.TornTV, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\bicnnkjibmphdeigoodpjlcklcnaobdj, Quarantined, [a74caaa8107b3600119e6b65ee167b85], 
PUP.Optional.RelevantKnowledge, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\mkndcbhcgphcfkkddanakjiepeknbgle, Quarantined, [7d7658fa92f90e285d1b80436b9956aa], 
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [2cc72131345739fd83f1f5c64db723dd], 
PUP.Optional.Desk365, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Desk 365 RunAsStdUser, Delete-on-Reboot, [856e8ac8c8c38fa756baced6ca3a6799], 
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-18\SOFTWARE\AskPartnerNetwork, Quarantined, [f6fd89c9404b77bf4fcd48f9699a8878], 
PUP.Optional.1ClickDownload, HKU\S-1-5-21-3982043237-1895342364-2888862755-1001\SOFTWARE\1ClickDownload, Quarantined, [797af45e058691a5f5d8a5ed59aba55b], 
PUP.Optional.InstallCore, HKU\S-1-5-21-3982043237-1895342364-2888862755-1001\SOFTWARE\InstallCore, Quarantined, [ce25e86a127981b5d4fb0ea264a0837d], 
 
Registry Values: 7
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd0202ie&cd=2XzuyEtN2Y1L1Qzu0CyEyEyCtCzy0BtAyBtDzyyEtAyCyC0DtN0D0Tzu0SyBzyyEtN1L2XzutBtFtCyBtFtDtFtCtN1L1CzutDzytDtCtG1TtN1L1G1B1V1N2Y1L1Qzu2SyBtA0Bzz0Czz0ByBtGtByB0B0DtGyDyCyC0EtGtCtBtByBtGtDyE0D0Ezy0E0B0EzyzzyE0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzy0BzztDyCzy0DtG0Azy0D0AtG0CyEyDtCtGzy0FyCtCtGtCtAtAtA0C0A0DtAtD0EyCyB2Q&cr=518200963&ir=, Quarantined, [2cc72131345739fd83f1f5c64db723dd]
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd0202ie&cd=2XzuyEtN2Y1L1Qzu0CyEyEyCtCzy0BtAyBtDzyyEtAyCyC0DtN0D0Tzu0SyBzyyEtN1L2XzutBtFtCyBtFtDtFtCtN1L1CzutDzytDtCtG1TtN1L1G1B1V1N2Y1L1Qzu2SyBtA0Bzz0Czz0ByBtGtByB0B0DtGyDyCyC0EtGtCtBtByBtGtDyE0D0Ezy0E0B0EzyzzyE0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzy0BzztDyCzy0DtG0Azy0D0AtG0CyEyDtCtGzy0FyCtCtGtCtAtAtA0C0A0DtAtD0EyCyB2Q&cr=518200963&ir=, Quarantined, [c13278da3754c1753c385c5f4cb81ce4]
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|FaviconPath, C:\Program Files\Mysearchdial\1.8.29.0\FavIcon.ico, Quarantined, [2cc770e21d6e0f27e78d8338f60e54ac]
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}, Mysearchdial, Quarantined, [787be56d72193cfa8fe552698b7953ad]
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|DisplayName, Mysearchdial, Quarantined, [a44f272bdcafea4c165e43782bd909f7]
PUP.Optional.OpinionSquare, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{C7AE725D-FA5C-4027-BB4C-787EF9F8248A}, C:\Program Files\RelevantKnowledge\firefox, Quarantined, [965de1711c6faf87c8ecdde0d82c946c]
PUP.Optional.Conduit, HKU\S-1-5-21-3982043237-1895342364-2888862755-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}|SuggestionsURL_JSON, http://suggest.seccint.com/CSuggestJson.ashx?prefix={searchTerms}, Quarantined, [44af6be74942979f9f55e1bc14f0ff01]
 
Registry Data: 1
PUP.Optional.MySearchDial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://start.mysearchdial.com/?f=1&a=irmsd0202ie&cd=2XzuyEtN2Y1L1Qzu0CyEyEyCtCzy0BtAyBtDzyyEtAyCyC0DtN0D0Tzu0SyBzyyEtN1L2XzutBtFtCyBtFtDtFtCtN1L1CzutDzytDtCtG1TtN1L1G1B1V1N2Y1L1Qzu2SyBtA0Bzz0Czz0ByBtGtByB0B0DtGyDyCyC0EtGtCtBtByBtGtDyE0D0Ezy0E0B0EzyzzyE0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzy0BzztDyCzy0DtG0Azy0D0AtG0CyEyDtCtGzy0FyCtCtGtCtAtAtA0C0A0DtAtD0EyCyB2Q&cr=518200963&ir=, Good: (www.google.com), Bad: (http://start.mysearchdial.com/?f=1&a=irmsd0202ie&cd=2XzuyEtN2Y1L1Qzu0CyEyEyCtCzy0BtAyBtDzyyEtAyCyC0DtN0D0Tzu0SyBzyyEtN1L2XzutBtFtCyBtFtDtFtCtN1L1CzutDzytDtCtG1TtN1L1G1B1V1N2Y1L1Qzu2SyBtA0Bzz0Czz0ByBtGtByB0B0DtGyDyCyC0EtGtCtBtByBtGtDyE0D0Ezy0E0B0EzyzzyE0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzy0BzztDyCzy0DtG0Azy0D0AtG0CyEyDtCtGzy0FyCtCtGtCtAtAtA0C0A0DtAtD0EyCyB2Q&cr=518200963&ir=),Replaced,[b53ecf83f2990c2a5a0da0e70ef70ff1]
 
Folders: 11
PUP.Optional.MarketScore, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge, Quarantined, [678caca675164fe74e87b94940c342be], 
PUP.Optional.OpenCandy, C:\Users\sony\AppData\Roaming\OpenCandy, Quarantined, [13e0c9891774fe381710f11844bf53ad], 
PUP.Optional.OpenCandy, C:\Users\sony\AppData\Roaming\OpenCandy\173CE43E711B494F9594AD7C3463D62D, Quarantined, [13e0c9891774fe381710f11844bf53ad], 
PUP.Optional.OpenCandy, C:\Users\sony\AppData\Roaming\OpenCandy\OpenCandy_173CE43E711B494F9594AD7C3463D62D, Quarantined, [13e0c9891774fe381710f11844bf53ad], 
PUP.Optional.APNToolBar.Gen, C:\ProgramData\APN\APN-Stub, Quarantined, [975ca8aaa6e570c6ce4549c8b1529769], 
PUP.Optional.GoPhoto, C:\Program Files\Gophoto.it, Quarantined, [22d189c991fa83b3ef7a29fcc93a7888], 
PUP.Optional.JumpFlip, C:\Program Files\Jump Flip, Quarantined, [de156de599f2b581a28c50d8956eab55], 
PUP.Optional.MySearchDial, C:\Users\sony\AppData\LocalLow\MySearchDial, Quarantined, [35be87cb7e0d7bbb178d72bb49bae719], 
PUP.Optional.MySearchDial, C:\Users\sony\AppData\LocalLow\MySearchDial\mysearchdial, Quarantined, [35be87cb7e0d7bbb178d72bb49bae719], 
PUP.Optional.NextLive, C:\Users\sony\AppData\Roaming\newnext.me, Quarantined, [16dddf73246772c4cd230d2082814db3], 
PUP.Optional.NextLive, C:\Users\sony\AppData\Roaming\newnext.me\cache, Quarantined, [16dddf73246772c4cd230d2082814db3], 
 
Files: 20
PUP.Optional.InstallCore, C:\Users\sony\AppData\Roaming\0W1L1G1Q1F2W1Bzz0D1F2W1G1I1F1T1Q1B\PDF to Word Converter Free Download Packages\uninstaller.exe, Quarantined, [d61d7ed4cfbcdf570a039449c73a44bc], 
Trojan.AutoIt, C:\Users\sony\AppData\Roaming\Microsoft\Office\trzE978.tmp, Quarantined, [a64db59d46452c0a8162317ed62c26da], 
PUP.Optional.NextLive, C:\Users\sony\AppData\Roaming\newnext.me\trzE7F9.tmp, Quarantined, [f9fa68ea6625280ea9468739659c6997], 
PUP.Optional.Conduit, C:\Users\sony\AppData\Roaming\OpenCandy\173CE43E711B494F9594AD7C3463D62D\embededstub.exe, Quarantined, [e013cc86b7d4da5c6c2eef6701ffae52], 
PUP.Optional.InstallCore, C:\Program Files\FLV Player\FLVPlayer.exe, Quarantined, [d71c8dc56229fd39be5b46e3619f8d73], 
Trojan.Bot.RV, C:\Temp\trz6F66.tmp, Quarantined, [3ab97dd5266593a3a85d8f8823ddca36], 
Trojan.Bot.RV, C:\Temp\trz792B.tmp, Quarantined, [cd26381a543789ad49bc2aed867aad53], 
Trojan.Bot.RV, C:\Temp\trzB2D9.tmp, Quarantined, [09eac88a5437d660679e8e89689831cf], 
Trojan.Bot.RV, C:\Temp\trzB2EA.tmp, Quarantined, [3fb40a488cffde58f1140611e31d28d8], 
Trojan.Bot.RV, C:\Temp\trzBD3C.tmp, Quarantined, [8370a0b2fd8ef640b94ccf48db25f60a], 
PUP.Optional.RelevantKnowledge, C:\Windows\System32\rlls.dll, Quarantined, [c42f2032aeddda5c39cad6c5a95cf40c], 
PUP.Optional.RelevantKnowledge, C:\Users\sony\AppData\Local\Temp\CSME649.tmp, Quarantined, [d023bf936823003623026b25c045fd03], 
PUP.Optional.CheckOffer, C:\Users\sony\AppData\Local\Temp\nsz309C.tmp\nsCBHTML5.dll, Quarantined, [bd3690c2197200366be1147ab34e1ae6], 
Trojan.Agent, C:\Windows\System32\rlls.dll, Quarantined, [b340ee643259d6607c84e3c9a85bc33d], 
PUP.Optional.Desk365, C:\Windows\System32\Tasks\Desk 365 RunAsStdUser, Quarantined, [04efb69c3952ff379772683c956fed13], 
PUP.Optional.Sanbreel, C:\Windows\System32\Drivers\{29b136c9-938d-4d3d-8df8-d649d9b74d02}Gw.sys, Quarantined, [fef58cc60784a492727ce0e42ada7c84], 
PUP.Optional.Sanbreel, C:\Windows\System32\Drivers\{29b136c9-938d-4d3d-8df8-d649d9b74d02}w.sys, Quarantined, [1cd71f331e6d320449a97450e91b1ee2], 
PUP.Optional.MarketScore, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\RelevantKnowledge.lnk, Quarantined, [678caca675164fe74e87b94940c342be], 
PUP.Optional.NextLive, C:\Users\sony\AppData\Roaming\newnext.me\nengine.cookie, Quarantined, [16dddf73246772c4cd230d2082814db3], 
PUP.Optional.NextLive, C:\Users\sony\AppData\Roaming\newnext.me\cache\spark.bin, Quarantined, [16dddf73246772c4cd230d2082814db3], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
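To see what the posted log actually says about the external drive, here is an added Python example (not code from the thread, and not Malwarebytes' own tooling) that parses the detection lines of this log format, splits Trojan.* hits from PUP.* hits, and records which drive letters the file and folder hits sit on. It assumes the line layout shown above; a drive missing from the result only means no detections were recorded there, not that the drive was scanned.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes Anti-Malware log posted above
# (section headers plus a few of its detection lines, copied verbatim).
SAMPLE_LOG = r"""Registry Keys: 2
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [e80b73df7e0d290de762e8116b9705fb], 
PUP.Optional.Sanbreel, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\{29b136c9-938d-4d3d-8df8-d649d9b74d02}Gw, Quarantined, [fef58cc60784a492727ce0e42ada7c84], 

Files: 4
Trojan.AutoIt, C:\Users\sony\AppData\Roaming\Microsoft\Office\trzE978.tmp, Quarantined, [a64db59d46452c0a8162317ed62c26da], 
Trojan.Bot.RV, C:\Temp\trz6F66.tmp, Quarantined, [3ab97dd5266593a3a85d8f8823ddca36], 
Trojan.Agent, C:\Windows\System32\rlls.dll, Quarantined, [b340ee643259d6607c84e3c9a85bc33d], 
PUP.Optional.Sanbreel, C:\Windows\System32\Drivers\{29b136c9-938d-4d3d-8df8-d649d9b74d02}Gw.sys, Quarantined, [fef58cc60784a492727ce0e42ada7c84], 

Physical Sectors: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)\s*$")
# name, target, action, 32-hex signature id; most lines end with a trailing ", "
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<target>.+?),\s*"
    r"(?P<action>Quarantined|Delete-on-Reboot|Replaced),\s*\[(?P<sig>[0-9a-f]{32})\],?\s*$"
)
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")

def parse_log(text):
    """Return one dict per detection line, tagged with its section (Files, Folders, ...)."""
    section, found = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found

def summarize(detections):
    """Split hits into trojans vs PUPs and count which drive letters the file/folder hits are on."""
    severity = Counter("trojan" if d["name"].startswith("Trojan.") else "pup" for d in detections)
    drives = Counter()
    for d in detections:
        if d["section"] in ("Files", "Folders"):
            m = DRIVE_RE.match(d["target"])
            drives[m.group(1).upper() if m else "?"] += 1
    return {"severity": dict(severity), "drives": dict(drives),
            "families": sorted({d["name"] for d in detections})}

def drive_had_hits(detections, letter):
    """True if any file/folder detection lives on the given drive (hits, not scan coverage)."""
    return letter.upper() in summarize(detections)["drives"]

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print(summarize(hits))
    print("external drive E: had hits:", drive_had_hits(hits, "E"))
```

Run against the full log above, every file and folder hit resolves to C:, which is why the poster saw nothing quarantined on the external drive; the Trojan.* entries are what the reply below is reacting to.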


#2 boopme (Global Moderator, 73,329 posts)

Posted 05 October 2015 - 03:31 PM

Hi, you are infected with at least Trojan ZBOT.


Quote
This Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.

Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).

Additionally, Trojan.Zbot contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shutdown or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.

This will steal any banking and personal data.

I recommend you re-post with the log from this guide to ensure you have removed any and all of it.
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.



