
Author Topic: Autorun Infections on USB Drives  (Read 20682 times)


Tatterdemalion

    Topic Starter


    Intermediate

    Autorun Infections on USB Drives
    « on: February 06, 2010, 01:27:24 AM »
    When my Router broke at the start of the week, I used an old computer and
    USB ADSL modem to contact my ISP and arrange its replacement. During
    that time I was transferring the USB drive where I store my e.mail plus
    a larger external hard drive of audio files between machines.

    Now that my new Router has arrived and my main laptop is able to
    connect to the internet, I have those two drives hooked into it and
    Avast Anti-Virus has found infections.

    I have run scans and have deleted the rogue items but I would
    like to know if this is a safe time to plug in and test other drives
    that may have been affected.

    My situation currently is that Avast alerted me to an
    autorun.inf infection on the larger hard drive. I deleted it
    and then found the same item on the smaller flash drive.

    I scanned the small drive in full and Avast reported :

    RECYCLER/autorun.exe

    Malware Name : Win 32 : Delf.NDH [Drp]

    I scanned the large drive and the same

    RECYCLER/autorun.exe

    was found plus multiple instances of

    BV : AutoRun-G [Wrm]

    The scan also mentioned that

    setup.exe
    instmsia.exe
    instsmsiw.exe


    are "Decompression Bombs".

    I don't know what that means. The software I have deliberately
    put on the drive are installers for Direct X, Open Office and the
    Demo of the driving game Dirt 2.

    During the scanning of the large drive, Norton said it had
    removed

    W32.Polip

    as a security risk.

    I do NOT have Norton installed. There is a splash screen
    advert for it that appears whenever I boot up. It is a trial that
    came pre-installed with the laptop. I have never run it.
    I chose Avast.

    After scanning the external hard drives separately - and
    deleting the autorun.inf and autorun.exe
    infections, I ran a full scan of "My Computer" so that those
    drives would be scanned again and the C: drive for the
    first time.

    No infections were reported at the end of the scan
    and I would like to know if it is safe for me to plug in
    and test additional hard drives that may have been
    compromised.

    THANK YOU FOR BEING THERE

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Autorun Infections on USB Drives
    « Reply #1 on: February 06, 2010, 10:46:56 AM »
    Flash Drive Cleanup

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.
     
    * Double-click Flash_Disinfector.exe to run it.
    * Your desktop and icons may disappear. This is normal.
    * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    * Follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * There will be no GUI interface or log file produced.
    * Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    ----------

    Panda USB and AutoRun Vaccine

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Panda USB and AutoRun Vaccine and save it to your desktop.

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

    ----------


    Now you need to clean the malware from the computer. Follow the directions in the below link and post the logs.

    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Tatterdemalion

      Re: Autorun Infections on USB Drives
      « Reply #2 on: February 06, 2010, 03:49:19 PM »
      Thank you very much for this advice.

      Am I correct in understanding that both of these applications should be run on every one
      of every kind of data-storing USB drive that I own, (not just the ones that Avast identified
      as having a problem) from 2GB memory sticks to the 1.5TB external hard drives that are
      supposed to be dismounted using the "Safely Remove Hardware" option ?

      evilfantasy

      Re: Autorun Infections on USB Drives
      « Reply #3 on: February 06, 2010, 04:12:45 PM »
      You can run them on everything that plugs in to your computer that has storage capabilities from flash drives, mp3 players, phones etc.

      You can also take the extra measure of manually disabling autoruns.

      AutoRun Cleanup

      Download and Install Microsoft's TweakUI
      * Once installed start TweakUI.
      * Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
      * Turn off the checkbox next to every drive letter to disable AutoPlay except your CD/DVD drive letters.

      Tatterdemalion

        Re: Autorun Infections on USB Drives
        « Reply #4 on: February 07, 2010, 12:58:17 AM »
        Thank you.

        One more question before I start, I was initially alerted to this infection by Avast which found a RECYCLER/autorun.exe on two external drives that were plugged in simultaneously.

        Is this the program that SPREADS the infection ?

        I ask because I want to establish whether a third drive has avoided contagion or whether it is another carrier.

        I inserted that third drive into the laptop that has Avast by using the SHIFT key method to avoid autorun.inf starting and then scanned it. Avast did not report RECYCLER or any other problem.

        Does that mean that drive has escaped being hit ?

        evilfantasy

        Re: Autorun Infections on USB Drives
        « Reply #5 on: February 07, 2010, 01:03:45 AM »
        If you can I would suggest also running another scan on any drive that was plugged in to the infected machine for a "second opinion". Never hurts to be sure.

        The autorun/recycler virus can be hard to get rid of but getting the host machine cleaned up will make cleaning the other drives much easier.

        Run this on the other drives. Dr.Web CureIt
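Added example, not part of the original posts or of any tool named in this thread: a read-only Python check of a drive root for the two traces the thread keeps returning to, an autorun.inf that launches a program and an executable sitting directly in RECYCLER. On Windows XP NTFS volumes RECYCLER is the normal Recycle Bin folder and keeps deleted files inside per-user SID subfolders, so the folder on its own is not a sign of infection. The drive layout, SID and file contents below are constructed samples.

```python
"""Read-only triage of a removable drive root for AutoRun worm traces (added example)."""
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")        # keys Windows acts on when AutoRun fires
RECYCLE_DIRS = ("recycler", "$recycle.bin")   # real bins keep files in SID subfolders
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def parse_autorun_inf(text):
    """Return [(key, command)] for launch entries in the [autorun] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # shell\<verb>\command adds a context-menu entry that also starts a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            entries.append((key, value.strip()))
    return entries


def _points_into_recycle_bin(command):
    path = command.lower().replace("/", "\\")
    return any(d + "\\" in path for d in RECYCLE_DIRS + ("recycled",))


def triage_drive(root):
    """Return [(level, message)] for a drive root; nothing is modified or deleted."""
    findings = []
    for entry in sorted(Path(root).iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if name == "autorun.inf":
            if entry.is_dir():
                # A folder with this name blocks a worm from writing the file
                findings.append(("info", "autorun.inf is a folder (placeholder left by a disinfection tool)"))
                continue
            # latin-1 never fails to decode, even if the file is padded with junk bytes
            text = entry.read_bytes().decode("latin-1")
            for key, cmd in parse_autorun_inf(text):
                level = "high" if _points_into_recycle_bin(cmd) else "review"
                findings.append((level, f"autorun.inf {key} -> {cmd}"))
        elif name in RECYCLE_DIRS and entry.is_dir():
            for child in sorted(entry.iterdir()):
                if child.is_file() and child.suffix.lower() in EXEC_EXTS:
                    findings.append(("high", f"executable directly in {entry.name}: {child.name}"))
    return findings


def build_sample_drive(base):
    """Constructed layouts modelled on the scan results quoted in the thread."""
    infected = Path(base) / "infected"
    sid_dir = infected / "RECYCLER" / "S-1-5-21-0-0-0-1000"   # constructed SID
    sid_dir.mkdir(parents=True)
    (sid_dir / "Dc1.exe").write_bytes(b"MZ")                  # an ordinary deleted file
    (infected / "RECYCLER" / "autorun.exe").write_bytes(b"MZ placeholder, not a real binary")
    (infected / "autorun.inf").write_text(
        "[AutoRun]\n;padding\nopen=RECYCLER\\autorun.exe\n"
        "shell\\open\\command=RECYCLER\\autorun.exe\nicon=shell32.dll,4\n"
    )
    vaccinated = Path(base) / "vaccinated"
    (vaccinated / "autorun.inf").mkdir(parents=True)
    return infected, vaccinated


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for drive in build_sample_drive(tmp):
            print(drive.name)
            for level, msg in triage_drive(drive):
                print(f"  [{level}] {msg}")
```

An empty result only means these two traces are absent from the drive root; it does not replace the scanner runs recommended in the thread.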

        Tatterdemalion

          Re: Autorun Infections on USB Drives
          « Reply #6 on: February 07, 2010, 07:52:16 AM »
          Hi

          I ran Flash Disinfector whilst my 120GB USB hard drive and the flash memory stick that MIGHT not have the virus on it were connected to my laptop's USB ports.

          I do not know if the program treated BOTH drives.

          When it had finished I got an alert box from BOClean, it said :

          NIRCOMMAND VARIANT STOPPED BY BOCLEAN

          Location of startup: FILE
          C:DOCUMEN~\SCOUT\LOCAL~1\TEMP\NIRCMD.EXE

          This trojan horse program was found on your machine. It has been shut down, but the FILE from which it started still remains and can be started up again.

          Do you want the file removed also ?

          Should I respond with a "Yes" or a "No" ?

          Do I need to treat all of the drives I own NOW before re-booting to move onto the Panda Utility ?

          I have other drives that have DEFINITELY NOT been infected yet and I wonder if they could be immunised later on AFTER the malware has been identified and cleared from this laptop.

          evilfantasy

          Re: Autorun Infections on USB Drives
          « Reply #7 on: February 07, 2010, 09:45:10 AM »
          Quote
          NIRCOMMAND VARIANT STOPPED BY BOCLEAN

          Location of startup: FILE
          C:DOCUMEN~\SCOUT\LOCAL~1\TEMP\NIRCMD.EXE

          That's part of Flash Disinfector. You need to allow it.

          Quote
          Do I need to treat all of the drives I own NOW before re-booting to move onto the Panda Utility ?

          Go ahead and restart then run Panda. Either way though should be fine.

          Quote
          I have other drives that have DEFINITELY NOT been infected yet and I wonder if they could be immunised later on AFTER the malware has been identified and cleared from this laptop.

          It never hurts to check when you have the extra time. ;)

          Tatterdemalion

            Re: Autorun Infections on USB Drives
            « Reply #8 on: February 08, 2010, 04:11:39 AM »
            Hi

            When I installed the Panda Vaccination software I did not check any of the
            boxes and I did not select the NTFS option as it said it was in BETA.

            I have immunised my Flash FAT 32 memory sticks. My larger "fixed" drives
            are in the NTFS format and have not been vaccinated.

            I assume I can vaccinate all my PCs and/or use the TWEAK application
            to allow me to confidently attach my 1.5TB drives again.... ??

            I have followed the Six Step set of Malware Guidelines.

            STEP 1

            I saw a program in my Add/Remove Programs list called "Keynote
            Connector". I don't know what it is. I can't see a date for its
            installation and no file size is given.

            I am also unfamiliar with "PC-Doctor 5 for Windows" but perhaps it
            is part of the OS. Its installation date was probably the day I got the laptop.

            STEP 3

            I scanned just my C: Drive using SUPERAntiSpyware.

            I did not scan any additional external drives.

            The result was :

            "Scanning is complete. No harmful software was detected."

            STEP 4

            I updated MBAM to Version 3703 and ran the scan.

            The result was :

            "The scan completed successfully. No malicious items were detected."

            STEP 5

            My Java Version is now at V6 Update 18

            STEP 6

            I'm a bit confused by the renaming here.

            I ran the scan by double-clicking
            the "Shortcut to sniper.exe" icon

            I will try to attach the log to the next thread.


            Tatterdemalion

              Re: Autorun Infections on USB Drives
              « Reply #9 on: February 08, 2010, 04:12:32 AM »
              This should be my Hi-Jack This log

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Autorun Infections on USB Drives
              « Reply #10 on: February 08, 2010, 02:26:42 PM »
              Keynote Connector - I'm not sure what this is but came up with this. http://panel.webeffective.keynote.com/

              PC-Doctor 5 for Windows - http://www.bleepingcomputer.com/uninstall/2442/PC-Doctor-5-for-Windows.html



              Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

              Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

              Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

              Exit out of MessengerDisable then delete the two files that were put on the desktop.

              ----------

              Open HijackThis and select Do a system scan only

              Place a check mark next to the following entries: (if there)

              O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

              Important: Close all open windows except for HijackThis and then click Fix checked.

              Once completed, exit HijackThis.

              ----------

              ESET Online Scan

              Scan your computer with the ESET FREE Online Virus Scan

              * Click the ESET Online Scanner button.

              * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
              * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
              * Place a check mark next to YES, I accept the Terms of Use.

              * Click the Start button.
              * Accept any security warnings from your browser.
              * Leave the check mark next to Remove found threats and place a check next to Scan archives.
              * Click the Start button.
              * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
              * When the scan completes, click List of found threats.
              * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
              * Click the <<Back button then click Finish.

              In your next reply please include the ESET Online Scan Log

              Tatterdemalion

                Re: Autorun Infections on USB Drives
                « Reply #11 on: February 08, 2010, 05:49:41 PM »
                I have downloaded the Disable/Remove Messenger program, unzipped and run it.

                I had to try twice to get it to "Uninstall Windows Messenger", it says it has but I can't see any new files on the Desktop.

                There is a Box with the heading : "Advanced INF Install"

                It contains the text : "You must restart your computer before the new settings will take effect.
                                                  Do you want to restart your computer now ?

                                                  YES     NO    "

                Please let me know if I should agree to this or continue with the HijackThis scan without re-booting - which I think I am supposed to run by clicking on "Shortcut to Sniper.exe".


                evilfantasy

                Re: Autorun Infections on USB Drives
                « Reply #12 on: February 08, 2010, 05:54:26 PM »
                Go ahead and restart first.

                Tatterdemalion

                  Re: Autorun Infections on USB Drives
                  « Reply #13 on: February 09, 2010, 03:29:44 AM »
                  Hi

                  My result said "No threats found".

                  Does that mean there will be no log generated ?

                  evilfantasy

                  Re: Autorun Infections on USB Drives
                  « Reply #14 on: February 09, 2010, 09:32:38 AM »
                  Yes there will be no log.

                  Final suggestions.

                  Use the Secunia Software Inspector to check for out of date software.

                  * Click Start Now
                  * Check the box next to Enable thorough system inspection.
                  * Click Start
                  * Allow the scan to finish and scroll down to see if any updates are needed.
                  * Update anything listed.

                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                  ----------

                  I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                  Tatterdemalion

                    Re: Autorun Infections on USB Drives
                    « Reply #15 on: February 09, 2010, 12:12:14 PM »
                    Thank you. While I am running the Secunia Scan, I'd like to ask more questions and express GRATITUDE for your patience with me. I've learned a lot from this - not least that it's just not really viable to keep computers off the internet any more (certainly not if you ever intend to (re-)introduce them) - and that you must, must, must, must, MUST keep everything up-to-date.

                    My concern --->

                    Three of my USB drives had direct physical contact with the insufficiently protected 7-year-old, usually offline Desktop PC that was the source of this infection. They were exposed to it over a period of a couple of days while I was using that machine to request a replacement Router from my ISP. I kept checking back at different times to see how that order was progressing, to collect my e.mail and to look up information on the new Router. I became complacent and spent more and more time online on each occasion, I read pdf manuals in an ANCIENT version of Acrobat and hung around watching YouTube reviews. Very silly.

                    I can't remember when I used the Cruzer Crossfire Flash Drive. I am hoping it was early on BEFORE the infection struck because I used it to move some files to two USB NTFS 1.5TB drives connected to my Toshiba Laptop - which is another computer that I have kept offline as much as possible.

                    The machine that you have been giving me so much help to clean and protect is not the Desktop PC (which is pre Windows XP SP1a, has lots of physical problems and which I won't be using again) but my main day-to-day Lenovo Laptop. The Lenovo has Avast installed and Avast detected RECYCLER on my Flash Voyager Drive and my 120GB NTFS USB hard drive.

                    Avast did NOT find RECYCLER or any other problem on the Cruzer Crossfire Flash Drive.

                    Can I now safely use that Cruzer Crossfire Flash Drive to transport the Panda Immunisation software to my Toshiba Laptop ?

                    The Lenovo Laptop has been immunised. Is it now in a safe enough state for me to test the 1.5TB drives in it ?

                    If Avast does not see RECYCLER on those 1.5TB drives, as it did not see it on the Cruzer Crossfire, might that suggest that I am in the clear and have had a lucky escape ?






                    evilfantasy

                    Re: Autorun Infections on USB Drives
                    « Reply #16 on: February 09, 2010, 12:28:21 PM »
                    Quote
                    Can I now safely use that Cruzer Crossfire Flash Drive to transport the Panda Immunisation software to my Toshiba Laptop ?

                    The Lenovo Laptop has been immunised. Is it now in a safe enough state for me to test the 1.5TB drives in it ?

                    Plug in the flash drives, one at a time, and don't let them launch. Just plug them in.

                    Now scan them with the Kaspersky online scanner. Keep track of which log goes with each flash drive.

                    Please keep ALL other programs closed during the scan

                    Run an online scan with the Kaspersky Online Scanner

                    * The program will launch and then start to download the latest definition files.
                    * Once the scanner is installed and the definitions downloaded, click Next
                    * Now click on Scan Settings
                    * Now under select a target to scan select Your USB drive
                    * Once the scan is complete it will display if your system has been infected.
                    * Please do not use your computer while the scan is running. Once the scan is complete it will display if your USB drive has been infected.

                    * Click the Save Report As... button.
                    * In the Save as... prompt, select Desktop
                    * In the File name box, name the file KasScan-ddmmyy (or similar)
                    * In the Save as type prompt, select Text file (see below)



                    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

                    Tatterdemalion

                      Re: Autorun Infections on USB Drives
                      « Reply #17 on: February 09, 2010, 01:43:40 PM »
                      Hi

                      Please confirm that I should run this on my 1.5TB NTFS USB Drives, these are Samsung Storystation external spinning hard drives not solid state or flash drives.

                      evilfantasy

                      Re: Autorun Infections on USB Drives
                      « Reply #18 on: February 09, 2010, 02:15:35 PM »
                      If the scanner will scan them then yes. This is a scan only and it has no removal capabilities so nothing will be changed on the drives.

                      Tatterdemalion

                        Re: Autorun Infections on USB Drives
                        « Reply #19 on: February 09, 2010, 02:48:08 PM »
                        Hi

                        I am running the Kaspersky scans on my smaller USB flash memory drives first using the Lenovo Laptop.

                        I am not sure whether I formatted the 1.5TB drives with the Lenovo or the Toshiba.

                        I think when I plug a drive into a computer for the first time a "New Hardware Detected" box will probably appear.

                        Could that be a problem ?

                        Hopefully I have ALREADY used them in both laptops and so it may not be an issue - but I'd like to know what to do in case it appears. I'm scared I would press "Cancel" and make the drive permanently inaccessible.

                        The pair of big drives are supposed to be duplicates of one another.

                        evilfantasy

                        Re: Autorun Infections on USB Drives
                        « Reply #20 on: February 09, 2010, 02:55:30 PM »
                        I would think that if you get the "New Hardware Detected" prompt then they are probably formatted and have no data?

                        dr_iton



                          Intermediate
                        • Reading jeopardizes stupidity?
                        • Thanked: 6
                          • PERSONAL WEB SITE
                        • Certifications: List
                        • Experience: Experienced
                        • OS: Windows 10
                        Re: Autorun Infections on USB Drives
                        « Reply #21 on: February 09, 2010, 03:54:50 PM »
                        « Last Edit: February 09, 2010, 04:07:23 PM by evilfantasy »


                        A MARATHON BEGINS WITH A FIRST STEP.

                        Tatterdemalion

                          Re: Autorun Infections on USB Drives
                          « Reply #22 on: February 09, 2010, 03:56:00 PM »
                          I get the "New Hardware Found" message on machines that have not seen a particular hard drive before. I'm not sure if it happens just the FIRST time a drive is inserted into a computer as a whole - or the first time for EACH USB port.

                          They do it when there is already data on the drive.

                          I have scanned two USB smallish memory drives so far using the Lenovo and the online Kaspersky scanner.

                          I then accidentally came up against the "Add New Hardware" issue with a drive that I was surprised that I have never used in the Lenovo.

                          I let Windows automatically prepare it and then selected it from the list and saw there was a RECYCLER folder.

                          This drive is a Western Digital "My Passport". Could there be a legitimate folder called "RECYCLER" on it that perhaps functions as that drive's Recycle Bin ?

                          The Lenovo has been immunised by the Panda Security Program.

                          Avast did not shout immediately.

                          I removed the drive as quickly as I could to ask your advice.

                          I really don't want to put my 1.5TB drives at risk.

                          I don't think I have used the "My Passport" drive in the Desktop PC that I thought was the source of the infection.

                          I only became aware of the infection when Avast on the Lenovo detected it.

                          Could the Lenovo be the source and has it just infected the "My Passport" drive ?

                          evilfantasy

                          Re: Autorun Infections on USB Drives
                          « Reply #23 on: February 09, 2010, 04:09:44 PM »
                          Quote
                          or the first time for EACH USB port.

                          Yes it's possible that it will launch when plugging it into a new USB port.

                          Once you get done with the Kaspersky scan let me know. I'd like to run another scanner on the computer to make sure nothing else has gotten in while all of this other stuff has been going on.

                          Tatterdemalion

                            Re: Autorun Infections on USB Drives
                            « Reply #24 on: February 09, 2010, 04:59:25 PM »

                            I don't know if the Lenovo Laptop has just infected the My Passport Drive,
                            or if I am unduly panicking at the sight of a "RECYCLER" folder listed in the View from the Kaspersky Online Scanner.

                            Could it be a legitimate item ? The "My Passport" is a large drive. Is this the way the "Recycle Bin" might be displayed ?

                            I have currently taken the "My Passport" out of the Lenovo altogether.

                            It was Avast that initially saw problems on two drives and deleted them.

                            If THIS "Recycler", visible in the Kaspersky Folder View, was a threat, should Avast have seen it immediately ?

                            Please let me know how dangerous the Malware I have caught is.

                            What does it DO ?

                            Can it delete or corrupt all the contents of my drives ?

                            Should I be keeping the Lenovo offline at all times when it is not doing online scans ?

                            I am typing to you from a different Desktop PC.




                            evilfantasy

                            Re: Autorun Infections on USB Drives
                            « Reply #25 on: February 09, 2010, 05:06:45 PM »
                            The "Recycler" virus is actually a worm and it will spread onto anything it can. Some also have backdoor capabilities but they are not really hard to contain and clean once found by a scanner or manually. They spread to flash drives, phones etc. Whatever you plug into the computer.

                            You could, if you want to, take the portable drives and copy or move whatever folders/files you want to keep onto the computer then just format the drive and put the files/folders back.

                            Hook up the Lenovo and run this on it. We should have done it earlier... Post the log it creates.

                            If you already have ComboFix be sure to delete it and download a new copy.

                            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                            Link #1
                            Link #2

                            **Note:  It is important that it is saved directly to your Desktop

                            Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

                            Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                             
                            Double click combofix.exe & follow the prompts.
                            Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
                            When finished ComboFix will produce a log for you.
                            Post the ComboFix log in your next reply.

                            Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                            Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                            If you have problems with ComboFix usage, see How to use ComboFix




                            Tatterdemalion

                              Topic Starter


                              Intermediate

                              Re: Autorun Infections on USB Drives
                              « Reply #26 on: February 09, 2010, 05:48:31 PM »
                              Hello. This is sounding serious. It is half past midnight here and I am going to try to get some sleep before continuing.

                              I am worried about the data on my two 1.5TB drives. 

                              I am worried I have infected my Toshiba laptop.

                              Do all of these problems also apply to external drives that attach with Firewire rather than USB ?


                              evilfantasy

                              Re: Autorun Infections on USB Drives
                              « Reply #27 on: February 09, 2010, 05:56:08 PM »
                              It's not going to be a problem. The data on the external drives will still be there.

                              Did you get the Kaspersky scan run on anything yet?


                              Get some rest. We'll get everything figured out. I have not come across a Recycler virus that wasn't cured yet and I've seen many.

                              Tatterdemalion

                                Topic Starter


                                Intermediate

                                Re: Autorun Infections on USB Drives
                                « Reply #28 on: February 10, 2010, 05:49:18 AM »
                                Thank you for the reassurance.

                                I still have the Kaspersky Online Scan Window available and could re-insert the "My Passport" drive. I will probably run a scan with it on my 120GB Iomega drive after posting this. I am expecting that to take several hours and wonder if I shouldn't do that because the RECYCLER appeared on the My Passport.

                                I have some results for my smaller Flash Memory Drives.

                                The Cruzer Crossfire was completely clear. This was the disk that I used on the Desktop PC and then used on the Toshiba Laptop with the 1.5TB drives.

                                I have been ASSUMING that the infection came from the Desktop PC.

                                I don't actually have sound evidence for that.

                                I jumped to a conclusion.

                                I have two Flash Voyager Drives. I bought an 8GB version when the 2GB wasn't large enough. I copied everything from the 2GB to the 8GB and so they share the same infections.

                                There are minor date discrepancies between the two. I thought I might be able to pinpoint precisely when I was first exposed to the infected e.mails but I've found from my Diary that I decided to change from my current version of my mail program to the latest on the 3rd of January. When I didn't like the new version I reverted to the former program and copied my folders back in from a hard drive - so that might explain why the dates look strange.

                                I will post the Logs in subsequent Posts. Below I have shown as much file information as I c

                                Kaspersky Results :

                                I used Windows Search to find the fullest details I could for the files those text logs identify.

                                JUNK.PMM
                                Suspicious

                                Trojan-Spy.HTML.Fraud.gen 1

                                Size : 44.0KB
                                Size on disk : 48.0KB

                                Created 04 January 2010, 14:26:35
                                Modified 01 January 2010, 17:33:54

                                Accessed 10 February 2010

                                FOL037D6.PMM
                                Suspicious

                                Trojan-Spy.HTML.Fraud.gen.1


                                Size : 2.38MB
                                Size on disk : 2.38MB

                                Created 04 January 2010, 14:28:25
                                Modified 04 January 2010, 17:35:22

                                Accessed February 10 2010

                                FOL0059B.PMM
                                Infected and Suspicious

                                Trojan-Spy.HTML.Bayfraud.ib 1 (Infected)
                                Trojan-Spy.HTML.Fraud.gen 2 (Suspicious)
                                Trojan-Spy.HTML.Bayfraud.ek 5 (Infected)

                                Size : 56.4MB
                                Size on disk : 56.4MB

                                Created 04 January 2010, 14:28:47
                                Modified 25 January 2010, 12:48:14

                                Accessed 10 February 2010


                                Tatterdemalion

                                  Topic Starter


                                  Intermediate

                                  Re: Autorun Infections on USB Drives
                                  « Reply #29 on: February 10, 2010, 05:52:23 AM »
                                  This is the Flash Voyager 8GB Kaspersky Online Scan Report

                                  [Saving space, attachment deleted by admin]

                                  Tatterdemalion

                                    Topic Starter


                                    Intermediate

                                    Re: Autorun Infections on USB Drives
                                    « Reply #30 on: February 10, 2010, 05:54:15 AM »
                                    This is the Flash Voyager 2GB Kaspersky Online Scan Report

                                    [Saving space, attachment deleted by admin]

                                    Tatterdemalion

                                      Topic Starter


                                      Intermediate

                                      Re: Autorun Infections on USB Drives
                                      « Reply #31 on: February 10, 2010, 06:15:54 AM »
                                      I just put my 120GB Iomega USB Drive into the Lenovo Laptop.

                                      It is an NTFS formatted drive.

                                      Panda USB Vaccine warned me that NTFS is not supported.

                                      I thought the drive might be O.K. because the PC *itself* has been immunised with the Panda product.

                                      However, when I looked at the drive in Kaspersky Online Scanner it was showing an

                                      autorun.inf folder

                                      and a

                                      RECYCLER folder.

                                      There are two folders within the RECYCLER folder, they are named :

                                      S-1-5-21-600045118-2910303213-3587881655-1004


                                      and

                                      S-1-5-21-604846702-3632034918-3533566495-1005


                                      There is also a folder called System Volume Information.

                                      I have kept the drive in and am running a Kaspersky Scan.
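Added example, not part of the thread or of any tool named in it: a read-only Python check that separates the XP-era NTFS Recycle Bin layout (RECYCLER\<user SID>\ holding INFO2, desktop.ini and D<drive><n> entries) from the pattern Avast reported earlier in the thread (an executable sitting directly in RECYCLER and launched from autorun.inf). The function names and the sample tree are constructed for illustration; the layout rules are an assumption about XP-era NTFS volumes.

```python
import re
import tempfile
from pathlib import Path

# Assumed XP-era NTFS Recycle Bin layout: RECYCLER\<user SID>\ holding INFO2,
# desktop.ini and deleted items renamed D<drive letter><index>[.ext].
SID_DIR = re.compile(r"^S-1-5-21(?:-\d+){4}$", re.I)
BIN_MEMBER = re.compile(r"^(?:INFO2|desktop\.ini|D[a-z]\d+(?:\..*)?)$", re.I)
# autorun.inf keys that name a program to start.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_targets(path):
    """Return (key, command) pairs found in an autorun.inf file.

    Every line is scanned regardless of section, so junk padding around
    the real keys does not hide them.
    """
    raw = Path(path).read_bytes()
    is_utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if is_utf16 else "latin-1")
    pairs = []
    for line in text.splitlines():
        match = LAUNCH_KEY.match(line)
        if match:
            pairs.append((match.group(1).lower(), match.group(2)))
    return pairs


def check_recycler(folder):
    """Compare a RECYCLER folder against the assumed Recycle Bin layout."""
    findings = []
    for child in sorted(folder.iterdir(), key=lambda p: p.name.lower()):
        if child.is_file():
            findings.append(("alert", f"file directly inside RECYCLER: {child.name}"))
        elif not SID_DIR.match(child.name):
            findings.append(("review", f"non-SID folder inside RECYCLER: {child.name}"))
        else:
            for item in sorted(child.iterdir(), key=lambda p: p.name.lower()):
                if not BIN_MEMBER.match(item.name):
                    findings.append(
                        ("alert", f"unexpected item in {child.name}: {item.name}"))
    if not findings:
        findings.append(("ok", "RECYCLER holds only SID folders with Recycle Bin entries"))
    return findings


def triage_drive(root):
    """Inspect the root of a mounted drive; nothing is modified or deleted."""
    findings = []
    for entry in sorted(Path(root).iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if name == "autorun.inf":
            if entry.is_dir():
                # A directory of this name holds no AutoRun instructions.
                findings.append(("info", "autorun.inf is a directory, not a launcher file"))
            else:
                for key, target in autorun_targets(entry):
                    findings.append(("alert", f"autorun.inf {key} -> {target}"))
        elif name == "recycler" and entry.is_dir():
            findings.extend(check_recycler(entry))
    return findings


def build_constructed_sample(root):
    """Create a constructed drive tree mimicking the detections in the thread."""
    root = Path(root)
    (root / "autorun.inf").write_text(
        ";constructed junk line\n[autorun]\n;more junk\n"
        "open=RECYCLER\\autorun.exe\n"
        "shell\\open\\command=RECYCLER\\autorun.exe\n",
        encoding="latin-1")
    recycler = root / "RECYCLER"
    sid = recycler / "S-1-5-21-600045118-2910303213-3587881655-1004"
    sid.mkdir(parents=True)
    (recycler / "autorun.exe").write_bytes(b"")  # empty placeholder file
    for legit in ("INFO2", "desktop.ini", "Dc1.txt"):
        (sid / legit).write_bytes(b"")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for severity, message in triage_drive(tmp):
            print(f"{severity:6} {message}")
```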


                                      Tatterdemalion

                                        Topic Starter


                                        Intermediate

                                        Re: Autorun Infections on USB Drives
                                        « Reply #32 on: February 10, 2010, 08:13:58 AM »
                                        The scan for the 120GB Iomega NTFS drive was a lot faster than I expected.

                                        This is the text log.

                                        The same files are being identified.

                                        It's multiple back-ups of the same material.

                                        ADDITION : I am going to go and attempt the ComboFix Procedure now and will post the results when I can.

                                        Thank you for your help.

                                        [Saving space, attachment deleted by admin]
                                        « Last Edit: February 10, 2010, 08:47:18 AM by Tatterdemalion »

                                        Tatterdemalion

                                          Topic Starter


                                          Intermediate

                                          Re: Autorun Infections on USB Drives
                                          « Reply #33 on: February 10, 2010, 09:15:28 AM »
                                          I am trying to use the ComboFix application.

                                          I have closed my browser and shut down Avast and Comodo BOClean which are programs I deliberately installed.

                                          I am getting the message : "ComboFix has detected the following real time scanners to be active antivirus : Norton Internet Security".

                                          I do not use this. I have never run it. There is an advert for it that appears every time I re-boot my PC and arrive at the Desktop.

                                          ....I have found Norton Internet Security under All Programs. I clicked the program name and it has given me a screen saying that I am "At Risk" and have an "Incomplete Configuration".

                                          I suppose this is because I have NEVER run it.

                                          It is giving me the option to "Continue".

                                          I don't want the Norton product and I know I mustn't continue with ComboFix if Norton is going to interfere.

                                          Please advise...


                                          evilfantasy

                                          Re: Autorun Infections on USB Drives
                                          « Reply #34 on: February 10, 2010, 09:49:53 AM »
                                          Flash Voyager 8GB

                                          I'm not sure that the .PMM files are actually infected or they are false positives. .PMM is Pegasus Mail mail message folder.

                                          Flash Voyager 2GB

                                          Detected the same files/folders.

                                          120GB Iomega

                                          Same .PMM detections.

                                          Do you know what they are?


                                          Just continue on with the ComboFix scan. If you never installed the Norton it won't interfere with CF.

                                          Tatterdemalion

                                            Topic Starter


                                            Intermediate

                                            Re: Autorun Infections on USB Drives
                                            « Reply #35 on: February 10, 2010, 10:24:30 AM »
                                            I think each PMM file represents an individual Pegasus Mail message.

                                            I wanted to check the dates - because over the course of about 14 years I have had various virus scanners spot mail messages as viruses. They may have been quarantined on older computers and perhaps that's why these traces remain.

                                            I think all my dates were showing as the 3rd and 4th of January because that is the last time I copied my main mail folder between drives.

                                            These could be messages from discussion groups or random spams.

                                            I have started ComboFix.

                                            It says :

                                            Microsoft Windows Recovery Console

                                            This machine does not have the "Microsoft Windows recover console installed.

                                            Without it, ComboFix shall not attempt the fixing of some serious infections.

                                            Click 'Yes' to have ComboFix download/install it.

                                            NOTE : This requires an active internet connection".

                                            Should I agree to this or not ?

                                            I should mention that my Lenovo Laptop is a T61. It is supposed to have settings that you can go to to restore the machine to the exact state that it was in when it was brand new.

                                            I believe that, if it works, it re-formats your hard drive and reinstals the operating system for you.

                                            However, I have read that this particular virus can withstand and survive a format.

                                            Please advise and thank you so much for your expertise.


                                            evilfantasy

                                            Re: Autorun Infections on USB Drives
                                            « Reply #36 on: February 10, 2010, 10:26:06 AM »
                                            You can skip the Recovery Console.

                                            Tatterdemalion

                                              Topic Starter


                                              Intermediate

                                              Re: Autorun Infections on USB Drives
                                              « Reply #37 on: February 10, 2010, 11:01:26 AM »
                                              This is the report generated by ComboFix.

                                              [Saving space, attachment deleted by admin]

                                              evilfantasy

                                              Re: Autorun Infections on USB Drives
                                              « Reply #38 on: February 10, 2010, 11:06:11 AM »
                                              You can't uninstall Norton Internet Security or the Norton Firewall right?

                                              evilfantasy

                                              Re: Autorun Infections on USB Drives
                                              « Reply #39 on: February 10, 2010, 11:21:58 AM »
                                              Go to Add or Remove Programs and uninstall (if found):

                                              • LiveUpdate (Symantec Corporation)

                                              ----------

                                              Download the Norton Removal Tool (SymNRT) to your desktop.

                                              Once downloaded please close ALL open browsers, also save any work because this may require a restart.

                                              * Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
                                              * Once open Click Next
                                              * Accept the license agreement and click Next
                                              * Type in the letters/numbers that you see into the text box then click Next.
                                              * Then click Next and the tool will start running.
                                              * Once finished restart the PC.
                                              * Delete the 'Norton_Removal_Tool' from your desktop.

                                              ----------

                                              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                                              It must be Notepad, not Wordpad.
                                              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                                              Code:
                                              KillAll::

                                              Driver::
                                              EraserUtilRebootDrv

                                              SecCenter::
                                              AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
                                              FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

                                              Registry::
                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                              "IS CfgWiz"=-
                                              "osCheck"=-

                                              [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

                                              [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

                                              File::
                                              c:\windows\TEMP\_av_proI.tm~a02808\setup.lok

                                              Folder::
                                              c:\program files\Common Files\Symantec Shared
                                              c:\program files\Norton Internet Security
                                              c:\program files\Symantec\LiveUpdate
                                              c:\windows\TEMP\aswUpdSum.ini 107
                                              c:\windows\TEMP\_av_proI.tm~a02808

                                              3. Go to the Notepad window and click Edit > Paste
                                              4. Then click File > Save
                                              5. Name the file CFScript.txt - Save the file to your Desktop
                                              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                                              ComboFix will begin to execute, just follow the prompts.
                                              After reboot (in case it asks to reboot), it will produce a log for you.
                                              Post that log (Combofix.txt) in your next reply.

                                              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                                              ----------

                                              Clean out your temporary internet files and temp files.

                                              Download TFC by OldTimer to your desktop.

                                              Double-click TFC.exe to run it.

                                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                              * Click the Start button to begin the cleaning process.
                                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
                                              * Please let TFC run uninterrupted until it is finished.

                                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                                              Tatterdemalion

                                                Topic Starter


                                                Intermediate

                                                Re: Autorun Infections on USB Drives
                                                « Reply #40 on: February 10, 2010, 11:22:31 AM »
                                                The Lenovo came with Norton adverts already on it. I think I have declined them all.

                                                Looking in "Add and Remove Programs" I can see "LiveUpdate 3.2 (Symantec Corporation)". It is 13.64MB and says it is used "Rarely".

                                                The Last Used date is 7th June 2008 which is probably the day I got the machine.

                                                Ahhh ! Scrolling down, there is also the 42.67MB "Norton Internet Security (Symantec Corporation)" entry with the same date.

                                                The "Change" and "Remove" Buttons are both available for this pair of items.

                                                ADDITION : I posted the above WHILST you were supplying the Removal Instructions. Thanks, I will now follow those.

                                                evilfantasy

                                                Re: Autorun Infections on USB Drives
                                                « Reply #41 on: February 10, 2010, 11:32:36 AM »
                                                Yes uninstall them both and then still run the Norton Removal tool.

                                                Tatterdemalion

                                                  Topic Starter


                                                  Intermediate

                                                  Re: Autorun Infections on USB Drives
                                                  « Reply #42 on: February 10, 2010, 12:10:11 PM »
                                                  I've just used the "Remove" from "Add/Remove Programs" to get rid of Norton Updater.

                                                  It tried to stop me by saying I had 90 days of Subscription left. Presumably, this is because I have never used it.

                                                  I am now trying to also remove the main Norton Security Program from the same list. It says "There are files in Quarantine. Would you like to delete the quarantined files?"

                                                  I have never, knowingly, run Norton but - as I recorded in the very first post of this thread, I did get a message from it mentioning a W32.polip.

                                                  Perhaps THAT is the quarantined item.

                                                  I wanted to run this by you before I continue.

                                                  Should I say YES to the deletion ?

                                                  evilfantasy

                                                  Re: Autorun Infections on USB Drives
                                                  « Reply #43 on: February 10, 2010, 12:15:58 PM »
                                                  Yes let it remove everything that it can.

                                                  Tatterdemalion

                                                    Topic Starter


                                                    Intermediate

                                                    Re: Autorun Infections on USB Drives
                                                    « Reply #44 on: February 10, 2010, 12:30:41 PM »
                                                    The main Norton Program has reached the end of its "Add/Remove Programs" removal procedure and is asking me to re-boot.

                                                    Is it O.K. for me to agree to that now and then run the special removal tool after the computer has re-booted ?

                                                    evilfantasy

                                                    Re: Autorun Infections on USB Drives
                                                    « Reply #45 on: February 10, 2010, 12:31:50 PM »
                                                    Yes that would be best.

                                                    Tatterdemalion

                                                      Topic Starter


                                                      Intermediate

                                                      Re: Autorun Infections on USB Drives
                                                      « Reply #46 on: February 10, 2010, 01:17:01 PM »
                                                      When I tried to drag the CFScript.txt onto the ComboFix icon I think it asked to Run and I think I said O.K. then I realised my browser was still open and so I tried to delay the ComboFix program while I closed it.

                                                      The browser is now shut.

                                                      However, I have a couple of warning screens saying that Avast and BOClean are active.

                                                      Will I be able to shut them from the icons on the TaskBar while the warning boxes are still visible ?

                                                      Should something ELSE have happened ?

                                                      What should I do ?

                                                      Again massive thanks for your patience.


                                                      evilfantasy

                                                      Re: Autorun Infections on USB Drives
                                                      « Reply #47 on: February 10, 2010, 01:30:13 PM »
                                                      Quote
                                                      Will I be able to shut them from the icons on the TaskBar while the warning boxes are still visible ?

                                                      Yes shut them down now and then let CF continue.

                                                      Tatterdemalion

                                                        Re: Autorun Infections on USB Drives
                                                        « Reply #48 on: February 10, 2010, 01:43:33 PM »
                                                        I've closed Avast and BOClean and the ComboFix Blue area has appeared.

                                                        It has given a message that there is a new version of ComboFix available and is asking if I want to download it.

                                                        Should I update now or proceed with the scan ?

                                                        evilfantasy

                                                        Re: Autorun Infections on USB Drives
                                                        « Reply #49 on: February 10, 2010, 01:45:53 PM »
                                                        Yes update it before continuing.

                                                        Tatterdemalion

                                                          Re: Autorun Infections on USB Drives
                                                          « Reply #50 on: February 10, 2010, 03:00:57 PM »
                                                          In case it is important, I thought I had better mention that both times after ComboFix re-booted the Lenovo it has briefly displayed a text line saying that it couldn't find combofix.sys.

                                                          I have attached the ComboFix Report generated after starting it with the CFScript.

                                                          I have run the Temp File Cleaner. It removed 68.00MB.

                                                          [Saving space, attachment deleted by admin]

                                                          evilfantasy

                                                          Re: Autorun Infections on USB Drives
                                                          « Reply #51 on: February 10, 2010, 03:14:11 PM »
                                                          That looks good now.

                                                          I'm confident that the computer is clean and it should perform a little better with all of the Norton stuff gone.


                                                          Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

                                                          * Click START then RUN
                                                          * Now type Combofix /Uninstall in the runbox
                                                          * Make sure there's a space between Combofix and /Uninstall
                                                          * Then hit Enter.

                                                          The above procedure will:
                                                          * Delete: ComboFix and its associated files and folders.
                                                          * Reset the clock settings.
                                                          * Hide file extensions, if required.
                                                          * Hide System/Hidden files, if required.
                                                          * Set a new, clean Restore Point.

                                                          ----------

                                                          Here are some more suggestions to help tighten up your computer's security.

                                                          Use the Secunia Software Inspector to check for out of date software.

                                                          * Click Start Now
                                                          * Check the box next to Enable thorough system inspection.
                                                          * Click Start
                                                          * Allow the scan to finish and scroll down to see if any updates are needed.
                                                          * Update anything listed.

                                                          ----------

                                                          Go to Microsoft Windows Update and get all critical updates.

                                                          ----------

                                                          If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                                                          ----------

                                                          I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                                                          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                                          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                                          * Using SpywareBlaster to protect your computer from Spyware and Malware
                                                          * If you don't know what ActiveX controls are, see here

                                                          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                                          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                                          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                                          Tatterdemalion

                                                            Re: Autorun Infections on USB Drives
                                                            « Reply #52 on: February 11, 2010, 03:16:15 AM »
                                                            Hi. Thank you for your help.

                                                            I am trying to uninstall ComboFix.

                                                            I have typed the command in the RUN box.

                                                            BOClean has produced this message :

                                                            RSK-HIDE.SAA MALWARE STOPPED by BOCLEAN

                                                            Location of startup : FILE
                                                            C:\32788R22FW\HIDEC.EXE

                                                            This trojan horse was found on your machine.
                                                            It has been shut down, but the FILE from which it
                                                            started still remains and can be started up again.

                                                            Do you want the file removed also ?

                                                            YES/NO

                                                            Please advise.

                                                            evilfantasy

                                                            Re: Autorun Infections on USB Drives
                                                            « Reply #53 on: February 11, 2010, 08:37:02 AM »
                                                            Disable BOClean before uninstalling ComboFix.

                                                            Tatterdemalion

                                                              Re: Autorun Infections on USB Drives
                                                              « Reply #54 on: February 11, 2010, 08:51:59 AM »
                                                              I closed down BOClean and Avast so that the uninstallation would continue.

                                                              I have an "Info" Box on screen that says "ComboFix is uninstalled".

                                                              It appeared really quickly, there were no other screens and the computer did not re-boot.

                                                              Is that O.K?

                                                              evilfantasy

                                                              Re: Autorun Infections on USB Drives
                                                              « Reply #55 on: February 11, 2010, 09:17:12 AM »
                                                              Yes it's gone. It happens very fast.


                                                              You should be good to go on cleaning the other drives now. Nothing on the computer will spread to them. Just don't let the drives auto launch before you are sure they're cleaned.

                                                              Tatterdemalion

                                                                Re: Autorun Infections on USB Drives
                                                                « Reply #56 on: February 11, 2010, 12:37:18 PM »
                                                                In the process of using a 250GB Iomega Hard Drive, that has not had contact with the Lenovo, to transport Flash Disinfector, Panda USB Vaccine and Avira Anti-Virus to my Toshiba laptop, I discovered that I had not been following your TWEAK UI Auto-Run instructions properly.

                                                                What I have found is that if you -->

                                                                Open Tweak UI
                                                                Expand My Computer
                                                                Expand AutoPlay
                                                                Click Types
                                                                UNcheck "Enable Autoplay for removable drives"
                                                                Click Apply
                                                                Click O.K.

                                                                your external hard drive will STILL Autoplay, even after a re-boot.

                                                                I suppose the Tweak Tool is divided up so that the section I looked at and modified is geared towards ENABLING a function - whereas the LIST I *should* have looked at is about SWITCHING THINGS OFF.

                                                                I'm posting my mistake so that hopefully other people will avoid it.

                                                                I do find it confusing that my WRONG Tweak appears to have no effect.

                                                                Is AutoPlay ever actually really necessary for anything ?

                                                                If you have a CD or a DVD, could you not always CHOOSE to make it start by clicking the optical drive's icon ?

                                                                Thanks again for all the help that you have provided. This site is brilliant. The direct links to the relevant pages for program downloads cut through so much time searching at Google or just trying to navigate through a software company's site.


                                                                ADDITION : I just went to manually modify the AutoPlay settings on the Lenovo and this Systemax and can see that ALL of the drives - even the optical drives - have been deselected.

                                                                So I take it that's what Panda Vaccine does when it "Vaccinates a Computer" rather than an external drive.


                                                                « Last Edit: February 11, 2010, 12:48:08 PM by Tatterdemalion »

                                                                evilfantasy

                                                                Re: Autorun Infections on USB Drives
                                                                « Reply #57 on: February 11, 2010, 01:25:35 PM »
                                                                There are some more solutions for disabling autoruns here. http://support.microsoft.com/kb/967715
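
Added example, not part of the thread and not code from Microsoft or any tool named above: KB967715 documents the `NoDriveTypeAutoRun` registry value, a bitmask in which each set bit disables AutoRun for one drive type, with the HKLM copy taking precedence over the HKCU copy. The script decodes that value and lists the drive types for which AutoRun is still enabled; the sample masks are constructed, and the comment that many USB hard drives report as "fixed" rather than "removable" is general Windows behaviour, assumed here and not confirmed for the drives in this thread.

```python
"""Audit the NoDriveTypeAutoRun policy (added example; sample masks are constructed)."""
import sys

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# A set bit means AutoRun is DISABLED for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",  # floppies and most USB flash drives
    0x08: "fixed",      # internal disks; many USB hard drives also report this type
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

def disabled_types(mask):
    """Return the set of drive-type names whose AutoRun is switched off."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}

def autorun_allowed(mask, drive_type):
    return drive_type not in disabled_types(mask)

def effective_mask(hklm, hkcu):
    """HKLM wins when it is set; None means the value is absent in that hive."""
    return hklm if hklm is not None else hkcu

def audit(hklm, hkcu):
    """List drive types that can still AutoRun under the effective policy."""
    mask = effective_mask(hklm, hkcu)
    if mask is None:
        return ["policy not set: OS default applies"]
    return [f"AutoRun still enabled for {t} drives"
            for t in ("removable", "fixed", "cdrom", "network")
            if autorun_allowed(mask, t)]

def read_mask(hive_name):
    """Read the value from the live registry (Windows only); None if absent."""
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            data, _kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    # The value may be stored as REG_DWORD (int) or REG_BINARY (little-endian bytes).
    return int.from_bytes(data, "little") if isinstance(data, bytes) else int(data)

if __name__ == "__main__":
    if sys.platform == "win32":
        hklm = read_mask("HKEY_LOCAL_MACHINE")
        hkcu = read_mask("HKEY_CURRENT_USER")
    else:
        hklm, hkcu = None, 0x95  # constructed sample: removable off, fixed still on
    for finding in audit(hklm, hkcu):
        print(finding)
```

A mask of `0xFF` disables AutoRun for every drive type and produces no findings.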