
Author Topic: Autorun Infections on USB Drives  (Read 20585 times)


Tatterdemalion

    Topic Starter


    Intermediate

    Re: Autorun Infections on USB Drives
    « Reply #30 on: February 10, 2010, 05:54:15 AM »
    This is the Flash Voyager 2GB Kaspersky Online Scan Report

    [Saving space, attachment deleted by admin]

    Tatterdemalion


      Re: Autorun Infections on USB Drives
      « Reply #31 on: February 10, 2010, 06:15:54 AM »
      I just put my 120GB Iomega USB Drive into the Lenovo Laptop.

      It is an NTFS formatted drive.

      Panda USB Vaccine warned me that NTFS is not supported.

      I thought the drive might be O.K. because the PC *itself* has been immunised with the Panda product.

      However, when I looked at the drive in Kaspersky Online Scanner it was showing an

      autorun.inf folder

      and a

      RECYCLER folder.

      There are two folders within the RECYCLER folder, they are named :

      S-1-5-21-600045118-2910303213-3587881655-1004


      and

      S-1-5-21-604846702-3632034918-3533566495-1005


      There is also a folder called System Volume Information.

      I have kept the drive in and am running a Kaspersky Scan.
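Added example, not part of the thread or any poster's code: a Python sketch that triages the root of a removable drive for the items reported in the post above, telling an autorun.inf folder from an autorun.inf file and reading the account RID out of each SID-named RECYCLER subfolder. The sample tree is constructed (the `sample.exe` file and the function names are assumptions); the two SID folder names are the ones quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# S-1-5-21-<three sub-authorities>-<RID>: SID of a local or domain account
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
BIN_NAMES = {"recycler", "recycled", "$recycle.bin"}

def triage_drive_root(root):
    """Return sorted (finding, relative_path) pairs for a drive's root folder."""
    root = Path(root)
    out = []
    for entry in root.iterdir():
        name = entry.name.lower()
        if name == "autorun.inf":
            # Only a *file* with this name can act as an AutoRun configuration.
            kind = "folder, inert" if entry.is_dir() else "file, review contents"
            out.append((f"autorun.inf ({kind})", entry.name))
        elif name in BIN_NAMES and entry.is_dir():
            for sub in entry.iterdir():
                rel = f"{entry.name}/{sub.name}"
                m = SID_RE.match(sub.name)
                if not (sub.is_dir() and m):
                    out.append(("unexpected item in recycle bin root", rel))
                    continue
                out.append((f"per-user bin, account RID {m.group(1)}", rel))
                for f in sub.rglob("*"):
                    if f.is_file() and f.suffix.lower() in EXEC_EXT:
                        out.append(("executable inside recycle bin, review",
                                    f.relative_to(root).as_posix()))
    return sorted(out)

def build_sample(root):
    """Constructed sample tree; the two SID folder names are those in the post."""
    root = Path(root)
    (root / "autorun.inf").mkdir()
    a = root / "RECYCLER" / "S-1-5-21-600045118-2910303213-3587881655-1004"
    b = root / "RECYCLER" / "S-1-5-21-604846702-3632034918-3533566495-1005"
    a.mkdir(parents=True)
    b.mkdir(parents=True)
    (b / "sample.exe").write_bytes(b"MZ")   # constructed file, not from the thread
    (root / "System Volume Information").mkdir()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, path in triage_drive_root(build_sample(tmp)):
            print(f"{finding:45} {path}")
```

Pointing `triage_drive_root` at a mounted drive root performs read-only directory listing; it does not open or modify any file it reports.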


      Tatterdemalion


        Re: Autorun Infections on USB Drives
        « Reply #32 on: February 10, 2010, 08:13:58 AM »
        The scan for the 120GB Iomega NTFS drive was a lot faster than I expected.

        This is the text log.

        The same files are being identified.

        It's multiple back-ups of the same material.

        ADDITION : I am going to go and attempt the ComboFix Procedure now and will post the results when I can.

        Thank you for your help.

        [Saving space, attachment deleted by admin]
        « Last Edit: February 10, 2010, 08:47:18 AM by Tatterdemalion »

        Tatterdemalion


          Re: Autorun Infections on USB Drives
          « Reply #33 on: February 10, 2010, 09:15:28 AM »
          I am trying to use the ComboFix application.

          I have closed my browser and shut down Avast and Comodo BOClean which are programs I deliberately installed.

          I am getting the message : "ComboFix has detected the following real time scanners to be active antivirus : Norton Internet Security".

          I do not use this. I have never run it. There is an advert for it that appears every time I re-boot my PC and arrive at the Desktop.

          ....I have found Norton Internet Security under All Programs. I clicked the program name and it has given me a screen saying that I am "At Risk" and have an "Incomplete Configuration".

          I suppose this is because I have NEVER run it.

          It is giving me the option to "Continue".

          I don't want the Norton product and I know I mustn't continue with ComboFix if Norton is going to interfere.

          Please advise...


          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Autorun Infections on USB Drives
          « Reply #34 on: February 10, 2010, 09:49:53 AM »
          Flash Voyager 8GB

          I'm not sure whether the .PMM files are actually infected or are false positives. .PMM is a Pegasus Mail mail message folder.

          Flash Voyager 2GB

          Detected the same files/folders.

          120GB Iomega

          Same .PMM detections.

          Do you know what they are?


          Just continue on with the ComboFix scan. If you never installed the Norton it won't interfere with CF.

          Tatterdemalion


            Re: Autorun Infections on USB Drives
            « Reply #35 on: February 10, 2010, 10:24:30 AM »
            I think each PMM file represents an individual Pegasus Mail message.

            I wanted to check the dates - because over the course of about 14 years I have had various virus scanners spot mail messages as viruses. They may have been quarantined on older computers and perhaps that's why these traces remain.

            I think all my dates were showing as the 3rd and 4th of January because that is the last time I copied my main mail folder between drives.

            These could be messages from discussion groups or random spams.

            I have started ComboFix.

            It says :

            Microsoft Windows Recovery Console

            This machine does not have the "Microsoft Windows recover console installed.

            Without it, ComboFix shall not attempt the fixing of some serious infections.

            Click 'Yes' to have ComboFix download/install it.

            NOTE : This requires an active internet connection".

            Should I agree to this or not ?

            I should mention that my Lenovo Laptop is a T61. It is supposed to have settings that you can go to to restore the machine to the exact state that it was in when it was brand new.

            I believe that, if it works, it re-formats your hard drive and reinstals the operating system for you.

            However, I have read that this particular virus can withstand and survive a format.

            Please advise and thank you so much for your expertise.


            evilfantasy

            Re: Autorun Infections on USB Drives
            « Reply #36 on: February 10, 2010, 10:26:06 AM »
            You can skip the Recovery Console.

            Tatterdemalion


              Re: Autorun Infections on USB Drives
              « Reply #37 on: February 10, 2010, 11:01:26 AM »
              This is the report generated by ComboFix.

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Autorun Infections on USB Drives
              « Reply #38 on: February 10, 2010, 11:06:11 AM »
              You can't uninstall Norton Internet Security or the Norton Firewall, right?

              evilfantasy

              Re: Autorun Infections on USB Drives
              « Reply #39 on: February 10, 2010, 11:21:58 AM »
              Go to Add or Remove Programs and uninstall (if found):

              • LiveUpdate (Symantec Corporation)

              ----------

              Download the Norton Removal Tool (SymNRT) to your desktop.

              Once downloaded please close ALL open browsers, also save any work because this may require a restart.

              * Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
              * Once open Click Next
              * Accept the license agreement and click Next
              * Type in the letters/numbers that you see into the text box then click Next.
              * Then click Next and the tool will start running.
              * Once finished restart the PC.
              * Delete the 'Norton_Removal_Tool' from your desktop.

              ----------

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Driver::
              EraserUtilRebootDrv

              SecCenter::
              AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
              FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

              Registry::
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "IS CfgWiz"=-
              "osCheck"=-

              [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

              [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

              File::
              c:\windows\TEMP\_av_proI.tm~a02808\setup.lok

              Folder::
              c:\program files\Common Files\Symantec Shared
              c:\program files\Norton Internet Security
              c:\program files\Symantec\LiveUpdate
              c:\windows\TEMP\aswUpdSum.ini 107
              c:\windows\TEMP\_av_proI.tm~a02808

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

              ----------

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              Tatterdemalion


                Re: Autorun Infections on USB Drives
                « Reply #40 on: February 10, 2010, 11:22:31 AM »
                The Lenovo came with Norton adverts already on it. I think I have declined them all.

                Looking in "Add and Remove Programs" I can see "LiveUpdate 3.2 (Symantec Corporation)". It is 13.64MB and says it is used "Rarely".

                The Last Used date is 7th June 2008 which is probably the day I got the machine.

                Ahhh ! Scrolling down, there is also the 42.67MB "Norton Internet Security (Symantec Corporation)" entry with the same date.

                The "Change" and "Remove" Buttons are both available for this pair of items.

                ADDITION : I posted the above WHILST you were supplying the Removal Instructions. Thanks, I will now follow those.

                evilfantasy

                Re: Autorun Infections on USB Drives
                « Reply #41 on: February 10, 2010, 11:32:36 AM »
                Yes, uninstall them both and then still run the Norton Removal tool.

                Tatterdemalion


                  Re: Autorun Infections on USB Drives
                  « Reply #42 on: February 10, 2010, 12:10:11 PM »
                  I've just used the "Remove" from "Add/Remove Programs" to get rid of Norton Updater.

                  It tried to stop me by saying I had 90 days of Subscription left. Presumably, this is because I have never used it.

                  I am now trying to also remove the main Norton Security Program from the same list. It says "There are files in Quarantine. Would you like to delete the quarantined files?"

                  I have never, knowingly, run Norton but - as I recorded in the very first post of this thread, I did get a message from it mentioning a W32.polip.

                  Perhaps THAT is the quarantined item.

                  I wanted to run this by you before I continue.

                  Should I say YES to the deletion ?

                  evilfantasy

                  Re: Autorun Infections on USB Drives
                  « Reply #43 on: February 10, 2010, 12:15:58 PM »
                  Yes, let it remove everything that it can.

                  Tatterdemalion


                    Re: Autorun Infections on USB Drives
                    « Reply #44 on: February 10, 2010, 12:30:41 PM »
                    The main Norton Program has reached the end of its "Add/Remove Programs" removal procedure and is asking me to re-boot.

                    Is it O.K. for me to agree to that now and then run the special removal tool after the computer has re-booted ?