grimsberry Posted February 7, 2015 ID:937276 Share Posted February 7, 2015 Hi all, I am having an issue with removing an autorun virus from my Win7 computer, a total of 3 hard disk drives are infected, symptons include slower performance, certain programs behaving abnormally and not running properly anymore, files and folders are hidden automatically after like a minute after applying to show hidden files and folders, I have ran in safe mode a custom scan selecting all drives connected at the time to be scanned for malware with Malwarebytes AntiMalware (2.0.4.1028) with updated database, malware was found with restart required for cleanup, ran a threat scan to make sure malware was removed, upon restart the virus doesn't seem to be removed, autorun.inf along with pif and exe files (all having same size of 101 kb) reappeared in root directory of all drives. Please help, the virus was discovered during a file backup process, older methods of using CMD to manually delete the malicious files didn't seem to work, thanks in advance. Link to post Share on other sites More sharing options...
kevinf80 Posted February 7, 2015 ID:937293 Share Posted February 7, 2015 Hello and welome, P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy. Autorun.inf is not necessarily malicious, read here: http://en.wikipedia.org/wiki/Autorun.inf Run the following online scan with ESET, ensure all relevant drives are connected. Ensure all extra drives are selected as per the instructions.... Scan with ESET Online Scanner This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.Temporary disable your AntiVirus and AntiSpyware protection - instructions here.Please visit ESET Online Scanner website. Click there Run ESET Online Scanner. If using Internet Explorer: Accept the Terms of Use and click Start.Allow the running of add-on.If using Mozilla Firefox or Google Chrome:Download esetsmartinstaller_enu.exe that you'll be given link to.Double click esetsmartinstaller_enu.exe.Allow the Terms of Use and click Start.To perform the scan:Make sure that Remove found threats is unchecked.Scan archives is checked.In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.Under “Enable Stealth Technology select “Change” select any extra drives in that window.Click StartThe program will begin to download it's virus database. The speed may vary depending on your Internet connection.When completed, the program will begin to scan. This may take several hours. Please, be patient.Do not do anything on your machine as it may interrupt the scan.When the scan is done, click Finish.A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.Please include this logfile in your next reply. Don't forget to re-enable previously switched-off protection software! The scan is very thorough so make take several hours to complete... Thank you, Kevin... Link to post Share on other sites More sharing options...
grimsberry Posted February 7, 2015 Author ID:937422 Share Posted February 7, 2015 Hi kevinf80, thanks for replying,I have some concerns connecting to the Internet with the autorun virus, unless if the autorun virus is disabled, wouldn't using Internet connection for online scanner also allow virus to do malicious activities such as backdoor access? Is it safe to copy files from infected drive to clean drive in safe mode? Link to post Share on other sites More sharing options...
kevinf80 Posted February 8, 2015 ID:937425 Share Posted February 8, 2015 I`m not so sure you have the virus you believe, but is always best to check. Go to the following link: http://support.microsoft.com/kb/967715 You will find the instructions to disable autorun feature.... Run ESET when completed.. Link to post Share on other sites More sharing options...
grimsberry Posted February 8, 2015 Author ID:937437 Share Posted February 8, 2015 Great, I will try ESET later in the day, thanks. Link to post Share on other sites More sharing options...
kevinf80 Posted February 8, 2015 ID:937440 Share Posted February 8, 2015 Post the log anytime you`re ready. I`m in the UK, my local time is 1 am, sleepy time for me. Will catch up later.... Link to post Share on other sites More sharing options...
grimsberry Posted February 8, 2015 Author ID:937555 Share Posted February 8, 2015 Hope you had a good sleep, wasn't too bright for me. During the ESET scan, the scanner was stuck on a file in the "Program Files" folder of the system © drive, it probably was like that for at least 3 hours, the drive started randomly clicking very loudly, shortly I get a BSOD (fatal system error) and I wasn't able to boot the partition anymore, I'm looking now at recovering what I can from that hard drive. Thanks for your suggestion anyway, I'll let you know if I get the drive working again. For now, it takes the drive at least 15 minutes to be opened on another computer in safe mode. Link to post Share on other sites More sharing options...
kevinf80 Posted February 8, 2015 ID:937566 Share Posted February 8, 2015 The instructions I gave for ESET would not have removed or changed anything on any of the drives you have installed.... Make sure that Remove found threats is unchecked. I therefore do not see why this system will not boot, it would be beneficial to have a look at your main drive (listed as C:\) from outside of windows, disconnect all other drives... Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. Plug the flash drive into the infected PC. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt. If you are using Vista or Windows 7 enter System Recovery Options. Plug the flashdrive into the infected PC. Enter System Recovery Options I give two methods, use whichever is convenient for you. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select Your Country as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next. To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select Your Country as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next. On the System Recovery Options menu you may get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt Select Command PromptIn the command window type in notepad and press Enter.The notepad opens. Under File menu select Open.Select "Computer" and find your flash drive letter and close the notepad.In the command window type e:\frst64 or e:\frst depending on your version. Press Enter Note: Replace letter e with the drive letter of your flash drive.The tool will start to run. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply. Thanks, Kevin.... Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 17, 2015 Root Admin ID:940477 Share Posted February 17, 2015 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts