
My whole External Hard Drive is infected by a trojan!



Hello.

I recently installed Malwarebytes due to suspicious activity on my external hard drive.

All the files were shown as executables and I decided to just leave them there and not connect the hard drive to my PC until I installed Malwarebytes and ran the analysis on it, and all the files are infected with this trojan (trojan.nymeria.outit). I sent all the archives to quarantine, but my actual question is: is there a chance that I can clean or repair the files? They are extremely important because I have all my work and personal things like photos, music and videos in there. Or should I just give up and forget all the files? BTW, I ran an analysis on my computer and everything is OK, no malware, no virus, no nothing; it's just in this external hard drive. Please, I hope someone can help.

Thanks and regards.


@edodelosang

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove pesky malware.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

    Then be patient for the next expert to take your case.

Thank you


10 minutes ago, edodelosang said:

Here are the files 

Your version of Malwarebytes is extremely OLD.

Please download the following and install over what you have. Restart the computer after the install and please scan again and create a new log with the support tool.

https://downloads.malwarebytes.com/file/mb4_offline


Hello. Some basic questions before we get started. What is the drive letter for that "External" drive? Is it the Drive d: with the volume Label Documentos (Model: WDC WD10EZEX-22MFCA0)?

Please advise. Also, on this External drive, when you go to get it seated, I presume it is a USB-type connection... if USB, then be sure to press and hold the SHIFT key on the keyboard as you are seating the connection.

I also meant to ask, just what security app had identified trojan (trojan.nymeria.outit)?

Edited by Maurice Naggar

OK, I'm going to download the latest version. I thought I had it already.

6 minutes ago, Porthos said:

Your version of Malwarebytes is extremely OLD.

Please download the following and install over what you have. Restart the computer after the install and please scan again and create a new log with the support tool.

https://downloads.malwarebytes.com/file/mb4_offline

 

 


3 minutes ago, Maurice Naggar said:

Hello. Some basic questions before we get started. What is the drive letter for that "External" drive? Is it the Drive d: with the volume Label Documentos (Model: WDC WD10EZEX-22MFCA0)?

Please advise. Also, on this External drive, when you go to get it seated, I presume it is a USB-type connection... if USB, then be sure to press and hold the SHIFT key on the keyboard as you are seating the connection.

Hello. The drive letter to this external drive is "E". And yes it is a usb-type.


Just now, Maurice Naggar said:

Finish all that Porthos suggested about getting the latest Malwarebytes, doing a Scan, and providing the Scan log report.

After that, I will guide you forward.

Maurice

OK, thank you so much. Replying to your other question, the app that says that I got the trojan (trojan.nymeria.outit) is Malwarebytes. I'm not home right now, but as soon as I get there I'm going to download it and run another analysis on my computer.

Again thank you so much 


The Malwarebytes scan of date 2024-01-27  local 18:57 hours is the one that found lots and lots and lots of trojan.nymeria.outit
that were in the E drive Recycle Bin.
When you next get a chance for quiet time, and nothing else on-going, take a few minutes to EMPTY all Recycle Bins including any on the C drive and the one on the E drive.

Open an elevated PowerShell window, i.e. run the PowerShell prompt as an administrator.

On the Taskbar Search box, type in

powershell.exe

Click the line for "run as administrator".

It is best to use the Windows Copy ( CTRL+C ) and Paste ( CTRL+V ) for the whole line, as-is.
On that prompt window, Copy & Paste this command

Clear-RecycleBin -DriveLetter C:

Tap the Enter key to proceed.

Copy & Paste this command

Clear-RecycleBin -DriveLetter E:

Tap the Enter key to proceed.
Let me know after this has been done. Close the PowerShell window.

Edited by Maurice Naggar

You need to scan both C drive and E drive with ESET Onlinescanner.  Do the first scan on C. Then repeat the scan for the E drive.

You only need to do the tool download one time.

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

If upon launching the Esetonlinescanner, there is a windows-message box displaying

A driver cannot load on this device. Driver ehdrv.sys

then, please, TICK the check-box

"Don't show this message again"

and then, click the Close button on that window-box. The ESET scan will proceed forward.

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Five trojans removed on the C drive. Two items deleted as threats on the E drive. The deletion of autorun.inf on E drive is a good cleanup.

Next, you can use the Microsoft Safety Scanner to scan the E drive.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the E drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


Results Summary:
----------------
Found HackTool:Win32/Keygen, partially removed.
Found HackTool:Win32/Crack!pz, partially removed.

Be sure you uninstall any application that was got thru illegal or pirated means.

I would urge you highly to stay far away from hack / cracked software of any sort. Whether a so called free program or free game, or whatever.
Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE
https://scambusters.org/crackedsoftware.html

 

Next, you can use the Microsoft Safety Scanner to scan the C drive.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


If this file is still on the E drive, then you should delete it

E:\Descargas\Programas\3ds Max\3dsmax 2021\3ds Max 2021\Autodesk_3ds_Max_2021_1_Win_64bit.iso

This next part, I would like for you to scan the E drive with ESET Onlinescanner.

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

If upon launching the Esetonlinescanner, there is a windows-message box displaying

A driver cannot load on this device. Driver ehdrv.sys

then, please, TICK the check-box

"Don't show this message again"

and then, click the Close button on that window-box. The ESET scan will proceed forward.

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and  select E  drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

I have a question.

When I go to Drive E there's nothing on it but just one file. Everything that was there went to the Malwarebytes quarantine. When you suggest that I should delete the file:

43 minutes ago, Maurice Naggar said:

E:\Descargas\Programas\3ds Max\3dsmax 2021\3ds Max 2021\Autodesk_3ds_Max_2021_1_Win_64bit.iso

You mean delete it from quarantine?


Well, there's nothing on the E drive.

When I plug the external drive into the computer, it says that it is almost full, but when I open it, there's just one file. This file is from SketchUp, which is a program that I use. I have the hidden files option ticked. So there's nothing on the E drive; all the files that were there are in quarantine. I'm going to add a screenshot so you can see for yourself. It's in Spanish but I think you can figure it out.

And just in case, I scanned this file with Malwarebytes and it's clean.


If and when you attempt to "plug in" or "attach" that removable drive, FIRST press and HOLD the SHIFT key on the keyboard before and during the time you slide in the connector. Be sure to observe that.

Now, I have to say, this thing on that removable drive is becoming some sort of weird condition. Be aware that I know nothing about SKP archives.

NOTE, that folder in the image has a date of 2019.

Edited by Maurice Naggar
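A read-only way to check the condition described in the posts above (a drive reported as almost full while Explorer shows a single file), as an added example that is not part of the original thread. It assumes the external drive is mounted as E: as stated by the poster; the list of flagged extensions is illustrative only.

```powershell
# Added example: read-only audit of a removable volume. Nothing is deleted or executed.
# Assumption: the external drive is E: (the letter given in the thread).
param([string]$DriveLetter = 'E')

$root  = "${DriveLetter}:\"
$drive = Get-PSDrive -Name $DriveLetter -PSProvider FileSystem

# -Force includes Hidden and System items that Explorer may not display.
# Folders such as "System Volume Information" are usually unreadable and
# are counted under UnreadablePaths instead of stopping the run.
$files = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force `
               -ErrorAction SilentlyContinue -ErrorVariable denied)

$mask    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$visible = @($files | Where-Object { [int]($_.Attributes -band $mask) -eq 0 })

function Get-SizeGB($items) {
    $sum = 0
    foreach ($f in $items) { if ($f) { $sum += $f.Length } }
    [math]::Round($sum / 1GB, 2)
}

# Compare what the volume reports as used with what can actually be enumerated.
[pscustomobject]@{
    VolumeUsedGB        = [math]::Round($drive.Used / 1GB, 2)
    AllFilesGB          = Get-SizeGB $files
    VisibleFilesGB      = Get-SizeGB $visible
    HiddenOrSystemFiles = $files.Count - $visible.Count
    UnreadablePaths     = @($denied).Count
} | Format-List

# Root-level listing with attributes; flag autorun.inf and executable-type
# names (illustrative extension list, not a detection rule).
Get-ChildItem -LiteralPath $root -Force |
    Select-Object Mode, Length, LastWriteTime, Name,
        @{ n = 'Flag'; e = {
            if ($_.Name -ieq 'autorun.inf') { 'autorun.inf' }
            elseif ($_.Extension -in '.exe', '.scr', '.lnk') { 'executable or shortcut' }
        } } |
    Format-Table -AutoSize
```

A large gap between VolumeUsedGB and VisibleFilesGB points at hidden, system or unreadable content (including the drive's own Recycle Bin folder) rather than at files missing from the disk.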

Well, actually when I plug the external device I hold the shift key on the keyboard, every time. 

Yes, it is weird that it is the only file on the drive, but I think you should not worry about it. Well, at least I know SKP archives very well; I'm very used to them. Just to put you in context, these files are created with this program SketchUp, which is a program to make 3D modeling; it's basically used for architectural modeling. I'm not sure exactly what it is, but I think it's a 3D model that I did back in 2019. Like I said, I had a lot of work from several years back on this drive and I'm pretty sure that it is something that I did. To be honest, I don't know exactly what it is because there were a lot of files like this on the drive, and I don't want to open it, but at least I know this kind of file.


As to the E drive, it was scanned once with the ESET OnlineScanner and once with MS Defender antivirus.

Now, I just want to be sure this machine has the latest release from Malwarebytes.

First some housekeeping, and then one Scan.  
Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

  • now Click the General tab.
  • Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected ). <<<< 💢

 


Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
