Windows 7 Forums

Windows 7: Immunizing portable HDD

02 Jun 2015   #61
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

@ Callender
I actually installed CIS + Firewall and I'm going to remove Avast, but I'm waiting for at least one detection, or in other words, I'm waiting to see CIS in live action before I remove Avast. Right now it's on permanent disable.
About UVK, I followed your instructions precisely (I think), but here is another scan log.
And the UVK log is attached.

Also, after running the fix to remove the D:\Skypee directory, I ran scans using Emsisoft Emergency Kit and UVK again and got no detections. Perhaps it's removed; I'm still a bit skeptical because, from what I read at the Immunizing portable HDD URL, it seems like this virus is coded to shut itself down when certain .dlls etc. are active. Is there any way to be absolutely sure (or as sure as we can be) that it's gone?

@ cottonball
Scan log attached.

@ Jacee
I followed the steps from the link in your post, Immunizing portable HDD, and looked into all the directories/registry locations mentioned there. Found nothing.




Attached Files
File Type: txt UVK - Ultra Virus Killer Log-1.txt (360.2 KB, 2 views)
File Type: txt Addition.txt (60.2 KB, 2 views)
File Type: txt FRST.txt (47.1 KB, 3 views)
02 Jun 2015   #62
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

I'm working late, so I will look at your log later, in a couple of hours. About those DLLs: don't worry about those. If you read carefully, it's a list of processes and DLLs that will result in the worm terminating itself if found. In other words, it looks for those on your system; it doesn't create them.

Re: Avast inactive. Good. I saw running Avast processes and services. I take it that you just disabled the shields?
02 Jun 2015   #63
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

A quick look at the UVK log and I don't see any cause for concern. That Skypee directory that you couldn't see probably had its properties set to "super hidden", so you wouldn't see it if you navigated to it. It seems to have been removed, though.

Looks like it's gone. No .a3x files listed. I'd still like to take a look at a couple of registry keys that are mentioned in the linked Trend Micro report.

I'll explain how to export and upload those later. It's fairly easy to do.

02 Jun 2015   #64
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

"I'm working late, so I will look at your log later, in a couple of hours. About those DLLs: don't worry about those. If you read carefully, it's a list of processes and DLLs that will result in the worm terminating itself if found. In other words, it looks for those on your system; it doesn't create them."
# I mean, if the virus is coded in a way that it closes itself in the presence of those DLLs from protection systems etc., then doesn't that mean chances are it's still on the system?

"Re: Avast inactive. Good. I saw running Avast processes and services. I take it that you just disabled the shields?"
# Yes, the shields.
02 Jun 2015   #65
cottonball

Windows 7 Home Premium

gabe22,

Agree with Callender, don't see any cause for concern. As far as Registry keys, the FRST report does not show anything malicious.

Let's do the following with FRST...

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents inside of the code box below to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Code:
start
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [FAStartup] => [X]
HKLM\...\RunOnce: [*CA] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-308545677-2519419906-1156364470-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
CHR HKU\S-1-5-21-308545677-2519419906-1156364470-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\MARUF\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [Not Found]
EmptyTemp:
Reboot:
end
NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.

If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.

When done, the tool creates a report on the Desktop called: Fixlog.txt
Please post the Fixlog.txt in your reply.

Did you scan the external devices with MBAM? Not necessarily to find a worm, but for malware in general.

Open Malwarebytes and select Scan from the top bar.
Select: Custom Scan and click on: Configure scan
Select the letter(s) of the drive(s) you wish to scan, and click: Start Scan


Also, did you use the Panda Vaccine on your computer and USB Drives as recommended by MoxieMomma? Post #2

This tool provides two-way security by vaccinating both the computer and the USB drive.
It works on NTFS, FAT, FAT32 formatted drives.
02 Jun 2015   #66
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Chances are that it might still be present on external drives that you've got lying around, but I don't see it on your system anymore. Just because it can self-terminate doesn't mean that it wasn't found and deleted.

Re: Avast vs Comodo.

It's not recommended to leave them both installed. If you want to disable Avast entirely but leave it installed, well, I'm no expert on that, but I'd imagine that it involves looking for Avast services in the services configuration and setting the startup type to Disabled, checking for Avast drivers and doing the same, checking for Avast entries using something like Autoruns or even CCleaner's startup manager and disabling those, and checking msconfig and unchecking any Avast entries.

However, I'm not at all confident in guiding you on that one, as disabling drivers and such can lead to a non-booting machine if it's not done correctly. My personal opinion is that it would be better to completely uninstall either program if you're using the free version, and only have one installed at a time.

If anyone wants to comment on how to completely disable all Avast startup items please feel free to do so.
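The post above lists the places an Avast install keeps hooks (services, drivers, startup entries) but stops short of touching them. The script below is an added example, not something from this thread or from Avast: it is a read-only inventory of every service and kernel driver whose name, display name or binary path matches a pattern, together with its state and start mode, so you can see what is still loaded after only the shields were disabled. It changes nothing; the match string 'avast', the function name and the output format are this example's own choices.

```powershell
# Added example (not from the thread): read-only inventory of the services and kernel drivers
# belonging to one security product, with state and start mode. Nothing is modified here,
# because setting a driver to Disabled by hand is the step that can leave a machine unbootable.
# Assumptions: elevated PowerShell 2.0 or later on Windows 7; 'avast' is an illustrative pattern.
$pattern = 'avast'

function Get-MatchingComponents($class, $type) {
    # Win32_Service covers user-mode services, Win32_SystemDriver covers kernel drivers;
    # both expose Name, DisplayName, PathName, State and StartMode through WMI.
    Get-WmiObject -Class $class |
        Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
        Select-Object @{n='Type';e={$type}}, Name, State, StartMode, PathName
}

$components = @(Get-MatchingComponents 'Win32_Service' 'service') +
              @(Get-MatchingComponents 'Win32_SystemDriver' 'driver')

$components | Format-Table -AutoSize -Wrap

# Anything whose StartMode is not Disabled will come back after a reboot, shields or not.
$active = @($components | Where-Object { $_.StartMode -ne 'Disabled' })
'{0} matching component(s) found, {1} still set to start at boot' -f $components.Count, $active.Count
```

Run it before and after an uninstall to confirm nothing matching the product is left registered; a driver that still shows State Running with StartMode Boot or System is the kind of entry the post warns against disabling blindly.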
02 Jun 2015   #67
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Re: Startup registry entries.

I know you looked at this already but just double check the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[screenshot: Immunizing portable HDD-reg-entries.jpg]

Check each entry and delete if found. Here's an example of what to look for:

[screenshot: Immunizing portable HDD-reg-entry.jpg]

If those entries don't exist then that worm doesn't launch.


02 Jun 2015   #68
cottonball

Windows 7 Home Premium

gabe22,

To quickly check out those Registry entries, you can do the following...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 | Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Click the Look button to start the scan.
  • When finished, a notepad window opens with the results of the scan.
Please post the SystemLook.txt in your reply.
It is found on your Desktop.
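Callender's post asks for a manual look at HKLM\...\Run and cottonball's asks for a SystemLook dump of the same key. The script below is an added example, not code from this thread or from either tool: it walks the Run and RunOnce keys under HKLM (64-bit and the Wow6432Node view that FRST labels HKLM-x32) and HKCU, pulls the executable out of each value, checks whether that file exists and whether it carries a valid Authenticode signature, and marks entries worth a second look. The regex of suspicious patterns (.a3x payloads, AutoIt, user-writable or non-system-drive paths) is this example's own heuristic, not a signature for the worm in this thread.

```powershell
# Added example (not from the thread): list the autostart Run/RunOnce values the posts above
# ask to be checked, resolving each command to a file and its Authenticode status.
# Assumptions: elevated 64-bit PowerShell 2.0 or later on Windows 7; $suspicious is illustrative.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',      # FRST's "HKLM-x32"
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Illustrative heuristic: compiled AutoIt scripts, the AutoIt interpreter, and anything that
# launches from a user-writable folder or from a drive letter other than the system drive.
$suspicious = '\.a3x|autoit|\\AppData\\|\\Temp\\|\\Users\\Public\\|^"?[D-Z]:\\'

# Properties Get-ItemProperty adds for the provider; they are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$cmdline) {
    # Take the executable from a quoted or unquoted command line and expand %VARS%.
    # A bare name such as rundll32.exe (resolved via PATH at runtime) will show as missing.
    $exe = if ($cmdline -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmdline.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $value  = [string]$p.Value
        $exe    = Get-CommandPath $value
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file missing' }
        # Flag: matches the heuristic, points at a file that is gone, or is unsigned/tampered.
        $flag = if ($value -match $suspicious -or -not $exists -or $sig -ne 'Valid') { 'CHECK' } else { 'ok' }
        '{0,-5} {1}\{2} = {3}  [{4}]' -f $flag, $key, $p.Name, $value, $sig
    }
}
```

Entries such as the nameless and FAStartup values in cottonball's fixlist would show up here as CHECK with "file missing", which is also what makes them safe to delete: a Run value whose target no longer exists cannot launch anything, but it does record that something once installed itself there.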
03 Jun 2015   #69
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

@ cottonball

Ran the fix, log attached, and I'll try SystemLook later tonight and post back.

About the MBAM scan: I already ran full system scans/portable device scans multiple times and got no detections from MBAM.

About "Panda Vaccine":
I would like to try it out, but as it's mentioned there on its page that once the immune system is active one needs to format the drive, that's why I'm a bit skeptical, and I'm also still wondering if it will affect my daily usage or not.

@Callender

Checked again, but nothing detected. Also, I agree with you on the fact that it's probably (could be) still in the portable device, in sleep mode maybe. Any way to find it out and kick its annoying arse?

Also, don't worry about Avast for now. I know one shouldn't keep two AVs on the same OS, but I'm just keeping it as a failsafe because Avast is the one thing that managed to detect all the issues so far; not the root of it, but still, it did something that the other protection systems couldn't.
Will remove it soon.


Attached Files
File Type: txt Fixlog.txt (2.2 KB, 1 views)
03 Jun 2015   #70
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Re: Portable drives. Well, I did have some software that prevented anything at all from running when drives were plugged in and listed the details, but I can't remember what it was at the moment. I'll have a think about it tonight. As you know already, for me, the best protection is software that alerts on any unsigned executable that attempts to run, no matter the method used to launch it.
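Three posts above ask the same practical question from different angles: cottonball wants the external drives scanned, gabe22 wants a way to find whatever may be dormant on the portable drive, and Callender's preferred defence is anything that flags unsigned executables. The script below is an added example, not code from this thread, from Panda or from any tool named here: a read-only audit of one removable drive that reports "super hidden" folders (Hidden plus System, the attribute combination Callender suspects on the Skypee directory), compiled AutoIt .a3x files (what the UVK log was checked for), executables without a valid Authenticode signature, and whether the root holds an autorun.inf (the spot a USB vaccine occupies with a protected placeholder). The script name, the -Drive parameter and the file-type list are this example's assumptions. Nothing on the drive is opened for execution.

```powershell
# Added example (not from the thread): read-only audit of a removable drive for the traces
# discussed above. Run as  .\Audit-RemovableDrive.ps1 -Drive D:  (name and parameter are
# this example's own). Assumes PowerShell 2.0 or later on Windows 7; no file is executed.
param([Parameter(Mandatory=$true)][string]$Drive)

$root = $Drive.TrimEnd('\') + '\'
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

function New-Finding($Kind, $Path, $Detail) {
    New-Object PSObject -Property @{ Kind = $Kind; Path = $Path; Detail = $Detail }
}

# -Force matters: without it Get-ChildItem silently skips Hidden and System items, which is
# exactly how a super-hidden folder stays out of sight in Explorer with default settings.
$items    = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
$findings = @()
$hidden   = [IO.FileAttributes]::Hidden
$system   = [IO.FileAttributes]::System

foreach ($item in $items) {
    $attrs = $item.Attributes
    # 1. Folders carrying both Hidden and System: the "super hidden" combination.
    if ($item.PSIsContainer) {
        if ((($attrs -band $hidden) -ne 0) -and (($attrs -band $system) -ne 0)) {
            $findings += New-Finding 'super-hidden folder' $item.FullName $attrs
        }
        continue
    }
    # 2. Compiled AutoIt scripts, the .a3x files checked for in the UVK log.
    if ($item.Extension -eq '.a3x') {
        $findings += New-Finding 'AutoIt payload' $item.FullName ('{0} bytes' -f $item.Length)
    }
    # 3. Executable formats whose Authenticode signature is absent or invalid.
    if ($item.Extension -match '^\.(exe|dll|scr|com|pif)$') {
        $status = (Get-AuthenticodeSignature -FilePath $item.FullName).Status
        if ($status -ne 'Valid') {
            $findings += New-Finding 'unsigned/invalid executable' $item.FullName $status
        }
    }
}

# 4. autorun.inf in the root. Windows 7 does not honour it on USB drives, so this is about
#    whether a vaccine placeholder is in place, not about execution risk.
$autorun = Join-Path $root 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    $a = Get-Item -LiteralPath $autorun -Force
    $detail = if ($a.PSIsContainer) { 'directory placeholder' }
              else { 'file: ' + ((Get-Content -LiteralPath $autorun -TotalCount 5 -ErrorAction SilentlyContinue) -join ' | ') }
    $findings += New-Finding 'autorun.inf present' $autorun $detail
}

$findings | Select-Object Kind, Path, Detail | Format-Table -AutoSize -Wrap
'{0} finding(s) on {1}' -f $findings.Count, $root
```

An "unsigned/invalid executable" line is not by itself a detection; plenty of legitimate portable tools ship unsigned. It is the same signal Callender describes relying on, turned into an inventory you can compare against what you remember putting on the drive, and a super-hidden folder sitting beside an .a3x file is the pattern this thread was chasing.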