Immunizing portable HDD


  1. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #61

    @ Callender
    I actually installed CIS + Firewall and I'm gonna remove avast, but I'm waiting for at least one detection, or in other words I'm waiting to see CIS in live action before I remove avast; right now it's on permanent disable.
    About UKV, I followed your instructions precisely (I think) but here is another scan log
    And UKV log attached.

    Also after running the fix to remove the D:/Skypee directory ... I ran scans using EmsisoftEmergencyKit and UKV again and no detections .. perhaps it's removed. I'm still a bit skeptical because from what I read at the linked URL .. it seems like this virus is coded to shut itself down when certain .dll's etc. are active ... is there any way to be absolutely sure (or as sure as we can be) that it's gone?

    @ cottonball
    Scan log attached.

    @ Jacee
    I followed the steps from the link in your post, looked into all directories/registry locations mentioned there ... found nothing.


  2. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #62

    I'm working late so will look at your log later - in a couple of hours. About those dll's - don't worry about those. If you read carefully it's a list of processes and dll's that will result in the worm terminating itself if found. In other words it looks for those on your system and it doesn't create them.

    Re: Avast inactive. Good. I saw running Avast processes and services. I take it that you just disabled shields?


  3. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #63

    A quick look at the UVK log and I don't see any cause for concern. That skypee directory that you couldn't see - it probably set its properties to "Super hidden" so you wouldn't see it if you navigated to it. Seems to have been removed though.

    Looks like it's gone. No .a3x files listed. I'd still like to take a look at a couple of registry keys that are mentioned in the linked Trend Micro report.

    I'll explain how to export and upload those later. It's fairly easy to do.
    Last edited by Callender; 02 Jun 2015 at 13:04. Reason: add info


  4. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #64

    "I'm working late so will look at your log later - in a couple of hours. About those dll's - don't worry about those. If you read carefully it's a list of processes and dll's that will result in the worm terminating itself if found. In other word it looks for those on your system and it doesn't create them."
    # I mean, if the virus is coded in a way that it closes itself on the presence of those dll's from protection systems etc., then doesn't it mean chances are it's still on the system?

    "Re: Avast inactive. Good. I saw running Avast processes and services. I take it that you just disabled shields?"
    # Yes, the shields.


  5. Posts : 2,470
    Windows 7 Home Premium
       #65

    gabe22,

    Agree with Callender, don't see any cause for concern. As far as Registry keys, the FRST report does not show anything malicious.

    Let's do the following with FRST...

    Please open Notepad (Start > All Programs > Accessories > Notepad)
    Copy the entire contents inside of the code box below to Notepad.
    Save it to the Desktop, and name it: fixlist.txt

    Code:
    start
    CreateRestorePoint:
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [FAStartup] => [X]
    HKLM\...\RunOnce: [*CA] => [X]
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-308545677-2519419906-1156364470-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
    FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
    CHR HKU\S-1-5-21-308545677-2519419906-1156364470-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\MARUF\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [Not Found]
    EmptyTemp:
    Reboot:
    end
    NOTICE: This script is written specifically for this computer!!!
    Running this on another computer may cause damage to the Operating System.

    Now, please run FRST or FRST64, and press the Fix button, just once, and wait.

    If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.

    When done, the tool creates a report on the Desktop called: Fixlog.txt
    Please post the Fixlog.txt in your reply.

    Did you scan the external devices with MBAM? Not necessarily to find a Worm, but, for malware in general.

    Open malwarebytes, select Scan from the top bar.
    Select: Custom Scan and click on: Configure scan
    Select the letter(s) of the drive(s) you wish to scan, and click: Start Scan


    Also, did you use the Panda Vaccine on your computer and USB Drives as recommended by MoxieMomma? Post #2

    This tool provides two-way security by vaccinating both the computer and the USB drive.
    It works on NTFS, FAT, and FAT32 formatted drives.
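    The post above recommends vaccinating both the PC and the USB drives against autorun worms. The script below is an added, read-only audit (not from the thread and not Panda's tool) that checks the two things a vaccine changes: whether AutoRun is disabled on the PC, and what an autorun worm would have left on a portable drive (an autorun.inf with a launch directive, "super hidden" folders, root-level shortcuts that launch a script, and loose .a3x/.vbs/.js files). It assumes Windows PowerShell 3.0 or later and that the drive letter you pass (E: is a placeholder here) is the portable disk; the NoDriveTypeAutoRun policy value and the 0xFF mask are real Windows settings, but reading a vaccinated PC as "0xFF is set" is an assumption of this example.

```powershell
# Added example, not from the thread or from Panda's tool: a read-only audit of
# the AutoRun policy on the PC and of a portable drive. Assumes PowerShell 3.0+.

function Get-AutoRunPolicy {
    # Windows honours NoDriveTypeAutoRun under the Explorer policy keys; the bit
    # mask 0xFF turns AutoRun off for every drive type. A "vaccinated" PC is
    # assumed here to be one where that mask is set for the machine.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = if ($null -eq $v) { '(not set)' } else { '0x{0:X2}' -f $v }
        [pscustomobject]@{
            Key                  = $k
            NoDriveTypeAutoRun   = $shown
            AutoRunFullyDisabled = ($null -ne $v -and (($v -band 0xFF) -eq 0xFF))
        }
    }
}

function Get-PortableDriveAudit {
    param([Parameter(Mandatory = $true)][string]$Drive)   # e.g. 'E' (placeholder)
    $root = $Drive.TrimEnd(':', '\') + ':\'
    $findings = @()

    # 1. autorun.inf at the root. A vaccine leaves one that cannot be opened or
    #    replaced; a worm leaves one whose open=/shellexecute= line names its payload.
    $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = $null
        try { $text = Get-Content -LiteralPath $inf -Raw -ErrorAction Stop } catch { }
        if ($null -eq $text) { $note = 'present but unreadable (what a vaccinated drive looks like)' }
        elseif ($text -match '(?im)^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=') { $note = 'present and contains a launch directive: inspect it' }
        else { $note = 'present, no launch directive' }
        $findings += [pscustomobject]@{ Item = $inf; Kind = 'autorun.inf'; Note = $note }
    }

    # 2. Hidden+System ("super hidden") entries at the root. Explorer hides these
    #    even with "show hidden files" on unless protected system files are shown too.
    $known = 'System Volume Information', '$RECYCLE.BIN', 'autorun.inf'
    foreach ($e in Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue) {
        $a = $e.Attributes
        if (($a -band [IO.FileAttributes]::Hidden) -and ($a -band [IO.FileAttributes]::System) -and ($e.Name -notin $known)) {
            $findings += [pscustomobject]@{ Item = $e.FullName; Kind = 'SuperHidden'; Note = 'hidden+system attributes set' }
        }
    }

    # 3. Root-level shortcuts that launch a script host instead of a folder.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.TargetPath -match '(?i)cmd\.exe|wscript|cscript|rundll32|powershell' -or
            $sc.Arguments -match '(?i)\.(a3x|vbs|js|bat|exe)\b') {
            $findings += [pscustomobject]@{ Item = $lnk.FullName; Kind = 'Shortcut'; Note = "launches: $($sc.TargetPath) $($sc.Arguments)" }
        }
    }

    # 4. Loose script payloads anywhere on the drive (.a3x is a compiled AutoIt script).
    $scripts = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Extension -in '.a3x', '.vbs', '.js' }
    foreach ($f in $scripts) {
        $findings += [pscustomobject]@{ Item = $f.FullName; Kind = 'ScriptFile'; Note = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
    }

    return $findings
}

# Usage: check the PC policy, then audit the portable drive (replace E with yours).
Get-AutoRunPolicy | Format-Table -AutoSize
Get-PortableDriveAudit -Drive 'E' | Format-Table -AutoSize -Wrap
```

    The script only reads; it does not delete or change anything, so a finding is a lead to look at, not proof of infection. An unreadable autorun.inf on a drive that has been vaccinated is expected, and a Hidden+System folder at the root is worth opening from the command line rather than from Explorer, which will not show it by default.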


  6. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #66

    Chances are that it might still be present on external drives that you've got lying around but I don't see it on your system anymore. Just because it can self terminate doesn't mean that it wasn't found and deleted.

    Re: Avast vs Comodo.

    It's not recommended to leave them both installed. If you want to disable Avast entirely but leave it installed - well, I'm no expert on that, but I'd imagine that it involves looking for Avast services in services configuration and setting startup type to disabled, checking for Avast drivers and doing the same, checking for Avast entries using something like Autoruns or even CCleaner's startup manager and disabling those, checking msconfig and unchecking any Avast entries.

    However - I'm not at all confident in guiding you on that one as disabling drivers and stuff can lead to a non booting machine if it's not done correctly. My personal opinion is that it would be better to completely uninstall either program - if you're using the free version and only have one installed at a time.

    If anyone wants to comment on how to completely disable all Avast startup items please feel free to do so.


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #67

    Re: Startup registry entries.

    I know you looked at this already but just double check the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    (screenshot: reg-entries.jpg, the entries under the Run key)

    Check each entry and delete if found. Here's an example of what to look for:

    (screenshot: reg-entry.jpg, an example Run entry)

    If those entries don't exist then that worm doesn't launch.


  8. Posts : 2,470
    Windows 7 Home Premium
       #68

    gabe22,

    To quickly check out those Registry entries, you can do the following...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg 
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Click the Look button to start the scan.
    • When finished, a notepad window opens with the results of the scan.
    Please post the SystemLook.txt in your reply.
    It is found on your Desktop.
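    Posts #67 and #68 both come down to reading the Run keys and judging each entry by hand. The script below is an added example (not from the thread, not SystemLook or FRST) that does that enumeration in PowerShell for HKLM, the 32-bit Wow6432Node view (what FRST labels HKLM-x32) and every loaded user hive, and flags the entries a responder would want to look at first: a target file that no longer exists, a target in a user-writable folder or on a non-system drive, a script payload such as .a3x, an unsigned or invalidly signed file, or a "super hidden" (Hidden+System) file. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the "non-system drive" and "user-writable folder" rules are heuristics of this example, not anything the thread states.

```powershell
# Added example, not from the thread: list every Run/RunOnce autostart value and
# flag the ones worth a closer look. Assumes PowerShell 3.0+, run elevated.

function Get-RunValueTarget {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Users\x\run.exe -q
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|pif|bat|cmd|vbs|js|a3x))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        # On 64-bit Windows these are the keys FRST reports as "HKLM-x32"
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Per-user keys live under HKEY_USERS\<SID>; map a drive so they can be read too
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -notmatch '^S-1-5-21-' -or $hive.PSChildName -match '_Classes$') { continue }
        $keys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $keys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }

    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $skip) { continue }   # provider metadata, not registry values
            $target = Get-RunValueTarget -Command ([string]$p.Value)
            $exists = (-not [string]::IsNullOrWhiteSpace($target)) -and (Test-Path -LiteralPath $target -PathType Leaf)
            $flags  = @()
            if (-not $exists) { $flags += 'TargetMissing' }
            # Heuristic: droppers favour user-writable folders and non-system drives
            if ($target -match '\\AppData\\|\\Temp\\|\\ProgramData\\|^[D-Z]:\\') { $flags += 'UserWritableOrRemovable' }
            if ($target -match '\.(a3x|vbs|js|bat|cmd)$') { $flags += 'ScriptPayload' }
            if ($exists) {
                $sig = Get-AuthenticodeSignature -LiteralPath $target
                if ($sig.Status -ne 'Valid') { $flags += "Signature=$($sig.Status)" }
                $attr = (Get-Item -LiteralPath $target -Force).Attributes
                if (($attr -band [IO.FileAttributes]::Hidden) -and ($attr -band [IO.FileAttributes]::System)) {
                    $flags += 'SuperHidden'
                }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name        # the empty-name value FRST shows as [] appears as "(default)"
                Command = [string]$p.Value
                Target  = $target
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Usage: print every entry, flagged ones first.
Get-AutostartAudit | Sort-Object { $_.Flags -eq '' }, Key, Name | Format-Table -AutoSize -Wrap
```

    Nothing here is removed; the output is the same kind of list SystemLook produces, with a Flags column to show where to start reading. Legitimate software regularly trips the signature flag, so a flagged entry is a reason to check the file, not a verdict.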


  9. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #69

    @ cottonball

    Ran the fix, log attached and I'll try the systemlook later tonight and post back.

    About MBAM scan I already ran full system scan/portable device scan multiple times and no detection from MBAM

    About "Panda Vaccine"
    I would like to try it out, but as it's mentioned there on its page that once the immune system is active one needs to format the drive, that's why I'm a bit skeptical, and also I'm still wondering if it will affect my daily usage or not.

    @Callender

    Checked again but nothing detected. Also I agree with you on the fact that it's probably (could be) still in the portable device .. in sleep mode maybe ... any way to find it out and kick its annoying arse?

    Also don't worry about avast for now. I know one shouldn't keep two AVs on the same OS, but I'm just keeping it as a failsafe because Avast .. is the one thing that managed to detect all the issues so far .. not the root of it, but still it did something that the other protection systems couldn't.
    Will remove it soon.


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #70

    Re: Portable drives. Well, I did have some software that prevented anything at all from running when drives were plugged in and listed the details, but I can't remember what it was at the moment. I'll have a think about it tonight. As you know already, for me, the best protection is software that alerts on any unsigned executable that attempts to run no matter the method used to launch it.

