How to remove USB Drive infections and autorun.inf files


  • This topic is locked
1 reply to this topic

#1 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 28 December 2008 - 09:21 AM

Getting help to remove the USB Drive infection.






SPYWARE / MALWARE / VIRUS REMOVAL


WARNING this is ONLY a STARTING point and WILL NOT remove any infections.


INSTRUCTIONS - Please read this BEFORE posting for malware removal assistance.

Disclaimer: WhatTheTech, does not take responsibility for any outcome from following these directions. Every computer is different, so we cannot guarantee the results.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ONLY REGISTERED MEMBERS MAY RECEIVE ASSISTANCE


PLEASE TAKE A MOMENT TO REGISTER HERE FIRST


REGISTERING IS EASY AND FREE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


If you would like to learn more about how free, community based tech support works CLICK HERE.

CAUTION - Please DO NOT USE any SPECIALIZED MALWARE REMOVAL TOOLS such as Combofix, without supervision.

Be advised that running specialized tools on your own, is done solely at your own risk. Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PREPARING FOR THE MALWARE REMOVAL PROCESS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


We suggest you print out these instructions

Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights > Right click, choose "Run as Administrator".

NOTE: If you are unable to complete any of these steps for any reason, please move on to the next step and advise in your post which step(s) you could not complete.

~~~~~
FIRST
~~~~~

Create a new system restore point

System Restore (Windows Vista, XP and ME)
Why? This ensures there's a valid system restore point, in case it's needed. We use a simple program called SysRestorePoint that automates the steps of creating a restore point.
  • Create a New System Restore Point:
  • Download SysRestorePoint to your desktop, or other location.
  • Double click SysRestorePoint.exe to create a new system restore point.
  • A box will pop up as it's creating the restore point, and provide notification when complete. When finished, close that window and exit the program.

~~~~~
NEXT
~~~~~

Backup your Registry

ERUNT - Download - Homepage
Why? This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.

  • Download ERUNT
  • Double-click erunt_setup.exe to run.
  • Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  • Say No to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later.
  • Start ERUNT
  • Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  • The first two check boxes are ticked by default (System registry and Current user registry).
  • Press OK
  • When prompted, click YES to create a new folder.
  • Progress bars will show backup status.
  • A confirmation window will popup when complete. Click OK to close.

~~~~~
NEXT
~~~~~


CD EMULATION SOFTWARE
such as DAEMON TOOLS or ALCOHOL120 may interfere with the running of some tools.

If you have such programs installed then please run the following program:

DEFOGGER

Defogger will temporarily disable your CD Emulation drivers (sptd drivers)

Please download DeFogger and save it to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


NOTE:

You must remember to re-enable your Emulation drivers once we are finished, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

~~~~~
NEXT
~~~~~

REQUIRED DIAGNOSTIC SCANS

Our trained helpers require these reports to analyze your computer so they may know how to safely proceed to clean your machine


Important: Disable any script blocking protection (see: How to Disable your Security Programs)
Note: Do not connect to the internet while your security programs are disabled. Remember to enable your security programs once the scans are complete.

~~~~
DDS
~~~~

Please download DDS from LINK 1 or LINK 2 and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your reply:

DDS.txt
Attach.txt.

~~~~~
GMER
~~~~~
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



NOTE:
If you cannot run GMER as indicated above, please save a scan from the initial startup scan.
  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the gmer.exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
  • After the "initial scan" is complete, click on the Save button, and save the log file to your desktop, and post it in your reply



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PREPARING TO POST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start a new topic in the Spyware / Malware / Virus Removal Forum


Copy/Paste the contents of DDS.txt and GMER.txt into your post

Attach the Attach.txt to your post.


Do not reply to your own topic - Helpers look for topics with 0 replies.

If you do not receive a reply to your initial post after three days please post a reminder for us HERE

How to create a new topic
How to create a forum attachment




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Malware and Spyware Removal Forum Rules:
  • Combofix should NEVER be run unless requested. While it's a powerful tool useful for removing a number of infections, things can, and do go wrong. Sometimes systems even refuse to boot. There are safeguards built into Combofix, but only someone trained in its use will be able to help you recover. The logs generated can also be very difficult to interpret properly.
  • Please stay with your original topic when posting follow ups. Use the ADD REPLY button, do not "QUOTE" the previous post.
  • The "Topic Title" should contain the name of the infection that you are having a problem with e.g. WinTools, http://...sp.html etc. Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections.
  • Tell us if you're having any problems, and please be specific. Let us know what you've already done to fix it (if anything).
  • If you do not understand a step, do not panic, simply ask for direction and information. We will offer any advice necessary to help you.
  • Please only post your topic once. Duplicate posts will be closed, it just creates additional work for the staff members trying to help you.
  • Do not create posts at multiple forums. Logs take time to diagnose, and doing this will waste multiple helpers time which is already over-stretched. If you do this your topic will be closed.
  • Do not attach logs unless directed to do so, as it is harder to read that way. Post them instead.
  • If you are being helped and you haven't replied within 3 days your topic will be closed as inactive.
    If that is the case, please start a new topic when you have the time needed to finish all the instructions.

If you would like to know who is helping you here at WhatTheTech Forums please read The Different Groups Here At WhattheTech.
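The two preparation steps above (a fresh system restore point and a hive-level registry backup) can also be done from an elevated PowerShell prompt, which is useful when a helper needs to confirm that a backup exists before touching the registry. The script below is an added example, not code from the WhatTheTech post, from SysRestorePoint or from ERUNT; it assumes a Windows 10/11 client edition with System Restore enabled and Windows PowerShell 5.1 run as Administrator. The backup folder layout (`C:\WINDOWS\ERDNT\<date>`) mirrors ERUNT's default only by choice; the hive names, the 24-hour restore-point throttle note and the read-only `autorun.inf` inventory of removable drives (the infection class named in the topic title) are assumptions of this example, not statements from the post.

```powershell
# Added example (not from the WhatTheTech post, SysRestorePoint or ERUNT).
# Assumes: Windows 10/11 client, Windows PowerShell 5.1, elevated session.
#Requires -RunAsAdministrator

function New-PreCleanupRestorePoint {
    param([string]$Description = "Before malware removal (manual)")
    # Checkpoint-Computer exists on client editions only. Since Windows 8 the OS
    # skips creation if another restore point was made in the last 24 hours,
    # so always verify by reading back the newest point (returned below).
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1
}

function Backup-RegistryHives {
    # Folder layout chosen to resemble ERUNT's default; any writable path works.
    param([string]$Root = "C:\WINDOWS\ERDNT")
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # reg.exe save writes the live binary hive (what a restore needs),
    # not a .reg text export, which cannot rebuild a corrupt hive.
    $hives = @{
        'SYSTEM'   = 'HKLM\SYSTEM'
        'SOFTWARE' = 'HKLM\SOFTWARE'
        'SECURITY' = 'HKLM\SECURITY'
        'SAM'      = 'HKLM\SAM'
        'NTUSER'   = 'HKCU'
    }
    foreach ($name in $hives.Keys) {
        $out = Join-Path $dest $name
        & reg.exe save $hives[$name] $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg save failed for $($hives[$name]) (exit $LASTEXITCODE)"
        }
    }
    # Return the files so the caller (or the helper) can confirm sizes are non-zero.
    Get-ChildItem -LiteralPath $dest
}

function Get-RemovableAutorunInf {
    # DriveType 2 = removable media. Read-only inventory: it lists and previews
    # autorun.inf files but changes nothing; what to do with a hit is the
    # helper's call, as the post says for every other finding.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $path = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force   # -Force: hidden/system files too
            [pscustomobject]@{
                Drive      = $_.DeviceID
                Path       = $path
                Attributes = $item.Attributes        # hidden/system/readonly often set by droppers
                SizeBytes  = $item.Length
                Preview    = (Get-Content -LiteralPath $path -TotalCount 20) -join "`n"
            }
        }
    }
}

# Run the two preparation steps, then the read-only inventory.
New-PreCleanupRestorePoint
Backup-RegistryHives
Get-RemovableAutorunInf | Format-List
```

Paste the output of the last command into the same post as the DDS and GMER logs rather than acting on it yourself: an `autorun.inf` with hidden and system attributes and an `open=` or `shellexecute=` line pointing at an executable on the stick is a strong indicator, but deciding what to remove is exactly the step the post reserves for the trained helper.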




#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 23 August 2009 - 10:43 AM

Updated

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

