Removing Malware from External Hard Drives

Dear All!

I have been through all the steps of the Windows XP cleaning but keep coming up with Trojans in Zone Alarm on a daily basis. Think something has crept in real deep this time. Im happy to do a complete re-format once again to swipe anything BUT I have alot of files on an external hard drive I want to gain access to and load back onto here at a later date. Question is... how do I do a real deep check on the external hard drive as I have a feeling that is the carrier that infected this in the first place???

And how can I protect my pc from getting anything naughty from the external hard drive while I connect it?

Thanks all.

Breeza

 

Just did the computer by itself as was more interested in cleaning that up at the time and didn't want the chance of it getting reinfected. What im gonna do is do a full clean up and scan with the external hard drive attached then place the logs up.

Thanks for your help Tim,

(any advice for when I do attach the external HD back on and run the scans)

Thanks again

Simon (Breeza)

 

Thank you

 

Hi Tim,

Been a bit busy at work so haven't been able to complete all the steps yet fully but have the logs so far.. will do the rest as soon as possible when I get time away from work (running the bloody london underground) lol

Things to note...

- Windows running in normal mode as advised
- Zone Alarm Security Suite fully turned off so all scans can do everything without that getting in the way
- External hard drive plugged in permanently and included in scans where possible
- System Restore has been Disabled from the external hard drive

(Peculiarities currently happening in windows)

- Auto run doesn't ever autorun now
- 'Open with' option disappeared
- Every so often the ram will start doing something and sounding very busy but no applications selected to start and can't find any processes on task manager running up the cpu?? (this one has me very worried as have a feeling something naughty is kicking in in the background)

Drive References:

C: Hard Drive
D: Swap Drive Files (Separate partition I made on drive when installing windows for virtual memory)
F: External Hard Drive

Logs so far attached..

Thank you Tim, your a life saver

Simon

 

Have also attached print screens of the Zone Alarm logs so you know what I originally found.. Hope this is of help

Simon

 

Am on the combofix and Mg case once I finish writing this so will be back on asap.

 

Toggled System Restore off on all drives once found that (a couple of days ago) then only turned it back on on the C drive. But seems like it has turned itself back on again on the F Drive (external hard drive) ???? Could this be caused if you unplug it? Does appear the F drive virus is gone though as all subsequent ZA scans didn't find it.

Have attached the final Combo and MG Logs...

Thank you,

Simon

 

(Zone alarm being a bit rubbish at times doesn't give the option to show where spyware was found in logs) :confused

 

Sorry what is active AV Tim?

And does this mean you think the F Drive (external hard drive) is clean now? .. also did you see in one of the logs it deleted autorun.inf from the external hard drive... does this mean something?

Simon

 

Oh yeah Tim forgot to mention I was ideally looking at doing a fresh install of windows on this machine.. any steps I should take straight away after doing it? E.G Removing/ Adding of certain software or redoing the tests.. as want everything fresh and new and as tidy as can be.

You have been really helpfull so far and if there's anything I can do to help in return I'd be more than happy to.

Thanks mate, owe you one!

Simon

 

Just did another full system scan on ZA and found...

Win32.Trojan.KillAV.ko
Win32.HLLW.spreader.17

looking at the logs these keep re-appearing

Was found in C: System Restore Volume Information
this time..

Very interesting..

 

Just wanted a clean install as really want it as streamlined as possible as gonna use it for DJ'in.

Does ZA not activelly scan your pc when you have it on?? I can see that it might not as it only does a scan when timed to or you manually push it to but it does scan files as and when their opened etc..

What freeware one would you recommend if I did put one on.

 

Just got in from a lazy days work and a quick visit to the pub so gonna give Bitscan a quick run through now

(should I turn off system restore for my scan so I can let it have a look and play in there?)

:tas:tas:tas:tas Tazz all the way!!

 

Bit scan ran... nothing found :-D

 

Thanks Tim, your help was really good and am very thankful!

 

Hey Tim, know your a busy man and that but keep finding Win32.dropper.vb.rw in system restore.. only zone alarm finds this though?? SAS, MB, spybot, sophos root kit and Avivra never spot it. Is it a false positive? Had a little googling and can't really find much info on it.....