View Full Version : virus/trojan/worm on an external drive


Potato
December 11th, 2008, 07:36 PM
How would you guys get rid of a virus/trojan/worm on an external drive?

thelastfreeman
December 11th, 2008, 07:39 PM
Scan the drive, isolate non-system files like docs, vids, etc. and trash the rest. But if you already know where it is, it wouldn't be hard to remove the virii. Could you give me more details?

mountain_rage
December 11th, 2008, 07:43 PM
Boot into safe mode and run various virus scanners.

wapazoid
December 11th, 2008, 07:46 PM
How would you guys get rid of a virus/trojan/worm on an external drive?

What reported the virus? Is it not capable of taking care of the problem?

DrewWilson
December 11th, 2008, 07:55 PM
Most anti-virus programs at least tell you where the problem is. In Norton Antivirus, where it says it detected a virus, there's a way to export the log. Just export it to somewhere on your computer where you know you'll find it, then open it up (it's a text file) and scroll down to the virus on the external. It should have a file path that tells you where it's at (along with some other technical info along with it)

I don't know what anti-virus software you are using, but if it's Norton, that should help. :)

carpefile
December 11th, 2008, 07:56 PM
The virus will only do its thing on your OS drive. If your external is just archives, and you haven't activated the virus yet, just delete it.

If it has already delivered its payload, you can still just delete it from your external, but you're also gonna have to disinfect your OS.

Potato
December 11th, 2008, 08:05 PM
Kaspersky's the antivirus.

XP Pro's the OS.


http://www.precisesecurity.com/blogs/2008/09/20/resycledbootcom/ <-- This helped (comments 24 and 25) some, I think, but I'm sick of testing and being fucked again.

I can't open either the C: or the external when it's connected, at least, not via My Computer. I can explore just fine.

I'm still getting a "Windows cannot find 'resycled\boot.com'" message when accessing either.



P.S. You guys are quick. Thanks for the replies :)

Dark Messenger
December 12th, 2008, 07:46 AM
I can't open either the C: or the external when it's connected, at least, not via My Computer. I can explore just fine.

I'm still getting a "Windows cannot find 'resycled\boot.com'" message when accessing either.


Usually that is a problem with it being called from in the path.

I liked this suggestion pretty good from the link you provided:

I got rid of the problem by simply removing a file called autorun.inf from the root directory of my hard drive and it also worked for my USB memory stick when I removed the same file from the root of that drive.

Being able to follow those very difficult and tedious instructions in steps 24 and 25 shows you have the capacity for getting this fixed.

You've narrowed down some of the problem and found out you can still access both drives with the explorer view...

From here I'd make sure that under folder options you can see all hidden file types even system files and that show all file extensions is selected even for known file types.

Look for that 'autorun.inf' file they are talking about..don't delete it...just make a new folder for it on your c:\ drive and move the autorun.inf into it..if you have it and can see it on your c:\ drive.

Then do the same thing with your external drive...what drive letter does your computer assign to your external drive?
Anyway do the same with your external drive for now I'm using 'X' to represent the drive letter for your external drive as I don't know that info yet..but look for that same file on it and create a new folder for it on the external and move it into it if it can be found.

If the file moves in both places with no errors..reboot and see what you get.

Also make sure you have the latest version of hijack this in the zip archive format and extract its contents to its own folder. Rename the hijack this folder 'happy' (all lowercase, no quotes), then rename the main executable of hijackthis.exe (or whatever it's called) to 'addon.exe' (again all lower case and without quotes).

2) now double-click on the renamed hijackthis.exe program now called 'addon.exe' and run a scan...post us a log of the scan you did with hijack this here so we can help you figure out what's calling up the path for 'boot.com'

the reason for the renaming is because some viruses and malware look for the hjthis.exe (or whatever the original name for it is called) and deliberately hide from it..renaming it as suggested will give you a better chance of getting more accurate results.

Neway good luck with this.

-DM
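
Added example, not part of the original thread: a small Python check that reads an autorun.inf moved aside as described above and lists which entries would launch a program from the drive, and whether that program is still present. The sample file contents are constructed around the 'resycled\boot.com' path from the error message; the function names and the `present` set (standing in for a directory listing of the drive) are assumptions.

```python
import ntpath

# Extensions Windows will run directly (not exhaustive).
EXEC_EXTS = {".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

# Constructed sample, built around the path in the error message above.
SAMPLE = r"""[autorun]
open=resycled\boot.com e:
shell\open\command=resycled\boot.com e:
shell\explore\command=resycled\boot.com e:
icon=drive.ico
"""

def autorun_commands(text):
    """Return (key, command) for each [autorun] entry that launches a program."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            found.append((key, value.strip()))
    return found

def target_of(command):
    """Program path at the start of a command line, honouring double quotes."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command.split() else ""

def review(text, present):
    """present: lower-cased root-relative paths that exist on the drive."""
    findings = []
    for key, command in autorun_commands(text):
        target = target_of(command).lower()
        findings.append({"key": key, "target": target,
                         "executable": ntpath.splitext(target)[1] in EXEC_EXTS,
                         "missing": target not in present})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE, present=set()):
        print(f)
```

An entry reported as both executable and missing means the drive's autorun.inf still points at a program that is no longer there.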

RACKnRAIL
December 12th, 2008, 04:17 PM
Have you fixed your stick?

This tool (http://www.esnips.com/doc/29a0d024-a50a-47c5-ad89-3bb31ec5853e/Flash_Disinfector) looks like it may be of use. I have not tried it, but it may be worth a try. Good for future use too.

shawners
December 12th, 2008, 09:10 PM
With gasoline and a match. Format =)

w31n3r
December 12th, 2008, 10:20 PM
had a similar problem once, licked it with a little (more than a little actually) help from the master himself. might want to check it out.
http://www.zeropaid.com/bbs/showthread.php?t=47008&highlight=windows+explorer

Potato
December 13th, 2008, 04:22 PM
Okay... I moved the autorun.inf file on the C: and the E: into different folders on each.

Opening either drive from My Computer still gave the same message.

I found some registry cleaner and ran that. It wanted me to pay, and I didn't, so it only "fixed" 15. I rebooted, then opening any drive brought up a search window. Found a fix for that, and now everything works beautifully.

What should I do with those autorun.inf files?

Dark Messenger
December 14th, 2008, 04:16 AM
Okay... I moved the autorun.inf file on the C: and the E: into different folders on each.

Opening either drive from My Computer still gave the same message.

I found some registry cleaner and ran that. It wanted me to pay, and I didn't, so it only "fixed" 15. I rebooted, then opening any drive brought up a search window. Found a fix for that, and now everything works beautifully.

What should I do with those autorun.inf files?

you can safely delete them...or if you don't mind could you put them together in a zip file and upload them here as an attachment for me to look at?

It's optional of course.

Glad you got things sorted.

oh and btw what was the fix with the search window deal....and for the sake of completeness which registry cleaner did you use?

carpefile
December 14th, 2008, 02:04 PM
Here's an excellent freeware reg cleaner. It won't stop at 15 ;)
http://www.freewarefiles.com/RegScrubXP_program_40487.html

Potato
December 14th, 2008, 06:51 PM
hey random mod, thanks for editing the title (but not really)


Fix for the issue of it opening a search window all the time: http://windowsxp.mvps.org/searchwindow.htm

Modified value at HKEY_CLASSES_ROOT \ Drive \ shell to say "none"

fast_vagrant
January 12th, 2009, 01:38 AM
NOD32 antivirus scanner