External HD possibly infected...what to do?

So, last night I got hit with a real nasty win32:ramnit-b infection that caused Avast! to start spamming alerts like crazy, countering rapid and relentless attempts by this thing to spread. Within about ten minutes, the infection had caused Avast! to obliterate all the .exe’s and .dll’s in a folder that I kept full of graphics drivers. The infection had also been trying to access a 1TB external HD that I use to store all my games (I have Steam installed to this drive).

While the Win32:ramnit-b component itself, along with VBS:ExeDropper-gen, were busy molesting the internal HD…another component, identified as “LNK:Runner” was doing something on the external HD; this time, creating/infecting files with the extension “.lnk”.

These files were located in randomly-named folders inside a hidden “recycle” folder on the external HD.

(EDIT: To clarify, the Win32:ramnit-b and VBS:ExeDropper-gen components were also infecting htm and html files.)

Like with the other two components, Avast! seemed to be managing to spot and delete every one of these attempts, but the thing generating these attempts was still running wild.

So I ran every scan I could: Avast itself (including boot time scan, which identified a threat but could do nothing about it), Malwarebytes, Dr. Web CureIt, Ad-Aware and SAS.

The Dr. Web CureIt program was successful at killing the process generating the spread of the infection (though, of course, it regenerated when the machine was restarted), so I used this opportunity to back up files (excluding executables and dlls) on the external HD.

Then, having read up on the subject and discovered the possibility that my system may never fully recover from such an infection, I reformatted it and reinstalled windows.

Windows, now, seems fine. I’ve installed ZoneAlarm, Avast! and Ad-Aware, (edit: and Malwarebytes) and it looks like an utterly clean installation complete with new car smell.

But, as I said, I backed up data onto the external HD (pictures, word documents etc). I had little choice; there was no other device/burnable disc at hand. Which leaves me with something of a dilemma.

Avast! destroyed a lot of attempts by this “LNK:Runner” component, and there was no sign that the infection was touching any .exe on the external HD.

Interestingly, the Win32:Ramnit-b and VBS:ExeDropper-gen components seemed to be infecting the system in an alphabetical order. I say this, because the folder I discussed earlier, containing graphics drivers, contained specifically AMD/ATI drivers and was listed as such (C:\AMD and C:\ATI), and no other folder had been touched by the time I halted the spread.

The dilemma:
The external HD, as I said, has Steam installed to it. That means nearly 300 GB of games, replete with .exe’s and .dlls.

After backing up data to this HD, in the quiet period after Dr. Web CureIt halted the initial growth of this infection, I ran a full scan (using Avast!) of the external HD. Nothing was detected, so I unplugged it, and went ahead with reformatting the machine.

How do I approach the external HD? I could reformat it, but that would require that I plug it in…and it would also mean losing a lot of data.

If I were to extract data from it before reformatting, is there any way that image files (.bmps .jpgs) video files (.wmv .mpg etc) and text documents (.doc .docx .txt) could be infected?

Is there any way to access the contents of this HD in a secure “sandbox” environment? Would accessing it in safe mode make any difference?

I’d appreciate any advice anyone could give.

EDIT: Oh, and for the record, the first thing I did today was change all my passwords.
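As an added illustration (not part of any post in this thread, and not a feature of the tools mentioned): a read-only Python walk over a mounted drive that lists the artifacts the post above describes, a root autorun.inf, .lnk files dropped under a hidden recycle folder, and the .exe/.dll/.htm/.html files Ramnit was infecting, without opening or executing anything. The drive layout is a constructed, hypothetical stand-in built in a temp directory.

```python
import tempfile
from pathlib import Path

# Artifacts named in the thread: autorun.inf at the drive root, .lnk files that
# LNK:Runner dropped into randomly named folders under a hidden recycle folder,
# and the executable / DLL / htm / html files that Ramnit was infecting.
INFECTABLE_EXT = {".exe", ".dll", ".htm", ".html"}


def triage_drive(root):
    """Walk a mounted drive and list suspicious artifacts by relative path.
    Only directory metadata is read; nothing is opened, copied or executed."""
    root = Path(root)
    findings = {"autorun": [], "recycle_lnk": [], "other_lnk": [], "infectable": []}
    if (root / "autorun.inf").is_file():
        findings["autorun"].append("autorun.inf")
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        folders = [p.lower() for p in rel.parts[:-1]]
        ext = path.suffix.lower()
        if ext == ".lnk":
            # $RECYCLE.BIN, RECYCLER and Recycled all contain "recycle"
            key = "recycle_lnk" if any("recycle" in f for f in folders) else "other_lnk"
            findings[key].append(rel.as_posix())
        elif ext in INFECTABLE_EXT:
            findings["infectable"].append(rel.as_posix())
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_drive():
    """Constructed stand-in for the external HD in the thread (hypothetical contents)."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    layout = [
        "autorun.inf",
        "$RECYCLE.BIN/S-1-5-21-0000/x7q2.lnk",  # randomly named folder holding a .lnk
        "Steam/steamapps/common/game/game.exe",
        "Steam/steamapps/common/game/engine.dll",
        "Backup/Photos/holiday.jpg",
        "Backup/Docs/letter.docx",
        "Backup/Web/index.html",
    ]
    for item in layout:
        target = root / item
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")
    return root
```

Run `triage_drive("/mnt/external")` (or the drive letter on Windows) against the real drive to get the same four lists; data files such as .jpg and .docx are deliberately not listed, since the question is which files the worm targeted.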

Hi…

for a start…

Install & Run Malwarebytes program
http://www.malwarebytes.org/
Remove flash drive.
Install Malwarebytes >> Update >> Quick Scan >> Ok; Remove Selected

Reboot Windows.

Install MCShield program.
Install >> allow update
Add flash drive and wait for MCShield to remove malware.
Please paste or attach here log from MCShield ( AllScans.txt )
location:
Start >> All Program >> MCShield >> Logs

copy/paste log here

It will not just remove malware from the flash drive, it will also prevent infection of the computer via any other USB flash drive, mobile phone or memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.

But, if you still have a problem, follow this.
http://forum.avast.com/index.php?topic=53253.0

my colleague essexboy will reply to you :wink:
I currently do not have time :frowning:

You’re awesome…I’ll get started on that right away. Will report back asap.

EDIT: A horrible irony just occurred to me, while I’m watching this scan…

I’ve just started re-reading Neuromancer…

Er, that seemed a bit quick. Did I do something wrong?

Anyway, here’s what it said:

<<< MCShield v1.4.3 >>> Monitoring started at 23/05/2011 20:11:54

23/05/2011 20:13:17 > Scanning drive E: (KINGSTON ~2 GB, FAT flash drive )…

=> The drive seems clean.

23/05/2011 20:14:15 > Scanning drive E: (Expansion Drive ~932 GB, NTFS HDD )…

E:\autorun.inf > Suspicious > Renamed.

=> Suspicious files : 1/1 renamed.

For the record, that first scan was me inserting a freshly reformatted, clean USB pen drive to back up the install .exe of these AV programs (I’m building up an emergency reinstall bundle, in case I have to reinstall windows again).

The second entry was the 1TB HD.

Looks…clean to me. Tbh, that autorun thing may have been there from the start; the Seagate expansion drive has a few bits of software preloaded.

Was this McShield program supposed to scan so quickly though? It logged those results within like 2 seconds of me plugging it in.

EDIT: Oh, and Malwarebytes didn’t find anything whatsoever. But then, this is a fresh windows install now.