Hello, I am completely new to this forum, but before posting this I have searched through the forum about the problem I had and I am posting this to inquire about the problem further and see if I am free of it. I have a very new laptop just 1 week old and a friend gave me his external hard drive so I can transfer some files on my computer to his ext hard drive. He told me he has no viruses but I should have been wiser. Anyway the second I plug it in, avast alerts me that there are 17 LNK:FakeFolder-B[Trj] on that external hard drive and it quarantined them. I immediately removed the ext hard drive and ran a full system scan that came back with no infections. I got scared that the virus or whatever it is may have seeped into my computer so I started searching through the avast forums and found on different posts that I should download and run mcshield. I have done that and the scan took way less than 2 seconds and I read the logs and showed that all my drives were clean. I plugged in my own personal ext hard drives and memory sticks and mcshield scanned them and the logs showed that they were all clean as well. I ran another avast full system scan and there were no infections detected. Now the question is, after doing all this, does this indicate that the virus did not manage to seep into my laptop or any other external memory devices? Is there anything else I should be doing or am I good for now and I should stop worrying? I hope I will be hearing about this soon, and I do apologize if I posted this in the wrong section, but I figured it may be the right place.
Let us check the system.
Follow the instructions and attach the logs please.
Sure thing, let's do that. Just not sure which instructions to follow lol sorry. Are they any of the ones in your signature?
here https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes / Farbar Recovery Scan Tool / aswMBR logs
"I plugged in my own personal ext hard drives and memory sticks and mcshield scanned them and the logs showed that they were all clean as well."
Did MCShield scan that drive when it was plugged in?
"Anyway the second I plug it in, avast alerts me that there are 17 LNK:FakeFolder-B[Trj] on that external hard drive and it quarantined them."
avast may have killed it before MCShield ;)
LNK:FakeFolder-B[Trj] = Microsoft call it Dorkbot
Tech info
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2FDorkbot
Spreads via… Removable drives
Win32/Dorkbot might create a folder named “RECYCLER” in all accessible USB drives, and registers it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever you plug a USB device into your PC. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named “autorun.inf” pointing to the worm copy. These autorun.inf files tell the operating system to launch the worm file automatically when the USB drive is accessed from another PC that supports the Autorun feature.
Seems your friend needs a computer check also
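A read-only check for the removable-drive traces described in the Microsoft write-up quoted above (a RECYCLER folder and an autorun.inf that points at a program), added here as an example and not posted by anyone in the thread. It also lists shortcut files in the drive root, since avast's detection here was of LNK files. The function names, finding labels and sample drive layout are constructed for illustration.

```python
import os
import tempfile

# autorun.inf keys that name a program to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(inf_path):
    """Return the program paths an autorun.inf asks the OS to launch."""
    with open(inf_path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never fails on odd bytes
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def scan_drive_root(root):
    """List findings in the root of a mounted drive without changing it."""
    findings = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name.lower()):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if entry.is_file() and name == "autorun.inf":
            for target in autorun_targets(entry.path):
                findings.append(("autorun-launch", target))
        elif entry.is_dir() and name == "recycler":
            for sub in sorted(os.listdir(entry.path)):
                findings.append(("recycler-entry", sub))
        elif entry.is_file() and name.endswith(".lnk"):
            findings.append(("root-shortcut", entry.name))
    return findings

def build_sample_drive():
    """Constructed sample: a temp folder laid out like the drive described."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "sample.exe"), "wb") as fh:
        fh.write(b"placeholder, not a real program")
    with open(os.path.join(root, "AutoRun.inf"), "wb") as fh:
        fh.write(b"[AutoRun]\r\nOpen = RECYCLER\\sample.exe\r\nicon=shell32.dll,4\r\n")
    open(os.path.join(root, "Photos.lnk"), "wb").close()
    os.mkdir(os.path.join(root, "Documents"))
    return root

if __name__ == "__main__":
    for kind, detail in scan_drive_root(build_sample_drive()):
        print(kind, detail)
```

An empty result only means these particular traces are absent from the drive root; it does not replace the scanner logs requested in the thread.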
Well I removed all external memory devices before installing mc and I ran the scan and it showed me that my internal drives were clean, when I plugged in my memory devices (not my friends) mc scanned them and said they were cleaned. To be honest I was scared to plug in my friend’s external hard disk again lol. When Avast detected them and quarantined them, I went to the chest and there was an option to delete/remove them (I am sorry I do not remember the exact action) and so I did that. I ran MC scan a few times and plugged my stuff in and out and would still show me everything was clean. I remember we had a similar virus at uni and I believe it attaches itself to removable disks and when I plugged in my removable devices and nothing happened to them, I felt a bit at ease. But there is nothing wrong with making sure even more right? lol
At the moment I am running the scans that you asked me to run and I will be attaching the logs. But do you think that the virus has been killed and did not manage to get into my laptop?
"But do you think that the virus has been killed and did not manage to get into my laptop?"
removal experts will find out when they see your logs
they are notified, it may take some hours before they are online
Sorry, forgot to post the link. :-[
It is the one Pondus gave you.
Well I have run all the scans you asked for and attached the logs, I know I was not supposed to rename any logs but the Malwarebytes log was empty and I had to give a name to it or else it would not save.
When saving the log for aswMBR I got two files, a .txt and a .dat, what should I be doing with the .dat?
I had a quick look and there are some (minor) things that i.m.o. should be fixed, but I leave it to one of the experts to guide you.
Are they virus related or just things within the system itself? I hope they are not very harmful lol.
There are two batch files that the malware placed on the system but without the trigger file they are harmless, the remainder are just house cleaning
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {4B9A223F-B483-4215-97CC-8C831EA52A0A} URL =
SearchScopes: HKCU - {4B9A223F-B483-4215-97CC-8C831EA52A0A} URL =
2014-09-13 15:35 - 2014-09-13 15:35 - 00000144 _____ () C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-09-13 15:17 - 2014-09-13 15:17 - 00000510 _____ () C:\windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that
Alright, I have done what you have asked and I have attached the fixlog
Are you experiencing any problems at all ?
Does not seem like there are any problems, I left the laptop running and I had to go run some errands till I got notified here, came back to laptop and it seems normal.
Does this mean there is no more threat? Should I be doing anything else?
Not from my side as it appears to be a nice and clean system (apart from the two batch files that are now dead)
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…
The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide: Best security practices
Keep safe
Sounds great, makes me feel better now, I would have killed my friend if something would have happened to the laptop haha I should be careful in the future. I have just got a few questions just to have peace of mind. What exactly did you do to the bat files? Are they still around on my laptop or completely gone? When I plugged in my own external memory devices before you did your fix, did they catch the malware or are they clean? Yeah, that’s it I guess lol and I am sorry for asking too many questions.
Now your friend needs his computer checked, and he can do it here
Don’t kill a friend, torture him/her.
That way you will have longer fun with him/her ;D