USB Drive Infection
Posted 24 February 2008 - 12:16 PM
I was wondering if anyone can help me with this problem?
I have some sort of Trojan Horse on my flash drive (Kingston DataTraveler). I went to a stationery store with the flash drive to print out some call cards and must've got it from the store. I opened the flash drive on my ThinkPad, which runs Windows XP Professional. It was immediately detected by AVG (free edition). I clicked on the Heal button but got a description that it is unhealable. I ran AVG again from my laptop and found two errors in the virus vault: Virus name: Generic.SV (Worm), File name: AdobeR.exe; and Generic.ZWE (Trojan Horse), File name: ctfmon.exe; with paths to the E drive (USB port).
I closed and ejected the flash drive, then ran the scan on my laptop and got no errors. I plugged the flash drive back in and got a Threat Detected message from AVG showing 1 error: the autorun.inf file was infected. No other detections.
I did not execute/open any file on the flash drive.
I searched for answers on the net but found only ones in French and Vietnamese, nothing in English. I translated the page but the translator did not do a good job. On antivirus websites I did not find any solutions; can someone point me in the right direction?
I was wondering:
1. How would I know if my laptop was infected?
2. Can I safely wipe the 2 errors from the virus vault? The software cannot heal the worm or trojan.
3. How do I disinfect the flash drive?
I found the autorun file on the flash drive and deleted it. It was created yesterday - which was when the drive was opened on the store's pc. I ran the scan again and found no threats: Does this mean I'm safe?
Posted 24 February 2008 - 03:03 PM
Please insert your flash drive before we begin!
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
When done, remove any startup RUN value by downloading and using Autoruns.
When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.
"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"
Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.
I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention.
The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
- After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
- Uncheck the drives you want to disable AutoPlay on and click on Apply.
- Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
- Uncheck the box to disable Autoplay for a particular type of drive.
- Click Apply.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun, so be careful.
Another prevention measure you can use is Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. Noscript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again. Firefox also has a free NoScript Add-on for its browser.
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
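As an added illustration that is not from the thread or from any of the tools named in it, here is a small Python inspector for the kind of autorun.inf AVG flagged in the first post: it parses the [autorun] section the way Windows does (ignoring junk lines) and lists the directives that would launch a program when the drive is opened or double-clicked. The sample file content is constructed, and the executable-extension list is an assumption for this example.

```python
import re

# Keys in [autorun] that make Windows run something when the drive is opened:
# "open"/"shellexecute" act on AutoPlay, and shell\<verb>\command entries hijack
# the verbs shown when the drive is double-clicked or right-clicked in Explorer.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Extensions Windows executes directly (assumed list for this example)
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|vbs|js|scr|pif)\b", re.I)


def parse_autorun(text):
    """Parse the [autorun] section into a dict of lowercase key -> value.

    Lines that are not key=value are ignored, because worms commonly pad the
    file with junk lines to trip up naive parsers while Windows still honours it.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text):
    """Return which directives would launch a program and an overall verdict."""
    entries = parse_autorun(text)
    launches = [(k, v) for k, v in entries.items() if LAUNCH_KEY_RE.match(k)]
    suspicious = [(k, v) for k, v in launches if EXEC_EXT_RE.search(v)]
    return {
        "entries": entries,
        "launches": launches,
        "suspicious": suspicious,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed sample shaped like the infection in the first post: the drive's
# default action is pointed at AdobeR.exe, with junk lines and a stock icon added.
SAMPLE_AUTORUN = """[autorun]
;pD7qZ
open=AdobeR.exe
shell\\open\\Command=AdobeR.exe
shell\\explore\\command=AdobeR.exe
kXw9
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    report = assess(SAMPLE_AUTORUN)
    print("verdict:", report["verdict"])
    for key, target in report["launches"]:
        print(f"  {key} -> {target}")
```

Run it against the autorun.inf copied off a suspect drive (as text, without opening the drive in Explorer) to see exactly which file the drive would have launched.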
Posted 25 February 2008 - 06:35 AM
Posted 06 February 2009 - 05:10 PM
I mean, come on, don't you have anything better to do than try and infect us when we are looking for a solution?
Posted 07 February 2009 - 12:29 PM
Do you know what the flash disinfector is coded in?
Posted 07 February 2009 - 12:46 PM
A-Squared Found nothing
AntiVir Found WORM/Generic.4084, APPL/NirCmd.2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Malware.Generic
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found not-a-virus:RiskTool.Win32.NirCMD
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Application/NirCmd.A
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Often, powerful tools are detected as malware; in this case they are false positives.
I install Flash Disinfector on all computers and all drives.
No. Try not. Do... or do not. There is no try.
Posted 07 February 2009 - 12:52 PM
As you can see from the detection above, the nircmd.exe tool that is packed with FlashDisinfector was being detected. It is used for the message windows you see when the tool is run.
That file is being flagged because it includes some features that can potentially be used for malicious purposes, such as hiding windows.
Please see here for more information on that tool.
We can assure that you will not be told to download any files whose purpose is sinister.
Posted 07 February 2009 - 02:12 PM
So once again, excuse my ignorance.
Thanks for the replies.
Posted 07 February 2009 - 05:17 PM
To expand on what PropagandaPanda and DaChew provided:
Certain embedded files that are part of legitimate programs or specialized fix tools may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".