USB Drive Infection


10 replies to this topic

#1 comstarr (Members, 4 posts)

Posted 24 February 2008 - 12:16 PM

Hi everyone,
I was wondering if anyone can help me with this problem?

I have some sort of Trojan Horse on my flash drive (Kingston DataTraveler). I went to a stationery store with the flash drive to print out some call cards and must've got it from the store. I opened the flash drive on my ThinkPad, which runs Windows XP Professional. It was immediately detected by AVG (free edition). I clicked on the Heal button but got a message that it is unhealable. I ran AVG again from my laptop and found two entries in the virus vault: Virus name: Generic.SV (Worm), File name: AdobeR.exe; and Generic.ZWE (Trojan Horse), File name: ctfmon.exe; both with paths to the E drive (USB port).
I closed and ejected the flash drive, then ran the scan on my laptop and got no detections. I plugged the flash drive back in and got a Threat Detected message from AVG showing one error: the autorun.inf file was infected. No other detections.
I did not execute/open any file on the flash drive.

I searched for answers on the net but found only ones in French and Vietnamese - Nothing in English. I translated the page but the translator did not do a good job. On antivirus websites I did not find any solutions, can someone point me in the right direction?

I was wondering:
1. How would I know if my laptop was infected?
2. Can I safely wipe the 2 errors from the virus vault? The software cannot heal the worm or trojan.
3. How do I disinfect the flash drive?

I found the autorun file on the flash drive and deleted it. It was created yesterday - which was when the drive was opened on the store's pc. I ran the scan again and found no threats: Does this mean I'm safe?
Thanks.
Lisa

#2 quietman7 (Global Moderator, Bleepin' Janitor, 32,791 posts, Virginia, USA)

Posted 24 February 2008 - 03:03 PM

Flash drive infections usually involve malware that writes an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, Autorun looks for autorun.inf and automatically executes another malicious file on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if Autorun has not been disabled.

Please insert your flash drive before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

When done remove any Startup RUN value by downloading and using Autoruns.

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Another prevention measure you can use is Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. NoScript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again. Firefox also has a free NoScript add-on for its browser.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
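
The mechanism quietman7 describes above (an autorun.inf in the drive root pointing Windows at a payload, the "double-click still fires it" caveat, and the placeholder autorun.inf folder that Flash_Disinfector leaves behind) can be checked without ever executing anything on the suspect drive. The script below is an added example written for this page; it is not part of Flash_Disinfector, AVG or any tool named in the thread. The sample autorun.inf it parses is constructed to resemble the 2008-era USB worms discussed here and is not the poster's actual file; the key names it looks for (`open`, `shellexecute`, `shell=<verb>`, `shell\<verb>\command`) are the documented Autorun directives.

```python
"""Triage an autorun.inf from a drive root without executing anything on it."""
import os
import tempfile

# Constructed sample in the style of USB worms of the period; not the file
# from the thread. 'open'/'shellexecute' fire on AutoPlay, and 'shell=open'
# makes the 'open' verb the double-click default for the drive.
SAMPLE_AUTORUN_INF = """\
[autorun]
; comment line that a parser must ignore
open=AdobeR.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=AdobeR.exe
shell\\open=Open
shell\\open\\command=AdobeR.exe
shell\\explore\\command=AdobeR.exe
shell=open
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    A small hand parser on purpose: worm-written files often contain lines
    without '=' or stray bytes that make configparser raise, and only the
    executable-bearing keys matter for triage.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """List (directive, target) pairs naming what Windows would run.

    'open' and 'shellexecute' are direct AutoPlay launches. Each
    'shell\\<verb>\\command' adds a context-menu verb, and 'shell=<verb>'
    makes that verb the double-click default, which is why opening the
    drive from My Computer can still run the payload after AutoPlay is off.
    """
    targets = []
    for key in ("open", "shellexecute"):
        if key in entries:
            targets.append((key, entries[key]))
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verb = parts[1]
            label = "double-click default" if verb == default_verb else "context menu verb"
            targets.append((f"shell\\{verb}\\command ({label})", value))
    return targets


def triage_drive_root(root):
    """Classify the autorun.inf entry at a drive root.

    'protected': autorun.inf is a directory (the placeholder that stops
                 malware from writing a file of that name).
    'infected':  autorun.inf is a file that names something to run.
    'benign':    autorun.inf is a file with only icon/label style keys.
    'clean':     no autorun.inf at all.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", []
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            targets = launch_targets(parse_autorun(fh.read()))
        return ("infected" if targets else "benign"), targets
    return "clean", []


def demo():
    """Run the triage on two constructed drive roots and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as worm_root:
        with open(os.path.join(worm_root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        results["worm"] = triage_drive_root(worm_root)
    with tempfile.TemporaryDirectory() as safe_root:
        os.mkdir(os.path.join(safe_root, "autorun.inf"))  # placeholder folder
        results["placeholder"] = triage_drive_root(safe_root)
    return results


if __name__ == "__main__":
    for name, (verdict, targets) in demo().items():
        print(f"{name}: {verdict}")
        for directive, target in targets:
            print(f"  {directive} -> {target}")
```

Point `triage_drive_root` at the mounted drive's root (for example `E:\`) to see exactly which file the autorun.inf would hand to Windows before deciding what to quarantine. The `shell=open` detection is the concrete form of the caveat in the post above: disabling AutoPlay stops the `open`/`shellexecute` launch, but the drive's double-click verb still points at the same executable until the autorun.inf is removed. On a real drive also check that the placeholder `autorun.inf` is a folder with the hidden and system attributes set, which the script does not verify since those attributes are Windows-specific.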

#3 comstarr (Topic Starter)

Posted 25 February 2008 - 06:35 AM

Thank you for your response. I will try the solution as soon as I get home from work and give you feedback. Thanks again. Lisa

#4 quietman7

Posted 25 February 2008 - 08:50 AM

Ok. Post back if you encounter any problems.

#5 tenchisama (Members, 3 posts)

Posted 06 February 2009 - 05:10 PM

Yeah, quietman, thanks for the Trojan horse infection....
I mean, come on, don't you have anything better to do than try and infect us when we are looking for a solution? :thumbsup:

#6 quietman7

Posted 06 February 2009 - 10:34 PM

tenchisama, I don't know what you are talking about. Please clarify.

#7 tenchisama

Posted 07 February 2009 - 12:29 PM

Well, basically, as soon as I ran Flash Disinfector my AV detected an infection, Trojanhorse PSW.generic6.BCFK. Seems just a bit suspicious if you ask me.
Do you know what Flash Disinfector is coded in?

#8 DaChew (BC Advisor, Visiting Alien, 10,317 posts)

Posted 07 February 2009 - 12:46 PM

http://www.virustotal.com/analisis/cad2f3d...9a60c420c23d2b4

A-Squared Found nothing
AntiVir Found WORM/Generic.4084, APPL/NirCmd.2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Malware.Generic
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found not-a-virus:RiskTool.Win32.NirCMD
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Application/NirCmd.A
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Jotti

Often powerful tools are detected as malware; in this case they are false positives.

I install Flash Disinfector on all computers and all drives.
Chewy

#9 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 07 February 2009 - 12:52 PM

Hello tenchisama.

As you can see from the detection above, the nircmd.exe tool that is packed with FlashDisinfector was being detected. It is used for the message windows you see when the tool is run.

That file is being flagged because it includes some features that can potentially be used for malicious purposes, such as hiding windows.

Please see here for more information on that tool.

We can assure you that you will not be told to download any files whose purpose is sinister.

With Regards,
The Panda

#10 tenchisama

Posted 07 February 2009 - 02:12 PM

Well, that being the case, I must then apologize to quietman for my hasty comment, my only excuse being the frustration of having spent the last few days cleaning and then reformatting, just to think myself reinfected.
So once again, excuse my ignorance.
Thanks for the replies.

#11 quietman7

Posted 07 February 2009 - 05:17 PM

Not a problem tenchisama. We all certainly understand the frustration that comes from dealing with malware infections.

To expand on what PropagandaPanda and DaChew provided:

Certain embedded files that are part of legitimate programs or specialized fix tools may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".