Disinfect My USB


7 replies to this topic

#1 anirban

Posted 14 January 2008 - 10:34 AM

Hello everybody,
First, thanks for reading this post.
I am having a problem with my computer system. My computer recently got infected by a virus and a trojan.
AVG 7.5 detected them as Virus Win32/NSAnti and Trojan PSW.Legendmir.jej. It would detect these whenever I opened my HD partitions.
I reinstalled XP (SP2) to remove them, and I think they were removed, as AVG did not give any warning.
Later, when I inserted my USB pen drive, AVG again detected the virus and trojan. Even after removing the USB drive, AVG kept showing the threats.
I then used Tweak UI, a PowerToy for XP, to disable autorun for all drives except CD-ROMs, formatted the pen drive, and also used a USB disinfector program (reliability unknown) with the pen drive inserted.
Though AVG has stopped detecting the threats, I believe the trojan might still be present.
Though mine is a new installation and I may reinstall XP without much loss of data, can I safely use my pen drive,
or is there any other measure that I must take before inserting the pen drive in the system the next time?
PLEASE HELP
ANIRBAN


#2 quietman7 (Global Moderator)

Posted 14 January 2008 - 02:04 PM

Well, you need to clean up your flash drive so you don't infect anyone else who may not have used TWEAK UI.

Please insert your flash drive before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Are your partitions opening normally again?

Did your scan provide a specific file name associated with this malware threat and, if so, where is it located (full file path) on your system? If your scan saved a log file, it should show exactly what and where the malware has been found, so post that instead.

Edited by garmanma, 04 December 2008 - 08:33 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
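Added example, not part of the thread and not Flash_Disinfector's own code: a small Python script that shows what a launching autorun.inf looks like, flags the directives in it that run a program, and reproduces the trick quietman7 describes above (occupying the name autorun.inf with a folder so a worm cannot drop its own file there). The sample autorun.inf inside it is constructed for illustration, the "drive root" is a temporary directory, and the Win32 attribute calls are guarded so they only run on Windows.

```python
"""Inspect and harden a drive root against autorun.inf worms.

Added example for this thread; not the page's code and not Flash_Disinfector.
The sample autorun.inf is constructed in the shape these worms use, not
copied from any specific malware.
"""
import os
import sys

# Directives that launch something when the drive is opened (open=,
# shellexecute=) or when a context-menu verb such as 'explore' is used
# (shell\<verb>\command=); 'shell=' redirects the default double-click verb.
LAUNCH_KEYS = {"open", "shellexecute", "shell"}


def parse_autorun(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased.

    Hand-written rather than configparser: worm-dropped autorun.inf files
    often contain junk lines that make strict INI parsing fail.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def suspicious_directives(entries):
    """Return the entries that would cause a program to run."""
    return [
        (key, value)
        for key, value in entries
        if key in LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def inspect_drive_root(root):
    """Classify <root>/autorun.inf: 'absent', 'protected' (a folder, i.e. the
    Flash_Disinfector placeholder), 'launches' or 'benign', plus the hits."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "protected", []
    with open(path, "r", errors="replace") as fh:
        hits = suspicious_directives(parse_autorun(fh.read()))
    return ("launches" if hits else "benign"), hits


def protect_drive_root(root):
    """Remove any autorun.inf *file* and put a folder of that name in its place.

    Only the launch mechanism is blocked; the executable the file pointed at
    is left for the antivirus. Returns True if a folder now holds the name.
    """
    path = os.path.join(root, "autorun.inf")
    if sys.platform == "win32":
        import ctypes  # Win32 only: worm files are usually hidden+read-only
        kernel32 = ctypes.windll.kernel32
    if os.path.isfile(path):
        if sys.platform == "win32":
            kernel32.SetFileAttributesW(path, 0x80)  # FILE_ATTRIBUTE_NORMAL
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    if sys.platform == "win32":
        # Hidden (0x02) + read-only (0x01); assumption: the thread does not
        # say which attributes Flash_Disinfector itself sets.
        kernel32.SetFileAttributesW(path, 0x02 | 0x01)
    return os.path.isdir(path)


# Constructed sample (not from the thread or from any real infection).
SAMPLE_AUTORUN = r"""[AutoRun]
open=RECYCLER\setup.exe
shell\open\Command=RECYCLER\setup.exe
shell\explore\Command=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def demo():
    """Stage a fake drive root in a temp dir, inspect, harden, re-inspect."""
    import tempfile
    root = tempfile.mkdtemp(prefix="fake_usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    before_status, before_hits = inspect_drive_root(root)
    protect_drive_root(root)
    after_status, _ = inspect_drive_root(root)
    return before_status, [k for k, _ in before_hits], after_status


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call inspect_drive_root(r"E:\\") (an assumed drive letter) before and after protect_drive_root. Two caveats a practitioner should keep in mind: the script removes only autorun.inf, so the file it pointed at (RECYCLER\setup.exe in the sample) still has to be found and removed, and a placeholder folder only stops a worm from writing a *file* of that name; it does nothing against malware that already runs with enough rights to delete the folder first.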

#3 anirban (Topic Starter)

Posted 16 January 2008 - 11:49 AM

Dear quietman7,

First of all, thanks a lot for your quick help, and sorry for my delay in replying to you.

I was having some problems with my broadband internet connection.
As you said, I downloaded Flash_Disinfector, inserted the pen drive and ran it. It asked me to insert all removable drives. (What else? Is there anything else to do for the CD-ROM drives?)

As far as the malware is concerned,
the partitions seem to open normally to a lame user like me (is there any way to check?).

For logs, I find AVG has a test results section, but it is a GUI (how can I paste it here?).

On 9 Jan its scan showed 6 malware detections:

Win32/NSAnti in C:\Documents and Settings\anirban\Local Settings\Temp\a5lg8x2t.dll
(moved to vault)

and

5 instances of PSW.Legendmir.jej
in C:\System Volume Information\_restore{f9287d4d...}
(deleted)

Since then I have done several checks, but no threat has been detected, and after using Tweak UI
it does not show any warning even on opening the partitions.

What do I do next?
ANIRBAN

#4 quietman7 (Global Moderator)

Posted 16 January 2008 - 12:32 PM

"...it asked me to insert all removable drives."

Unless you know which removable media was responsible for the infection, you can insert other drives and reuse Flash_Disinfector.

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

The infected RP***\A0000**** file(s) identified by your scan are in the System Volume Information folder (SVI), which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access, and it is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove the file(s) after your system has been cleaned of malware, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

Even though AVG says it removed those files, I would still recommend you Create a New Restore Point and use Disk Cleanup.

#5 anirban (Topic Starter)

Posted 17 January 2008 - 09:20 AM

Dear quietman7,

Thanks for the information.

I did as you said, creating a new restore point and then a disk cleanup.

Do you think my system is clean now? How do I check that? Also, how do I prevent reinfection, say from someone else's pen drive?

A word of appreciation for your prompt reply and help.
ANIRBAN

#6 quietman7 (Global Moderator)

Posted 17 January 2008 - 09:39 AM

Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

I recommend disabling the Autorun feature on USB and removable drives (especially an external drive used for backup) as a method of prevention.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable", install it on your USB Flash Drive, update its definition files and perform a scan.

Another prevention measure you can use is to download Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. Noscript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".
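Added example, not from the thread, Tweak UI or Symantec's utility: a Python script that builds the same policy values the Tweak UI steps above set, and writes them out as a .reg file you can import with reg.exe. The facts it relies on are that Tweak UI's "Drives" page writes the per-drive-letter bitmask NoDriveAutoRun and its "Types" page writes the per-drive-type bitmask NoDriveTypeAutoRun (both under HKCU\...\Policies\Explorer, one bit per Win32 drive type, 0xFF disabling Autorun everywhere), and that the Windows Script Host on/off switch the NoScript utility flips is the Enabled value under the Windows Script Host\Settings key. The drive letters D:, E:, F: and the output file name are assumptions for illustration.

```python
"""Generate a .reg file that disables Autorun the way the Tweak UI steps do,
plus the Windows Script Host switch.

Added example for this thread; not code from the page, Tweak UI or Symantec.
"""

# NoDriveTypeAutoRun: one bit per Win32 drive type (GetDriveType value);
# a set bit disables Autorun for that type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB flash drives, floppies
    "fixed": 0x08,       # internal and external hard disks
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "other": 0x80,       # types not covered by the bits above
}
DISABLE_ALL_TYPES = 0xFF


def type_mask(disabled_types):
    """Bitmask for NoDriveTypeAutoRun from a list of drive-type names."""
    mask = 0
    for name in disabled_types:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def decode_type_mask(mask):
    """Inverse of type_mask, for auditing a value read back with 'reg query'."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit]


def letter_mask(drive_letters):
    """Bitmask for NoDriveAutoRun: bit 0 is A:, bit 1 is B:, ..., bit 25 is Z:."""
    mask = 0
    for letter in drive_letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask


def reg_file(type_bits, letter_bits=0, disable_wsh=True):
    """Text of a .reg file applying the policies (CRLF, as regedit writes)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
        '"NoDriveTypeAutoRun"=dword:%08x' % type_bits,
        '"NoDriveAutoRun"=dword:%08x' % letter_bits,
    ]
    if disable_wsh:
        # Same effect as the NoScript utility: WSH refuses to run .vbs/.js files.
        lines += [
            "",
            r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]",
            '"Enabled"=dword:00000000',
        ]
    return "\r\n".join(lines) + "\r\n"


def tweak_ui_equivalent(letters=("D", "E", "F")):
    """Mirror the post's steps: keep Autorun for CD/DVD drives, disable it for
    every other drive type, and disable it per letter for the given drives
    (assumed letters D:, E:, F:). Returns (type_bits, letter_bits, reg_text)."""
    types = [name for name in DRIVE_TYPE_BITS if name != "cdrom"]
    t, l = type_mask(types), letter_mask(letters)
    return t, l, reg_file(t, l)


if __name__ == "__main__":
    t, l, text = tweak_ui_equivalent()
    # Assumed output name; import with:  reg import disable_autorun.reg
    with open("disable_autorun.reg", "w", newline="") as fh:
        fh.write(text)
    print(hex(t), hex(l), decode_type_mask(t))
```

The HKLM key needs an administrator account to import, and the HKCU policies take effect after logging off and on. Note the caveat quietman7 gives above: on XP, Explorer caches the parsed autorun.inf of a drive it has already seen (under HKCU\...\Explorer\MountPoints2), which is why double-clicking the drive can still trigger it even after the policy is set; the placeholder folder from Flash_Disinfector and the policy together cover more than either alone.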

#7 anirban (Topic Starter)

Posted 18 January 2008 - 08:25 AM

Thanks for the help. I have taken the precautions as mentioned by you.
Does AVG not giving any threat make sure that there is no virus/trojan? How do I check that the system is not infected now?
ANIRBAN

#8 quietman7 (Global Moderator)

Posted 18 January 2008 - 08:58 AM

AVG detected the original malware, so at least that appears to be resolved, since it is no longer detecting that threat. You can always get another opinion by performing an Online Virus Scan.

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.