
Pen Drive - Infected?


11 replies to this topic

#1 NotVeryTechie


Posted 16 April 2008 - 07:27 AM

Hi there

I have been doing some work on my sister's computer and she has been badly infected. She has found a worm and it looks as if there is a problem with scvhost. We have been cleaning the computer and using various tools, etc. Problem is we ran a backup to CD just when the problems started and I have also used my usb pen drive on her computer.

1) Will the backup be infected? How do we reload the files in the event of a complete crash without reloading the virus?

2) How do I find out if my pen drive is ok? I have tried various scan options and most of the antivirus software and the online scanner for scvhost don't allow for scanning of usb devices. I also understand that this particular trojan doesn't show up on most virus scans. I really don't want to lose the files on my pen drive and I don't want to infect any other computer. So is it possible that it has written itself into my files? How do I find out?

Hope you can help



#2 quietman7


Posted 16 April 2008 - 08:22 AM

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature and keep autorun.inf from executing automatically.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable", install it on your USB Flash Drive, update its definition files and perform a scan. Also scan the files you backed up to CD.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
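
An added example, not part of quietman7's post and not code from Flash_Disinfector: a read-only Python check of a drive root that reports whether autorun.inf is absent, is a folder (the state the post says Flash_Disinfector leaves behind), or is a file, and in the last case lists the [autorun] entries that would start a program. The sample file content and the name example.exe are constructed for illustration.

```python
import os

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not taken from a real infection.
SAMPLE_INF = (
    "[AutoRun]\r\n"
    "; comment line\r\n"
    "open=example.exe\r\n"
    "shell\\open\\Command=example.exe\r\n"
    "icon=folder.ico\r\n"
)

def parse_autorun(text):
    """Return (key, command) pairs in [autorun] that would launch a program."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command attaches a program to a menu entry for the drive.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            hits.append((key, value))
    return hits

def audit_drive_root(root):
    """Classify <root>/autorun.inf as absent, folder or file; nothing is executed."""
    matches = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not matches:
        return ("absent", [])
    path = os.path.join(root, matches[0])
    if os.path.isdir(path):
        # A folder already holds the name, so a file cannot be written under it.
        return ("folder", [])
    with open(path, "rb") as fh:
        data = fh.read()
    # Files may be ANSI or UTF-16 with a byte-order mark.
    is_utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if is_utf16 else "latin-1")
    return ("file", parse_autorun(text))

if __name__ == "__main__":
    import sys
    print(audit_drive_root(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the drive root as the only argument; a result of "file" with a non-empty list means the drive carries an autorun.inf that points at a program and should be scanned before anything on it is opened.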

#3 NotVeryTechie


Posted 22 April 2008 - 01:51 PM

Wow, thank you so much!! I will only be able to do this when I visit my friend as I don't have an internet connection, so it may be a few days, but I will follow all the steps above.

THANK YOU SO MUCH!

#4 quietman7


Posted 22 April 2008 - 01:59 PM

You're welcome and good luck.

Post back if you continue to have issues.

#5 NotVeryTechie


Posted 23 April 2008 - 10:33 AM

One quick question. If I disable autorun on the CD/DVD drive, will it cause a problem if I need to boot from a CD at some point? I don't have a floppy drive.

#6 quietman7


Posted 23 April 2008 - 11:09 AM

A bootable CD is different from an AutoRun CD. A bootable CD-Rom is a CD from which you can boot the computer by loading a boot image from the CD-Rom.

Bootable CD FAQs

#7 NotVeryTechie


Posted 30 April 2008 - 05:15 AM

Hi there

Me again with another question. I would like to know what I should put on my computer to protect it. As I don't currently have an internet connection I just need to protect against stuff that could be hiding on my usb pen drives or CD/DVDs. I was looking at loading Avira Antivir. Should I also load a firewall (I am currently using the Vista one) and do I need anti-spyware? Not sure if I should load Comodo or something like that.

Hope you can help! :thumbsup:

#8 quietman7


Posted 30 April 2008 - 07:15 AM

To protect yourself against malware and reduce the potential for re-infection, read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings".

As I already said, you can put "ClamWin Portable Antivirus" on your USB Flash Drive so it's always available to perform a scan.

Another prevention measure you can use is Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. Noscript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again. Firefox also has a free NoScript Add-on for its browser.

Yes, having a firewall is very important.
• Understanding and Using Firewalls
• What is a Firewall
• How Firewalls Work

If you choose to use a 3rd-party firewall, you need to disable the Windows firewall. Using two software firewalls on a single computer could cause issues with connectivity to the Internet or other unexpected behavior. Further, running multiple software firewalls can cause conflicts that are hard to identify and troubleshoot. Only one of the firewalls can receive the packets over the network and process them. Sometimes you may even have a conflict that causes neither firewall to protect your connection. However, you can use a hardware firewall (your router) and a software firewall (Kerio or ZoneAlarm) in conjunction. For more information see "The Differences and Features of Hardware & Software Firewalls" and "Choosing a Firewall: Hardware v. Software".

Choosing a firewall is a matter of personal preference, your technical experience and what will work best for your system. A particular firewall that works well for one person may not work as well for another. You may need to experiment and find the one most suitable for your use.

See BC's Freeware Replacements For Common Commercial Apps and List of Virus & Malware Resources.

#9 NotVeryTechie


Posted 30 April 2008 - 08:14 AM

Thank you quietman7. Sorry to keep asking, I am struggling a bit to understand all the stuff. I did put ClamWin on my pen drive and want to load AntiVir.

I am still not sure if it will be ok to keep the Win firewall or if I should use Comodo instead. If I want to use Comodo, how do I disable the Win firewall?

#10 quietman7


Posted 30 April 2008 - 08:50 AM

Disconnect your pen drive and load AntiVir as your primary anti-virus on your hard drive.

The Windows XP firewall protects against port scanning but has limitations and it is no replacement for a robust 3rd-party two-way personal firewall.
  • The XP firewall is not a full featured firewall. Normal firewalls allow you to specifically control each TCP and UDP port but XP’s firewall does not provide you with this capability. Instead, it takes a point and click approach to enabling or disabling a few common ports.
  • The XP firewall does a good job of monitoring, examining and blocking inbound traffic but makes no attempt to filter or block outbound traffic like most 3rd-party personal firewalls.
  • Thus, the XP firewall does not identify which programs attempt to initiate outbound network or Internet communications nor does it block the traffic when suspicious activity occurs.
    • This feature can be helpful in preventing many types of malware attacks that may attempt to open ports or communicate with outside servers without the user's knowledge or consent. It also means that if your system has been compromised, a hacker could use your machine as part of a distributed denial of service attack.
  • By default, Windows Firewall rejects all incoming traffic unless that traffic is in response to a previous outgoing request. If you're running Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default. If your Firewall is not turned on by default, then you're using an unpatched OS and need to update your system to SP2.
How to turn on or turn off the firewall in Windows XP

#11 LovingYou


Posted 19 October 2009 - 11:57 PM

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature and keep autorun.inf from executing automatically.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable", install it on your USB Flash Drive, update its definition files and perform a scan. Also scan the files you backed up to CD.


Hi! Thanks for this one.. But I have a problem.. After I had done these steps, My drive C and D got the autorun.inf folder.. How did this happen? What should I do with it?

And lastly, my USB's folders got another folder copied with the same name but with .exe extension.. What happened to my USB and computer?

#12 quietman7


Posted 20 October 2009 - 06:59 AM

After I had done these steps, My drive C and D got the autorun.inf folder.. How did this happen? What should I do with it?

Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

LovingYou, if you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff



