
My Flash Drives Are Infected


6 replies to this topic

#1 kjay58

kjay58

  • Members
  • 6 posts
  • Location:Inverness, FL

Posted 02 September 2008 - 08:08 PM

We had a pretty nasty case of Antivirus XP 2008 on a couple machines at the school where I work, so the tech guy and I decided to reimage those machines. Simple enough. Of course, I needed to offload some files onto a flash drive before reformatting. When I popped the drive into one of my machines at home, my Symantec Antivirus starts finding things and Antivirus XP 2008 has returned to haunt me. It was then that I noticed a little hidden file called System.exe lurking on the drive. I've never really encountered viral problems like this, so I checked two of my other thumb drives to see if they also had this file, and watched as the little bugger appeared. As I yanked out the drive before any other damage could be done, Symantec caught something called "Hacktool.Rootkit" and a few other bad files. So, in my ignorance, I've infected my thumb drives, and I miss them.

I found and joined this site and followed the directions to clean things before submitting a Hijack This log, and seem to have my computer running pretty close to normal again (and now with firewall protection). I'll finish with that in a different posting (it's not my main machine). I'd really like to have my thumb drives back, so I would appreciate some instructions on how to accomplish this without re-infecting either of my computers.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 September 2008 - 08:37 PM

Hello and welcome. Please follow quietman's instructions for Flash Disinfector here in post #2.
Let us know how it goes.
http://www.bleepingcomputer.com/forums/ind...ash+disinfector

#3 kjay58

kjay58
  • Topic Starter

  • Members
  • 6 posts
  • Location:Inverness, FL

Posted 03 September 2008 - 09:01 AM

Thanks. So far, I tried the first part of the directions (Flash Deflector and that Clam thingy), but that didn't work. I'll keep trying the other things...

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 September 2008 - 10:03 AM

I went through this last spring. I should have known better and not infected my drive and computer. After I had cleaned the malware from my computer (hint: you need a clean computer), I then used sUBs' disinfector to immunize my hard drives.

I then formatted the USB flash drive (slow/FAT32) and then immunized it.
Chewy

#5 kjay58

kjay58
  • Topic Starter

  • Members
  • 6 posts
  • Location:Inverness, FL

Posted 03 September 2008 - 01:54 PM

I do feel like such a bonehead. I infected 4 of these drives before I figured out what was going on. However, I followed the directions for using Dr.Web CureIt and the drives are back to normal. The program found something called Win32.HLLW.Autoruner.2634 and Win32.HLLW.Autoruner.2630 and zapped them. What did you do to immunize the flash drives?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 September 2008 - 02:36 PM

Flash_Disinfector.exe creates a hidden folder named autorun.inf in each partition and on every external drive connected, which helps protect all drives from future infection.

Flash (usb, pen, thumb, jump) drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

"Autorun" is the feature built into Windows that automatically runs a program specified by an "autorun.inf" file whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use the Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
If needed, see "Disable Autorun/AutoPlay in XP with Tweak UI" for instructions with screenshots.

Note 1: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun, so be careful.

Note 2: Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, usb/flash drive or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can also be accessed via the program you normally use it with such as music CDs accessed via Media Player, blank CDs via burning software, image handling software provided with the camera, etc. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.

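The two defensive ideas in this thread, reading what an autorun.inf on a drive root would launch and pre-empting it with a folder of the same name, can be checked from a script. The following is an added example written for this page, not Flash_Disinfector.exe or any BleepingComputer tool; the autorun.inf sample it uses is constructed to mirror the System.exe dropper described above, and the hidden/read-only attribute that the real tool sets on the folder is left out so the code runs on any operating system.

```python
"""Inspect a removable-drive root for autorun.inf abuse and apply the
folder-based 'immunization' described in the thread.  Example code written
for this page; it is not Flash_Disinfector or any BleepingComputer tool."""
import re
from pathlib import Path

# [autorun] keys that make Windows launch something on insertion, plus the
# 'shell\<verb>\command' entries that a double-click on the drive runs
# (the reason Note 1 above says disabling Autorun is not enough by itself).
_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return {key: value} from the [autorun] section of autorun.inf text.

    Deliberately tolerant: droppers often pad the file with junk lines, odd
    casing and quoted values, so a strict INI parser could miss the entry.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries: dict) -> list:
    """Every program the autorun.inf would hand to Windows, in file order."""
    return [v for k, v in entries.items()
            if k in _LAUNCH_KEYS or _SHELL_CMD.match(k)]


def assess_drive_root(root) -> dict:
    """Classify a drive root as 'immunized', 'autorun_present' or 'clean'."""
    root = Path(root)
    inf = root / "autorun.inf"
    if inf.is_dir():
        return {"status": "immunized", "targets": [], "present": []}
    if not inf.is_file():
        return {"status": "clean", "targets": [], "present": []}
    targets = launch_targets(parse_autorun(inf.read_text(errors="ignore")))
    # Which referenced loaders are still on the drive; a missing target means
    # the scanner already removed it or the entry is stale.
    present = [t for t in targets if (root / t.split()[0]).exists()]
    return {"status": "autorun_present", "targets": targets, "present": present}


def immunize(root) -> bool:
    """Replace (or pre-empt) autorun.inf with a folder of the same name.

    Malware that drops autorun.inf as a plain file cannot overwrite a
    directory carrying that name.  Assumption: on Windows one would also mark
    the folder hidden and read-only, as the thread's tool does; omitted here.
    Returns True when the drive root is immunized afterwards.
    """
    root = Path(root)
    inf = root / "autorun.inf"
    if inf.is_file():
        inf.unlink()  # the infected file goes first
    inf.mkdir(exist_ok=True)
    return inf.is_dir()


# Constructed sample: what an infected stick's autorun.inf typically looked like.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=System.exe\n"
    "shell\\open\\Command=\"System.exe\"\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as drive_root:
        (Path(drive_root) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (Path(drive_root) / "System.exe").write_bytes(b"MZ")  # placeholder loader
        print(assess_drive_root(drive_root))
        immunize(drive_root)
        print(assess_drive_root(drive_root))
```

Run against a mounted drive root (for example `E:\` or `/media/usb`), the first call reports every loader the file would start, and `immunize` leaves the root in the same state Flash Disinfector produces, minus the folder attributes noted in the comment.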

#7 kjay58

kjay58
  • Topic Starter

  • Members
  • 6 posts
  • Location:Inverness, FL

Posted 03 September 2008 - 03:11 PM

Thank you for the advice, quietman7. Whew! That's a lot for me to wrap my brain around. Just got home from work, so I'm going to tackle my "older" machine, which may still have some problems. I think I'd like to try running the Dr.Web CureIt on this machine because it seems to be able to locate those autorun files, and then disable the autorun feature. That's a great idea.