
Trojan Horse & Downloader viruses on Flash Drive


42 replies to this topic

#1 rabidrun

rabidrun

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:07:55 AM

Posted 27 February 2009 - 01:23 AM

good morning, folks. this is my first time posting on your website. tonight Norton's virus history identified a Trojan Horse virus on the F drive (flash drive) located at F:\Autorun.inf while working on my old timey Compaq computer w/ MS Windows XP SP2.

I downloaded program flashdisinfector.exe, & inserted both flash drives when prompted by program. I shut down the PC, brought it back up, & then did a manual scan of E & F drives & got a message that I now have a Downloader virus w/ file name: autorun.exe located on F:\RECYCLER/RECYCLER\ & that Norton had quarantined it. Did I get Downloader virus from downloading flashdisinfector?

So I tried to run flashdisinfector program again & this time I pressed SHIFT when I inserted flash drives when prompted but the desktop icons never returned to the screen after about 25 minutes. I shut down system & when I started it back up it told me I was not protected by a firewall. I went into the control panel, windows firewall & saw that "on" was checked, so I'm not sure why i was told firewall was off. is there another firewall i need to check if enabled?

I desperately need to free up more space on my hard drive & was on the pc tonight trying to figure out which programs & files can be deleted. Can you recommend the bleepingcomputer forum that can help me identify which programs I really don't need (Genuine Check, Shockwave, VBA, Enuphon...?)?

This is the first time my flash drive & possibly computer have been infected, & it has me very scared. any advice how to remove them much appreciated.


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:55 AM

Posted 27 February 2009 - 09:15 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 rabidrun


Posted 27 February 2009 - 01:15 PM

DaChew/Bleeping Computer staff,
1) can you tell me what size ATF Cleaner & Malwarebytes are, as I only have 440 MB free space on c drive after running disk cleanup, defrag, CCleaner, & deleting a number of programs under add/remove programs. I may have to delete more programs before i can download & run those 2 programs but first need to find out what else can be deleted (for example can I delete WexTech AnswerWorks, VBA, WAP11 USB, Shockwave, WebFldrs XP, Easy Access Keyboard, Readiris, Adaptec, Enuphon, Vista Utils, NACNR, QMGR, Genuine Check, Sun, mmkeybd, SafeCast Shared Components, Quicktime, PeoplePC:PeoplePal Toolbar 6.5, Microsoft Windows Journal Viewer, AnswerWorks 4.0 Runtime - English, directx, etc?)

I have Compaq computer w/ MS Windows XP SP2 Intel Pentium III processor, 498 MHz, 256 MB of RAM. I use computer for little except running TurboTax, sending & reading emails in hotmail, using IE & Mozilla internet, & editing Word & Excel documents. I have dial up internet with peoplepc. If this info helps in what I can remove above to clear up space or if you can direct me to another forum that can help me today on this issue.

2) for your instructions below for ATF cleaner, can you also tell me what I need to do for IE?

3) can you tell me if I got Downloader virus from downloading flashdisinfector program?

4) I shut down system after running flashdisinfector.exe program, & after I set a new restore point, & when I started it back up it told me I was not protected by a firewall. I went into the control panel, windows firewall & saw that "on" was checked, so I'm not sure why i was told firewall was off. is there another firewall i need to check if enabled?

thank you so much!

#4 DaChew


Posted 27 February 2009 - 01:42 PM

Did I get Downloader virus from downloading flashdisinfector?


No, make sure you always use links from trusted sources tho

Go to display in control panel then the screen saver tab in display properties

Next click on the power button on the bottom and then the hibernate tab

If you can do without this feature and have a desktop not a laptop, I would suggest unchecking it.

That will save 200+ megs of space

Next let's get rid of those old restore points

Go to Start > Run and type: Cleanmgr
Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" tab, then click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.

MBAM and ATFCleaner are small programs

#5 rabidrun


Posted 27 February 2009 - 02:05 PM

Thank you DaChew. I removed old restore points when I set a new restore point in wee hours earlier today.

1) i read a couple of places to never install more than 1 antivirus scanner on your system to avoid problems. Will downloading & running ATF cleaner, then immediately downloading & running Malwarebytes create problems for my system currently running Norton antivirus?

2) for your instructions below for ATF cleaner, can you also tell me what I need to do for IE?

3) I shut down system after running flashdisinfector.exe program, & after I set a new restore point, & when I started it back up it told me I was not protected by a firewall. I went into the control panel, windows firewall & saw that "on" was checked, so I'm not sure why i was told firewall was off. is there another firewall i need to check if enabled?

4) can you tell me which of the following programs i could probably delete to create space to download ATF cleaner &/or Malwarebytes, or can you direct me to a forum that can help me with this today? WexTech AnswerWorks, VBA, WAP11 USB, Shockwave, WebFldrs XP, Easy Access Keyboard, Readiris, Adaptec, Enuphon, Vista Utils, NACNR, QMGR, Genuine Check, Sun, mmkeybd, SafeCast Shared Components, Quicktime, PeoplePC:PeoplePal Toolbar 6.5, Microsoft Windows Journal Viewer, AnswerWorks 4.0 Runtime - English, directx, etc?

Thanks!

#6 DaChew


Posted 27 February 2009 - 02:14 PM

1) i read a couple of places to never install more than 1 antivirus scanner on your system to avoid problems. Will downloading & running ATF cleaner , then immediately downloading & running Malwarebytes create problems for my system currently running Norton antivirus?


they are not resident AV programs, please run them now

Let's focus on the infection first

#7 rabidrun


Posted 27 February 2009 - 11:29 PM

Thanks DaChew, I downloaded ATF Cleaner & Malwarebytes. Malwarebytes found 2 malware & removed them:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

After running above 2 programs, I did a disk clean up, set a new restore point, & removed hibernate from screen saver. Thanks for the suggestions.

I read that it is best to hold down SHIFT key whenever plugging in a flash drive. Does this help with stopping autorun feature?

There is a message on my pc that an update of Java is available. I don't think i have room on harddrive to update Java.

Does older version of CCleaner on my computer duplicate what ATF Cleaner does? Should I remove it?

I think I messed up while downloading & running above 2 programs because I plugged infected flash drive & other flash drive into the computer, & then removed them, probably when programs were downloading. Would this have messed up integrity of either program downloading or running, or my computer?

I need the folders & documents on 3 flash drives, 1 of which flashdisinfector program said had 2 viruses, Downloader & Trojan Horse. What is next step that will enable me to open documents in 3 flash drives? I also need to move documents from infected flash drive to a 4th flash drive. How do I do all of this safely?

Thanks so much for your help!!!!!!!!!!!!!!!!!!!!

#8 DaChew


Posted 27 February 2009 - 11:47 PM

I read that it is best to hold down SHIFT key whenever plugging in a flash drive. Does this help with stopping autorun feature?


That should be your mandatory procedure until this infection is cleared off every drive

It's in this guide


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Run a virus scan with your antivirus on each usb drive
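The mechanism DaChew's guide is defending against, and the folder trick he describes Flash_Disinfector using, as an added example in Python. This is not Flash_Disinfector's code and is not part of the thread: it parses an autorun.inf found in a drive root and lists the programs it would launch (the open=, shellexecute= and shell\verb\command= keys), then vaccinates a clean drive root with a directory named autorun.inf and confirms that a file of that name can no longer be written there. The sample autorun.inf and the empty RECYCLER\autorun.exe placeholder are constructed for the demo, modelled only on the location rabidrun's Norton reported; the hidden/system attributes are applied only when run on Windows.

```python
"""Added example for this thread (not Flash_Disinfector's code): inspect a
drive root for autorun.inf, list what it would launch, and apply the
"folder named autorun.inf" vaccination DaChew describes.  All paths and
the sample autorun.inf below are constructed for the demo."""
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section that cause a
    program to run: open=, shellexecute= and shell\\<verb>\\command=."""
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append((key, value))
    return commands


def command_target(value):
    """Pull the program path out of a command value such as
    'RECYCLER\\autorun.exe -a' or '"setup.exe" /s'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def inspect_drive(root):
    """Classify <root>/autorun.inf: absent, a vaccination folder, or a real
    file (with the programs it points at and whether they exist on the drive)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "none"}
    if os.path.isdir(path):
        return {"state": "vaccinated"}
    with open(path, "r", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    launches = []
    for key, value in commands:
        target = command_target(value)
        on_disk = os.path.join(root, *target.split("\\"))  # drive-relative path
        launches.append({"key": key, "target": target, "present": os.path.isfile(on_disk)})
    return {"state": "file", "launches": launches}


def vaccinate(root):
    """Create a folder named autorun.inf so a file of that name cannot be
    written to the drive root.  Returns True if the folder was created."""
    path = os.path.join(root, "autorun.inf")
    if os.path.lexists(path):
        return False  # something is already there; inspect it first
    os.mkdir(path)
    if os.name == "nt":  # hidden + system, as the post describes (Windows only)
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x02 | 0x04)
    return True


# Constructed sample, modelled on the F:\RECYCLER\autorun.exe report in this thread.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "; constructed sample for the demo\n"
    "open=RECYCLER\\autorun.exe -a\n"
    "shell\\open\\Command=RECYCLER\\autorun.exe -a\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)


def demo():
    """Stage one 'infected' and one clean drive root in temp dirs and run both
    checks.  Returns (report_before, folder_created, report_after, write_blocked)."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        os.mkdir(os.path.join(infected, "RECYCLER"))
        # empty placeholder standing in for the file Norton flagged; not a real sample
        open(os.path.join(infected, "RECYCLER", "autorun.exe"), "wb").close()
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        before = inspect_drive(infected)

        created = vaccinate(clean)
        after = inspect_drive(clean)
        try:
            with open(os.path.join(clean, "autorun.inf"), "w"):
                pass
            blocked = False
        except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
            blocked = True
    return before, created, after, blocked


if __name__ == "__main__":
    before, created, after, blocked = demo()
    for entry in before["launches"]:
        print(f"{entry['key']} -> {entry['target']} (present: {entry['present']})")
    print("vaccinated:", created, after["state"], "file write blocked:", blocked)
```

The inspection step is what a scanner like Norton's "autorun.inf on F:" detection boils down to: the .inf itself is harmless text, so the interesting finding is the executable it names and whether that file is actually sitting on the stick. The vaccination relies on the filesystem refusing to create a file where a directory of the same name exists, which is why the note in DaChew's post says not to delete that folder.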

#9 rabidrun


Posted 28 February 2009 - 01:22 PM

Thank you DaChew! I am downloading flash disinfector from your hotlink, & will run a virus scan on each usb drive----assume you mean running my norton antivirus?

if no virus is detected on c drive or any of flash drives, is it safe to open flash drives/thumb drives, edit documents in them, & move these documents to a 4th flash drive?

one last question, my c drive free space dived from 574 to 91 mb after i logged on today for no apparent reason. similar thing happened yesterday & i ran disk cleaner & free space came back. does this sound like a trojan horse or other virus at work?

thanks again for all your help!

#10 rabidrun


Posted 28 February 2009 - 01:44 PM

DaChew, I tried to download flash disinfector from your hotlink but got 2 error messages: some files could not be created. please close all applications, reboot windows & restart installation. & when i closed those messages i got messages: Win Rar self-extracting archive cannot create flash_disinfector.cmd. there was also a third message: if you have a flash drive please plug it in the machine...

is the problem that i don't have enough free space on hard drive to download flash disinfector? why did my hard drive space reduce from 686 mb when i logged off last night to 574 mb when i logged on today, to 91.3 when i logged on 2nd time today? what is eating up my hard drive?

i did notice today when i went to start up pc that it was still on even though i told it to shut down last night. there was end program message, something about peoplepc having problems. help!

#11 rabidrun


Posted 28 February 2009 - 01:52 PM

DaChew/Bleeping Computer Staff: also just noticed when I went to disconnect from peoplepc dial up internet the icon was no longer on the bottom of the toolbar even though I was still connected by phone line (icon is always on the bottom toolbar until i disconnect). any suggestions how i disconnect from peoplepc, why my hard drive space keeps vanishing, & if trojan horse or other virus is interfering w/ this computer? thanks

#12 DaChew


Posted 28 February 2009 - 03:31 PM

Disk cleanup should show what it's clearing

Run another quick scan with MBAM and post the whole log

#13 rabidrun


Posted 28 February 2009 - 06:38 PM

DaChew, I ran malwarebytes & here is entire log as requested (I was connected to peoplepc internet at time i ran scan):

Malwarebytes' Anti-Malware 1.34
Database version: 1811
Windows 5.1.2600 Service Pack 2

2/28/2009 6:10:02 PM
mbam-log-2009-02-28 (18-10-02).txt

Scan type: Quick Scan
Objects scanned: 67833
Time elapsed: 30 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

i tried to download flash disinfector.exe from your hotlink & it said i had it & it looks like it was downloaded 3 times on my desktop. I want to remove all of them right now & download a clean version because earlier today when i tried to download it i got 2 error messages: some files could not be created; please close all applications, reboot windows & restart this installation; Win Rar self-extracting archive cannot create flash_disinfector.cmd. WHY DOESN'T FLASH DISINFECTOR SHOW UP UNDER "ADD OR REMOVE PROGRAMS" IN CONTROL PANEL? HOW DO I REMOVE 3 VERSIONS OF PROGRAM? DO YOU SEE ANY COMPLICATIONS IF I REMOVE ALL 3 VERSIONS OF FLASH DISINFECTOR.EXE FROM MY DESKTOP & THEN DOWNLOAD IT? THANKS!!!!!!!!!!!!!!!!!!!!!

#14 DaChew


Posted 28 February 2009 - 06:59 PM

Flashdisinfector is a standalone executable, it doesn't install

#15 rabidrun


Posted 28 February 2009 - 07:08 PM

Thanks DaChew, so there should be no complications if i delete 3 versions of flash disinfector by deleting the folders/files on my c drive? i would then reinstall to try to get a clean version w/ no error messages.

any other things i can do that can free up some disk space on the hard drive? what about removing some of the following:
WexTech AnswerWorks, VBA, WAP11 USB, Shockwave, WebFldrs XP, Easy Access Keyboard, Readiris, Adaptec, Enuphon, Vista Utils, NACNR, QMGR, Genuine Check, Sun, mmkeybd, SafeCast Shared Components, Quicktime, PeoplePC:PeoplePal Toolbar 6.5, Microsoft Windows Journal Viewer, AnswerWorks 4.0 Runtime - English, directx, etc?

thanks



