
Which AV best for Real-time protection against USB drives?


5 replies to this topic

#1 vladmir21


Posted 09 May 2009 - 09:24 PM

I have just finished removing a total of 29 viruses/trojans from a friend's laptop; it's taken me about 4 hours to do that.
The laptop is completely clean for now.

I have run a boot scan using Avast (found 21 trojans).
Then Webroot Spy Sweeper (found only 'spy cookies')
Then Ad Aware (found nothing)
Then Avira (found 9 trojans)
Then ran Malwarebytes antimalware, and a few assorted programs.

In the HJT log I noticed that 1 virus still remained, called sdra64.exe.
Neither Avast, nor AVG, nor Avira could remove it.
Finally, using the solution below, I was able to kill it.
»mrmusicmaker.blogspot.com/2009/0···for.html

All these infections were the direct result of using infected USB drives.
The thing that worries me is that I had advised him to install 'USB Disk Security'
»www.zbshareware.com/
which creates an AUTORUN.INF folder on all your drives, including your USB drive.
I don't know if one of the trojans actually deleted this folder, and then installed its own malicious autorun.inf folder.
I didn't know they could do that! (if that is what happened)

Another thing is that the original AUTORUN.INF folders still were present in the C, D and E drives, so they weren't deleted.
I wonder how the one in the USB stick got deleted.
Anyway, one of the interesting things was that the virus would make a .exe using the same name as the parent folder!
So, if I have a folder named 'Stuff', then in this folder would be another folder named Stuff.exe.

Anyway, it's all removed now, everything is clean.
I checked and double checked.

So, my question is, specifically for immediate real-time detection of autorun viruses in USB, which antivirus application is the best?
(I'm asking because I myself don't use any antivirus software on my home computers. I practice safe hex, which is why I never get infected, but that's another story.)


 


#2 Someones


Posted 09 May 2009 - 10:32 PM

Disable Autorun. You can download a registry script to do that here.

#3 vladmir21


Posted 09 May 2009 - 10:58 PM

> Disable Autorun. You can download a registry script to do that here.

Hi Someones, I have already added Nick Brown's .reg entry to the registry; it's one of the first things I do.
What I am looking for, however, is an application that has the best detection/shield against an inserted infected USB stick.
Which is the best AV that will hold its ground, isolate it, and delete successfully?

#4 vladmir21


Posted 13 May 2009 - 07:18 AM

OK, but I would still appreciate your opinion, so can I have it pls?!

Edited by vladmir21, 13 May 2009 - 07:19 AM.


#5 quietman7



  • Global Moderator

Posted 13 May 2009 - 09:58 AM

Autorun.inf is a text-based configuration file that provides instructions for the autorun feature and contains instructions for the operating system. Essentially it tells the operating system which executable to start, which icon to use, and which additional menu commands to make available. When a computer detects a removable device, it searches for the autorun.inf file for further instructions and writes the values in the MountPoints2 registry key. This registry key holds cached information on every device ever connected to the computer.

Flash (USB, pen, thumb, jump) drive infections usually involve malware that modifies and loads an autorun.inf (configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. In USB drives, it modifies Windows Explorer's right-click context menu and redirects to executing the malicious file if the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Microsoft Security Advisory (967940): Update for Windows Autorun
How can I prevent users from connecting to a USB storage device?

Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

#6 vladmir21


Posted 18 May 2009 - 12:32 AM

Thanks for the reply.
Of course, if you already have autorun.inf folders in your drives, through using 'USB Disk Security' software,
then the Panda vaccine will tell you you are already vaccinated.
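
An added example, not part of any post in this thread: a Python check that audits a drive root for the three things discussed above, namely launch keys in an autorun.inf file (post #5), whether the AUTORUN.INF placeholder folder is still in place, and entries named after their parent folder (post #1). The sample layout and the names demo.exe, demo.ico and Stuff are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: [autorun] keys of the kind described in post #5.
SAMPLE_INF = r"""[autorun]
open=demo.exe
icon=demo.ico
shell\open\command=demo.exe
"""

def audit_inf(path):
    """Flag [autorun] keys that launch a program on insert or from the menu."""
    findings, section = [], None
    text = path.read_bytes().decode("latin-1")  # tolerate junk padding bytes
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if re.fullmatch(r"open|shellexecute|shell\\.+\\command", key, re.I):
                findings.append(("warn", f"{key} launches {value}"))
    return findings or [("info", "autorun.inf has no launch commands")]

def audit_drive_root(root):
    """Return (severity, message) findings for one drive root (a Path)."""
    entry = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if entry is None:
        findings = [("info", "no autorun.inf present")]
    elif entry.is_dir():
        findings = [("info", "autorun.inf is a folder (placeholder intact)")]
    else:
        findings = audit_inf(entry)
    for p in root.rglob("*"):  # entries named <parent folder>.exe, e.g. Stuff/Stuff.exe
        if p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower():
            findings.append(("warn", f"named after its folder: {p.relative_to(root)}"))
    return findings

def demo(placeholder=False):  # builds a constructed drive layout in a temp dir
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        inf = root / "autorun.inf"
        inf.mkdir() if placeholder else inf.write_text(SAMPLE_INF)
        (root / "Stuff").mkdir()
        (root / "Stuff" / "Stuff.exe").write_bytes(b"")
        return audit_drive_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit_drive_root` at a mounted drive's root (for example `Path("E:/")`) to run the same checks on real media; it only reads the directory tree and never executes anything it finds.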



