USB hidden file-GICAN/Prasican, autorun


3 replies to this topic

#1 DAngel

Posted 24 September 2010 - 09:43 PM

Recently I've been having issues with my USBs. Whenever I plug them into a computer the image of the USB isn't a HD image but a file image, and I can never double click, right click explore or even autoplay (nothing happens) - I always have to wait for the window to pop up on its own and that takes 5 mins.

I brought my USB into uni and I see either of two things: a hidden file by the name of GICAN (and within it something called Prasican.exe) or an autorun file that was not there before. I can delete the GICAN file but I can't delete the autorun file. Also I can never safely remove the USB as the computer says something is utilising the USB.

I think these two things are my problems because when I re-format my USBs they become normal but once I plug them back into my laptop or my desktop, the next time I bring it into uni I get the same problems all over again (sometimes even with the virus alert). I've tried using Malwarebytes but it doesn't seem to detect it. I googled prasican and it's some kind of Russian virus. What can I use to remove it?

Thanks!

#2 boopme

Posted 25 September 2010 - 10:23 AM

Hello, I believe they are malware and of the autorun type. Probably transferred via USB to any machine it touched.
Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



If this is XP/Vista
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
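
An added example, not part of the original posts and not Flash_Disinfector's own code: a read-only Python check of a drive root that tells apart the three autorun.inf states discussed in this thread (absent, a file with launch commands, or the protective folder). The sample autorun.inf content and the names `launch_commands` and `triage_drive_root` are assumptions made for illustration.

```python
import os

# Constructed sample autorun.inf for illustration (not taken from the thread).
SAMPLE = """[autorun]
open=sample.exe
shell\\open\\command=sample.exe
icon=folder.ico
stray line with no key
"""

def launch_commands(text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line or line.startswith(";"):
            continue  # other sections, comments and filler lines
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= / shellexecute= run on insert; shell\<verb>\command= adds a menu entry
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def triage_drive_root(root):
    """Report whether <root>/autorun.inf is absent, a folder, or a launching file."""
    names = {entry.lower(): entry for entry in os.listdir(root)}
    report = {"state": "absent", "commands": [], "targets_present": []}
    if "autorun.inf" not in names:
        return report
    path = os.path.join(root, names["autorun.inf"])
    if os.path.isdir(path):
        report["state"] = "folder"  # a folder of this name blocks an autorun.inf file
        return report
    report["state"] = "file"
    with open(path, encoding="latin-1") as fh:
        report["commands"] = launch_commands(fh.read())
    for _, command in report["commands"]:
        parts = command.split()  # simplification: first token is a root-level program
        target = parts[0].strip('"').lower() if parts else ""
        if target in names and names[target] not in report["targets_present"]:
            report["targets_present"].append(names[target])
    return report
```

A `file` state with non-empty `commands` is the case worth submitting to a multi-engine scanner as described above; `folder` is what a drive looks like after the vaccination step.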

#3 DAngel

Posted 25 September 2010 - 08:59 PM

Hi,

For some reason the USB #1 that I have now doesn't have the GICAN file; my other USB (#2) has it but I won't get my hands back on it till Monday (I'll post another reply then). But below are the results of USB #1:

autorun.inf
avast! --- VBS:Malware-gen
GDATA --- VBS:Malware-gen
SOPHOS--- Mal/AutoInf-A

kolonija.exe
bitdefender ---Gen:Variant.Kazy.788
F-Secure ---Gen:Variant.Kazy.788
Dr.Web ---Trojan.Packed.21005
GDATA ---Gen:Variant.Kazy.788
NOD32 ---Win32/Kryptik.GXU


I've run Flash Disinfector and I now see the file created by the program. The problem is I had to reformat the drive before I could run the program, 'cause the program didn't have any effect prior to reformatting the drive (what happens is the same thing as before: after running flash, the USB just won't open, it pops up in a few mins and I still see the old autorun and kolonija files).

Does that mean these files are in my laptop and they'll continue to infect any USBs that I plug in?

#4 boopme

Posted 26 September 2010 - 12:47 PM

Yes, you will need to run FD on any PC that infected USB was plugged into.

  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: