AnimeSuki Forums

Old 2008-06-12, 12:10   Link #1
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Virus from USB stick o.o;

Very strange, I don't know how it got on my USB, though I'm thanking school's failing virus scan and protector for it, but on my USB stick I suddenly have these two viruses

win32/NSAnti
win32/Heur

Every time I go into my USB to open a file my AVG blares about there being a virus being dumped on my PC and removes it.
I scanned the USB stick, it gave me those two viruses and removed them, or so it said.. I plugged the USB out and back in to see if it worked but they are still there

How do I get rid of those viruses?
Reformat the USB stick, though I'd have to copy-paste all my data, but doesn't the virus get copied as well?
Old 2008-06-12, 13:18   Link #2
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
I'm not sure what information AVG gives you, but it should tell you what the name of the file is that's infected. When AVG says it found and removed the files, see what the files were called (and where they were located, if it tells you that) and make sure that they're really removed. If they're not, manually delete them.

If the files truly are gone then one possibility is that your computer is infected with those viruses. If that's the case then AVG's detections of the viruses on your USB drive would be AVG detecting the viruses as they replicate themselves. Have you run a system scan recently?
Old 2008-06-12, 15:52   Link #3
Eps~
Busy busy busy
*Graphic Designer
 
 
Join Date: Mar 2008
Location: Slovenia
Age: 26
You can also set your antivirus so that it runs at the beginning when you reset your PC and leave the USB plugged in - then it should check the USB storage device as well. Since you still won't be in Windows the virus won't be able to reproduce itself.
Old 2008-06-12, 16:44   Link #4
Generic Asian Guy
^_^
 
 
Join Date: Dec 2007
Age: 25
Press SHIFT when putting in your USB stick to bypass the autorun.inf file. Then go to Windows Explorer, enable the option to view all hidden files and folders, then right-click on Autorun.inf, Edit, then look to see the name of the malicious executable. When you have identified it, delete both the Autorun.inf and the malicious executable files from your USB stick (This is the manual way of removing the virus from your USB stick)

You may have to do this for your C drive too.
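A way to do the "look at Autorun.inf to find the executable" step without opening anything on the stick, as an added example (my code, not from any poster): a small Python triage script that reads an autorun.inf and lists every directive Windows would execute, so the file to delete alongside the inf is named before anything runs. The autorun.inf content is a constructed sample, not the one from the thread.

```python
"""Read an autorun.inf from a USB stick and list what it would launch, without running it."""
import re

# Directives whose value is a command line Windows executes on insert / double-click.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command lines hijack the context-menu verbs (Open, Explore, ...).
SHELL_CMD_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")

# Constructed sample modelled on a typical USB dropper; not the file from the thread.
SAMPLE_AUTORUN = r"""[AutoRun]
; odd casing, quoting and junk lines are common, so the parser must not be picky
open=RECYCLER\update.exe
Shell\Open\Command="RECYCLER\update.exe" /s
shell\explore\command=RECYCLER\update.exe e
ShellExecute=RECYCLER\update.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section; keys are lowercased.

    Hand-rolled instead of configparser because droppers pad the file with junk
    before the section header, which makes configparser raise."""
    entries, in_autorun = [], False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep:
            entries.append((key.strip().lower(), value.strip()))
    return entries


def _executable(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def execution_targets(entries):
    """All (directive, executable) pairs that Autorun or Explorer would launch."""
    return [(key, _executable(value)) for key, value in entries
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key)]


def triage(text):
    """Summarise an autorun.inf: what runs, which files to delete with the inf, and
    the cosmetic tricks (default verb, drive icon) used to make it look harmless."""
    entries = parse_autorun(text)
    targets = execution_targets(entries)
    return {
        "targets": targets,
        "files_to_remove": sorted({exe.lower() for _, exe in targets if exe}),
        "default_verb": next((v for k, v in entries if k == "shell"), None),
        "icon": next((v for k, v in entries if k == "icon"), None),
    }
```

Calling `triage()` on the sample names one file, `RECYCLER\update.exe`, behind all four launch directives; that file plus the inf is what the manual clean-up above removes.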
Old 2008-06-13, 00:07   Link #5
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 37
I hardened my USB sticks (and all types of flash memory) by throwing in a folder that's named AUTORUN.INF with +S +H +R attributes.

My workstation has also been modified not to use AUTORUN.INF by tweaking the user policy settings. If you're using XP Professional on your home system, I'd say

1.) Start > Run > GPEDIT.MSC then
2.) Go down this tree: Local Computer Policy > Computer Configuration > Administrative Template > System > Turn off Autoplay
3.) At that point, double click on Turn off Autoplay
4.) Then set it to Enabled before Turn off Autoplay on (All Drives)
5.) Now go to this tree: Local Computer Policy > User Configuration > Administrative Template > System > Turn off Autoplay
6.) Double click on Turn off Autoplay
7.) Then set it to Enabled before Turn off Autoplay on (All Drives)
8.) Close the Policy Settings window, then reboot.

One more thing: I think it's high time to tell your school's system administrator to start cleaning up their machines before installing AVG8 Free or any antivirus software, before lecturing everyone on how to keep their USB sticks secured, and be wary of downloading everything from the Internet, especially those so-called screensavers and slideshows made by those script kiddies.
Old 2008-06-13, 00:16   Link #6
nines
I much prefer the 2d
 
 
Join Date: Dec 2007
Location: Frontier
Age: 21
Ah, I got a similar problem. It doesn't have to do with the USB, but I got 2 viruses that pop up, one that contains like 3 viruses and another 1, and when my Spybot finds it and I press clean it says it's cleaned, then I go back and rescan and it's still there. Still keeping my comp virus-owned. Sorry to steal thunder, but if anyone knows how to fix it, it's called Virtumonde and it's keeping my screen so it just shows my background and nothing else on it. Before it kept flashing between background and background fixer but I fixed that and now it's still, and still here. So I gotta open everything through ctrl+alt+delete x.x
Old 2008-06-13, 00:21   Link #7
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 37
Quote:
Originally Posted by nines View Post
Ah, I got a similar problem. It doesn't have to do with the USB, but I got 2 viruses that pop up, one that contains like 3 viruses and another 1, and when my Spybot finds it and I press clean it says it's cleaned, then I go back and rescan and it's still there. Still keeping my comp virus-owned. Sorry to steal thunder, but if anyone knows how to fix it, it's called Virtumonde and it's keeping my screen so it just shows my background and nothing else on it. Before it kept flashing between background and background fixer but I fixed that and now it's still, and still here. So I gotta open everything through ctrl+alt+delete x.x
It's manual removal all the way: that tough French sucker had to be removed by rebooting to Safe Mode (command line only), hunting down the files as specified by the antivirus utility, then deleting them. Furthermore, you may have to get Rootkit Revealer to weed out what's left of the sucker.

Other utilities such as Spybot and vUndofix (not really sure about this one) can attempt to kill it.

Oh, yes, I also googled for some removal instructions and other info:
http://www.bleepingcomputer.com/forums/topic18610.html
http://forums.majorgeeks.com/showthread.php?p=1167068
http://forums.techguy.org/malware-re...irtumonde.html
http://www.dslreports.com/faq/13619

Last edited by sa547; 2008-06-13 at 00:31.
Old 2008-06-13, 00:24   Link #8
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by Ledgem View Post
I'm not sure what information AVG gives you, but it should tell you what the name of the file is that's infected. When AVG says it found and removed the files, see what the files were called (and where they were located, if it tells you that) and make sure that they're really removed. If they're not, manually delete them.

If the files truly are gone then one possibility is that your computer is infected with those viruses. If that's the case then AVG's detections of the viruses on your USB drive would be AVG detecting the viruses as they replicate themselves. Have you run a system scan recently?
You were right, I did a full system scan >.< 3 hours later lol, but it found those two viruses in my registry as well. They have been removed and now my USB isn't acting fishy any longer, I guess the files on my hard disk triggered it all.
This afternoon I'm going to run one more full system scan to see if anything has returned, but I don't think this is the case, but you'll never know until you peek =3

Thanks for the responses, glad I didn't lose all my USB data.
Cookies for all of you, and Nines, no problem =3 a virus gives the right to steal thunder, specially with my problem solved XD
Old 2008-06-13, 08:13   Link #9
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Okay, I just did another scan but at the bootup AVG already gave me a warning that those two viruses are still intact,
one being again the Win32/NSAnti in my Local Settings/Temp folder, and after manually deleting it it returned right back when I did another scan on the folder.
The other, which was once again the Heur virus, was back as well. I guess it's going to be safe mode and manual delete for me =<

edit: well, the Heur is gone, at least no sign of it so far in the system32 folder, now scanning my temp folder

edit2: both are now gone, manual delete proved itself worthy =3

Last edited by -KarumA-; 2008-06-13 at 10:48.
Old 2008-06-13, 11:32   Link #10
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 37
Quote:
Originally Posted by -KarumA- View Post
Okay, I just did another scan but at the bootup AVG already gave me a warning that those two viruses are still intact,
one being again the Win32/NSAnti in my Local Settings/Temp folder, and after manually deleting it it returned right back when I did another scan on the folder.
The other, which was once again the Heur virus, was back as well. I guess it's going to be safe mode and manual delete for me =<

edit: well, the Heur is gone, at least no sign of it so far in the system32 folder, now scanning my temp folder

edit2: both are now gone, manual delete proved itself worthy =3
Good job. ;D You've learned some very good antivirus kung-fu today.
Old 2008-06-13, 12:18   Link #11
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Location: Mucking about
Age: 64
Quote:
Originally Posted by soulassassin547 View Post
My workstation has also been modified not to use AUTORUN.INF by tweaking the user policy settings.
As a Linux user, I'm just a curious observer here, but this discussion made me wonder whether the autorun "feature" is still enabled by default in Vista? I'm pretty sure recent versions of IE no longer run ActiveX controls by default to prevent "drive-by" infections. Autorun is a similarly dangerous technology because it trusts any random file that's defined in AUTORUN.INF and executes it. I would hope that it's shut off entirely in Vista or at a minimum requires user confirmation before something is executed.

To me, USB sticks are a hell of a lot more dangerous vector of infection than traditional scanning targets like email, which nowadays is often scanned by ISPs before delivery, or web browsing. There's always the chance you'll download and run "video.exe" to see "Br1tn@y NOOD," but in most cases you have to choose to run the file. In contrast, autoplay is a security nightmare because the process of infection takes place invisibly.

USB sticks follow a rather promiscuous lifestyle in computing terms so their chance of becoming infected is quite high. I find the scenario that -KarumA- originally brought the virus home from school much more plausible than the reverse scenario where the virus was already on her machine from another vector. Where was AVG in all this, I ask? It obviously recognizes these viruses, so how could it let autoplay execute the file that installed them onto her computer? At a minimum a resident scanner should examine any file referenced in AUTORUN.INF and block the execution of infected ones by autorun. Isn't this why people have resident scanners?

soulassassin547 has some great advice here about how to protect a USB stick from infection and how to turn off autorun. If I were running a campus Windows network (oh, the horror!) I wouldn't let any machine use autorun.

Oh, one other question? If -KarumA- was running without Administrator privileges both at home and at school, could she have become infected through autorun? She said she found the viruses "in the registry" on her computer; could she have written to the registry if she weren't running with privileges?

Last edited by SeijiSensei; 2008-06-13 at 12:36.
Old 2008-06-13, 16:20   Link #12
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by soulassassin547 View Post
Good job. ;D You've learned some very good antivirus kung-fu today.
Kung fu failed me again.
The Heur virus is still coming back but in a different location where I couldn't get to it manually, in the C:/ System Volume something folder.
Even after removing it, after a couple of hours it pops up again in another location, together with a trojan but not always.
It is so annoying, no matter how many times AVG vaults it and deletes it, it comes back even when manually deleting it.

Here's the HijackThis file if it is any use, I've never used it before and have no idea what it does

Spoiler for hijackthisref:


btw what do you press again to get into safe mode on Windows XP, going to do a full system scan in safe mode tomorrow >.<

Last edited by -KarumA-; 2008-06-13 at 16:50. Reason: made another scan without having explorer etc. open =3
Old 2008-06-13, 17:06   Link #13
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
It's probably contained in your System Restore files, if you have System Restore enabled. System Restore can be useful, but the big pain about it appears in these situations: it'll back up infected files and it's nearly impossible to clean them out of there. I've never heard of an infection spreading from System Restore backups, but it's possible. Disabling System Restore and then trying to scan and clean it out might help.

To get into safe mode, I believe the key to press during bootup is F8.
Old 2008-06-13, 17:35   Link #14
nines
I much prefer the 2d
 
 
Join Date: Dec 2007
Location: Frontier
Age: 21
I'm running Spybot atm, I downloaded one of the Virtumonde things from this link
http://www.bleepingcomputer.com/forums/topic18610.html

Now my background still keeps flashing, it shows all my icons and bar at the bottom. Here's pics, I still got these things open but the background stuff will be there and gone and it just keeps flashing back and forth and causes major lag

Spoiler for Normal Screen:


Spoiler for Virus Screen:


and like I said it keeps flashing back and forth and deselects everything, and if I open WoW it keeps minimizing me

lol 19 viruses found, gonna rescan and see if Virtumonde is still there
Spoiler for Virus Scan Done:

Last edited by nines; 2008-06-13 at 18:20.
Old 2008-06-13, 21:38   Link #15
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 37
Quote:
Originally Posted by -KarumA- View Post
Kung fu failed me again.
The Heur virus is still coming back but in a different location where I couldn't get to it manually, in the C:/ System Volume something folder.
Even after removing it, after a couple of hours it pops up again in another location, together with a trojan but not always.
It is so annoying, no matter how many times AVG vaults it and deletes it, it comes back even when manually deleting it.

Here's the HijackThis file if it is any use, I've never used it before and have no idea what it does

Spoiler for hijackthisref:


btw what do you press again to get into safe mode on Windows XP, going to do a full system scan in safe mode tomorrow >.<
Just as Ledgem said, it's F8. Before your Windows boots up you have to press F8 in order to switch into Safe Mode.

Deciphered the HijackThis results and you have a bad guy residing in there. His name is KAVO.EXE and it's a trojan built to steal online game accounts, especially MMOGs made in China and South Korea:
http://www.sophos.com/security/analy...jlineagaw.html
http://www.symantec.com/security_res...742-99&tabid=2

Method of removal is outlined in this tab:
http://www.symantec.com/security_res...742-99&tabid=3

Just turn off System Restore before taking him out, as these pests sometimes try to reside in the SR backup files to defy deletion. To do it:

1.) Right-click on My Computer > Properties
2.) Find the System Restore tab and remove the check mark for System Restore in order to turn it off.
3.) Click on Ok

Quote:
Originally Posted by nines View Post
I'm running Spybot atm, I downloaded one of the Virtumonde things from this link
http://www.bleepingcomputer.com/forums/topic18610.html

Now my background still keeps flashing, it shows all my icons and bar at the bottom. Here's pics, I still got these things open but the background stuff will be there and gone and it just keeps flashing back and forth and causes major lag

Spoiler for Normal Screen:


Spoiler for Virus Screen:


and like I said it keeps flashing back and forth and deselects everything, and if I open WoW it keeps minimizing me

lol 19 viruses found, gonna rescan and see if Virtumonde is still there
Spoiler for Virus Scan Done:
Hmmm... which one did you run? Spybot or that vUndofix?

@Seijisensei: For some reason known only to Microsoft (and they've yet to understand that this feature is an easy target for local script kiddies out for bragging rights), they still kept AUTORUN enabled by default.

So I had this little registry adjustment I found from Nick Brown, who used this kung-fu style to add runtime restriction to AUTORUN.INF files:

Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Copy and paste the code into Notepad before saving it as "NORUN.REG" (All Files, not Text Files). Then double-click on the registry mod.

If, for some strange reason, you want Autorun back, Brown gives us a restoration skill:

Code:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
WARNING: That registry mod can only be used in Windows XP (all versions) and possibly in Windows Vista. For other problems regarding Autoplay in Vista, see Mark Russinovich's comment regarding a missing Autorun function.

Update: I'm going to check out AutoRunGuard, which is freely available.

Last edited by sa547; 2008-06-14 at 23:51.
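The "Turn off Autoplay" policy from sa547's post #5 is stored as the NoDriveTypeAutoRun value under the Policies\Explorer key, in the same .reg format as the snippets just above. As an added example (my code, not from any poster), here is a Python reader for an exported .reg that decodes that value bit by bit and reports whether USB sticks are actually covered; the export is a constructed sample in which a machine-level value wins over the user-level one and leaves removable drives enabled.

```python
"""Read NoDriveTypeAutoRun out of an exported .reg file and say which drive types it covers."""
import re

# Each bit of NoDriveTypeAutoRun disables Autorun for one Win32 drive type.
DRIVE_BITS = [
    (0x01, "unknown drive"), (0x02, "no root directory"),
    (0x04, "removable (USB stick, floppy)"), (0x08, "fixed disk"),
    (0x10, "network drive"), (0x20, "CD-ROM"), (0x40, "RAM disk"),
    (0x80, "reserved / unrecognised types"),
]
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')

# Constructed export, not from the thread: the user-level policy disables all
# drives (0xff), but a machine-level 0x91 is also present and takes precedence.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""


def parse_reg_dwords(text):
    """Minimal REGEDIT4 reader: {key_path: {value_name: int}} for dword values (other
    types are skipped) and key_path -> None for a '[-HKEY...]' key deletion, the form
    the restoration .reg above uses. Paths are lowercased; the registry ignores case."""
    keys, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].strip()
            if path.startswith("-"):
                keys[path[1:].lower()] = None
                current = None
            else:
                current = keys.setdefault(path.lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = int(m.group("hex"), 16)
    return keys


def decode(value):
    """Names of the drive types whose Autorun the value disables."""
    return [name for bit, name in DRIVE_BITS if value & bit]


def effective_autorun_policy(keys):
    """(hive, value) Explorer honours: a machine-level value overrides the user-level
    one, which is why post #5 sets the policy in both configurations."""
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        values = keys.get((hive + "\\" + POLICY_KEY).lower())
        if values and "NoDriveTypeAutoRun" in values:
            return hive, values["NoDriveTypeAutoRun"]
    return None, None


def removable_autorun_disabled(keys):
    """True only if the effective value has the removable-drive bit (0x04) set."""
    _, value = effective_autorun_policy(keys)
    return value is not None and bool(value & 0x04)
```

On the sample, `effective_autorun_policy()` picks the machine-level 0x91, which covers unknown, network and reserved types only, so `removable_autorun_disabled()` is False even though the user-level entry says 0xff.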
Old 2008-06-14, 03:58   Link #16
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by soulassassin547 View Post
Just as Ledgem said, it's F8. Before your Windows boots up you have to press F8 in order to switch into Safe Mode.

Deciphered the hijackthis results and you have a bad guy residing in there. His name is KAVO.EXE and it's a trojan built to steal off online game accounts, especially MMOGs made in China and South Korea:
http://www.sophos.com/security/analy...jlineagaw.html
http://www.symantec.com/security_res...742-99&tabid=2

Method of removal is outlined in this tab:
http://www.symantec.com/security_res...742-99&tabid=3

Just turn off System Restore before taking him out, as these pests sometimes try to reside in the SR backup files to defy deletion. To do it:

1.) Right-click on My Computer > Properties
2.) Find the System Restore tab and remove the check mark for System Restore in order to turn it off.
3.) Click on Ok

Okay, I'll follow those steps to remove the KAVO.EXE.
I scanned in safe mode this morning, no idea if it found anything because I was away when it did, it was a DOS scan by AVG that closed itself down automatically after finishing. I checked the registry and saw Kavo in the list and am now working to get rid of it =3

One question from the removal in the registry, step 5:

Restore the registry entries to the following registry subkeys to their previous values, if required:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun"

Haven't checked yet if they are there or deleted, but how do I restore them?
I made a backup of my registry.

edit: removed Kavo.exe from the registry, the other files are still there so no restore needed, but still, how do you restore a missing reg piece?
Just curious and in case something like that does happen.

btw is it safe to turn on System Restore again after deleting Kavo? and ofc after the system scan
No sign of win32/heur so far
Old 2008-06-14, 05:04   Link #17
Eps~
Busy busy busy
*Graphic Designer
 
 
Join Date: Mar 2008
Location: Slovenia
Age: 26
Probably the easiest way of restoring the registry is to just click on the registry file (value) and go to File > Export. And if anything goes wrong, just re-import them since they already have a determined path.

And yes, it's safe to turn on restore if there aren't any traces of viruses left.
Old 2008-06-14, 06:27   Link #18
demonix
Senior Member
 
 
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 34
On the HijackThis log I suggest you go back in and fix the following entry.

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

I ran the log through an analysis site and it flagged that one up as a nasty, plus I googled the file itself and all it came up with was links to remove it.
Old 2008-06-14, 11:09   Link #19
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by demonix View Post
On the HijackThis log I suggest you go back in and fix the following entry.

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

I ran the log through an analysis site and it flagged that one up as a nasty, plus I googled the file itself and all it came up with was links to remove it.
thank you for that, everything is gone now and no virus alerts at all either =3 cookies for you
Old 2008-06-14, 22:45   Link #20
Claies
Good-Natured Asshole.
 
 
Join Date: May 2007
Age: 24
Quote:
Originally Posted by demonix View Post
On the HijackThis log I suggest you go back in and fix the following entry.

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

I ran the log through an analysis site and it flagged that one up as a nasty, plus I googled the file itself and all it came up with was links to remove it.
For the record, what's this HijackThis analysis site? Is it automatic (I hope so) or is there a community reading this for you?
Tags
usb, virus, win32heur, win32nsanti
