2008-06-12, 12:10 | Link #1 |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Virus from USB stick o.o;
Very strange, I don't know how it got on my USB, though I'm thanking the school's failing virus scanner and protector for it, but on my USB stick I suddenly have these two viruses: win32/NSAnti and win32/Heur. Every time I go into my USB to open a file my AVG blares about there being a virus being dumped on my PC and removes it. I scanned the USB stick, it gave me those two viruses and removed them, or so it said. I plugged the USB out and back in to see if it worked, but they are still there. How do I get rid of those viruses? Reformat the USB stick? Though I'd have to copy-paste all my data, but doesn't the virus get copied as well?
2008-06-12, 13:18 | Link #2 |
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
I'm not sure what information AVG gives you, but it should tell you what the name of the file is that's infected. When AVG says it found and removed the files, see what the files were called (and where they were located, if it tells you that) and make sure that they're really removed. If they're not, manually delete them.
If the files truly are gone then one possibility is that your computer is infected with those viruses. If that's the case then AVG's detections of the viruses on your USB drive would be AVG detecting the viruses as they replicate themselves. Have you run a system scan recently?
2008-06-12, 15:52 | Link #3 |
Busy busy busy
Graphic Designer
Join Date: Mar 2008
Location: Slovenia
Age: 36
|
You can also set your antivirus so that it runs at the beginning when you reset your PC, and leave the USB plugged in; then it should check the USB storage device as well. Since you still won't be in Windows, the virus won't be able to reproduce itself.
2008-06-12, 16:44 | Link #4 |
^_^
Press SHIFT when putting in your USB stick to bypass the autorun.inf file. Then go to Windows Explorer, enable the option to view all hidden files and folders, then right-click on Autorun.inf, Edit, then look to see the name of the malicious executable. When you have identified it, delete both the Autorun.inf and the malicious executable files from your USB stick. (This is the manual way of removing the virus from your USB stick.)
You may have to do this for your C drive too.
2008-06-13, 00:07 | Link #5 |
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
I hardened my USB sticks (and all types of flash memory) by throwing in a folder that's named AUTORUN.INF with +S +H +R attributes.
My workstation has also been modified not to use AUTORUN.INF by tweaking the user policy settings. If you're using XP Professional on your home system, I'd say:
1.) Start > Run > GPEDIT.MSC
2.) Go down this tree: Local Computer Policy > Computer Configuration > Administrative Template > System > Turn off Autoplay
3.) At that point, double click on Turn off Autoplay
4.) Then set it to Enabled before Turn off Autoplay on (All Drives)
5.) Now go to this tree: Local Computer Policy > User Configuration > Administrative Template > System > Turn off Autoplay
6.) Double click on Turn off Autoplay
7.) Then set it to Enabled before Turn off Autoplay on (All Drives)
8.) Close the Policy Settings window, then reboot.
One more thing: I think it's high time to tell your school's system administrator to start cleaning up their machines before installing AVG8 Free or any antivirus software, before lecturing everyone on how to keep their USB sticks secured, and to be wary of downloading everything from the Internet, especially those so-called screensavers and slideshows made by those script kiddies.
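Post #4 describes reading autorun.inf to find the executable it launches, and post #5 describes blocking the file with a folder of the same name. The script below is an added example, not code from this thread or from any poster: it parses the [autorun] section the way a scanner would and checks a drive root for the folder hardening. The sample autorun.inf, the executable names and the drive letters E and F are constructed.

```python
import os
import tempfile

def parse_autorun(text):
    """Commands the [autorun] section would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    launches, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                launches.append(value)                # icon=, label= etc. are ignored
    return launches

def executable_name(command):
    """Strip quotes and arguments from a launch command: '"x.exe" /s' -> 'x.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""

def inspect_drive_root(root):
    """Does the drive root carry post #5's AUTORUN.INF folder, or a live autorun.inf file?"""
    match = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if match is None or os.path.isdir(os.path.join(root, match)):   # nothing, or the blocking folder
        return {"hardened": match is not None, "launches": []}
    with open(os.path.join(root, match), encoding="latin-1", errors="replace") as fh:
        return {"hardened": False, "launches": [executable_name(c) for c in parse_autorun(fh.read())]}

# Constructed sample, not taken from the thread; the executable names are made up.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\hidden.exe
shell\\open\\Command="RECYCLER\\hidden.exe" /quiet
"""

def demo():
    """Two constructed drive roots in a temp dir: E with an autorun.inf file, F with the hardening folder."""
    base = tempfile.mkdtemp()
    infected, hardened = os.path.join(base, "E"), os.path.join(base, "F")
    os.makedirs(os.path.join(hardened, "AUTORUN.INF"))
    os.makedirs(infected)
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return {"E": inspect_drive_root(infected), "F": inspect_drive_root(hardened)}
```

Holding SHIFT at insertion (post #4) only skips AutoPlay once; the report from inspect_drive_root tells you which files to delete and whether the stick already carries the folder hardening.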
2008-06-13, 00:16 | Link #6 |
I much prefer the 2d
Join Date: Dec 2007
Location: Frontier
Age: 31
|
Ah, I got a similar problem. It doesn't have to do with the USB, but I got 2 viruses that pop up, one that contains like 3 viruses and another 1, and when my Spybot finds it and I press clean it says it's cleaned, then I go back and rescan and it's still there. Still keeping my comp virus-owned. Sorry to steal thunder, but if anyone knows how to fix it: it's called Virtumonde and it's keeping my screen so it just shows my background and nothing else on it. Before, it kept flashing between background and background fixer, but I fixed that and now it's still, and still here. So I gotta open everything through ctrl+alt+delete x.x
2008-06-13, 00:21 | Link #7 | |
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
Other utilities such as Spybot and vUndofix (not really sure about this one) can attempt to kill it. Oh, yes, I also googled for some removal instructions and other info: http://www.bleepingcomputer.com/forums/topic18610.html http://forums.majorgeeks.com/showthread.php?p=1167068 http://forums.techguy.org/malware-re...irtumonde.html http://www.dslreports.com/faq/13619
Last edited by sa547; 2008-06-13 at 00:31.
2008-06-13, 00:24 | Link #8 | |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
This afternoon I'm going to run one more full system scan to see if anything has returned, but I don't think this is the case; you'll never know until you peek =3 Thanks for the responses, glad I didn't lose all my USB data. Cookies for all of you, and Nines, no problem =3 A virus gives the right to steal thunder, especially with my problem solved XD
2008-06-13, 08:13 | Link #9 |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Okay, I just did another scan, but at bootup AVG already gave me a warning that those two viruses are still intact,
one being again the Win32/NSAnti in my Local Settings/Temp folder, and after manually deleting it, it returned right back when I did another scan on the folder. The other, which was once again the Heur virus, was back as well. I guess it's going to be safe mode and manual delete for me =<
edit: well, the Heur is gone, at least no sign of it so far in the system32 folder, now scanning my temp folder
edit2: both are now gone, manual delete proved itself worthy =3
Last edited by -KarumA-; 2008-06-13 at 10:48.
2008-06-13, 11:32 | Link #10 | |
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
2008-06-13, 12:18 | Link #11 | |
AS Oji-kun
Join Date: Nov 2006
Age: 74
To me, USB sticks are a hell of a lot more dangerous vector of infection than traditional scanning targets like email, which nowadays is often scanned by ISPs before delivery, or web browsing. There's always the chance you'll download and run "video.exe" to see "Br1tn@y NOOD," but in most cases you have to choose to run the file. In contrast, autoplay is a security nightmare because the process of infection takes place invisibly. USB sticks follow a rather promiscuous lifestyle in computing terms, so their chance of becoming infected is quite high. I find the scenario that -KarumA- originally brought the virus home from school much more plausible than the reverse scenario where the virus was already on her machine from another vector. Where was AVG in all this, I ask? It obviously recognizes these viruses, so how could it let autoplay execute the file that installed them onto her computer? At a minimum a resident scanner should examine any file referenced in AUTORUN.INF and block the execution of infected ones by autorun. Isn't this why people have resident scanners? soulassassin547 has some great advice here about how to protect a USB stick from infection and how to turn off autorun. If I were running a campus Windows network (oh, the horror!) I wouldn't let any machine use autorun. Oh, one other question: if -KarumA- was running without Administrator privileges both at home and at school, could she have become infected through autorun? She said she found the viruses "in the registry" on her computer; could she have written to the registry if she weren't running with privileges?
Last edited by SeijiSensei; 2008-06-13 at 12:36.
2008-06-13, 16:20 | Link #12 | |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
The Heur virus is still coming back, but in a different location where I couldn't get to it manually, in the C:/ System Volume something folder. Even after removing it, after a couple of hours it pops up again in another location, together with a trojan, but not always. It is so annoying; no matter how many times AVG vaults it and deletes it, it comes back, even when manually deleting it. Here is the HijackThis file if it is any use; I've never used it before and have no idea what it does.
By the way, what do you press again to get into safe mode on Windows XP? Going to do a full system scan in safe mode tomorrow >.<
Last edited by -KarumA-; 2008-06-13 at 16:50. Reason: made another scan without having explorer etc. open =3
2008-06-13, 17:06 | Link #13 |
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
It's probably contained in your System Restore files, if you have System Restore enabled. System Restore can be useful, but the big pain about it appears in these situations: it'll back up infected files and it's nearly impossible to clean them out of there. I've never heard of an infection spreading from System Restore backups, but it's possible. Disabling System Restore and then trying to scan and clean it out might help.
To get into safe mode, I believe the key to press during bootup is F8.
2008-06-13, 17:35 | Link #14 |
I much prefer the 2d
Join Date: Dec 2007
Location: Frontier
Age: 31
I'm running Spybot at the moment; I downloaded one of the Virtumonde things from this link:
http://www.bleepingcomputer.com/forums/topic18610.html
Now my background still keeps flashing. It shows all my icons and the bar at the bottom; here are pics. I still have these things open, but the background stuff will be there and gone, and it just keeps flashing back and forth and causes major lag.
And like I said, it keeps flashing back and forth and deselects everything, and if I open WoW it keeps minimizing me lol. 19 viruses found, gonna rescan and see if Virtumonde is still there.
Last edited by nines; 2008-06-13 at 18:20.
2008-06-13, 21:38 | Link #15 | ||
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
Deciphered the HijackThis results and you have a bad guy residing in there. His name is KAVO.EXE and it's a trojan built to steal online game accounts, especially MMOGs made in China and South Korea:
http://www.sophos.com/security/analy...jlineagaw.html
http://www.symantec.com/security_res...742-99&tabid=2
Method of removal is outlined in this tab: http://www.symantec.com/security_res...742-99&tabid=3
Just turn off System Restore before taking him out, as these pests sometimes try to reside in the SR backup files to defy deletion. To do it:
1.) Right-click on My Computer > Properties
2.) Find the System Restore tab and remove the check mark for System Restore in order to turn it off.
3.) Click on Ok
@Seijisensei: For some reason known only to Microsoft (and they've yet to understand that this feature is an easy target for local script kiddies out for bragging rights), they still kept AUTORUN enabled by default. So I had this little registry adjustment I found from Nick Brown, who used this kung-fu style to add a runtime restriction to AUTORUN.INF files:
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If, for some strange reason, you want Autorun back, Brown gives us a restoration skill:
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
Update: I'm going to check out AutoRunGuard, which is freely available.
Last edited by sa547; 2008-06-14 at 23:51.
2008-06-14, 03:58 | Link #16 | |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Okay, I'll follow those steps to remove the KAVO.EXE. I scanned in safe mode this morning, no idea if it found anything because I was away when it did; it was a DOS scan by AVG that closed itself down automatically after finishing. I checked the registry and saw Kavo in the list and am now working to get rid of it =3 One question from the removal in the registry, step 5:
Restore the registry entries to the following registry subkeys to their previous values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun"
I haven't checked yet if they are there or deleted, but how do I restore them? I made a backup of my registry.
edit: removed Kavo.exe from the registry, the other files are still there so no restore needed, but still, how do you restore a missing reg piece? Just curious, and in case something like that does happen. By the way, is it safe to turn on System Restore again after deleting Kavo? And of course after the system scan no sign of win32/heur so far.
2008-06-14, 05:04 | Link #17 |
Busy busy busy
Graphic Designer
Join Date: Mar 2008
Location: Slovenia
Age: 36
Probably the easiest way of restoring the registry is to just click on the registry key (value) and go to File > Export. If anything goes wrong, just re-import them, since they already have a determined path.
And yes, it's safe to turn on restore if there aren't any traces of viruses left.
2008-06-14, 06:27 | Link #18 |
Senior Member
On the HijackThis log I suggest you go back in and fix the following entry:
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
I ran the log through an analysis site and it flagged that one up as a nasty, plus I googled the file itself and all it came up with was links to remove it.
2008-06-14, 11:09 | Link #19 | |
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
2008-06-14, 22:45 | Link #20 | |
Good-Natured Asshole.
Join Date: May 2007
Age: 34
Tags: usb, virus, win32heur, win32nsanti