Author Topic: Autorun Infections on USB Drives  (Read 20597 times)

Tatterdemalion

    Topic Starter


    Intermediate

    Autorun Infections on USB Drives
    « on: February 06, 2010, 01:27:24 AM »
    When my router broke at the start of the week, I used an old computer and
    USB ADSL modem to contact my ISP and arrange its replacement. During
    that time I was transferring the USB drive where I store my e-mail plus
    a larger external hard drive of audio files between machines.

    Now that my new Router has arrived and my main laptop is able to
    connect to the internet, I have those two drives hooked into it and
    Avast Anti-Virus has found infections.

    I have run scans and have deleted the rogue items but I would
    like to know if this is a safe time to plug in and test other drives
    that may have been affected.

    My situation currently is that Avast alerted me to an
    autorun.inf infection on the larger hard drive. I deleted it
    and then found the same item on the smaller flash drive.

    I scanned the small drive in full and Avast reported :

    RECYCLER/autorun.exe

    Malware Name : Win 32 : Delf.NDH [Drp]

    I scanned the large drive and the same

    RECYCLER/autorun.exe

    was found plus multiple instances of

    BV : AutoRun-G [Wrm]

    The scan also mentioned that

    setup.exe
    instmsia.exe
    instsmsiw.exe


    are "Decompression Bombs".

    I don't know what that means. The software I have deliberately
    put on the drive are installers for Direct X, Open Office and the
    Demo of the driving game Dirt 2.

    During the scanning of the large drive, Norton said it had
    removed

    W32.Polip

    as a security risk.

    I do NOT have Norton installed. There is a splash screen
    advert for it that appears whenever I boot up. It is a trial that
    came pre-installed with the laptop. I have never run it.
    I chose Avast.

    After scanning the external hard drives separately - and
    deleting the autorun.inf and autorun.exe
    infections, I ran a full scan of "My Computer" so that those
    drives would be scanned again and the C: drive for the
    first time.

    No infections were reported at the end of the scan
    and I would like to know if it is safe for me to plug in
    and test additional hard drives that may have been
    compromised.

    THANK YOU FOR BEING THERE

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Autorun Infections on USB Drives
    « Reply #1 on: February 06, 2010, 10:46:56 AM »
    Flash Drive Cleanup

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.
     
    * Double-click Flash_Disinfector.exe to run it.
    * Your desktop and icons may disappear. This is normal.
    * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    * Follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * There will be no GUI interface or log file produced.
    * Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    ----------

    Panda USB and AutoRun Vaccine

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Panda USB and AutoRun Vaccine and save it to your desktop.

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

    ----------


    Now you need to clean the malware from the computer. Follow the directions in the below link and post the logs.

    http://www.computerhope.com/forum/index.php/topic,46313.0.html
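The reply above describes two states a drive root can be in: an autorun.inf file that launches a program (here the RECYCLER/autorun.exe Avast reported), or a protective folder named autorun.inf left by the cleanup tool. The following is an added example, not part of the original thread and not code from any tool it mentions, that tells these states apart by reading the drive root. The status names, function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# [autorun] keys that make Windows launch a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)

# Constructed sample of a worm-style autorun.inf (not taken from the thread).
SAMPLE_INF = (";junk line\n[AutoRun]\nopen=RECYCLER\\autorun.exe\n"
              "shell\\open\\command=RECYCLER\\autorun.exe\nicon=shell32.dll,4\n")


def parse_autorun(text):
    """Return [(key, command)] for launch entries in the [autorun] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        # Tolerate junk: skip comments and anything that is not key=value.
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            entries.append((key.strip().lower(), value.strip()))
    return entries


def points_into_recycler(command):
    """True if the command path has a RECYCLER folder component."""
    path = command.strip('"')
    return re.search(r"(^|[\\/])recycler[\\/]", path, re.I) is not None


def triage_drive(root):
    """Return (status, entries); the status names are this example's own."""
    path = next((os.path.join(root, n) for n in os.listdir(root)
                 if n.lower() == "autorun.inf"), None)
    if path is None:
        return "absent", []
    if os.path.isdir(path):
        # A folder of that name gets in the way of a worm writing a file there.
        return "vaccinated", []
    with open(path, encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    return ("launches" if entries else "inert"), entries


def demo():
    """Build a constructed drive root in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
        status, entries = triage_drive(root)
        return status, [cmd for _, cmd in entries if points_into_recycler(cmd)]


if __name__ == "__main__":
    print(demo())
```

An "absent" or "vaccinated" result only describes the drive root; it says nothing about executables elsewhere on the drive, which still need a scanner.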

    Tatterdemalion

      Topic Starter


      Intermediate

      Re: Autorun Infections on USB Drives
      « Reply #2 on: February 06, 2010, 03:49:19 PM »
      Thank you very much for this advice.

      Am I correct in understanding that both of these applications should be run on every one
      of every kind of data-storing USB drive that I own, (not just the ones that Avast identified
      as having a problem) from 2GB memory sticks to the 1.5TB external hard drives that are
      supposed to be dismounted using the "Safely Remove Hardware" option ?

      evilfantasy

      Re: Autorun Infections on USB Drives
      « Reply #3 on: February 06, 2010, 04:12:45 PM »
      You can run them on everything that plugs in to your computer that has storage capabilities from flash drives, mp3 players, phones etc.

      You can also take the extra measure of manually disabling autoruns.

      AutoRun Cleanup

      Download and Install Microsoft's TweakUI
      * Once installed start TweakUI.
      * Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
      * Turn off the checkbox next to every drive letter to disable AutoPlay except your CD/DVD drive letters.

      Tatterdemalion

        Topic Starter


        Intermediate

        Re: Autorun Infections on USB Drives
        « Reply #4 on: February 07, 2010, 12:58:17 AM »
        Thank you.

        One more question before I start, I was initially alerted to this infection by Avast which found a RECYCLER/autorun.exe on two external drives that were plugged in simultaneously.

        Is this the program that SPREADS the infection ?

        I ask because I want to establish whether a third drive has avoided contagion or whether it is another carrier.

        I inserted that third drive into the laptop that has Avast by using the SHIFT key method to avoid autorun.inf starting and then scanned it. Avast did not report RECYCLER or any other problem.

        Does that mean that drive has escaped being hit ?

        evilfantasy

        Re: Autorun Infections on USB Drives
        « Reply #5 on: February 07, 2010, 01:03:45 AM »
        If you can I would suggest also running another scan on any drive that was plugged in to the infected machine for a "second opinion". Never hurts to be sure.

        The autorun/recycler virus can be hard to get rid of but getting the host machine cleaned up will make cleaning the other drives much easier.

        Run this on the other drives. Dr.Web CureIt

        Tatterdemalion

          Topic Starter


          Intermediate

          Re: Autorun Infections on USB Drives
          « Reply #6 on: February 07, 2010, 07:52:16 AM »
          Hi

          I ran Flash Disinfector whilst my 120GB USB hard drive and the flash memory stick that MIGHT not have the virus on it were connected to my laptop's USB ports.

          I do not know if the program treated BOTH drives.

          When it had finished I got an alert box from BOClean, it said :

          NIRCOMMAND VARIANT STOPPED BY BOCLEAN

          Location of startup: FILE
          C:DOCUMEN~\SCOUT\LOCAL~1\TEMP\NIRCMD.EXE

          This trojan horse program was found on your machine. It has been shut down, but the FILE from which it started still remains and can be started up again.

          Do you want the file removed also ?

          Should I respond with a "Yes" or a "No" ?

          Do I need to treat all of the drives I own NOW before re-booting to move onto the Panda Utility ?

          I have other drives that have DEFINITELY NOT been infected yet and I wonder if they could be immunised later on AFTER the malware has been identified and cleared from this laptop.

          evilfantasy

          Re: Autorun Infections on USB Drives
          « Reply #7 on: February 07, 2010, 09:45:10 AM »
          Quote
          NIRCOMMAND VARIANT STOPPED BY BOCLEAN

          Location of startup: FILE
          C:DOCUMEN~\SCOUT\LOCAL~1\TEMP\NIRCMD.EXE

          That's part of Flash Disinfector. You need to allow it.

          Quote
          Do I need to treat all of the drives I own NOW before re-booting to move onto the Panda Utility ?

          Go ahead and restart then run Panda. Either way though should be fine.

          Quote
          I have other drives that have DEFINITELY NOT been infected yet and I wonder if they could be immunised later on AFTER the malware has been identified and cleared from this laptop.

          It never hurts to check when you have the extra time. ;)

          Tatterdemalion

            Topic Starter


            Intermediate

            Re: Autorun Infections on USB Drives
            « Reply #8 on: February 08, 2010, 04:11:39 AM »
            Hi

            When I installed the Panda Vaccination software I did not check any of the
            boxes and I did not select the NTFS option as it said it was in BETA.

            I have immunised my Flash FAT 32 memory sticks. My larger "fixed" drives
            are in the NTFS format and have not been vaccinated.

            I assume I can vaccinate all my PCs and/or use the TWEAK application
            to allow me to confidently attach my 1.5TB drives again.... ??

            I have followed the Six Step set of Malware Guidelines.

            STEP 1

            I saw a program in my Add/Remove Programs list called "Keynote
            Connector". I don't know what it is. I can't see a date for its
            installation and no file size is given.

            I am also unfamiliar with "PC-Doctor 5 for Windows" but perhaps it
            is part of the OS. Its installation date was probably the day I got the laptop.

            STEP 3

            I scanned just my C: Drive using SUPERAntiSpyware.

            I did not scan any additional external drives.

            The result was :

            "Scanning is complete. No harmful software was detected."

            STEP 4

            I updated MBAM to Version 3703 and ran the scan.

            The result was :

            "The scan completed successfully. No malicious items were detected."

            STEP 5

            My Java Version is now at V6 Update 18

            STEP 6

            I'm a bit confused by the renaming here.

            I ran the scan by double-clicking
            the "Shortcut to sniper.exe" icon

            I will try to attach the log to the next thread.


            Tatterdemalion

              Topic Starter


              Intermediate

              Re: Autorun Infections on USB Drives
              « Reply #9 on: February 08, 2010, 04:12:32 AM »
              This should be my Hi-Jack This log

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Autorun Infections on USB Drives
              « Reply #10 on: February 08, 2010, 02:26:42 PM »
              Keynote Connector -  I'm not sure what this is but came up with this. http://panel.webeffective.keynote.com/

              PC-Doctor 5 for Windows - http://www.bleepingcomputer.com/uninstall/2442/PC-Doctor-5-for-Windows.html



              Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

              Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

              Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

              Exit out of MessengerDisable then delete the two files that were put on the desktop.

              ----------

              Open HijackThis and select Do a system scan only

              Place a check mark next to the following entries: (if there)

              O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

              Important: Close all open windows except for HijackThis and then click Fix checked.

              Once completed, exit HijackThis.

              ----------

              ESET Online Scan

              Scan your computer with the ESET FREE Online Virus Scan

              * Click the ESET Online Scanner button.

              * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
              * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
              * Place a check mark next to YES, I accept the Terms of Use.

              * Click the Start button.
              * Accept any security warnings from your browser.
              * Leave the check mark next to Remove found threats and place a check next to Scan archives.
              * Click the Start button.
              * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
              * When the scan completes, click List of found threats.
              * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
              * Click the <<Back button then click Finish.

              In your next reply please include the ESET Online Scan Log

              Tatterdemalion

                Topic Starter


                Intermediate

                Re: Autorun Infections on USB Drives
                « Reply #11 on: February 08, 2010, 05:49:41 PM »
                I have downloaded the Disable/Remove Messenger program, unzipped and run it.

                I had to try twice to get it to "Uninstall Windows Messenger", it says it has but I can't see any new files on the Desktop.

                There is a Box with the heading : "Advanced INF Install"

                It contains the text : "You must restart your computer before the new settings will take effect.
                                                  Do you want to restart your computer now ?

                                                  YES     NO    "

                Please let me know if I should agree to this or continue with the HijackThis scan without re-booting - which I think I am supposed to run by clicking on "Shortcut to Sniper.exe".


                evilfantasy

                Re: Autorun Infections on USB Drives
                « Reply #12 on: February 08, 2010, 05:54:26 PM »
                Go ahead and restart first.

                Tatterdemalion

                  Topic Starter


                  Intermediate

                  Re: Autorun Infections on USB Drives
                  « Reply #13 on: February 09, 2010, 03:29:44 AM »
                  Hi

                  My result said "No threats found".

                  Does that mean there will be no log generated ?

                  evilfantasy

                  Re: Autorun Infections on USB Drives
                  « Reply #14 on: February 09, 2010, 09:32:38 AM »
                  Yes there will be no log.

                  Final suggestions.

                  Use the Secunia Software Inspector to check for out of date software.

                  * Click Start Now
                  * Check the box next to Enable thorough system inspection.
                  * Click Start
                  * Allow the scan to finish and scroll down to see if any updates are needed.
                  * Update anything listed.

                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                  ----------

                  I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.