Trojan Phim nguoi lon.exe from a USB stick? Help!

[LaStar]

Hi!

A USB key from someone who travels a lot & was in Vietnam was stuck into my sister's laptop, & scanned with Avast (Home Edition) that found Trojans: secret.exe which I promptly put into 'treasure vault', then it found a file that sounded vietnamese, & I couldn't get the owner on the phone & didn't know what to do, I was afraid to possibly erase anything he might still need, so I stopped Avast scan & took the USB key out.
the file was: F:/RECYCLER/Phim nguoi lon.exe/ [PE Compact]
(just slashes in the other direction)
Win 32: Agent-TFA [Trj]

Then I had the good sense to google it on the other computer & found this thread: http://forum.avast.com/index.php?topic=35011.0 and some others.
Of course I got quite scared, & sis scanned her laptop with Avast immediately, nothing was found.
She hasn't turned the laptop off yet, & we don't know whether to do a search in the registry first (or what registry is! & how to find it

She has Windows XP (original) &  we are now not sure what to do (if anything).
The USB wanted to be opened first, like all USB keys in Windows, but I clicked 'exit' on the pop-up window, so basically nothing was opened, just scanned by Avast.
The system detected the new USB key as a new hardware, could anything be downloaded then already?

Our neighbour said to maybe just get the photos and then scan with antivirus, not sure if that's a smart idea?
Is it smart to re-insert the USB key (to get photos for an article - I know it's a bad way to share files, next time hopefully will try to find a better way).

I just thought the person had scanned his USB key before, he had loaned it to other people around here before & he said no one had complained about anything before, & that maybe we had a better antivirus?

So, what to do?
Any help would be greatly appreciated!! (Especially as I'm on a deadline for the article & he is returning to Asia soon - do I just not use these photos or is there a way to retrieve them safely? Do I go for help into a computer store & ask if they can retrieve them for me? I don't want to infect any other computers-? Is sister's laptop safe or might already be infected?) BIG THANKS to anyone who might answer!

[.: L' arc :.]

 As of the possible spread of infection, it would be very low in percentage but remains possible since XP has autoplay enabled.

 About the USB, recycler is a containment for previously deleted files, so in that case, I believe, the said file inside recycler is unwanted. The decision is yours of whether to delete it or [better] move it to chest so you may still be able to retrieve the file in case you need it.

[LaStar]

Thanks!

I have been reading the stickies here & rather complicated procedures are mentioned, that it's best to check out iffy stuff online and follow the procedure for removing it, & only put into virus chest if you can't find what else to do with it?

If it's in Recycler/previously deleted, is the file at all dangerous or is it disabled already?

The owner of USB key said he can't remember having any programs on it, & to destroy an iffy file if needed.

Can I disable autoplay in XP & thus minimize possibilities of any infection?

[polonus]

Use this tool to cleanse the infected USB stick/pendrive: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

How to use:

1. Download Flash Disinfector from here

2. Double click Flash_Disinfector.exe, follow the prompts

3. Your desktop may vanish for a while and then reappear back to normal

4. Wait till it finishes the scan, and then exit the program   

That's it in a nutshell,

polonus

[LaStar]

Polonus, thanks!

How safe is it to use? Are the photos etc safe? (It's not my USB drive..)
Also, will the USB key then be okay to use on the computer, or would further precautions be necessary? (such as disabling autoplay or similar?)

I assume Avast (or another antivirus program - we have Bitdefender on another computer) can be turned on normally, while this Flash Disinfector is working?

[polonus]

Hi LaStar,

It is safe, we have recommended the use of it many times and the disinfector was produced by the maker of Combo_Script and the link is found at G2G where the helpers are qualified and trained malware eliminators, use it on that USB stick and the owner of it will be grateful to you for doing so. That is all I can say,

polonus

[LaStar]

Polonus, thanks!

Still haven't dared to do this
What do you think about this thread: "Do not recommend Flash Disinfector any longer but an alternative!" - there seemed to be some doubts about using this? http://forum.avast.com/index.php?action=printpage;topic=42967.0 and some reviews here: http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/ eg review #175: "THIS PROGRAM DOES NOT ACTUALLY REMOVES THE TROJAN, IT JUST SUPPRESSES IT ONCE U REMOVE THE AUTORUN.INF FOLDER CREATED BY THIS SOFTWARE THE TROJAN GETS RE-ACTIVATED AGAIN. JUST TRY TO FORMAT YOUR FLASH DRIVE ONCE U RUN THE PROGRAM, IT JUST POPS BACK AGAIN." (?)
and review#174: "Sorry, it didn´t work on mine, afte trying several times the autorun.inf still appears. Any other solution?."

If I did the Disinfector thing, I suppose I would need to tell the USB owner to not remove that autorun.inf file?
Would  it be better to run it through Avast first & then do the Disinfector?

Sorry, I am a bit frazzled & not sure what to do...

[.: L' arc :.]

 Well, if that's the case, the best one would be to completely disable autoplay

(1) Open Run and type: gpedit.msc
(2) You will see the Group Policy window. You should select Administrative Templates \ System in the tree view
(3) You will see an item in the right side pane called “Turn off Autoplay”
(4) Double click the item, and set the radio button to Enabled, and change the “Turn off Autoplay on” to All Drives.
(5) Click OK

 With this all autoruns that want to run automatically will not run. Activation of autoruns will be manual.

[hsobrevilla02]

Well, if that's the case, the best one would be to completely disable autoplay

I think you can also use windows xp powertoys tweak UI.
you can download it here:
http://www.microsoft.com/windowsxp/Downloads/powertoys/Xppowertoys.mspx
select tweak UI to download.

i hope this would help others to disable autorun in their pc`s.

harold

[.: L' arc :.]

 So far, even if you disable autoplay manually or via Tweak UI, the threats wont be gone, the spread will just be halted.

 Disabling autoplay will not disinfect removable drives so, use it instead to get a chance to scan the media first.