avast!WEBforum
Author Topic: Virus : Phim Nguoi Lon.exe  (Read 19316 times)
Peanuts
« on: February 24, 2009, 03:12:55 PM »

Hi everybody,

Today I went to print some texts with my USB (to the print-shop), and the USB got immediately infected.

A strange folder got created: Phim Nguoi Lon, and, back home, AVAST detected the following bad files:

1- AutoRun.inf
2- xih9.cmd
3- Secret.exe
4- phim nguoi lon.exe

All of them are now in the Quarantine (the security zone, which was what Avast recommended me to do). I scanned them again in the Quarantine folder and Avast told me the files themselves were clean now.

Anyway, I have kept the files there, just to prevent. So here are the automatic questions I put myself :

1- Should I delete them all ?
2- Or should I restore some of them ?
3- Should I keep them in the quarantine zone forever ?

4- Are my USB and computer in a safe mode now ?

I've done, later, a scan with the online service Kaspersky offers, and my USB seems to be clean.
I'll probably do the same with the whole computer.

But by now, I'd like to know how to deal with the infected files, and how to know if my USB is still needing some extra action to restore its original health.

Thanks very much if someone can help me.

« Last Edit: February 24, 2009, 03:24:24 PM by Peanuts »

Jtaylor83
« Reply #1 on: February 24, 2009, 03:22:46 PM »

My suggestion is:

1. Keep them in the virus chest for a few weeks.

2. Disinfect your USB drive with Flash Drive Disinfector.

Peanuts
« Reply #2 on: February 24, 2009, 03:35:49 PM »

Thanks v. m. for the help Taylor.

I ran the program with the USB connected and a message popped up saying all is OK now.

Related to the infected files, should I delete them in some weeks ?

Jtaylor83
« Reply #3 on: February 24, 2009, 03:38:18 PM »

Rescan the files in the virus chest after a few weeks; if they're still detected, delete them.

Peanuts
« Reply #4 on: February 24, 2009, 03:56:36 PM »

Thanks again.

I realise I forgot to mention two other detected files: hope it doesn't make any difference.

- ise32.exe (Win32:Trojan-gen)
- isee.exe (Win32:AutoRun-ACX[Wrm])

and the details for the malware already pointed :

- AutoRun.inf (BV:AutoRun-H[Wrm])
- xih9.cmd (Win32:Gamona [trojan])
- Secret.exe (Win32:VB-KQF[Wrm])
- phim nguoi lon.exe (Win32:VB-KQF[Wrm])

polonus
« Reply #5 on: February 24, 2009, 04:23:43 PM »

Hi Peanuts,

Read the information on phim nguoi lon.exe or Secret.exe here:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t157586.html
and here: forums.mcafeehelp.com/showthread.php%3Ft%3D219224+phim+nguoi+lon+virus
The usb or card readers are infected from CameraShops,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Peanuts
« Reply #6 on: February 26, 2009, 12:17:33 PM »

Hi Polonus, thanks for the info. However, it seems that Flash Drive Disinfector disabled the Plug and Play function of the USB drive, so the PC doesn't open the automatic window when I plug it, even if the drive is detected and operational.

I'm running over Windows Vista.

Does somebody know how to fix it? Thanks.
« Last Edit: February 26, 2009, 01:04:48 PM by Peanuts »

Tech
« Reply #7 on: February 26, 2009, 01:12:21 PM »

> so the PC doesn't open the automatic window when I plug it, even if the drive is detected and operational.
> Does somebody know how to fix it? Thanks.

I wish to know also... I've lost my autoplay function and cannot have it back. I've googled, I've checked the Windows registry, services, autoplay settings... it just does not open...

avast4 Settings - FAQ - Links
Help me helping you! Sign up & use Mozy to get 2.512 Gb extra free remote backup space.
Peanuts
« Reply #8 on: February 26, 2009, 09:09:09 PM »

Hi again there,

I'm not a pro in computers, so I don't know if this could be related. It makes, however, sense to me.

Please, if someone can "certify" that could be the issue, drop a line here !

The link : http://www.jamiiforums.com/technology-science-forum/23289-how-remove-flash-disinfector-protection-autorun-inf-folder.html

polonus
« Reply #9 on: February 26, 2009, 09:12:34 PM »

Hi Peanuts,

Some folks ruined their autorun registry settings, while using and advising to others the flash disinfector tool (not working alike on all pen drives apparently), but the following tool that I have found will disable/enable everything properly again. It is also very handy in the struggle against some of the known Conficker worm spreading routines. You can find it here:
http://www.uwe-sieber.de/drivetools_e.html#autorun

Enjoy,

polonus

Tech
« Reply #10 on: February 26, 2009, 09:30:23 PM »

> Some folks ruined their autorun registry settings, while using and advising to others the flash disinfector tool (not working alike on all pen drives apparently), but the following tool that I have found will disable/enable everything properly again. It is also very handy in the struggle against some of the known Conficker worm spreading routines. You can find it here:
> http://www.uwe-sieber.de/drivetools_e.html#autorun

Fully agree. I stop recommending Flash Disinfector.

DavidR
« Reply #11 on: February 26, 2009, 10:21:17 PM »

As far as I'm aware the flash disinfector doesn't modify any (autorun) registry settings (see image) but relies on cleaning any infection on the USB stick and creating hidden autorun.inf folder in a) HDD partitions b) any USB stick you insert and run flash disinfector.

Which is why I liked flash disinfector as it didn't mess with the registry. There have also been a number of pseudo-solutions suggesting hacking the registry to disable autoruns and I most certainly wouldn't recommend this as after any heat dies down, people forget that they applied a registry hack.

I'm also against any tool that completely disables autorun as there are times when it actually gets used for its correct purpose, CD media.

So I haven't seen anything about different or not working alike on all pen drives 'apparently' and when we have a word like apparently you might as well just say 'we don't know for sure.' So I'm not going to allow speculation to guide me but facts, so if anyone has any 'facts' I would be happy to check them out.

Since there are two distinctly different types of pen drive bog-standard USB 1 or 2 and the U3 variety which operate totally different from the bog-standard and don't require autorun.inf, it wouldn't be totally surprising to find that there 'might' be a different effect with a U3 pen drive to a bog-standard USB drive.

However there is nothing in the above quote or link which states flash disinfector is an issue, so it just muddies the water.

Core2Duo E8300/ 2GB Ram/ WinXP ProSP3/ avast! free 5.0.396/ Outpost Firewall Pro 2009/ Firefox 3.6, NoScript, RequestPolicy/ MailWasher Pro 6.5.4/ SuperAntiSpyware Pro/ MalwareBytes AntiMalware/ WinPatrol Plus/ Drive Image 7.1 /OE6 /SnagIt 9.1 Image Capture
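
The mechanism DavidR describes above (an autorun.inf folder occupying the name a worm would use for its launcher file) can be checked on a drive root with a short audit. This is an added example, not code from the thread or from Flash Disinfector; the function names, the extension list and the sample autorun.inf content are constructed for illustration.

```python
import os
import tempfile

EXEC_EXT = {".exe", ".cmd", ".bat", ".com", ".scr", ".pif", ".vbs"}  # assumed list

def parse_autorun(text):
    """Return (key, value) launch entries from the [autorun] section.
    Hand-parsed so junk or padding lines do not abort the scan."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def audit_drive_root(root):
    """Return (level, message) findings for the root folder of one drive."""
    findings = []
    names = {name.lower(): name for name in os.listdir(root)}
    inf = names.get("autorun.inf")
    if inf and os.path.isdir(os.path.join(root, inf)):
        findings.append(("ok", "autorun.inf is a folder placeholder"))
    elif inf:
        with open(os.path.join(root, inf), errors="replace") as fh:
            for key, value in parse_autorun(fh.read()):
                findings.append(("alert", f"autorun.inf {key} -> {value}"))
    for low, name in sorted(names.items()):
        is_file = os.path.isfile(os.path.join(root, name))
        if is_file and os.path.splitext(low)[1] in EXEC_EXT:
            findings.append(("review", f"executable in drive root: {name}"))
    return findings

def demo():
    """Audit two constructed drive roots: one worm-style, one with the placeholder."""
    sample_inf = ";pad\nrandom junk line\n[AutoRun]\nopen=Secret.exe\nshell\\open\\command=Secret.exe\n"
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        for name, body in (("AutoRun.inf", sample_inf), ("Secret.exe", ""), ("xih9.cmd", "")):
            with open(os.path.join(bad, name), "w") as fh:
                fh.write(body)
        os.mkdir(os.path.join(good, "autorun.inf"))
        return audit_drive_root(bad), audit_drive_root(good)

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

Point `audit_drive_root` at a mounted drive letter or mount point to run it on a real stick; it only reads directory entries and the autorun.inf text and never executes anything.
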
Tech
« Reply #12 on: February 26, 2009, 10:23:43 PM »

> Creating hidden autorun.inf folder in a) HDD partitions

I do not want to be unfair or make FUD with Flash Disinfector. But, by now, it was due to that changing...

polonus
« Reply #13 on: February 26, 2009, 10:33:10 PM »

Hi DavidR,

I did not know about the situation until Tech reported it to me in a P.M. We searched and searched what it could be, and it gave us both two or three extra gray hairs. The alternate solution I have found on a forum, so because Tech could not return to his original settings I passed that info to him (and now others). You and I can speculate, but as long as Tech can say he has the experience (yes, he experienced this himself) and I have to trust his word for that, I have put Flash Disinfector "in limbo". Like to hear a definite about this issue to clear this up. That said Microsoft did not come up with a definite solution for its feature (seen in the lights of recent outbreaks) as the tools I present can be toggled off and on, I can not see what is wrong with that. Certainly the user should know what he or she is doing or have it done for him or her when not experienced users, but that is normal in malware fighting routines - it is not for the n00b,

polonus

« Last Edit: February 26, 2009, 10:42:38 PM by polonus »

DavidR
« Reply #14 on: February 26, 2009, 10:53:11 PM »

There have also been two Windows security updates relating to this autorun issue, the second in the last Patch Tuesday (KB960715 10 Feb 2009), because MS stuffed up the first one as it didn't do what it was supposed to do (autorun still worked under certain circumstances and OSes). So two KBs for this and either could have had an impact, so I'm sorry but for me this isn't proven.

Yes that tool is handy to get back to original settings, but that is all, it would do nothing to address those who have already been hit by the infection.