Avast WEBforum

Other => General Topics => Topic started by: Avastfan1 on March 07, 2009, 08:18:04 PM

Title: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 07, 2009, 08:18:04 PM
Dear Forum Gurus,

Could somebody please advise how to ascertain whether I have a virus or installed legitimate software?

Is it usual for new USB memory sticks, once plugged in, to install software to be able to read them?

I had a lapse in judgement and after plugging a new USB memory stick into my laptop a grey box appeared. It stated something like 'This USB stick requires the installation of additional software to be used'.

To be honest I was extremely tired and stressed and clicked yes. I don't remember exactly the process but it installed (no boxes appeared or anything). Can't remember if it needed a reboot but I was able to read the stick afterwards.

My computer appears to be functioning completely normal. No slow down in speed, strange messages or crashes. I checked C:\ and there was no autorun.inf file there. I even changed the setting to 'show system files' and 'don't blend hidden files out' in Window$ Explorer.

In hindsight it was stupid of me. I am now worried that I have installed malware, spyware or something else bad.

I run Avast Pro, MBAM resident, ZA Pro, SAS on demand, Window$ XP SP3.

There were no warnings from Avast. My regular scans of Avast, MBAM and SAS have detected nothing. A HJT log posted to the www.hijackthis.de website didn't show any malicious items.

I would be really grateful for your comments, thoughts and suggestions.

Many thanks,

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Confused Computer User on March 07, 2009, 08:45:10 PM
Quote
Is it usual for new USB memory sticks, once plugged in, to install software to be able to read them?

Speaking from experience with my own USB stick, yes. Every computer I plug it in (supposing it wasn't plugged in that computer before) does the same routine automatically without any input from me. I see it on the right side of the Taskbar where I get a notification that new hardware is being installed. I've only noticed this in Windows Vista and XP. I used the same stick in Linux and got no notification (maybe it's a difference of OS, who knows).

Cheers
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 07, 2009, 08:51:48 PM
Hi Confused Computer User,

Firstly, thanks for your response. I too am used to the automatic Window$ response to a new USB stick. Specifically, the yellow bubbles that pop up from the taskbar saying 'USB XX found' which end with 'USB stick ready to use'.

The case I mentioned in my first post didn't follow the same procedure. Instead of the yellow bubbles from the task bar a regular grey box (window) appeared. The text stated something to the effect 'the usb stick needs to install additional software for use'.

This is why I am worried. Have you ever had the grey box appear rather than the yellow bubbles?

I am using Window$ XP SP3.

Thanks for your help. I keenly await your (and others) answer.

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: bob3160 on March 07, 2009, 09:04:05 PM
Quote
The text stated something to the effect 'the usb stick needs to install additional software for use'.
Most likely a new driver needed to be installed for that USB. Not unusual and not something to get paranoid about IMHO. :)
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 07, 2009, 09:07:55 PM
Hi Bob3160,

Thank you for your response. I am starting to feel a little more relaxed. :-)

Stupid question but where is the driver installed from? The USB stick itself?

Is there a way I can check whether it was a legitimate driver? Is there an installation log? Is there a Window$ file or directory I can check?

Thanks,

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Confused Computer User on March 07, 2009, 09:56:54 PM
Well that is strange. I have used the stick on an XP SP3 with no such outcome. But as Bob pointed out it depends on the product. If you used Avast, MBAM and SAS and they haven't detected anything then you're OK. No reason to panic.

Since you use ZA Pro then any unknown attempt to send out info would have been picked up. So again no worries. Just a standard install.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: timcan on March 07, 2009, 11:22:06 PM
Hi, is this one of those flash drives with U3 software preinstalled?
http://www.u3.com/
I bought a ScanDisc drive one time with this on it.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 07, 2009, 11:42:31 PM
Dear Avast Forum Users and Gurus,

Many thanks again for the ongoing support. Confused Computer User's reassurance with the security products is also welcome news. So thanks for that.

Unfortunately the flash drive belonged to a friend so I don't know which brand or model it was. However, I can remember what it looked like and it looked a lot like the one in RNfromTN's link! Specifically, the silver bit that plugs into the computer retracted into the plastic part of the USB stick.

RnfromTN: When you bought the ScanDisc drive you mentioned, did you get a grey box pop up when you plugged it in advising that additional new software needed to be installed to use the USB stick?

Has anybody else had a similar experience with the grey box I describe (ie. a normal installation window) rather than the usual 'yellow bubbles' in the taskbar?

Thanks again and I look forward to your response!

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 08, 2009, 12:42:25 AM
You don't say what type of USB stick this is as other than U3 as mentioned, you shouldn't need to install anything as Windows should have all the needed USB drivers, especially if this is a later version of windows.

USB2 flash drives are pretty bog standard and windows XP/Vista should be able to cope with those without having to download anything. It may well say new hardware detected for the new USB but it should still be able to use a pre-installed USB driver.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 01:00:10 AM
Hello DavidR,

Many thanks for your contribution as well! In hindsight I also found it a little strange that the installer window appeared. As mentioned, I stupidly clicked ok due to stress and fatigue. But that's my problem :-(

I assume it is a U3. I am not really across the different USB types. My experience up until now was when plugging a 'new' USB stick in, the yellow bubbles would appear on the taskbar. For example, 'USB X detected' followed by 'USB now ready to use'.

Further perusal of this forum finds the PREVX mentioned frequently. I downloaded the free scan directly from their website. It came up with nothing. Tomorrow I will run a boot-time scan with Avast Pro, a full MBAM scan and a SAS scan. Moreover I will repost a HJT log to www.hijackthis.de for analysis.

Can you recommend any other steps I could take to check whether I have accidentally installed some malware or spyware piece of scheiße?

I already looked for an autorun.inf file on my hard disk. There were none in C:\ and I therefore think it was not an autorun virus.

Would really appreciate any expert help on this I could receive. I'm very open to suggestions and always read, and hold, the advice provided on this forum with very high regard.

Many thanks!!!

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: bob3160 on March 08, 2009, 01:10:24 AM
You are worried about something that isn't there.
It's normal when you first plug a new USB drive into your system that you get a message that
it's been detected and that the driver has been installed.
This is only information for you to know that the new USB drive is ready to be used.

Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 01:16:04 AM
Hi Bob3160,

Thanks for the reassurance :-) I agree it is normal for the driver to be installed for a new USB stick.

The only thing I found a little odd was the method (ie. a grey install box/window) instead of the usual 'yellow bubbles' which appear on the taskbar for Windows XP.

Thanks for your advice!!!

Best wishes,

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 08, 2009, 01:21:39 AM
If you don't know what type of device it is I would suggest it isn't U3, more likely to be USB2 as U3 flash drives, a) generally cost more money, b) they make a big deal about it marketing, packaging, etc. They also normally come pre loaded with some U3 programs.

What is on the flash drive ?
U3 normally has some sort of launcher program, not generally autorun.inf.

When connected if you right click on the properties it should give some general info, see images.

Whilst it is usual to get messages (new hardware detected, etc.) when you first connect a USB device (memory stick), I have 'never' been asked to install anything. So I don't agree that when you load a new usb stick it is normal to install a driver, especially if you have a recent OS and you haven't confirmed what yours is.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: timcan on March 08, 2009, 02:02:26 AM




Quote
RnfromTN: When you bought the ScanDisc drive you mentioned, did you get a grey box pop up when you plugged it in advising that additional new software needed to be installed to use the USB stick?

Hi, I do remember getting a popup of some type from my hips program, seems it was launchpad, been so long ago :-[
If you run xp you should install http://download.microsoft.com/download/f/c/a/fca6767b-9ed9-45a6-b352-839afb2a2679/TweakUiPowertoySetup.exe, not sure if it's vista compatible, and prevent autoruns. See screenshot. Hope this helps
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 02:36:05 AM
Hi DavidR, RNfromTN and other Gurus,

Sorry if I'm not explaining myself fully :-(

I am running Windows XP SP3. I don't actually know what was on the USB stick. I believe it was empty however I can't be sure. Worse yet - my friend is now overseas so I have no chance to re-examine the USB stick :-(

Perhaps you are correct and it is a USB 2. Not a USB 3. I just thought it might have been as it looked like the one in the link above which one lad kindly provided.

Can anybody therefore provide any tips to lessen my fears that I inadvertently installed something bad?

I will schedule an Avast boot-time scan, run a full MBAM scan, an SAS scan, Blacklight, Spybot, ZA-antispyware scan, post a HJT log to www.hijackthis.de, I've already run PREVX which came up with nothing.

Thanks for your help and please keep the suggestions coming!!!

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 01:28:07 PM
Hello Forum,

Thanks for the continuing support!

Here are the results of the tests and scans I have run:
- Avast Pro boot-time scan: No infection found (selected scan option all folders and files)
- Prevx Scan: No infection found
- Spybot: No infection found
- Dr. Web Cure.It: No infections found (1 false positive - refer thread http://forum.avast.com/index.php?topic=43119.0)
- MBAM: No infection found (complete scan)
- SAS: No infection found (complete scan)
- ZA Pro - Anti-Spyware: No infection found (deep inspection)
- HJT log submitted to hijackthis.de: No red cross items or yellow question mark items
- Rootalyzer: No infection found
- Blacklight: No infection found
- Trendmicro RootkitBuster: No infection found
- Manual check of C:\ for an autorun.inf file: No such file found
- Ran Ccleaner.com: Successfully cleaned temp files

Does anybody have any other suggestions for tests, scans or other measures I can take?

Thanks!

Avastfan1

PS: Here is my setup:

Operating System: Windows XP SP3 (fully updated and patched)
User Account: Restricted Account (ie. a non-admin account)
Web Browser: Firefox 3.0.7 (Noscript 1.9.0..8 and AdblockPlus ver 1.0.1)
Firewall: ZA Pro 8.0.298.000 (fully updated)
Virus scanner: Avast Pro 4.8.1335 (all modules active and rootkit scan on startup enabled)
Resident Anti-Malware: Malwarebytes 1.34 (fully updated and resident module activated)
On-Demand Spyware/Malware: (note: none of the following are resident or active, rather on-demand)
- Spybot (version 1.6.2 updated but Tea-timer not active)
- Spybot's RootAlyzer (latest version)
- SuperAntiSpyware (version 3.9.1008 - fully updated)
- F-secure Blacklight (latest version)
- ZAlarm Pro's Anti-Spyware Module (fully updated)
Other Tools:
- Hijackthis 2.02
- PrevX (latest updates)
- Dr. Web Cure.It (latest updates)
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 03:10:04 PM
Hello Avast Fans,

Some more information:

My friend also put the USB stick into another computer with Window$ XP SP3 and Panda Anti-virus after my machine (also Window$ XP SP3).

Panda Anti-virus recognised adware in the file k:\setup.exe.

Why didn't Avast recognise anything?

Unfortunately I don't have the USB stick nor the above disinfected file on hand to analyse.

Any further suggestions?

I am now really confused. All the programs from my previous post say I'm clean. Yet Panda recognised something on the other machine? :o

Please help!!!

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 08, 2009, 03:41:45 PM
No single AV will detect everything and we don't know if Panda's detection was good either. That is why we suggest the likes of virustotal to confirm one way or another.

So this goes to show the installation wasn't a normal occurrence for plugging in a USB (still don't know if this is a U3 stick) and you should be alert to this in the future; a lesson learnt, hopefully without too much pain.

Whatever this setup.exe was responsible for attempting/installing doesn't appear to have been too successful or is very clever to have avoided detection from a whole slew of anti-malware products. Given that panda says this is adware I wouldn't have thought that it was the latter option, a very clever piece of malware that has defeated all scanning attempts.

Remember the other applications never scanned the USB only your HDD, so we only have one detection that needs confirmation. So further analysis needs to be done on this file at virus total and or Anubis: Analyzing Unknown Binaries (http://anubis.iseclab.org/?action=home), another scanning tool that is useful.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 06:51:03 PM
Hello DavidR,

I must thank you again for your timely response.

On my computer I have Avast Pro installed and its resident scanner would have scanned the USB stick and the setup.exe as it executed though.

I have just completed a full scan with Panda (http://www.pandasecurity.com/homeusers/solutions/activescan/). It also returned no infections and no suspicious files.

I am loath to download and 'trial' the Panda Antivirus Pro 2009 as I already have Avast Pro installed.

I shall try and contact my friend and obtain the 'setup.exe' file from the USB stick. However if Panda has already disinfected it, will virustotal's results still be relevant to my machine?

I will also upload it to the Anubis link you provided.

Meantime - are there any other suggestions to examine my machine?

Thank you again for your time!

Avastfan1

Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 08, 2009, 07:02:07 PM
Now you have done a panda scan don't be surprised when avast alerts on panda files it dumps in the system folders as it doesn't encrypt its signature files.

Panda removal tool: http://www.pandasoftware.com/resources/sop/UNINST_v1012.exe, I don't know if this also removes the remnants of the on-line scanner.

Personally I would be surprised if it disinfected it as like a trojan much of the content would be malicious rendering the file useless or the better option would have been removal/quarantine as any file that is suspect wouldn't get a second chance to make a first impression on my system.

This is even more relevant when you have no idea what the setup.exe does or what program it is associated with.

No other suggestions.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 10:16:58 PM
Hello DavidR and Avast Gurus,

Thank you for the follow-up reply. I now have some more information:

- The USB stick is a Kingston USB data-traveller
- It was purchased in India
- I myself took it out of the packaging (ie. it was BRAND new)
- Then I put it in my computer and the grey box came up

It was then put into a Window$ XP computer after mine with Panda. Panda removed the file and now the only files left in the root directory are listed below (with their contents).

What should I do now? :O

Thanks!

Avastfan1

----------------------------------------------------

Autorun.inf:

[autorun]
open=wscript.exe VirusCleaner.vbe
shell\open=Open
shell\open\Command=wscript.exe VirusCleaner.vbe

and

Substitute.txt

                  V I R U S  A L E R T

The original message part containing a virus has been removed
from this message and replaced with this warning because ....

   Virus signature(s) for 'VBS/Solow-Gen' were found in VIRUSCLEANER.VBE

Please ask the sender of the message to disinfect their original
version and send you a clean copy if it is required.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 08, 2009, 10:44:24 PM
Right, that looks bad for users if a sealed stick is infected before you get it, though this has happened before with some hard disks infected at factory level.

So it pays to be on your toes, the first time you plug in a USB be that new or from another source, friend, etc.

Delete the autorun.inf on the root folder, do a search for VirusCleaner.vbe, if found:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Submit to virustotal and report findings.

Don't worry about wscript.exe that is a legit windows scripting function required to run the viruscleaner.vbe to start the ball rolling. The file viruscleaner.vbe by its name alone I suspect will have been a fake security alerts style rogue program. So if you aren't getting any rogue alerts, which I doubt you are, it looks like it didn't get established.

Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 08, 2009, 11:12:05 PM
Dear DavidR,

Again my sincere thanks for your time and support. I agree completely with your comments regarding my stupidity in letting my guard down. Stress and fatigue are no excuse. I will take heed of them for the future.

I have done a search for viruscleaner.vbe on my Windows XP SP3 system. It returned no matches. I selected 'show hidden files and folders' and deselected 'hide protected operating system files' in Windows Explorer.

Moreover I selected 'search system folders', 'search hidden files and folders' and 'search subfolders' under Windows search function.

I repeated the same procedure for 'autorun' and found only the following files (contents are listed below):

C:\IBMTOOLS\APPS\DVDPLAY\AUTORUN.INF
[AutoRun]
OPEN=SETUP.EXE
ICON=SETUP.EXE,0

C:\IBMTOOLS\APPS\NORTONAV\AUTORUN.INF
[AutoRun]
Open=CDStart.Exe
Icon=CDStart.Exe
Shell\Install=Install
Shell\Install\Command=navsetup.exe

C:\IBMTOOLS\DRIVERS\VIDEO\AUTORUN.INF
[autorun]
open=setup.exe

C:\Program Files\HP\Digital Imaging\{4....E}\AUTORUN.INF
[content too long to post here - so here are the first few lines]
[autorun]
open=setup.exe
icon=setup.exe,0
[Version]

C:\Program Files\HP\Digital Imaging\{5....5}\AUTORUN.INF
[content too long to post here - so here are the first few lines]
[autorun]
open=setup.exe
icon=setup.exe,0
[Version]

I have submitted the above files to virustotal.com and they all come back with no finding.

You are correct in that I am not getting any rogue alerts.

Has my system been compromised though? Is my system still compromised? Should I run the battery of tests again to double-check? Is there anything else I can do?

Thanks again for the help. I really appreciate it.

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 09, 2009, 12:01:55 AM
I've also run a full Kaspersky online scan.

Anybody have any wise suggestions?

Does this 'issue' mean that I should format the hard drive and reload everything?

Am really angry at my lapse in safe anti-virus prevention :-(
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 09, 2009, 12:31:16 AM
The autorun.inf files you listed all look legit, commonly they are in image/restore or tools folders. So I'm not too surprised nothing was found.

The main area of concern would be if the autorun.inf file were in a root/partition folder, e.g. c:\, d:\ or any other partitions you might have on your hard disk as these would be likely to auto run when you access that drive/partition.

To avoid the potential in the future you should run this tool on your hard disk, and then for all your USB sticks to prevent future infection.

1. Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop. Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Also see this link for more information on Flash Disinfector, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/
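
The distinction drawn in the post above (an autorun.inf in a drive root versus the vendor ones in tools folders, and a folder named autorun.inf occupying the name) can be checked mechanically. The following is an added example, not part of any forum post or of any tool named in the thread; the function names, the script-host and extension lists and the `K:\` path (taken from the drive letter in the Panda detection) are assumptions of this example, and the sample contents are the ones posted in the thread.

```python
"""Triage autorun.inf content: what would AutoRun launch, and does it look like a script dropper?"""
import re
from pathlib import Path, PureWindowsPath

# Interpreters a removable drive has little reason to start (lists are this example's choice).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
# Keys that make Windows run something: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(path, text):
    """List reasons to look closer at one autorun.inf; an empty list means none found."""
    commands = {k: v for k, v in parse_autorun(text).items() if LAUNCH_KEY.fullmatch(k)}
    findings = []
    p = PureWindowsPath(path)
    if commands and p.anchor and p.parent == PureWindowsPath(p.anchor):
        findings.append("sits in a drive root and defines a launch command")
    for key, cmd in commands.items():
        # Naive split: fine for short commands, not for quoted paths containing spaces.
        names = [PureWindowsPath(t).name.lower() for t in cmd.replace('"', " ").split()]
        if names and names[0] in SCRIPT_HOSTS:
            findings.append(f"{key} starts script host {names[0]}")
        findings += [f"{key} references script file {n}" for n in names
                     if PureWindowsPath(n).suffix in SCRIPT_EXTS]
    if "shell\\open\\command" in commands:
        findings.append("overrides the drive's 'open' shell verb")
    return findings


def autorun_state(drive_root):
    """'folder' if a directory named autorun.inf occupies the name, else 'file' or 'absent'."""
    target = Path(drive_root) / "autorun.inf"
    return "folder" if target.is_dir() else "file" if target.is_file() else "absent"


# Contents as posted in the thread; the paths passed to triage() below are the
# thread's own, except K:\autorun.inf, which is assumed from k:\setup.exe.
STICK = r"""[autorun]
open=wscript.exe VirusCleaner.vbe
shell\open=Open
shell\open\Command=wscript.exe VirusCleaner.vbe
"""
NORTON = r"""[AutoRun]
Open=CDStart.Exe
Icon=CDStart.Exe
Shell\Install=Install
Shell\Install\Command=navsetup.exe
"""

if __name__ == "__main__":
    for path, text in ((r"K:\autorun.inf", STICK),
                       (r"C:\IBMTOOLS\APPS\NORTONAV\AUTORUN.INF", NORTON)):
        print(path, triage(path, text) or "nothing flagged")
```

An empty result only means none of these heuristics matched; it says nothing about the program the file points at, which still needs scanning.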
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 09, 2009, 12:36:46 AM
Hi DavidR,

I will download that tool and definitely run it.

In your learned and esteemed judgement would you class my system as clean?

What would you do if you were in my situation?

Thanks!!

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 09, 2009, 12:49:23 AM
I would say with the slew of scanners you have thrown at it, then that is a strong likelihood.

Though me, being me probably wouldn't give that 'clean' assurance as nothing is that black and white ;D

The only thing you can do is monitor your system for unusual occurrences which I would have thought you would already have seen.
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 09, 2009, 12:56:01 AM
Hi DavidR,

That sounds like a reasonable and appropriate strategy. I agree I have exhausted the arsenal of scanners which could have detected anything!

Personally I do not hold the more commercial programs like Norton and McAfee in high regard at all. The only reason I used Panda's online scanner was that it detected something on the other computer.

Feel a little better now that a guru has judged my system to be clean to a high probability!!

Thank you for your patience, wise words and prompt advice. I hope you win the lottery or something this week.

Best regards,

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: DavidR on March 09, 2009, 01:01:42 AM
You're welcome.

There are other on-line scanners that don't deposit rubbish in the system folders.
RejZoR's Website - Security Ops
On-line Virus Scanners and other useful Links Security-Ops.eu.tt (http://www.security-ops.eu.tt).
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: Avastfan1 on March 09, 2009, 10:45:16 PM
Hi DavidR,

Thanks for the tip! I will have a look at the on-line scanners you recommended.

Best regards,

Avastfan1
Title: Re: USB Memory Stick Virus or Legit Install Software?
Post by: polonus on March 09, 2009, 11:12:37 PM
Hi Avastfan1,

What I should do is to take a good look with some scanners at the folder where you normally download with MBAM or SAS updated to the latest versions. You could also perform a full online scan. It will not cleanse or remove, but you can get an idea if you are infected with something by running a full pestscan in IE: http://www.ca.com/US/securityadvisor/pestscan/
I would also give the computer a good cleansing for temporal files with two programs: ATF cleaner 3.0 (tick all): http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Another good one to use is ClearProg: http://www.clearprog.de/download.php?id=40

But I think you only will establish the fact that your computer is clean and what you downloaded were the normal install routines for a pendrive that was ready for its initial install,

Take care and stay malware free and secure online, is the wish and command of,

polonus (malware fighter)