Author Topic: USB Infection  (Read 3011 times)

0 Members and 1 Guest are viewing this topic.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
USB Infection
« on: July 15, 2013, 11:50:16 AM »
Hety, recently I installed MCShield for USB Protection because I felt I needed it. When I installed it, it by default ran a Temp.Ini scan and it said it was infected. Nothing wrong with that. It said autorun.inf was clean at first, then said it was Malware. Then procceded to delete my PowerPoint Presentation. I can't locate the log. It's in the MCShield Program File (Not x86) but it's not appearing. Is it hidden by default?
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37615
  • Not a avast user
Re: USB Infection
« Reply #1 on: July 15, 2013, 11:55:16 AM »
contact MCShield support here.  mcshield.support@gmail.com


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: USB Infection
« Reply #2 on: July 15, 2013, 12:29:00 PM »
Hi alan1998,
No, MCShield not hidden any logs, it would be pointless. Please check "logs" folder:
Start -> All Programs -> MCShield -> Logs


Quote
When I installed it, it by default ran a Temp.Ini scan and it said it was infected.
I can not understand what happened, could you please clarify this?



I would like to analyse your system too if you wish.

Download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: USB Infection
« Reply #3 on: July 15, 2013, 02:29:53 PM »
DDS and Attach logs.

To clarify MCShield, When I installed MCShield it did an Autorun scan of my USB Thumbdrive. It said it was infected and not to do anything. What I don't understand is though, how did my PowerPoint become infected? I only use the USB for School work and only on my PC and the Netbook. Chances of the Netbook being infected are slim since ALL known malicous/suspicous domains are blocked by default and my Computer at home. Well very good. recent scans though didn't show anything other then a PUP file.

Also still can't find the Logs. I'm using Windows 8. I believe those instructions are for 7
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: USB Infection
« Reply #4 on: July 15, 2013, 02:36:35 PM »
I just found it under my Gaming folder. Log attached.

If you look under the J:\ it says this.

 >>> J:\autorun.inf > Legitimate file.

>>> J:\~$Essay Francais.pptx - Malware > Deleted. (13.07.14. 21.40 ~$Essay Francais.pptx.213833; MD5: 0e024a6e015e9d499741dc7438ea45e8)

>>> J:\autorun.inf - Malware > Deleted. (13.07.14. 21.40 autorun.inf.475181; MD5: 3796d86cdba036a1ebe7a7d3ed048f16)

so it's identified the first line as clean, but the exact same file in the Third as Malware. Doesn't make sense to me.
« Last Edit: July 15, 2013, 02:39:21 PM by alan1998 »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: USB Infection
« Reply #5 on: July 15, 2013, 03:18:10 PM »
Hi,

Thouse word files has been caught becouse of new MCS's Gamarue heuristics detections, or to be more precise, becouse of "~$" prefix in the filename.

>>> J:\~$Essay Francais.pptx - Malware > Deleted. (13.07.14. 21.40 ~$Essay Francais.pptx.213833; MD5: 0e024a6e015e9d499741dc7438ea45e8)

"~$" prefix is in hidden file that Word creates when opening a document. That word file of yours is legit. Sorry about that detections.
Not a big deal, the original word file should remain intact. This is something that happens in the background. Or you may restore that file from quarantine or make whitelist yourself in MCShield Control Panel.

USB based malware isn't autorun.inf related anymore. At least not as often as before. USB based malware mainly uses new ways and technology for exploit system. Win32:Gamarue malware has recently been upgraded and very often in world-wide. For this reason, MCShield recently got a very powerful heuristic_behavior detection of this malware that is USB based.

We know for this FP detection and it should been corrected a few days ago. If not, it will be corrected these days, I didn't check the database.

> Right click on MCShield icon in system tray > Update. I've report this topic to the MCS author.


--------------------------


Related to Windows 8 and DDS. DDS is Windows 8 compatible. DDS logs is clean, and I think there is no need to execute additional checks because your problem is not malware related.

But you need to delete C:\_OTL <--- OTL quarantine folder. That would be removed if you click on OTL CleanUp! button to uninstall OTL.


« Last Edit: July 15, 2013, 03:21:06 PM by magna86 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: USB Infection
« Reply #6 on: July 15, 2013, 03:33:34 PM »
Otl shall go then. Kind of forgot about OTL. Thanks for the help and explaining the FP's to me. I was a little worried their.

Thanks
michael
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: USB Infection
« Reply #7 on: July 16, 2013, 12:46:46 AM »
@alan1998

Just wish to report that problem with this kind of FP detection should be solved in the latest 2.7.4.23 update.


Cheers