Topic: Something creates volumeInformation.exe on my USB Flash Drive - how to prevent?

REDACTED

  • Guest
Hi, something began to create, on every USB flash drive I plug into my laptop, a separate invisible folder with no name, an invisible file called "volumeInformation.exe" and a shortcut (connected with the .exe file) with the name of the USB drive.

As soon as I plug a flash drive into my laptop, it moves all the data on the flash drive into the hidden folder. If I want to see the data I must click on the shortcut icon.

I thought it was a new security measure. But now I think it is a Trojan probably. Avast was not able to recognize it. I have uninstalled the avast antivirus.

 My computer is doing the same thing every time I plug in any USB flash drive.

How can I deactivate this?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
see instructions here  >>  https://forum.avast.com/index.php?topic=194892.0

scroll down to  SPECIFIC INFECTIONS LOGS  and follow MCShield instructions

copy paste the log here


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Quote
I thought it was a new security measure. But now I think it is a Trojan probably. Avast was not able to recognize it. I have uninstalled the avast antivirus.
So now you don't have antivirus?


REDACTED

  • Guest
Yes, temporarily.

REDACTED

  • Guest
I have installed McShield and got its log:



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<


3.02.2017 19:07:30 > Drive H: - scan started (no label ~1999 MB, FAT flash drive )...


>>> H:\Removable Disk.lnk - Suspicious > Renamed. (MD5: a8b113f476db2a0a384718453200af7a)

>>> H:\VolumeInformation.exe - Suspicious > Renamed. (MD5: 25deec9470c0a47d45e536fac2e9422d)


=> Suspicious files  : 2/2 renamed.

____________________________________________

::::: Scan duration: 5min 40sec ::::::::::::
____________________________________________





I have also uploaded the suspicious file volumeInformation.exe to virustotal.com and it says... to be more precise, 4 antiviruses (Antiy-AVL, ESET-NOD32, Invincea and Jiangmin) out of 57 in total say it is a Trojan.

As I understand it, MCShield neutralized it only on the flash drive. What can I do now to remove the Trojan from my Windows 7 (64 bit) system?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
always post link to virustotal scan result or we miss lots of extra info


Have you installed an anti-ransomware tool, like Cybereason RansomFree?



REDACTED

  • Guest
Quote
always post link to virustotal scan result or we miss lots of extra info

Here it is: https://www.virustotal.com/en/file/14cd141da5e0ea4f89da57cd427860c971778b5d4cef0eaa516855ef5d53fdcd/analysis/1486999602/

Quote
Have you installed an anti-ransomware tool, like Cybereason RansomFree?
Is it able to remove the Trojan from the system? Then I will try.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Quote
Is it able to remove the Trojan from the system? Then I will try.
No but it will create random files/folder as a trap for ransomware, and many that install this program miss this info and think it is malware files/folders


I suggest you go back to the instructions and run the first two programs in the guide
- Malwarebytes
- Farbar Recovery Scan Tool

These logs (3) you attach, not copy paste

A malware expert will then be notified and assist you, he may not be online before tomorrow






Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Quote
Here it is: https://www.virustotal.com/en/file/14cd141da5e0ea4f89da57cd427860c971778b5d4cef0eaa516855ef5d53fdcd/analysis/1486999602/

VolumeInformation.exe.zip

If possible, don't scan files zipped, reason is that all the extra info given will be for the zip and not the file inside, as that is the info we want   ;)

also if you see file as scanned before, always click rescan for a fresh result
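A read-only check for the symptoms reported in this thread (a shortcut and an executable in the drive root, plus a folder with no visible name), which also hashes the raw files so a lookup is for the file itself rather than a zip around it. This is an added example, not part of any post here and not MCShield's method; the function names, the extension shortlist and the guess that the folder name is whitespace-only are assumptions.

```python
import hashlib
import os
import stat
import sys

# Extensions Windows will run on double-click (constructed shortlist, not exhaustive).
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

def is_hidden(entry):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def sha256_of(path):
    """Hash the file itself, in chunks, so the lookup is not for a .zip wrapper."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_drive_root(root):
    """List suspicious root-level entries; read-only, nothing is run or renamed."""
    findings = []
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            ext = os.path.splitext(entry.name)[1].lower()
            item = {"name": entry.name, "hidden": is_hidden(entry)}
            if entry.is_dir(follow_symlinks=False):
                # Assumption: the "folder with no name" has a whitespace-only
                # name (for example U+00A0), which strip() reduces to "".
                if entry.name.strip() == "":
                    item.update(kind="blank-named folder",
                                entries=len(os.listdir(entry.path)))
                    findings.append(item)
            elif ext == ".lnk":
                item.update(kind="root shortcut", sha256=sha256_of(entry.path))
                findings.append(item)
            elif ext in RUNNABLE:
                item.update(kind="root executable", sha256=sha256_of(entry.path))
                findings.append(item)
    return findings

if __name__ == "__main__":
    for finding in triage_drive_root(sys.argv[1]):  # drive root, e.g. H:\
        print(finding)
```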


REDACTED

  • Guest
Quote
Here it is: https://www.virustotal.com/en/file/14cd141da5e0ea4f89da57cd427860c971778b5d4cef0eaa516855ef5d53fdcd/analysis/1486999602/

VolumeInformation.exe.zip

If possible, don't scan files zipped, reason is that all the extra info given will be for the zip and not the file inside, as that is the info we want   ;)

also if you see file as scanned before, always click rescan for a fresh result

https://www.virustotal.com/en/file/0e239235388c2c6d015c942dd66acf46580d897041bf218cb3a7a136c733eee8/analysis/

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
First submission 2016-12-12 10:38:08 UTC ( 2 months ago )

Wondering why it isn't well detected if this is malware?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
100% protection/detection is simply not possible.

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Quote
100% protection/detection is simply not possible.

What is really interesting is the age of the sample, and the detection ratio on VT makes anyone wonder how many more of these are still around infecting users.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Quote
First submission 2016-12-12 10:38:08 UTC ( 2 months ago )

Wondering why it isn't well detected if this is malware?
It may also be a FP

If you click on "additional info" and see previous file names? Google them
If you click on "file detail" legit file?

anyway one detection engine names it Sality (file infector) ... legit file injected with malicious code?


@dbrisendine    will find out if he posts back the requested logs