USB Memory Stick Virus or Legit Install Software?

[Avastfan1]

Hello Forum,

Thanks for the continuing support!

Here are the results of the tests and scans I have run:
- Avast Pro boot-time scan: No infection found (selected scan option all folders and files)
- Prevx Scan: No infection found
- Spybot: No infection found
- Dr. Web Cure.It: No infections found (1 false positive - refer thread http://forum.avast.com/index.php?topic=43119.0)
- MBAM: No infection found (complete scan)
- SAS: No infection found (complete scan)
- ZA Pro - Anti-Spyware: No infection found (deep inspection)
- HJT log submitted to hijackthis.de: No red cross items or yellow question mark items
- Rootalyzer: No infection found
- Blacklight: No infection found
- Trendmicro RootkitBuster: No infection found
- Manual check of C:\ for an autorun.inf file: No such file found
- Ran Ccleaner.com: Successfully cleaned temp files

Does anybody have any other suggestions for tests, scans or other measures I can take?

Thanks!

Avastfan1

PS: Here is my setup:

Operating System: Windows XP SP3 (fully updated and patched)
User Account: Restricted Account (ie. a non-admin account)
Web Browser: Firefox 3.0.7 (Noscript 1.9.0..8 and AdblockPlus ver 1.0.1)
Firewall: ZA Pro 8.0.298.000 (fully updated)
Virusscaner: Avast Pro 4.8.1335 (all modules active and rootkit scan on startup enabled)
Resident Anti-Malware: Malwarebytes 1.34 (fully updated and resident module activated)
On-Demand Spyware/Malware: (note: none of the following are resident or active, rather on-demand)
- Spybot (version 1.6.2 updated but Tea-timer not active)
- Spybot's RootAlyzer (latest version)
- SuperAntiSpyware (version 3.9.1008 - fully updated)
- F-secure Blacklight (latest version)
- ZAlarm Pro's Anti-Spyware Module (fully updated)
Other Tools:
- Hijackthis 2.02
- PrevX (latest updates)
- Dr. Web Cure.It (latest updates)

[Avastfan1]

Hello Avast Fans,

Some more information:

My friend also put the USB stick into another computer with Window$ XP SP3 and Panda Anti-virus after my machine (also Window$ XP SP3).

Panda Anti-virus recognised adware in the file k:\setup.exe.

Why didn't Avast recognise anything?

Unfortunately I don't have the USB stick nor the above disinfected file on hand to analyse.

Any further suggestions?

I am now really confused. All the programs from my previous post say I'm clean. Yet Panda recognised something on the other machine?

Please help!!!

Avastfan1

[DavidR]

No single AV will detect everything and we don't know if Panda's detection was good either. That is why we suggest the likes of virustotal to confirm one way one another.

So this go to show the installation wasn't a normal occurrence for plugging in a USB (still don't know if this is a U3 stick) and you should be alert to this in the future a lesson learnt, hopefully without too much pain.

Whatever this setup.exe was responsible for attempting/installing doesn't appear to have been too successful or is very cleaver to have avoided detection from a whole slew of anti-malware products. Given that panda says this is adware I wouldn't have thought that it was the latter option, a very cleaver piece of malware that has defeated all scanning attempts.


Remember the other applications never scanned the USB only your HDD, so we only have one detection that needs confirmation. So further analysis needs to be done on this file at virus total and or Anubis: Analyzing Unknown Binaries, is another scanning tool that is useful, Anubis: Analyzing Unknown Binaries.

[Avastfan1]

Hello DavidR,

I must thank you again for your timely response.

On my computer I have Avast Pro installed and its resident scanner would have scanned the USB stick and the setup.exe as it executed though.

I have just completed a full scan with Panda (http://www.pandasecurity.com/homeusers/solutions/activescan/). It also returned no infections and no suspicious files.

I am loathe to download and 'trial' the Panda Antivirus Pro 2009 as I already have Avast Pro installed.

I shall try and contact my friend and obtain the 'setup.exe' file from the USB stick. However if Panda has already disinfected it, will virustotal's results still be relevant to my machine?

I will also upload it to the Anubis link you provided.

Meantime - are there any other suggestions to examine my machine?

Thank you again for you time!

Avastfan1

[DavidR]

Now you have done a panda scan don't be surprised when avast alerts on panda files it dumps in the system folders as it doesn't encrypt its signature files.

Panda removal tool: http://www.pandasoftware.com/resources/sop/UNINST_v1012.exe, I don't know if this also removes the remnants of the on-line scanner.

Personally I would be surprised if it disinfected it as like a trojan much of the content would be malicious rendering the file useless or the better option would have been removal/quarantine as any file that is suspect wouldn't get a second chance to make a first impression on my system.

This is even more relevant when you have no idea what the setup.exe does or what program it is associated with.

No other suggestions.

[Avastfan1]

Hello DavidR and Avast Gurus,

Thank you for the follow-up reply. I now have some more information:

- The USB stick is a Kingston USB data-traveller
- It was purchased in India
- I myself took it out of the packaging (ie. it was BRAND new)
- Then I put it in my computer and the grey box came up

It was then put into a Window$ XP computer after mine with Panda. Panda removed the file and now the only files left in the root directory are listed below (with their contents).

What should I do now? :O

Thanks!

Avastfan1

----------------------------------------------------

Autorun.inf:

[autorun]
open=wscript.exe VirusCleaner.vbe
shell\open=Open
shell\open\Command=wscript.exe VirusCleaner.vbe

and

Substitute.txt

                  V I R U S  A L E R T

The original message part containing a virus has been removed
from this message and replaced with this warning because ....

   Virus signature(s) for 'VBS/Solow-Gen' were found in VIRUSCLEANER.VBE

Please ask the sender of the message to disinfect their original
version and send you a clean copy if it is required.

[DavidR]

Right, that looks bad for users if a sealed stick is infected before you get it, though this has happened before with some hard disks infected at factory level.

So it pays to be on your toes, the first time you plug in a USB be that new or from another source, friend, etc.

Delete the autorun.inf on the root folder, do a search for VirusCleaner.vbe, if found:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Submit to virustotal and report findings.

Don't worry about wscript.exe that is a legit windows scripting function required to run the viruscleaner.vbe to start the ball rolling. The file viruscleaner.vbe by its name alone I suspect will have been a fake security alerts style rogue program. So if you aren't getting any rogue alerts, which I doubt you are, it looks like it didn't get established.

[Avastfan1]

Dear DavidR,

Again my sincere thanks for your time and support. I agree completely with your comments regarding my stupidity in letting my guard down. Stress and fatigue are no excuse. I will take heed of them for the future.

I have done a search for viruscleaner.vbe on my Windows XP SP3 system. It returned no matches. I selected 'show hidden files and folders' and deselected 'hide protected operating system files' in Windows Explorer.

Moreover I selected 'search system folders', 'search hidden files and folders' and 'search subfolders' under Windows search function.

I repeated the same procedure for 'autorun' and found only the following files (contents are listed below):

C:\IBMTOOLS\APPS\DVDPLAY\AUTORUN.INF
[AutoRun]
OPEN=SETUP.EXE
ICON=SETUP.EXE,0

C:\IBMTOOLS\APPS\NORTONAV\AUTORUN.INF
[AutoRun]
Open=CDStart.Exe
Icon=CDStart.Exe
Shell\Install=Install
Shell\Install\Command=navsetup.exe

C:\IBMTOOLS\DRIVERS\VIDEO\AUTORUN.INF
[autorun]
open=setup.exe

C:\Program Files\HP\Digital Imaging\{4....E}\AUTORUN.INF
[content to long to post here - so here are the first few lines]
[autorun]
open=setup.exe
icon=setup.exe,0
[Version]

C:\Program Files\HP\Digital Imaging\{5....5}\AUTORUN.INF
[content to long to post here - so here are the first few lines]
[autorun]
open=setup.exe
icon=setup.exe,0
[Version]

I have submitted the above files to virustotal.com and they all come back with no finding.

You are correct in that I am not getting any rogue alerts.

Has my system been compromised though? Is my system still compromised? Should I run the battery of tests again to double-check? Is there anything else I can do?

Thanks again for the help. I really appreciate it.

Avastfan1

[Avastfan1]

I've also run a full Kaspersky online scan.

Anybody have any wise suggestions?

Does this 'issue' mean that I should format the hard drive and reload everything?

Am really angry at my lapse in safe anti-virus prevention :-(

[DavidR]

The autorun.inf files you listed all look legit, commonly they in image/restore or tools folders. So I'm not too surprised nothing was found.

The main area of concern would be if the autorun.inf file were in a root/partition folder, e.g. c:\, d:\ or any other partitions you might have on your hard disk as these would be likely to auto run when you access that drive/partition.

To avoid the potential in the future you should run this tool on your hard disk, and then for all your USB sticks to prevent future infection.

1. Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Also see this link for more information on Flash Disinfector, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/

[Avastfan1]

Hi DavidR,

I will download that tool and definitely run it.

In your learned and esteemed judgement would you class my system as clean?

What would you do if you were in my situation?

Thanks!!

Avastfan1

[DavidR]

I would say with the slew of scanners you have thrown at it, then that is a strong likelihood.

Though me, being me probably wouldn't give that 'clean' assurance as nothing is that black and white

The only thing you can do is monitor your system for unusual occurrences which I would have though you would already have seen.

[Avastfan1]

Hi DavidR,

That sounds like a reasonable and appropriate strategy. I agree I have exhausted the arsenal of scanners which could have detected anything!

Personally I do not hold the more commercial programs like Norton and McAfee in high regard at all. The only reason I used Panda's online scanner was that it detected something on the other computer.

Feel a little better know that a guru has judged my system to be clean to a high probability!!

Thank you for your patience, wise words and prompt advice. I hope you win the lottery or something this week.

Best regards,

Avastfan1

[DavidR]

You're welcome.

There other on-line scanners that don't deposit rubbish in the system folders.
RejZoR's Website - Security Ops
On-line Virus Scanners and other useful Links Security-Ops.eu.tt.

[Avastfan1]

Hi DavidR,

Thanks for the tip! I will have a look at the on-line scanners you recommended.

Best regards,

Avastfan1