The virus that copies itself on flash drives! help!



forrest44
08-02-2009, 09:05 AM
OK so my stepsister's computer was looking rather sick, so I put Spybot S&D on my flash drive and took to it...

1) Spybot S&D would not run. Installs fine, but the program won't come up. Is some spyware stopping it? Doesn't work in Safe mode either.

2) I put my flash drive back into my Windows XP computer and after a few minutes, AVG antivirus complains it has detected a suspicious file being opened/accessed or something.

So I open up the flash drive in Explorer, and there are two new files, both hidden - Autorun.inf and system.exe.

I was guessing it was the Downadup worm, so I downloaded a Downadup removal tool and scanned my computer. ( http://www.softpedia.com/progDownload/W32-Downadup-Removal-Tool-Download-118447.html ) Came up with nothing. An AVG scan came up with nothing either (!)

But whenever I plug my flash drive in to my computer, those two files are always created again, Autorun.inf and system.exe.

help help!
What do I do?
What is it?
How do I get rid of it?

Why can't everyone just use linux?? :confused::confused::confused:

gary67
08-02-2009, 09:21 AM
First turn off system restore the download and install Hijack this copy and paste the log here. Have you tried MS own conficker removal tool?

ronyville
08-02-2009, 09:21 AM
Have you tried scanning your PC with Trojan Remover and Malwarebytes? And also, if I were you then I would copy all your data off the flash drive and then format it. Has happened to me before as well.

LynX
08-02-2009, 10:24 AM
This is a typical autorun virus. The virus somehow lodged inside the infected computer, and if its files are deleted, it would just make new ones. If you format your flash drive, and plug into the infected computer, it would be infected again.

I tried to Google "remove system.exe (http://www.google.co.nz/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=gwZ&q=remove+system.exe&btnG=Search&meta=)", but I saw a nonsense instruction, and another few sites advertising their own removal programs.

(in response to 1)) Yeah, MS make it easy for general users, but at least in Linux you can run it in terminal and see what error codes it gives out. It does not give ANY responses after you click it? You may have to try to upload it here (http://www.threatexpert.com/submissionapplet.aspx), and see whether it's a virus or not.
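
The pattern described above (a hidden Autorun.inf on the drive root that points at system.exe) can be checked from the Autorun.inf text itself. This is an added example, not part of the original thread; the function names, the sample file contents and the directory listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program

def launch_entries(inf_text):
    """Return [(key, command)] for each launch entry in the [autorun] section."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # skip other sections and lines that are not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def target_name(command):
    """File name of the program a launch command starts, lower-cased."""
    command = command.strip()
    quoted = command.startswith('"')
    program = command[1:].split('"', 1)[0] if quoted else command.partition(" ")[0]
    return PureWindowsPath(program).name.lower()

def flag_drive(inf_text, root_listing):
    """root_listing maps file name -> True if hidden. Returns sorted findings."""
    listing = {name.lower(): hidden for name, hidden in root_listing.items()}
    findings = set()
    for key, command in launch_entries(inf_text):
        name = target_name(command)
        if name in listing:
            findings.add((name, key, "hidden" if listing[name] else "visible"))
    return sorted(findings)

# Constructed sample matching the thread: hidden Autorun.inf and system.exe.
SAMPLE_INF = """[AutoRun]
; constructed example, not a captured file
open=system.exe
shell\\open\\command=system.exe
shell\\explore\\command="system.exe" /e
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_ROOT = {"Autorun.inf": True, "system.exe": True, "photos.zip": False}
```

Calling `flag_drive(SAMPLE_INF, SAMPLE_ROOT)` lists every launch entry whose target is actually present on the drive root, together with whether that file is hidden.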

forrest44
08-02-2009, 11:27 AM
First turn off system restore the download and install Hijack this copy and paste the log here.
Who else didn't understand that sentence? :)

forrest44
08-02-2009, 11:30 AM
Seeing AVG isn't so good anymore, I'm thinking of changing my antivirus software.

I was thinking of installing the Comodo security suite (antivirus, firewall...) and using that. Is their antivirus software any good?

plod
08-02-2009, 11:33 AM
MS has released a patch for this hole, it would seem someone has updated Windows lately.

radium
08-02-2009, 11:42 AM
Who else didn't understand that sentence? :)

I understood it, he meant "then".

Speedy Gonzales
08-02-2009, 11:52 AM
Seeing AVG isn't so good anymore, I'm thinking of changing my antivirus software.

I was thinking of installing the Comodo security suite (antivirus, firewall...) and using that. Is their antivirus software any good?

DON'T use the AV in the suite, it's still in beta (it wouldn't pick up much).

Untick its option if you install it, and install Avast.

gary67
08-02-2009, 01:29 PM
First turn off system restore the download and install Hijack this copy and paste the log here. Have you tried MS own conficker removal tool?

Ok I made a small typo, it should have said then AND had some punctuation, I was in a rush to go out. Nobody's perfect, not even me.

ZapperBoy10647
08-02-2009, 09:48 PM
Ok I made a small typo, it should have said then AND had some punctuation, I was in a rush to go out. Nobody's perfect, not even me.

Sorry gary; you seem to be the only imperfect one one this forum. bummer ....

For everyone who is perfect however let's have a perfect party! And let's do some perfect dancing! Because we're perfect.

P.S Spam
PP.S Too much use of the word perfect

Curbd
09-02-2009, 08:26 AM
"only imperfect one one this forum"
Sorry, looks like you're not invited either ;P

Anyway, if you look through Task Manager under Processes you can usually find the virus's process in there, and shut it down. Do this before you plug in the flash drive and you should be good to go. I realise that this is only a temporary fix but it may help.
You could possibly even stop it from booting by using 'Msconfig' in Run, then find and untick its process.

Hope it's helpful in some way at least.

Now.... who's bringing the scones? ;D

Blam
09-02-2009, 09:22 AM
Run FLASHDISINFECTOR.

Should do everything for you

blanco
09-02-2009, 10:06 AM
Run a HJT scan and post the log file here.