Can NOD kill USB2.0 capability on external HDD?

Discussion in 'ESET NOD32 Antivirus' started by muf, Oct 22, 2010.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Is it possible for NOD32 to corrupt the drivers held on the password partition of an external HDD? My Toshiba drive stopped working with USB2.0 after NOD falsely identified two of the files in the DRIVERS folder of the password partition as malware: SwitchFK.exe and Desktop.ini.

    It tried to remove both files and showed them in quarantine, but when I tried to restore them it said it failed. Then I restored them to my desktop and tried to copy them back in, but it said the drive was protected and read only. After a full reboot, the Toshiba drive still shows the two files, but ever since the detection, Windows now tells me the device could run faster on USB2.0. I have other USB2.0 devices and they all work fine at USB2.0.

    So is it possible for NOD to compromise that Password partition? I've been trying to get ESET tech support to help, but they are claiming my drive is faulty and that NOD cannot compromise the files on the Password partition. But I'm not convinced and I'm not knowledgeable enough to know for certain. I hope someone here can help me because, as things stand, my external drive is not practical being only at USB1.1 speed.

    I have attached a screenshot of the Password partition.

    Thanks,
    Paul
     

  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    from the screen it seems XP? 32bit? what sort of encryption and software is used? SwitchFK.exe and Desktop.ini are not drivers either, unless disguised.

    in this Toshiba forum the matter was discussed already back in 2006, exactly the same files were marked malicious by various AV then http://forums.computers.toshiba-europe.com/forums/thread.jspa?threadID=16522

    are those 2 files genuine by the virtual drive encryption software?

    is it the first time the drive got connected to a NOD-protected machine? did you connect it to that machine before NOD was installed/running?
     
    Last edited: Oct 22, 2010
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you paste here the relevant record from your threat log containing the detection name?
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks for the help. Here is some information as requested.

    I originally used the external HDD with my old internal HDD. My AV at that time was Kaspersky but I had also used Antivir on it as well. I never got any alert from them. Then my internal HDD died and I bought a new one. Installed Windows XP SP3 32 bit and put NOD on the new internal HDD to give it a try. Once I switched on the external Toshiba HDD, NOD detected the threats below. It was the first time my Toshiba external HDD had been in contact with NOD. The two files have been on the drive ever since I bought it from Costco in 2006.


    Here are the log files

    15/09/2010 18:55:01 Real-time file system protection file F:\Driver\desktop.ini Win32/VB.NEI worm cleaned by deleting (after the next restart) - quarantined BD3EFBA70B884F6\muf Event occurred during an attempt to access the file by the application: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe.

    15/09/2010 18:55:02 Real-time file system protection file F:\Driver\SwitchFK.exe Win32/VB.NEI worm cleaned by deleting (after the next restart) - quarantined BD3EFBA70B884F6\muf Event occurred during an attempt to access the file by the application: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe.

    Having just read through the mentioned link, I find it hard to believe that Norton and McAfee detected the same files on the same Toshiba external HDD. This would suggest Toshiba released the drive with the infections on it. I'm finding that a bit much to take!
     
    Last edited: Oct 22, 2010
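    The two threat-log records quoted above follow ESET's fixed text-export column layout (timestamp, module, object type, object, detection name and type, action, machine\user, context). As an added example that is neither the thread's nor ESET's own code, here is a small parser for that layout, assuming a dd/mm/yyyy date locale and an object path without spaces, so the fields can be pulled out cleanly when preparing a false-positive submission:

```python
import re
from dataclasses import dataclass
from datetime import datetime
# The two records quoted in the post above (ESET NOD32 4.x threat log exported as text).
SAMPLE_LOG = r"""
15/09/2010 18:55:01 Real-time file system protection file F:\Driver\desktop.ini Win32/VB.NEI worm cleaned by deleting (after the next restart) - quarantined BD3EFBA70B884F6\muf Event occurred during an attempt to access the file by the application: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe.
15/09/2010 18:55:02 Real-time file system protection file F:\Driver\SwitchFK.exe Win32/VB.NEI worm cleaned by deleting (after the next restart) - quarantined BD3EFBA70B884F6\muf Event occurred during an attempt to access the file by the application: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe.
"""

# Layout assumed from the quoted lines: drive-letter object path without spaces, "<name> <type>" detection, MACHINE\user column.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<module>.+?) file "
    r"(?P<obj>[A-Za-z]:\\\S+) (?P<threat>\S+) (?P<kind>\w+) "
    r"(?P<action>.+?) (?P<user>\S+\\\S+) (?P<info>.+)$"
)
APP_RE = re.compile(r"by the application: (?P<app>.+?)\.?$")

@dataclass
class ThreatRecord:
    timestamp: datetime
    module: str
    obj: str
    threat: str
    kind: str
    action: str
    user: str
    application: str  # empty when the context column names no application

def parse_threat_log(text: str) -> list[ThreatRecord]:
    """Parse one exported threat-log line per row; blank or unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        app = APP_RE.search(m["info"])
        records.append(ThreatRecord(
            datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),  # dd/mm/yyyy (UK locale) assumed
            m["module"], m["obj"], m["threat"], m["kind"], m["action"], m["user"],
            app["app"] if app else "",
        ))
    return records

def objects_by_detection(records: list[ThreatRecord]) -> dict[str, list[str]]:
    """Group affected paths under each detection name, e.g. for a false-positive report."""
    grouped: dict[str, list[str]] = {}
    for r in records:
        grouped.setdefault(r.threat, []).append(r.obj)
    return grouped
```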
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    that thing is known well since 2006

    http://www.eset.eu/buxus/generate_page.php?page_id=12690&lng=en

    strange that the other AV did not pick it up. hope that it is just a false positive. otherwise, if it is a real infection, you may want to monitor your outbound traffic to prevent it from sending emails, though NOD would probably pick that up already.

    how is it possible that the drive can still connect now to that machine without being alerted again, after NOD picked up those 2 files - did you turn off protection on the machine/drive/folder?

    although it is currently only USB 1.1 you can still access all your files on the encrypted drive partition? if so it might be useful to back them up until this gets sorted.

    it would not be the first time that USB drives released from manufacturers carry malicious files. from that thread it cannot be determined whether those files turned out later to be a false positive or not. they may as well be harmless. without having access to those files it is hard to know what they are performing.
    if I got it right from that Toshiba thread, something must autorun and create a virtual read-only CD drive holding the actual encryption software for the USB partition, hence there must be some drivers getting injected at kernel mode (similar to malicious stuff) and thus perhaps causing the NOD alert.

    perhaps Marcos will let you know how to further proceed, e.g. submitting the files to the Eset labs for testing.

    meantime and if feasible you may see what other AV engines currently think of those files by uploading to http://www.virustotal.com. you may however not post the link or the results here, there is a rule on the forums against it, but it can still give you a feel about the files.

    also you could try Hitman Pro as a second opinion - an on-demand cloud scanner featuring various AV engines - due to the cloud nature your machine needs to be connected to the internet during the scan
     
    Last edited: Oct 22, 2010
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I did an incremental backup of only 15gb with USB1.1 and it took 3.5 hours, where 200gb used to take 35 mins using USB2.0. I have 257gb on that drive, so to transfer everything would take 60 hours non-stop. Ouch! I have to disable NOD whenever I want to go into that drive. I do that not because I'm stupid but because I'm convinced it's not a real detection. If the rumour is true that the password partition is hardware, then it couldn't have got infected while connected to my pc, as it's not possible to infect a hardware partition, is it? I really just don't know. I've also read that someone having the same problem believes the detection is based on the way it's packed rather than the file itself. All very curious.
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    seems that the software for your drive stems from AcomData, and probably their USB 2 driver for XP is currently not loading anymore, hence USB 1.1

    just downloaded one of their driver kits, containing SwitchFK.exe, which came up clean in NOD - though of course this and yours can be different versions, or yours got infected with something, which however it should not have, being on a virtual ROM drive, unless it got off the factory with some nasty stuff on it.

     
    Last edited: Oct 22, 2010
  8. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    NOD may still prevent the AcomData USB 2 driver for XP from being injected - what do you actually disable in NOD? Reckon if you disable it entirely the AcomData USB 2 driver will load again, though it is not advisable to leave the machine/system unprotected before the sanity of the files has been tested by Eset. or put that virtual ROM drive in the NOD exclusion zone (provided it has the same drive letter assigned every time, then disconnect and reconnect), yet maybe only after Eset has established whether the files are malicious or not.

    on second thought - the AcomData USB 2 driver might have got wiped from your machine, not the ROM drive, by NOD during the reboot when trying to clean your machine. not sure whether this would show in the NOD log somewhere.

    perhaps you could also state the version of NOD you are using and copy/paste the information from NOD about
     
    Last edited: Oct 22, 2010
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    NOD version is 4.2.64.12

    I just disable Real-time file system protection by right-clicking the sys tray icon and selecting it. Maybe I should uninstall and try my HDD again? That may be a plan.
     
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    you are aware of the risk if it is not a FP... because it is strange that it gets flagged by NOD at your end but not on mine.
     
  11. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yes, I am aware of the risk. But I look at the logic behind it. This is said to be a hardware partition, so therefore in theory nothing should be able to infect it. So unless it came out of the Toshiba factory with it on it, then it surely has to be a false positive. My head won't take in that it came out of the Toshiba factory already infected. That just doesn't happen. So that leaves me at 100% certain it's a FP. Also, I re-enable NOD afterwards and run a full scan and there is nothing found. So there is no sign of propagation going on, which is highly unusual for a worm.
     
  12. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
  13. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ok, fair point. It's possible I suppose, but then wouldn't it be expected to transfer itself from the external drive to my internal one? It's not going to do much sat on there, and nothing from that drive has instigated a network connection. So far not seen anything to confirm any strange goings-on, but as my drive is obviously USB2.0 hosed I'm going to purchase a new one and transfer all the files over. Should be fun. 60 hours of fun to be precise.

    Thanks,
    Paul
     
  14. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I don't recall the detail, and TBH I've had too many glasses of shiraz to go back and check, but have you tried the HD in another computer?


    Jim
     
  15. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yep, my dad's laptop, which is USB2.0 compliant. It says the same message on his. Along the lines of "this device would run faster at USB2.0 etc...". Not sure what went wrong with it, but it's a massive coincidence that it all started after NOD identified those two files in the Toshiba's driver folder. Never had any problems with the drive running at USB2.0 before that. Personally, I think NOD screwed my drive but ESET are denying it. How can I prove it? Can't, so I move on and buy another drive and trust their 'opinion'.

    Paul
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    how can NOD impact an external virtual ROM drive the same way when connected to different machines? perhaps the drive somehow reached the end of its lifespan, like your internal drive did earlier
     