Malware on a flash drive

Discussion in 'malware problems & news' started by razorboy, Dec 27, 2010.

  1. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    200
    Location:
    North
    Well now, the Panda vaccine sounds pretty nifty, except for one little stipulation:
    Also keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    Thanks got the panda USB thing installed now. :D I have my computer vaccinated.
     
  3. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    200
    Location:
    North
    Question: If you use the Nick Brown hack:

    Code:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    how do you undo it if you want to?

    Thanks
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Code:
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I've had this problem constantly in my activity: most flash drives from third parties plugged into my computers are infected. An excellent method has already been mentioned in this thread, that is Sandboxie. The problem with Sandboxie is that it has to be properly configured, and one mistake could spell disaster.

    Over the years the easiest way to deal with infected flash drives has been light virtualization, and it is really very simple even for most laymen: Returnil (there is a free version), Shadow Defender (payware, but very reasonable), DeepFreeze (also payware), to name a few that I can recommend because I've used them.

    Once the system is virtualized you can plug anything you fancy into it, and no matter how infected the flash drive is, once you reboot your system will be exactly as you had it before the virtual session, the whole process lasting the time of a normal reboot. It couldn't be easier or more painless than this. Last but not least, if you wish to keep something from the flash drive then a couple of good scanners should be able to notify you of any known malware. Unknown malware is precisely unknown: the only way to avoid it is not to download/copy/execute anything from suspicious sources.
     
  6. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    200
    Location:
    North
    Thank you, but what I meant was: if you use that hack to disable autorun,
    how do you turn autorun back on? What is the process and syntax for enabling it again? Just delete that registry item? [I'm not up to hacking registry, except by cut and paste.]
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Guys, did you forget about No Auto Run? Install it, go to configuration and put in your check marks. It will lock up any malicious files every time you insert the USB drive, and you just delete them, and it's free. It can be enabled and disabled at any time. Whenever you make a change from enabled to disabled, reboot your computer for the change to take place.

    No hacks needed. Here is the link.



    @Razorboy

    There is a free version of Sandboxie you can use just to browse, and it will keep your computer clean. The person who mentioned that if SB is used with USB and CDs and is not configured properly it spells disaster is right; that's why I suggested No Auto Run, it's so simple to use.
     
    Last edited: Dec 30, 2010
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    The difference between disabling and enabling is the (-) minus sign in the re-enabling one, which means to delete the subsequent entries from the registry, or to delete the registry key.

    Under admin, to re-Enable Autorun:

    Cut/copy and paste the text below into Notepad and then save it as a registry file, e.g. as "re-Enable_autorun.reg"...

    Code:
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    
    Just double click the .reg file to re-enable autorun.

    To disable Autorun once again:

    Code:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    
    ... saved as Disable_Autorun.reg

    Just double click the above reg file to disable once again Autorun.

    To prevent messing up, the usual admonition to always do a full image backup which you have validated can be restored successfully is a wise thing to follow. In short, if editing the registry is not your cup of tea, follow the suggestions of others on the alternate ways to protect from malware coming from removable devices.
     
    Last edited: Jan 1, 2011
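    The same two operations that the Disable_Autorun.reg and re-Enable_autorun.reg files in posts 3, 4 and 9 perform, written as PowerShell with a status check first. This is an added example and not code from the thread; the function names are my own, and the check assumes the "@SYS:" prefix resolves under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, which is how IniFileMapping documents it. Run from an elevated prompt.

```powershell
# Added example (not from the thread): inspect, apply and undo the Autorun.inf
# IniFileMapping block from an elevated PowerShell prompt instead of .reg files.
$AutorunInfMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunInfBlockState {
    # Key absent means the re-enable .reg (the [-HKEY...] form) state: autorun.inf is parsed normally.
    if (-not (Test-Path -LiteralPath $AutorunInfMap)) {
        return [pscustomobject]@{ Blocked = $false; Mapping = $null; Target = $null }
    }
    $mapping = (Get-ItemProperty -LiteralPath $AutorunInfMap).'(default)'
    # The block only works while the redirect target really is absent:
    # '@SYS:<name>' points at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\<name>.
    $target = $null
    if ($mapping -match '^@SYS:(.+)$') {
        $target = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' + $Matches[1].Trim()
    }
    $blocked = ($null -ne $target) -and -not (Test-Path -LiteralPath $target)
    [pscustomobject]@{ Blocked = $blocked; Mapping = $mapping; Target = $target }
}

function Disable-AutorunInf {
    # Equivalent of Disable_Autorun.reg: create the key and set its (default) value.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess($AutorunInfMap, 'Create IniFileMapping block')) {
        New-Item -Path $AutorunInfMap -Force | Out-Null
        Set-ItemProperty -LiteralPath $AutorunInfMap -Name '(default)' -Value '@SYS:DoesNotExist'
    }
}

function Enable-AutorunInf {
    # Equivalent of re-Enable_autorun.reg: the leading '-' in [-HKEY...] deletes the whole key.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ((Test-Path -LiteralPath $AutorunInfMap) -and
        $PSCmdlet.ShouldProcess($AutorunInfMap, 'Delete IniFileMapping block')) {
        Remove-Item -LiteralPath $AutorunInfMap -Recurse
    }
}

# Show the current state; call Disable-AutorunInf or Enable-AutorunInf (both accept -WhatIf) to change it.
Get-AutorunInfBlockState | Format-List
```

    A reboot is not needed for the mapping itself, but any Explorer window already holding a cached autorun.inf will only reflect the change after the drive is reinserted.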
  10. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    200
    Location:
    North
    Well, I finally used the Panda solution, then scanned the whole palacity with NOD32 and Malwarebytes.............. and found NOTHING on the flash drives!! [The c: drives were scanned first, thoroughly, without the flash drives present.] So, the Kryptyk trojan [variant of] must have arrived by other than the flash drives, I suppose. It hit two computers, not networked but using the same broadband connection: one wired, one by router in another room. It is unlikely that we both surfed the same site and got it, and it seems to have got past NOD, Spywareblaster, and Spybot immunization. NOD identified it later, so I suppose it was in the wild, maybe a Christmas special. I sure would like to know just how it arrived.

    Anyway, thanks to all for the assistance, it is much appreciated.
     