Removing a USB Virus

Discussion in 'other anti-malware software' started by Cloud_Shadow, Sep 30, 2009.

Thread Status:
Not open for further replies.
  1. Cloud_Shadow

    Cloud_Shadow Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    46
    So guys, a couple of days ago I was infected with a USB virus. For some reasons I wasn't able to use an antivirus to remove the virus, and instead of doing that I did a format of the USB drive.

    What happened was that the main viruses were gone, but it left one thing called 9iyhdum8.exe which tries to invade C:\WINDOWS\explorer.exe (this is what Kaspersky says on my college's computer).

    The only thing is that Kaspersky itself doesn't detect this virus, and what it does is that whenever I open the USB by double-clicking it, the virus executes and the USB opens in a new window.

    The problem is that I need software that can get rid of this. I tried the Kaspersky removal tool and Dr.Web, but both don't actually detect anything.

    Any recommendations? o_O Any help would be great.
     
  2. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I sympathize with your problem, I know how annoying it is to have this worm/rootkit/whatever it is invade your USB stick and then your computers, and in fact any other computer you happen to connect to which doesn't have proper security measures in place to stop it.

    After following the steps below, I am rid of the USB reinfections for good.
    Every day my friends want some song, movie or other stuff from my laptop,
    and 90% of their USB drives are infected with some autorun virus,
    but my laptop never gets infected. :thumb:

    Step 1: I have disabled autorun on all my drives.
    http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx
    Step 2: Apply the free Panda USB Vaccine
    http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
    Step 3: Install USB Disk Security
    The great thing about this program is that it creates AUTORUN.INF folders in all your disk drives
    and removable drives that can't be deleted even if you do a Shift+Del.
    http://www.zbshareware.com/
    Step 4: DefenseWall HIPS :argh: :D
    'Automatically run applications from removable sources as untrusted' is checked by default in version 2.56.
    http://www.softsphere.com/online-help/defensewall/removabledevices.htm
     
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    If I were you, I'd download a-squared's HiJackFree. Find the process loading, check to delete the file and kill the process.

    [attachment: hijack free.jpg]

    I'd also check your 'autoruns', remove anything suspicious starting up on the college comp, and go one-by-one and check your services running. Anything which isn't labelled as 'Microsoft', or your 'audio driver', and so on, I'd google and investigate. You can stop the service and uninstall it if necessary.

    It's quick to just press the 'arrow down key'. Keep an eye on the company, copyright, and file name. Anything you don't recognise, be sure to search for what it is. If you're certain something is 'malicious', stop the service and uninstall (see side panel).
    [attachment: Services 1.jpg]
    [attachment: services 2.jpg]


    Screenshots on what the program can search for:
    http://www.hijackfree.com/en/hijackfree/

    Direct download link (free program from emsisoft)
    http://download2.emsisoft.com/a2HiJackFreeSetup.exe


    You could also try a file deletion tool, like Malwarebytes's FileASSASSIN to delete the file manually.
    http://www.malwarebytes.org/fileassassin.php
     
  4. Cloud_Shadow

    Cloud_Shadow Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    46
    Thanks Saraceno, HiJackFree solved the problem, really thank you.

    @Lebowsky
    Thanks for replying, I knew beforehand about Panda USB Vaccine and DefenseWall, but didn't ever try disabling autorun on all drives.
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    No problem, good to see you've got rid of the problem. :thumb:

    I use the program instead of Windows Task Manager to shut down any processes which are taking too long to close.

    As you would have seen, it is also able to 'kill and delete' any process making an outbound connection.

    And you can double-click on any process to bring up the Windows properties dialog box.

    A small amount of your own thinking is required but it's a great tool.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    As Lebowsky stated in step 1, this is the way to disable autorun globally; in fact it is how Panda does it in step 2, I believe.
     
  7. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I think so, but the paranoid in me doesn't want to leave room for doubt. :eek:
    @ Cloud_Shadow
    Great to see you get rid of it!
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    ESET has the option to disable USB ports. But the best way is to disable
    autostart overall (I have done so for years for USB, CD-ROM and other external drives).
    I am still no friend of any cleaning action, so a clean backup/image is the best
    way to get rid of it (including a slap for the USB-stick owner :D).
     
  9. CustomHVAC

    CustomHVAC Registered Member

    Joined:
    Mar 10, 2007
    Posts:
    57
    I use the freeware USB Vaccine to stop the autoruns
    (I think it was recommended here at Wilders, not sure.)
     
  10. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Just plugged in an old external USB drive and Avira Free denied access to a trojan. Could you please go over step by step how I can safely delete this trojan so I can reformat this disk? Thanks. I am just not familiar with the programs mentioned and what I need to do. Would I need to do something with Avira Free first and then use one of these programs? Thanks again. Glad to see this thread - very helpful.

    Gary
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,212
    Like Lebowsky, my computers are always under threat from USB flash drives (2 out of 3 are usually infected). Disabling autorun is the first thing to do, but the flash drive might have other infections, and having an updated top-notch AV is also helpful.

    I also would never plug in somebody else's flash drive without my system being sandboxed or virtualized. With ShadowUser first, DeepFreeze for x64 versions, and now Shadow Defender, I often let the malware run, as I often have to see the contents of the flash drive. Rebooting the system has always cleaned everything in 4 years of activity (I had Nod32 and now Avira; I'm not kidding, but they both detected at least 200 different types of malware from flash drives).

    I've also noticed that both Nod32 and Avira (virtualized for safety) most of the time could 'delete' the threat, or at least deny access; if they ever missed anything I wouldn't have known because of the virtual session, but I have never restored an image as a result of these threats.
     
    Last edited: Oct 3, 2009
  12. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Avira let me delete the file and then I deleted the infected partition. Hope that takes care of it for now. No more alerts from Avira on this disk for now. Shows again - a layered defense is necessary.

    Gary
     
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,212
    I have AE V3 on one computer (VISTA), AE V2 on another (XP Home) and Avira premium with XP PRO on the machine most exposed to threats, all virtualized with Shadow Defender and ShadowUser. You are right with AE nothing runs if it isn't whitelisted, although Rmus found some vulnerabilities within AE V3 and DLL based malware.
    I think that used in conjunction with Shadow Defender the system is extremely tight.
     
  14. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    I use Flash Disinfector and ComboFix
     
  15. plainjoe

    plainjoe Registered Member

    Joined:
    Nov 12, 2009
    Posts:
    2
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You could delete/recreate an autorun.inf in the root of each drive with the batch file below, which needs to be run from within where it will be created.

    http://forums.whirlpool.net.au/forum-replies.cfm?t=1312273&p=2
    Quote Half a Crank:
     
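The immunization that Lebowsky's steps 1 to 3 and Franklin's batch file describe, written out as one script (an added example, not code from the thread or from any of the tools it names). It assumes Windows PowerShell run as Administrator; the drive letter E: is a constructed sample, and the check for an existing autorun.inf file covers HAN's U3 caveat below.

```powershell
# Added example (not from the thread or any of the tools it names): the immunization
# Lebowsky's steps 1-3 and Franklin's batch file describe, as one script.
# Assumes Windows PowerShell run as Administrator; E: is a constructed sample drive letter.
param(
    [string]$DriveLetter = 'E',   # pass the real removable drive letter
    [switch]$Force                # replace an existing autorun.inf file (e.g. a U3 launcher)
)

# Step 1: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Steps 2/3: a directory called AUTORUN.INF at the root stops a worm from dropping
# its own autorun.inf file there. A sub-entry with a reserved device name ("con")
# can only be created or removed through a \\?\ path, so Explorer (Shift+Del
# included) cannot delete the directory.
$target = "${DriveLetter}:\autorun.inf"

if (Test-Path -LiteralPath $target) {
    $item = Get-Item -LiteralPath $target -Force
    if ($item.PSIsContainer) {
        Write-Host "$target is already a directory; nothing to do."
        return
    }
    # An existing file is either the worm's loader or a legitimate launcher (HAN's
    # U3 caveat): show the lines that decide what it runs before touching it.
    Write-Host "Existing autorun.inf file; launch directives:"
    Get-Content -LiteralPath $target |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
    if (-not $Force) { throw "Refusing to replace $target without -Force" }
    Remove-Item -LiteralPath $target -Force
}

New-Item -ItemType Directory -Path $target | Out-Null
cmd /c md "\\?\$target\con"              # reserved name needs the \\?\ prefix
attrib +r +h +s $target                  # read-only, hidden, system, as the tools do
Write-Host "Immunized ${DriveLetter}:\"
```

On Windows 7 and later (and on XP/Vista once Microsoft's 2011 AutoRun update is installed) autorun.inf on USB drives is no longer honoured, so the directory's remaining job is to keep a worm from planting its file. To undo it, run `rd /s /q \\?\E:\autorun.inf` from an elevated command prompt.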
  17. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    IMO, the Panda USB Vaccine is the best overall approach for most users. It's simple and it works. Just install, immunize the PC and all USB drives that one comes in contact with. (Personally, even though it gives you the option, I don't let the Panda tool run all the time to auto-immunize non-immunized USB drives. But I understand the risks and am willing to live with them.)

    The only downside is with drives that need/use an autorun.inf for a reason (like U3 drives). Replacing these autorun.inf files with a locked one will give undesirable results.
     