I got infected last night via a USB drive. I inserted it, copied a .doc and a .xls to my computer and removed it. I didn't open the files. I have Autorun disabled. Next thing I know, my laptop is slow, as in SLOW. So I downloaded CureIt and it found the following:

c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\nlblkhq.com
d:\nlblkhq.com
z:\nlblkhq.com

All identified as Win32.besso by CureIt. BTW, my friend, who owned the USB drive, was also infected, but the file was named help.exe, also Win32.besso. After deleting the files, I wasn't able to open any of the disks anymore; when double-clicking or when trying to explore, it launched the list for choosing a program to open. So, time to go back in time with System Restore, and it was solved. One last check with CureIt, one check with AVP tool and one check with SAS. All clean. Time for me to go to sleep.

But my question is: how could this happen if I didn't execute anything and Autorun is disabled? Maybe there was another culprit I'm not aware of or can't remember? I blame the USB drive because both my friend and I were infected, I didn't install or download anything yesterday and I do all my browsing sandboxed. Would an app like AntiExecutable have helped in this case? Is it possible to open USB drives sandboxed? Are there any problems if I do so?

PS: NOD32 has let me down a bit too often lately... maybe time to move on...
Do you have your hidden files and folders displayed? Choose to show them if not. Regarding this trojan, you could have stopped it from doing its thing by:
1. Using a HIPS that monitors the processes in your system.
2. Running in a restricted account and thereby having write/change permissions disabled for root, Windows, Program Files and HKLM.
It was presumably loaded into the explorer.exe process.
/C.
Yeah, probably a HIPS is the best way, but I don't feel I'm ready to safely use a HIPS. I know that eventually I'm going to click the wrong option and/or I'm going to get bored of the pop-ups... Almost 6 months now and I still can't decide on trying a HIPS.
See here for a possible explanation:
Code:
[autorun]
open=kwjkpww.exe
shell\open=Open
shell\open\Command=kwjkpww.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=kwjkpww.exe

Using TweakUI the right way

Sure. Or a HIPS. Or a behaviour blocker. Or LUA + SRP. I don't know about Sandboxie, but in GeSWall you can make custom rules to treat removable drives as always untrusted.
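The autorun.inf quoted above is the whole mechanism: the open= line runs the payload when AutoRun fires, and the shell\open\Command and shell\explore\Command lines rewire Explorer's own double-click and Explore verbs so the payload also runs when the user opens the drive by hand, AutoRun disabled or not. Once the executable is deleted, those verbs point at a file that no longer exists, which is exactly the "choose a program" prompt described in the first post. As an added example (my own code, not from this thread or from any of the tools it names), here is a small Python checker that parses an autorun.inf and flags those entries; the sample files are constructed here, the malicious one copied from the quoted post, and the check_drive_root helper and its drive path are assumptions for illustration.

```python
"""Parse an autorun.inf and flag entries that launch a program or rewire
Explorer's verbs. Added example; the detection rules are mine, not from the
thread or from any AV/HIPS product it mentions."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Keys that make AutoRun/AutoPlay launch a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}


@dataclass
class AutorunReport:
    entries: Dict[str, str] = field(default_factory=dict)      # key -> value
    launches: List[Tuple[str, str]] = field(default_factory=list)       # (key, program)
    hijacked_verbs: List[Tuple[str, str]] = field(default_factory=list)  # (verb, program)
    default_verb: Optional[str] = None   # verb run on double-click, if one is set

    @property
    def suspicious(self) -> bool:
        return bool(self.launches or self.hijacked_verbs)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    The format is INI-like, but keys may contain backslashes
    (shell\\open\\command), so a hand-rolled parser is used instead of
    configparser. Sections other than [autorun] are ignored.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def analyse_autorun(text: str) -> AutorunReport:
    """Classify the [autorun] entries into launch keys and verb hijacks."""
    report = AutorunReport(entries=parse_autorun(text))
    for key, value in report.entries.items():
        if key in LAUNCH_KEYS:
            report.launches.append((key, value))
        parts = key.split("\\")
        # shell\<verb>\command=<program>: the program Explorer runs for that verb.
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            report.hijacked_verbs.append((parts[1], value))
        # shell\<verb>\default=1, as in the quoted sample, marks the double-click verb.
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "default" and value == "1":
            report.default_verb = parts[1]
        # shell=<verb> is the documented way of choosing the default verb.
        if key == "shell":
            report.default_verb = value.lower()
    return report


def check_drive_root(root: str) -> Optional[AutorunReport]:
    """Analyse <root>\\autorun.inf if present; None when the drive has none.
    Hypothetical helper for running the check against a mounted drive."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyse_autorun(fh.read())


# Constructed samples: the first is the autorun.inf quoted in the post above,
# the second is what a benign drive label/icon file looks like.
MALICIOUS_SAMPLE = """[autorun]
open=kwjkpww.exe
shell\\open=Open
shell\\open\\Command=kwjkpww.exe
shell\\open\\Default=1
shell\\explore=Explore
shell\\explore\\Command=kwjkpww.exe
"""
BENIGN_SAMPLE = """[autorun]
icon=drive.ico
label=Backup drive
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = analyse_autorun(sample)
        print(f"{name}: suspicious={r.suspicious} launches={r.launches} "
              f"hijacked_verbs={r.hijacked_verbs} default_verb={r.default_verb}")
```

On a real machine you would call check_drive_root("E:\\") (an assumed drive letter) against the removable drive before opening it in Explorer; any launch key or shell\*\command entry pointing at an executable on the drive is reason to treat the stick as hostile, and a report with hijacked verbs but a missing target file is the signature of the broken double-click the first post describes. The label/icon keys are the only ones a legitimate drive normally needs.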
Thanks lucas... that was an interesting read... After this, I'm trying ThreatFire... let's see how it goes....
Anti-Executable may have helped. I've noticed that if I insert a flash drive containing exe files and go to view the contents, I get pop-ups from AE telling me those exes have been blocked.