Thumbdrive got virus/trojan on it: want to make sure I’m ok

    • #488155

    Hi folks,

    I took my thumb drive to the local UPS store for them to print out something for me, and they were nice enough to put a virus/trojan from their computer on it! Ugh. I came home, put the thumb drive in my computer and did a routine scan on it with Microsoft Security Essentials (as I always do after using it at a place like that). And this is what I got back from the scan:

    TrojanSpy:MSIL/Hakey.A

    Category: Trojan Monitoring Software

    Description: This program is dangerous and records user activity.

    Recommended action: Remove this software immediately.

    Items:
    file:G:\E Video and other stuff.exe
    file:G:\Trader Joe’s.exe
    file:G:\Uke Club.exe
    file:G:\VF.exe

    These are names of folders on the thumbdrive, and it looks like .exe files were created with the same names. Is that how this sort of thing works? I never actually opened the thumbdrive to see these files on it, just saw that they were detected by MSSE. I chose to remove the files and it did so from the thumbdrive. I updated MS Security Essentials and Malwarebytes Anti-Malware (free) to the newest definitions and scanned the thumbdrive again and it showed clean. I searched for one of the files on my hard drive and nothing came up, but I’m running full scans with MS Security Essentials, Malwarebytes Anti-Malware (free), and the old Spybot right now to be sure.

    If those all come up clean, do I have anything to worry about?

    Would I have had to run one of those .exe files that were created in order for the trojan monitoring software to take effect?

    Could something bad have “jumped” to my laptop from the thumbdrive without my opening the thumbdrive?

    I have autoplay/autorun turned off on my laptop, as far as I know (running Windows 7 Home Premium 64-bit). (Note: I do not have this month’s Windows Updates applied as of yet, per Woody’s alert notice.)

    Any help is appreciated — thanks!

    • #1378511

      If they were detected by MSE I think it’s pretty safe to conclude they were not executed, or MSE would have detected the execution as well.
      With thumb drives, just as with optical disks, the problem may be your autorun settings. It is possible, via autorun, that malware set to execute will be executed.

      In your situation, as I said, it’s safe to conclude the malware was not executed. I would take a look to see if there are more files that were not there before the visit to the UPS store, just to make sure there is nothing that could have escaped MSE’s and Malwarebytes detection.
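The pattern the original poster describes (an .exe carrying each folder's name, typically with a folder icon so that a double-click launches the payload instead of opening the folder) is easy to check for mechanically, and it is also the kind of "file that was not there before" the reply above suggests hunting for. The script below is an added example, not from the thread or from any of the products mentioned in it: it lists the root of a drive, flags executables whose base name matches a folder on the same drive, and reports an autorun.inf if one is present. The directory tree built in `demo()` is constructed here to mirror the names in the first post; it is not the poster's drive, and the check complements rather than replaces an antivirus scan.

```python
"""Spot executables that masquerade as folders on a removable drive (added example)."""
import tempfile
from pathlib import Path

# Extensions Windows runs on double-click. .lnk is included because later USB
# worms used shortcuts instead of .exe files for the same folder-lookalike trick.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def scan_drive_root(root):
    """Return a sorted list of (name, reason) findings for the top level of a drive.

    FAT volumes are case-insensitive, so names are compared lower-cased. Only
    the root is scanned because that is where autorun.inf and the lookalike
    files from the thread live; recurse yourself if you want subfolders too.
    """
    root = Path(root)
    folders = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    findings = []
    for entry in root.iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            findings.append((entry.name, "autorun.inf file present: read it before trusting the drive"))
            continue
        if entry.suffix.lower() in EXEC_SUFFIXES and entry.stem.lower() in folders:
            findings.append((entry.name, f"executable named after the folder '{entry.stem}'"))
    if (root / "autorun.inf").is_dir():
        # A *directory* by this name is the vaccination trick discussed later in the thread.
        findings.append(("autorun.inf", "autorun.inf is a directory (drive looks vaccinated)"))
    return sorted(findings)


def demo():
    """Build a constructed tree mirroring the first post's listing and scan it."""
    tmp = Path(tempfile.mkdtemp(prefix="usb-demo-"))
    for folder in ("E Video and other stuff", "Trader Joe's", "Uke Club", "VF", "Photos"):
        (tmp / folder).mkdir()
    for fake in ("E Video and other stuff.exe", "Trader Joe's.exe", "Uke Club.exe", "VF.exe"):
        (tmp / fake).write_bytes(b"MZ")        # constructed marker bytes, not a real PE
    (tmp / "shopping list.txt").write_text("milk, eggs")
    (tmp / "setup.exe").write_bytes(b"MZ")     # an .exe with no matching folder: not flagged
    return scan_drive_root(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Run it against a real drive with `scan_drive_root("G:\\")` on Windows or the mount point on Linux/macOS; on a drive that really has both `VF` and `VF.exe`, open the folder through the folder entry only and do not double-click the executable.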

    • #1378513

      Have MSE remove the Trojan, then run MBAM to confirm you are free of it.

    • #1378516

      If you have copies of what’s on the thumb drive, you might want to reformat it before you use it again.

      Jerry

      • #1378521

        Thanks, everyone. Done and done! Everything looks good, from the various scans.

        How can I check my autorun/autoplay settings? What do I set to make sure a thumbdrive isn’t run automatically? (I’m pretty sure I have it set now not to, but want to double-check.)

        Also, how necessary is it to reformat the thumbdrive at this point?

        Thanks again!

    • #1378523

      A very detailed explanation on various methods and downloaded registry files that can be used can be found here:

      http://www.sevenforums.com/tutorials/216706-autoplay-enable-disable.html

      No, I don’t think you need to reformat the drive, per the reasons stated before, but you can always do it for extra assurance, if you feel so inclined.
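To double-check the autorun setting without clicking through dialogs: Windows stores it as the registry value NoDriveTypeAutoRun under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` in HKLM (machine-wide) and optionally HKCU (per user), a bitmask of drive types for which AutoRun is suppressed; 0xFF is the "disable everywhere" value the linked tutorial's registry files set, and 0x91 is what Vista and Windows 7 use when no policy value exists. The script below is an added example, not from the thread or the linked tutorial. It decodes the bitmask anywhere and reads both hives when run on Windows. The bit assignments and the 0x91 default are Microsoft's documented values, and the rule that the HKLM value wins when both are set follows Microsoft's KB 967715. One caveat for the poster's laptop: Windows 7 (and Vista/XP after update KB 971029) no longer honours autorun.inf on non-optical removable media at all, so a thumb drive's autorun.inf would not have run anything on Windows 7 even with the default value; the policy still matters for CDs/DVDs and for older machines.

```python
"""Decode and (on Windows) read the NoDriveTypeAutoRun policy (added example)."""
import sys

# Drive-type bits of NoDriveTypeAutoRun; a set bit means AutoRun is suppressed
# for that class of drive.
DRIVE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,     # USB thumb drives, floppies
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "unrecognised": 0x80,
}
ALL_DRIVES = 0xFF       # the value the usual "disable AutoRun" tutorials set
VISTA_DEFAULT = 0x91    # unknown + network + unrecognised: Vista/7 behaviour with no policy set

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def decode(value):
    """Map each drive class to True when AutoRun is blocked for it."""
    return {name: bool(value & bit) for name, bit in DRIVE_BITS.items()}


def effective_value(machine, user):
    """Pick the value Windows applies: HKLM first, then HKCU, else the built-in default."""
    if machine is not None:
        return machine
    if user is not None:
        return user
    return VISTA_DEFAULT


def removable_autorun_blocked(machine, user):
    """True when AutoRun is suppressed for removable drives under the effective policy."""
    return decode(effective_value(machine, user))["removable"]


def read_policy():
    """Return (HKLM value, HKCU value); each is None when absent. Windows only."""
    import winreg  # only available on Windows

    def read(hive):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except FileNotFoundError:      # key or value not present in this hive
            return None

    return read(winreg.HKEY_LOCAL_MACHINE), read(winreg.HKEY_CURRENT_USER)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the registry read needs Windows; decode() and effective_value() work anywhere")
    machine, user = read_policy()
    value = effective_value(machine, user)
    print(f"HKLM={machine!r} HKCU={user!r} effective=0x{value:02X}")
    for name, blocked in decode(value).items():
        print(f"  {name:<12} {'blocked' if blocked else 'ALLOWED'}")
```

If the effective value prints as 0x91, AutoRun is still allowed for CD/DVD drives; setting the HKLM value to 0xFF (REG_DWORD) is the equivalent of the tutorial's "disable" registry file.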

    • #1378538

      I agree with Rui about reformatting. I only suggested it if you have other copies of the data and wanted an extra level of assurance. It’s purely optional. I’ve successfully cleaned several hard drives of heavy virus infections (hits in the hundreds with Malwarebytes and having to resort to other methods of cleanup) without reformatting and have never had a callback.

      Jerry

    • #1378570

      Just a suggestion, but you might want to let UPS know what happened so they can attempt to prevent this on someone else’s PC that is not so vigilant.

      • #1378968

        I actually immediately called UPS and let them know. 🙂

        Thanks again, everyone!

        • #1379349

          There is a program that provides a means of securing USB drives, and is designed to prevent infections transmitted via removable drives. It is called MCShield.
          This program has no association with McAfee.

          Download site for MCShield:
          http://amf.mycity.rs/mcshield/downloads.html
          Save to the Desktop.

          Double-click the MCShield-Setup to install the program.
          Follow the prompts.

          Once at the program console, click Run for MCShield to finish its initial scan.

          Under the General and Scanner tabs, use the defaults items already checked.

          Click: OK

          Plug in your USB storage device to the computer (only one at a time).
          Scanning is done automatically. (Uses a heuristic engine to detect and neutralize threats in real-time.)

          When all done, a report is created.

          The report can be found when you go to: Start > All Programs > MCShield > Logs

          If any malware is found, please post the MCShield report in your reply.

          • #1380367

            Another useful product would be Panda’s USB Vaccine, available at:
            http://research.pandasecurity.com/Panda-USB-and-AutoRun-Vaccine/

            From their site:

            The free Panda USB Vaccine can be used on individual USB drives to disable its AUTORUN.INF file in order to prevent malware infections from spreading automatically. When applied on a USB drive, the vaccine permanently blocks an innocuous AUTORUN.INF file, preventing it from being read, created, deleted or modified. Once applied it effectively disables Windows from automatically executing any malicious file that might be stored in that particular USB drive.

            • #1380632

              Had the same problem. I renamed the .exe back to folder, then opened the folder and copied my files.
              Good luck.

    • #1380676

      I use a free program called Protect My Disk, available at http://secusimple.com/protectmydisk.html. It creates a hidden directory named Autorun.inf on a USB drive, which prevents any malicious software on another computer from putting its own autorun.inf file on it. It seems to be similar to Panda USB Vaccine. Works quite well, so far as I can tell.
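The trick behind Protect My Disk and Panda USB Vaccine is that FAT cannot hold a file and a directory with the same name, so a directory called autorun.inf stops malware from dropping an autorun.inf file in the usual way. The script below is an added example of that technique, not the code of either product: it creates the directory, first renaming any existing autorun.inf file to a backup (in the spirit of the Restore option quoted from the Protect My Disk FAQ later in the thread) rather than deleting it, and on Windows marks the directory hidden and system through the real kernel32 SetFileAttributesW call so it stays out of a default Explorer view. The sample autorun.inf content in `demo()` is constructed. Two caveats a practitioner should know: a plain directory can be removed by malware that already has write access (Panda's version uses a name Windows cannot easily delete, which is why the site says it is reversible only by formatting), and Windows 7 does not honour autorun.inf on USB media anyway, so this protects the older machines the stick visits more than the poster's own laptop.

```python
"""Block autorun.inf creation on a removable drive by pre-creating a directory of that name."""
import ctypes
import sys
import tempfile
from pathlib import Path

# Attribute flags for SetFileAttributesW (from winnt.h).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def _find_autorun(root):
    """Return the existing autorun.inf entry regardless of letter case, or None.

    FAT is case-insensitive, but the same stick may be inspected on a
    case-sensitive Linux mount, so the name is matched explicitly.
    """
    for entry in root.iterdir():
        if entry.name.lower() == "autorun.inf":
            return entry
    return None


def vaccinate(drive_root):
    """Create a directory named autorun.inf at the drive root.

    Returns 'already-vaccinated', 'backed-up-and-vaccinated' or 'vaccinated'.
    An existing autorun.inf *file* is renamed to autorun.inf.bak (numbered if
    that exists) so the owner can inspect or restore it; nothing is deleted.
    """
    root = Path(drive_root)
    existing = _find_autorun(root)
    status = "vaccinated"
    if existing is not None:
        if existing.is_dir():
            return "already-vaccinated"
        backup = root / "autorun.inf.bak"
        n = 1
        while backup.exists():
            n += 1
            backup = root / f"autorun.inf.bak{n}"
        existing.rename(backup)
        status = "backed-up-and-vaccinated"
    target = root / "autorun.inf"
    target.mkdir()
    if sys.platform == "win32":
        # Hidden + system keeps the folder out of a default Explorer listing.
        # Malware with write access can still rmdir it: this is a speed bump,
        # not hardware write protection.
        attrs = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if not ctypes.windll.kernel32.SetFileAttributesW(str(target), attrs):
            raise ctypes.WinError()
    return status


def is_vaccinated(drive_root):
    """True when autorun.inf exists at the root and is a directory."""
    existing = _find_autorun(Path(drive_root))
    return existing is not None and existing.is_dir()


def demo():
    """Exercise the three cases on scratch directories (no real drive needed)."""
    clean = Path(tempfile.mkdtemp(prefix="usb-clean-"))
    infected = Path(tempfile.mkdtemp(prefix="usb-infected-"))
    # Constructed sample of the kind of autorun.inf a USB worm drops.
    (infected / "AUTORUN.INF").write_text("[autorun]\r\nopen=VF.exe\r\n")
    return {
        "first-pass": vaccinate(clean),
        "second-pass": vaccinate(clean),
        "with-existing-file": vaccinate(infected),
        "backup-kept": (infected / "autorun.inf.bak").read_text().startswith("[autorun]"),
        "both-protected": is_vaccinated(clean) and is_vaccinated(infected),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

To apply it to a real stick, call `vaccinate("G:\\")` (or the mount point) and then verify with `is_vaccinated`; removing the directory by hand reverses it, which is the practical difference from the Panda tool's format-only reversal.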

    • #1380704

      If you can find a thumb drive with a hardware write-protection switch, it should be immune to such shenanigans.

      SD Cards, while they have a write-protect switch, are actually no good for this purpose because it’s not actually hardware write protection – at best the card reader sends a signal to the operating system that the drive should be treated as read-only. The write-protect switch on the cards is read by a sensor that’s part of the card reader, and the card reader then passes along to the operating system whether the card is read-only. (From http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/)

      That same URL also discusses issues with software-based and OS-based write-protection.
      HTH.

    • #1380751

      Good post cosmlou;

      I would also suggest a scan by Super-Anti-Spyware in normal mode; it can catch things MBAM leaves behind. The other good thing about it, is you don’t usually have to boot to safe-mode to make sure everything that is possible to detect is removed. I make a pretty good living cleaning up trashed machines that relied on MSE – I can’t see what people like about it, other than maybe it is light on resources. It is hardly a thorough solution.

      • #1382278

        Source of your acclaim for the program?

        I found this:
        SUPERAntiSpyware received a “POOR” rating from PC Magazine, which complained that it had no real-time protection and the lowest detection rate and lowest score in a malware removal test.


        • #1383045


          I would agree that the real-time protection is probably not needed as it doesn’t really help on restricted-rights accounts, although it might be fine for administrator accounts. However – I must vehemently disagree on SAS’s ability to scan and destroy malware. I have cleaned up innumerable PCs that had vexing infections, and I consider it a TOP tool for my malware-fighting tool kit. I’ve just seen too many times where SAS found malware where the others missed it, or just couldn’t detect it. It says volumes for it that it doesn’t need safe mode to do a rocking good job cleaning things up. It also does a very good job cleaning up registry trash left over from fights between malware and other removal tools. So – I’m sorry PC Magazine doesn’t particularly like it, but I can’t do without it, and I’m out here in the combat zone!

          I only use tools and utilities that pass MY tests in the honey pot lab, and SAS is golden in my not so humble opinion!! I do not work for anyone, and in fact do not sell software either; so I have no ax to grind, except the one that hates criminal efforts in the INFOSEC world. I will do anything to foil their dastardly designs. 😎

    • #1380757

      I have one that goes to various sites for use there.

      You could try using it in write-only mode from your PC.
      If really concerned, then run a virus remover at another PC, like the library or the uni,
      then reformat it when you come home
      and start over again.

    • #1381210

      Thanks to all for an interesting and helpful discussion. I checked on both the Panda and ProtectMyDisk sites and found this on the Panda site:

      Panda USB Vaccine currently only works on FAT & FAT32 USB drives. Also keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.

      That last sentence about not being reversible except with a format put me off a bit. Here’s what I found on the ProtectMyDisk site under FAQ:

      What happens with my existing autorun.inf file?
      Before applying protection, your autorun.inf file is backed-up on your drive. If you want to restore, click Restore. If the autorun file was infected, you need to restore it manually.

      Perhaps I’ve misunderstood something here, but clicking Restore seems easier to me than reformatting the drive, so although both programs are probably very helpful and do the job, I’m going to give ProtectMyDisk a try first.

      Hope this helps.

      Cheers,
      Al

      • #1381832

        … if you have a Mac or Linux machine handy, you can safely pop in a PC (FAT) formatted USB stick, see everything that’s on it, and delete what doesn’t belong, because any .exe files on the stick won’t run.

        The local Kinko’s consistently left malware on my USB sticks, and although I told them about it repeatedly, either they didn’t care or they were clueless. 😡 Taking a precautionary peek with my old MacBook became my routine whenever I came back from using their print services.

    • #1383037

      The 2 USB drives I use in clients’ systems are both formatted NTFS (to accommodate large files). I set permissions so that only my user account has Modify and Write privileges. The Administrators group and Everyone are limited to Read, List, Execute. On 1 I also use TrueCrypt.
