Strange Virus Issue


I have been having some really strange issues lately. I fix malware issues on people's computers using various programs contained on a flash drive such as Combofix, Malwarebytes, and AVG Free. Recently when I plugged my flash drive into a computer with AVG Free installed, it told me that there was a virus on the flash drive in the "system.exe" file on the root of the drive.

I went ahead and deleted the file, and later AVG came up and told me that a file called "autorun.inf" was infected. I also removed this file, but the next time that I plugged the flash drive into a computer and tried to click on it in My Computer, I got an error saying that it was inaccessible. I figured out that I could remedy this issue by going to "run" and entering the path of the drive, but I would rather be able to click on the drive inside of My Computer.

Anyways, that is not the real issue. Commonly I reformat and reinstall Windows on computers in order to fix malware problems. I have reformatted three computers since I started having the flash drive issue, one using a university copy of XP, one using an OEM Dell copy of XP, and one using the built-in recovery partition (Gateway). After I reformat computers, I always install SP3 from a flash drive to speed the update process. The installation of SP3 went fine, but when I installed AVG, it came up and told me that there was a virus in "svchost.exe" located in C:\program files\microsoft common. I did a little research and it looks like viruses can indeed be located in svchost.exe in this location, but I know that svchost.exe is an important system file. I went ahead and deleted it anyways, and the next time I restarted the computer, the desktop picture came up but there were no icons.

The only way that I could get the desktop was manually browsing to system restore from the run menu that I got when I hit "ctrl+alt+del," but that of course restored the svchost.exe file. This time I added it to AVG's exception list, and the computer seemed to be working fine, except for a 15-30 second delay before the icons came up on the desktop (I assume AVG is finding the svchost.exe file during this time and processing the exception).

I am stumped as to whether there is a virus on my flash drive automatically replicating itself on the computers that I insert it into or not. It seems like if that was the case, removing it would not cause the flash drive to stop working properly. Also, I have never seen viruses like this before; does such a thing really exist? The last thing that I want to do is infect every computer that touches my flash drive, as I use it heavily in many computers.

What I am kind of thinking is that because I put my flash drive in so many infected computers that it obtained some kind of infection, but besides the AVG warnings, the computers that I have inserted it in do not seem to be acting strangely.

I am happy to run virus scans and remove the viruses, but I obviously can't make the computer so that the desktop does not come up.

Any suggestions would be greatly appreciated! Thank you!



I would suggest downloading a spyware (malware) detector in addition to your Anti-virus.

svchost.exe should never be located in that directory.

If it's the flash drive, you might have to bite the bullet and reformat it.

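A check for the point made in the reply above (a file named svchost.exe outside its normal system directory is not the system binary), added here as an example; it is not code posted by anyone in this thread. It assumes a default XP install root of C:\WINDOWS, and the process listing it triages is constructed sample data modelled on the poster's description, not real output from the affected machines.

```python
r"""Flag a file named svchost.exe that lives outside its legitimate location.

Added example for this thread, not code posted by anyone in it.  On a
default Windows XP install the real svchost.exe is
%SystemRoot%\System32\svchost.exe, with protected copies kept in
System32\dllcache and (after a service pack) ServicePackFiles\i386.
Anything else using the name, such as the C:\Program Files\Microsoft
Common\svchost.exe the poster's AVG flagged, is not the system binary.
SAMPLE_PROCESSES below is constructed data, not a real process list.
"""
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP install root

# Directories where a file named svchost.exe is legitimately stored on XP.
LEGIT_SVCHOST_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "system32")),
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "system32", "dllcache")),
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "ServicePackFiles", "i386")),
}


def is_suspicious_svchost(image_path: str) -> bool:
    """True if the image is called svchost.exe but is not in a legitimate directory.

    The path is normalised first so that case differences, forward slashes
    and '..' components cannot be used to slip past the comparison.
    """
    directory, name = ntpath.split(ntpath.normpath(image_path))
    if ntpath.normcase(name) != "svchost.exe":
        return False
    return ntpath.normcase(directory) not in LEGIT_SVCHOST_DIRS


def triage(process_list):
    """Return the (pid, image path) entries whose svchost.exe is out of place."""
    return [(pid, path) for pid, path in process_list if is_suspicious_svchost(path)]


# Constructed sample listing: only pid 1204 should be reported.
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),
    (920, r"C:\WINDOWS\System32\SVCHOST.EXE"),
    (1204, r"C:\Program Files\Microsoft Common\svchost.exe"),
    (1532, r"C:\WINDOWS\system32\lsass.exe"),
    (1600, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for pid, path in triage(SAMPLE_PROCESSES):
        print(f"svchost.exe outside its normal location: pid {pid} -> {path}")
```

The comparison is on the normalised directory rather than on the raw string, so `C:\WINDOWS\system32\..\svchost.exe` is flagged while `C:/WINDOWS/System32/SVCHOST.EXE` is not; a real process listing from the machine can be fed to `triage()` in place of the constructed one.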

Sounds good, I'll do that. What confuses me is that if it's not supposed to be there, then why do the icons not come up on the desktop after it is removed from that directory?


Can you do a system restore to a point before you got this virus warning?

That will remove those files.

If they come back after that, then the USB flash drive has the virus on it.

Edited by reghakr

What is strange is that I have not gotten this warning on my own computer, also running AVG Free 8.5. I have used one of the flash drives in my computer (I use two flash drives, one stays at home, one is on my keys) that came up with the virus warning on another computer (that computer running McAfee), but I guess that I have not run anything from the flash drive on my computer, just had it in to add files to it. I am a little reluctant to run one of the files on my flash drive on my computer because I do not want to infect it if it's not already infected.

Besides my personal computer, the other computers are back with their owners, but I could get them back to remove the virus if I need to. What I am trying to figure out is if it is really a virus, and how it replicates. Would it be possible for a virus to get installed on a computer from a flash drive just by inserting it in a computer, or does a program from it have to be run? The only programs that I ran from it on the other computers were Windows XP Service Pack 3 Network Install, AVG Free 8.5, Firefox, and Flash.

It seems like if the virus had attached itself to any of these files that I'd get a warning saying that it was in these files, not in autorun.inf or system.exe, but yeah, doing a system restore would help determine if the virus is on the flash drive or not.

I'm really confused, thanks for the help!


Autorun.inf is a common file, system.exe is the one that bothers me.

Try a spyware remover that has the option to right-click on a directory or drive?

You could put the flash drive in, then use Windows Explorer, locate the correct letter, right-click and choose Scan with....

I use PCTools Spyware Doctor w/ Antivirus and it has this option.


You must access USB drives ONLY after doing the following steps.

1) Install XP after a clean format.

2) Install SP3.

3) Install all post-SP3 hotfixes.

4) Install antivirus and update it to the present day; configure how it handles real-time scanning, and configure the built-in firewall.

If you access USB drives before the above steps, chances are your system will definitely get infected with a virus.

To make things easier, for steps 1, 2 and 3, create an unattended distribution of XP and install from it. Then install antivirus.

There is no compromise in these steps because any USB drive can have any number of viruses of any kind.


"Would it be possible for a virus to get installed on a computer from a flash drive just by inserting it in a computer, or does a program from it have to be run?"

On most XP computers, your flash drive can be infected even if you just open it and do nothing. I faced such problems wherein I opened the flash drive just to check if certain files were there and it got infected. So, the same may have happened in your case too.

I agree with the person who asks you to run the system restore and see if you get the icons back. Other than this, you can download something like Spybot, recommended by MS, and see if the flash drive is infected. I guess Spybot will clear any malware on the flash drive, eliminating the need for formatting it. Just check it out, as there is no harm in it. Otherwise, as suggested above, you will have to go for the format.

All the best!

--

Regards,

DreamSkape

Signed: Friday, May 15, 2009, 1:42:53 PM IST


Thanks for all of the help. I have scanned my personal computer and found a lot more malware than I thought I had, and am working on figuring out a non-destructive way to fix the other computers with this virus that still allows the icons to come up on the desktop.

Any insight into why deleting the svchost.exe that is in the wrong location would cause the computer to stop functioning properly would be much appreciated, though.

Perhaps when I get my hands on one of the computers that was having this issue, I'll see if the svchost was deleted from its original location and moved? That's all I can think of, thanks!


Thank you very much for all of your help. I figured out that if I run Combofix from a flash drive it fixes the problem. Even though the desktop won't come up, if you hit control+alt+delete, open a command prompt window, and then browse to Combofix on the flash drive, it will open and remove the virus without crippling Windows. I really love Combofix, it's saved my butt multiple times.

Here's an article on using it properly with download links:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


I once had this problem, then I reformatted my computer, installed Avast 4 Free Edition and scanned my flash drive and external HDDs for viruses, then I copied data.

Now my PC is safe, at least for now, as I always scan all the flash drives.


OK, first thing: your infection is called Autorun, detected by most major AV. It does not inject itself into any of the files; rather, it replaces the autorun.inf and has other files that hook themselves into that .inf, and then it uses removable media to spread to other computers. If the computer you were scanning for infections has it, then the USB drive will get it, and if you have Windows AutoRun turned on on your PC, you now have it on there too.

My suggestion is to 1) wipe your thumb drive, and do not back it up, as those files could be infected too, and then use Malwarebytes or something of that sort to scan the actual system to make sure it did not spread.

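An added example of the mechanism the last two technical replies describe (a drive that infects "even if you open it and do nothing", and an autorun.inf that hooks files on the drive): a small triage script for an autorun.inf copied off a removable drive. It is not code from any participant in this thread. Both .inf texts and the drive listing are constructed samples modelled on the poster's description (a system.exe and autorun.inf on the root of a technician's flash drive), not files taken from the drive itself.

```python
r"""Triage an autorun.inf found on a removable drive.

Added example for this thread, not code from any of its posts.  The
Autorun worm described above spreads by dropping its own autorun.inf so
that Windows launches a payload kept on the drive when the drive is
double-clicked in My Computer (or offered through AutoPlay).  The parser
pulls out every file the .inf asks Windows to run (open=, shellexecute=,
shell\<verb>\command=) and reports whether each one is actually present
on the drive.  A data flash drive has no legitimate reason to launch
anything: a benign autorun.inf only sets icon= and label=.  CLEAN_INF,
MALICIOUS_INF and DRIVE_LISTING are constructed samples, not real files.
"""
import ntpath
import re

# Keys through which autorun.inf can name something to execute.
EXEC_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
FIRST_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def parse_autorun(text: str) -> dict:
    """Return {lowercased key: raw value} from the [autorun] section.

    Worm-written .inf files are often padded with junk lines and use odd
    casing, so anything that is not key=value inside [autorun] is ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def referenced_targets(entries: dict) -> list:
    """(key, file) pairs for every key that makes Windows launch something."""
    targets = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            # The value may carry arguments; the program is the first token,
            # which may or may not be quoted.
            match = FIRST_TOKEN_RE.match(value)
            if match:
                targets.append((key, match.group(1) or match.group(2)))
    return targets


def triage_autorun(text: str, drive_listing) -> list:
    """Report every executable the .inf would launch and whether it is on the drive.

    Returns (key, target, present) triples.  A target that is referenced but
    missing still matters: the .inf keeps pointing at it after the payload
    is deleted, so the .inf itself has to be removed as well.
    """
    listing = {ntpath.normcase(name) for name in drive_listing}
    report = []
    for key, target in referenced_targets(parse_autorun(text)):
        relative = ntpath.normcase(target.lstrip(".\\"))
        if ntpath.splitext(relative)[1] in EXEC_EXTENSIONS:
            report.append((key, target, relative in listing))
    return report


# Constructed benign .inf: only cosmetic keys, launches nothing.
CLEAN_INF = r"""[autorun]
icon=drive.ico
label=Repair Kit
"""

# Constructed worm-style .inf: every shell verb is redirected to a file on the
# drive root, so double-clicking the drive in My Computer runs it.
MALICIOUS_INF = r"""[AutoRun]
;kjZ2 9qPx junk padding
xQ7!! more padding without an equals sign
open=system.exe
shell\open=Open
shell\open\Command=system.exe
shell\explore=Explore
shell\explore\Command=system.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute="system.exe" -autorun
"""

# Constructed root listing of a technician's flash drive carrying the worm.
DRIVE_LISTING = {"autorun.inf", "system.exe", "drive.ico", "ComboFix.exe", "mbam-setup.exe"}

if __name__ == "__main__":
    for key, target, present in triage_autorun(MALICIOUS_INF, DRIVE_LISTING):
        state = "present" if present else "MISSING"
        print(f"{key} launches {target} ({state} on drive)")
```

Run against the constructed worm-style .inf, all four launch keys resolve to the same system.exe on the root while the legitimate tools on the drive (ComboFix.exe, mbam-setup.exe) are not reported, because nothing in the .inf points at them; against the benign .inf the report is empty. Deleting system.exe alone leaves four entries still referencing it, which is why the autorun.inf has to go with it.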
