Malware spread by memory stick
john_s_2
Posts: 698 Forumite
in Techie Stuff
Sorry for the long post...
Just recently we keep getting some sort of malware (Downadup according to AVG) on our PCs. I believe it is from my daughter's memory stick, which she uses to take files to and from school, and I strongly suspect she is getting it from her school.
We use XP Home.
I cleared the infection from the stick and PC (using AVG) and confirmed the files were no longer there in Windows Explorer afterwards. But after coming back from school AVG threw a wobbly again, and sure enough it was back on the stick.
There's various questions I have, and please note, at this point I'm not interested in a discussion about the merits of running AVG Free.
1. We ignore (press cancel) the "what do you want to do with this?" window that comes up when plugging in the stick, and navigate it using Windows Explorer (WE). But a DLL file still gets copied across into:
C:\Documents and Settings\[user name]\Application Data
And a registry entry to run this DLL file on startup.
This is despite the stick being used on a limited account. According to this article...
http://www.geocities.com/kilian0072002/registry/lockreg.htm#1.1
... a limited user can edit the HKCU part of the registry. I don't know enough about this but does this explain how the malware can create a registry entry despite only running on a limited account?
2. As explained above, we do not choose any of the options on the window that appears when plugging in the stick. But the files (and registry modification) still seem to happen. Does something still run automatically when plugging in the stick regardless of what action is chosen on this window? According to this article...
http://antivirus.about.com/od/securitytips/ht/autorun.htm
... it is possible to completely disable autorun on removable media, which suggests that something is autorunning. As the fix involves modifying the registry I'm wary of doing this as I'm not expert enough. (The article suggests creating a .reg file, which seems simple enough. But a little knowledge...)
As I said, AVG has cleared the infection (deleted the DLL file) but it leaves the registry entry so on startup we get a rundll error. I have inhibited this error by unchecking the appropriate entry using MSCONFIG but obviously this is treating the sympton rather than the cause.
I realise there are probably better security packages to use (Avira / Malware Bytes) that should deal with this but at the moment I'm most interested in the two questions above.
Ultimately I want to be able to insert the stick, confident that XP will not not take any action with it, which will then let me scan it (using AVG, or whatever) for malware. I suspect this means following the advice (or similar) on the about.com article above but I'd be grateful for any clarification / comments :-)
Comments
john_s_2 wrote: »
(The article suggests creating a .reg file, which seems simple enough. But a little knowledge...)

From the article:

Save the file as something.reg. (You have to be sure to change the "Save File as Type" to "All Files" before saving, or Windows will try to save it as a .txt even if you typed in .reg.)

Then it's just a case of double-clicking the .reg file and clicking Yes when prompted to add the keys to the registry.
Cheers gaming_guy. Although when I said, "But a little knowledge..." I assumed people would guess that I meant it should be followed by "... is a dangerous thing."
I know enough about the registry to know that I shouldn't modify it on the advice of a random website. Although I guess about.com are fairly authoritative?
john_s_2 wrote: »
Cheers gaming_guy. Although when I said, "But a little knowledge..." I assumed people would guess that I meant it should be followed by "... is a dangerous thing."
I know enough about the registry to know that I shouldn't modify it on the advice of a random website. Although I guess about.com are fairly authoritative?

I've just found an MS KB article here which goes into more detail on how to disable it on certain drives. However, I'd disable autorun for all drives just as a precaution.
Look under the section 'How to disable all Autorun features in Windows XP Home Edition and other operating systems'.
Edit - just re-read your post and you mentioned Malwarebytes. It's worth installing as AVG Free is just a virus scanner, not a malware/spyware scanner like Malwarebytes.
I'm pleased to say I just found a non-techy way (ie doesn't even involve running .reg files) of disabling autoplay. The MS PowerToy: Tweak UI. I came across it on this thread:
http://www.annoyances.org/exec/forum/winxp/t1151603426
I had already installed it on my daughter's PC for something else. It's a snip! And there's also an option to disable the autoplay on any removable media, rather than disabling drives (so I did both for a belt & braces approach).
I just need my daughter's memory stick, with the virus back on it, to test if it works... She's gone out after school so I'll see when she gets home.
Meanwhile, I have tracked down the entry in the registry that is calling the offending (but now absent) DLL. Do I just [gulp!] delete it? Or would it be safer (from a system stability point of view) to just carry on ignoring it with the MSCONFIG option?
Cleaning her memory stick, without cleaning every PC she uses it in, will prove to be a wasted effort.
“I may not agree with you, but I will defend to the death your right to make an a** of yourself.”
If you're not confident that it's clean, then the low tech approach is to bin the stick and replace it. They're cheap enough.
But as Strider points out, you need to find out where she is picking the infection up from and stop her using that PC until it's cleaned.
No free lunch, and no free laptop
Strider590 wrote: »
Cleaning her memory stick, without cleaning every PC she uses it in, will prove to be a wasted effort.

macman wrote: »
If you're not confident that it's clean, then the low tech approach is to bin the stick and replace it. They're cheap enough.
But as Strider points out, you need to find out where she is picking the infection up from and stop her using that PC until it's cleaned.
I'm happy that the stick is clean once I've done my bit. I just needed to make sure our computers didn't autorun when it was plugged in, thus copying the files onto the computer. I'm happy I've done this (see my post about Tweak UI above).
If it picks up the virus again then so long as it doesn't jump onto our computers I couldn't care less to be honest. I'll clean it off each time but beyond that, it's an NMP (not my problem).
She hadn't used it at school yesterday so I can't test it at the moment.
The whole point of a resident scanner is that you shouldn't need to manually scan everything; it is supposed to catch it for you before infecting, catching it afterwards is useless. Your current scanner isn't up to the job, consider changing it for Avira/Avast or Kaspersky, after disabling autoruns. Malwarebytes isn't a virus scanner as such, although its generic scanning technology might catch some.
Autoplay is different to autorun. You need more than TweakUI to disable it properly.
http://www.microsoft.com/technet/security/advisory/967940.mspx/en-us
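For anyone who would rather not hand-type the registry file the about.com article and the MS KB section above describe, here is an added example (not code from the thread, nor Microsoft's own) that generates it. It writes the two changes Microsoft's advisory 967940 workarounds describe: the NoDriveTypeAutoRun policy value, and an IniFileMapping entry that points Autorun.inf at a key that does not exist, so Explorer never parses the file at all. The drive-type bit values, the XP default of 0x91 and the key paths are the documented ones; the function and constant names are this example's own. Writing the HKEY_LOCAL_MACHINE copy matters for the original question about limited accounts: a limited user can write their own HKCU Run key, but cannot touch HKLM, and Explorer honours the HKLM policy ahead of any HKCU copy.

```python
"""Generate the .reg file that turns AutoRun off machine-wide on Windows XP.

Added example, not code from the thread or from Microsoft.  It produces
the two registry changes Microsoft's advisory 967940 workarounds describe:
the NoDriveTypeAutoRun policy bitmask, and an IniFileMapping entry that
points Autorun.inf at a key that does not exist, so Explorer never acts
on the file regardless of the bitmask.
"""
import sys

# Bit n of NoDriveTypeAutoRun disables AutoRun for drives whose
# GetDriveType() result is n.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE: USB sticks, floppies
    "fixed": 0x08,        # DRIVE_FIXED
    "remote": 0x10,       # DRIVE_REMOTE: mapped network drives
    "cdrom": 0x20,        # DRIVE_CDROM
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # not a real drive type, but set in the defaults
}
XP_DEFAULT = 0x91   # unknown + remote + reserved: USB sticks still AutoRun
ALL_DRIVES = 0xFF   # every bit set: no drive type AutoRuns

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\IniFileMapping\Autorun.inf")


def mask_for(*drive_types):
    """Combine named drive types into a NoDriveTypeAutoRun value."""
    mask = 0
    for name in drive_types:
        mask |= DRIVE_TYPE_BITS[name]   # KeyError on a typo, deliberately
    return mask


def decode_mask(mask):
    """Names of the drive types an existing NoDriveTypeAutoRun value disables."""
    return sorted(n for n, bit in DRIVE_TYPE_BITS.items() if mask & bit)


def build_reg(mask=ALL_DRIVES, per_user=False):
    """Return the text of a .reg file applying the changes.

    per_user=False writes the HKLM policy, which a limited account cannot
    undo and which Explorer honours ahead of any HKCU copy of the value;
    the IniFileMapping key only exists under HKLM, so it is emitted only
    in that case.
    """
    hive = "HKEY_CURRENT_USER" if per_user else "HKEY_LOCAL_MACHINE"
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{hive}\\{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}',
        "",
    ]
    if not per_user:
        lines += [f"[{INIMAP_KEY}]", '@="@SYS:DoesNotExist"', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Usage: python disable_autorun.py [output.reg]; then double-click the
    # file on the XP machine from an Administrator account and answer Yes.
    out = sys.argv[1] if len(sys.argv) > 1 else "disable-autorun.reg"
    with open(out, "w", encoding="utf-16", newline="") as f:
        f.write(build_reg())
    print("wrote", out, "disabling AutoRun for:", ", ".join(decode_mask(ALL_DRIVES)))
```

decode_mask() is there for checking what a machine already has: export the existing NoDriveTypeAutoRun value with regedit and feed it in, and 0x91 (the XP default) comes back as unknown, remote and reserved only, which is exactly why a USB stick still autoruns on an untouched XP box.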
» The whole point of a resident scanner is that you shouldn't need to manually scan everything, it is supposed to catch it for you before infecting, catching it afterwards is useless...
Thanks, I'm going to be reviewing my security after this.
I've also discovered that TweakUI is account specific so I've had to change the limited accounts to Admin to effect the autoplay disabling, then convert them back to limited again. (MSCONFIG works the same way, frustratingly.)
» Autoplay is different to autorun. You need more than tweakui to disable it properly
» http://www.microsoft.com/technet/security/advisory/967940.mspx/en-us

Thanks again, I'll have a look at that. It certainly 'seems' to stop the autorun (nothing happens when I plug it in now) but without the virus on it I can't be certain.
EDIT: I've been reading around various websites and I'm reasonably satisfied that the Autoplay referred to on TweakUI is in fact Autorun - so it does stop autorun. From what I've read, Autorun and Autoplay tend to be used interchangeably, and before XP were the same thing. As TweakUI is pre-XP the word Autoplay wasn't replaced with Autorun on the GUI, although it is autorun it's disabling.
http://en.wikipedia.org/wiki/AutoRun#TweakUI
(I realise Wikipedia isn't perhaps the best source of this information, but various other sites/forums led me to the same conclusion.)
EDIT2: In case anyone's following this (but it's not worth bumping) I'm more satisfied that I've disabled autorun for my removable media. I created an autorun.inf file that opens Notepad if: the user selects it from the Autoplay menu; or double-clicks on the USB drive icon. (On a PC that hasn't had autoplay / autorun disabled using TweakUI).
But neither of these happen on a PC that has had these disabled. The file simply contains:
[autorun]
open=notepad.exe
action=Click OK to open Notepad
shell\open\command=notepad.exe
According to this page...
http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/
the "shell\open\command=notepad.exe" command "will still work even if autoplay is disabled". I don't know why it doesn't work but I'm glad it doesn't.
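The test above relies on Windows to reveal what the stick's autorun.inf would do; the added example below (not the poster's code) reads the file itself, so a stick can be checked before anything is allowed to act on it, which is the "insert it, confident XP won't touch it, then scan it" workflow the original post asks for. It parses the [autorun] section the way Explorer does (case-insensitive keys, first occurrence wins, lines outside the section ignored) and flags the keys that launch something: open=, shellexecute=, shell= and shell\<verb>\command=. The first sample is the poster's own Notepad test file reproduced from above; the second is constructed for this example and shows the common trick of setting action= to Explorer's own "Open folder to view files" label so the malicious entry looks like the stock choice. Function names, severities and the file contents are this example's assumptions.

```python
"""Inspect an autorun.inf before Windows gets a chance to act on it.

Added example, not code from the thread.  Windows reads the [autorun]
section of \\autorun.inf on a newly inserted volume; the keys handled
below are the ones that decide what runs or what the AutoPlay dialog shows.
"""
import re
import sys
from pathlib import Path

# Keys that cause code to run, and why a practitioner cares about each.
RUN_KEYS = {
    "open": "program launched by AutoRun / double-click on the drive",
    "shellexecute": "file or URL handed to ShellExecute (any registered handler)",
    "shell": "changes the default verb, so double-click runs that verb's command",
}
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
# Label Explorer shows for a plain removable disk; a hostile file copies it
# so its run entry looks like the harmless stock choice in the dialog.
STOCK_LABEL = "open folder to view files"


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, first occurrence wins.

    Keys are lower-cased (Windows treats them case-insensitively); lines
    outside [autorun]/[autorun.*] and ';' comment lines are ignored.
    """
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in keys:
            keys[key] = value.strip()
    return keys


def assess_autorun(text):
    """Return a list of (severity, key, value, reason) findings for the file."""
    findings = []
    for key, value in parse_autorun(text).items():
        verb = SHELL_CMD.match(key)
        if key in RUN_KEYS:
            findings.append(("high", key, value, RUN_KEYS[key]))
        elif verb:
            findings.append(("high", key, value,
                             f"command bound to the '{verb.group(1)}' context-menu verb"))
        elif key == "action":
            if value.lower() == STOCK_LABEL:
                findings.append(("medium", key, value,
                                 "spoofs Explorer's own 'open folder' label in the AutoPlay dialog"))
            else:
                findings.append(("info", key, value, "custom AutoPlay label"))
        elif key == "icon":
            findings.append(("low", key, value, "custom drive icon (can mimic a plain disk)"))
        elif key == "useautoplay" and value == "1":
            findings.append(("low", key, value, "asks for the AutoPlay dialog even where AutoRun is off"))
    return findings


def scan_drive(root):
    """Read <root>/autorun.inf if present and return assess_autorun() findings."""
    inf = Path(root) / "autorun.inf"
    if not inf.exists():
        return []
    return assess_autorun(inf.read_text(errors="replace"))


# The thread's own harmless test file, reproduced from the post above.
OP_SAMPLE = """[autorun]
open=notepad.exe
action=Click OK to open Notepad
shell\\open\\command=notepad.exe
"""

# Constructed sample for this example (not from the thread): the run line
# is disguised as the stock Explorer choice and launches a DLL via rundll32.
SUSPECT_SAMPLE = """[autorun]
;junk comment lines are skipped by Windows and by this parser
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shellexecute=rundll32.exe .\\RECYCLER\\x.dll,Install
useautoplay=1
"""

if __name__ == "__main__":
    # Usage: python check_autorun.py E:\   (or no argument to run the samples)
    targets = [scan_drive(sys.argv[1])] if len(sys.argv) > 1 else [
        assess_autorun(OP_SAMPLE), assess_autorun(SUSPECT_SAMPLE)]
    for findings in targets:
        for sev, key, value, reason in findings:
            print(f"[{sev:6}] {key}={value}  ({reason})")
        print("---")
```

Run against a mounted stick on a machine where AutoRun is already disabled, any "high" finding means the stick should be cleaned (or binned, as suggested earlier) before it goes near a PC that still autoruns. The "medium" action= check is only a disguise, not code execution by itself, which is why it is rated below the run keys.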
How I would fix the problem.
1. copy everything from the memory stick, after running a scan on it,
2. format the memory stick.
3. scan computer for any viruses etc.
4. copy the data back
5. after school plug it in, if infected, then the school computers must be infected. if they haven't connected to another computer before that.
6. phone school and tell them they have a computer virus problem as your computer keeps getting infected from it.
AVG is ok as an antivirus but there are better free ones out there, AVAST, Antivir, you can also get a free full version antivirus on a coverdisk usually for a year. Your ISP can even supply you with one, take Virgin Media for instance they have a downloadable protection on their site. You can also scan your computer with an online antivirus scanner for free.