Broadband Tech > Security > Security > infected USB memory stick

infected USB memory stick

It sounds like you have a U3 type USB drive. See if this situation applies.

Note that the files on the drive are hidden:

»www.computing.net/answers/securi···560.html

Search the internet for

format usb u3

for information about formatting.

Thanks for the reply. I do have settings so that hidden files are visible but still can't see what's taking up the 400kb space. When I reformatted it I used FAT32 but it didn't get rid of whatever is there taking up space. I tried several times.

I had just finished reformatting Vista to make sure I had gotten rid of everything when I plugged the stick in and got reinfected. It was enough to make me want to say the heck with it, ditch Vista, put FreeBSD on the box and be done with it.

I've downloaded a utility from Systernals, SDelete, that I'm going to try. I did try scanning the stick using F-Prot on my FreeBSD box but that didn't work either. I have a wipe utility on it but couldn't get it to wipe the whole thing either. Try, try, again.

Thanks again for your time. I appreciate it.

BTW, I tried using Eraser to wipe the USB drive to clear it and that didn't work either.

reply to ihatecrime
Open the stick in your FreeBSD box. You will see any hidden files there. I just plugged a U3 stick in a FreeBSD box, and the U3 .exe and folders were visible.

reply to ihatecrime
I formatted my USB stick today and also see some space as used. I think this is normal - looks like FAT and other system stuff is stored there (like when formatting HDD, you always get 8MB of disk space you can't partition or format).
If you get infected every time you plug in your thumb, your system might be compromised. You might be infected with some nasty that antivirus can't detect. When you plug in USB drive virus tries to install auto-run virus on you USB drive which antivirus detects and block. Are you sure your system is clean?

reply to ihatecrime
You might be interested in this utility.
Im using it with great results.
»www.zbshareware.com/

Also you might want to take a look at this thread:
»Disabling 'Autorun' on USB and beyond. Need help.
--
The Very Latest SOHO Images
»sohowww.nascom.nasa.gov/data/rea···ges.html

reply to tomazyk
"If you get infected every time you plug in your thumb, your system might be compromised. You might be infected with some nasty that antivirus can't detect. When you plug in USB drive virus tries to install auto-run virus on you USB drive which antivirus detects and block. Are you sure your system is clean?"

Sorry for the long delay in answering.

I don't know where I picked it up but of the 197 warnings AVG8 gave, some pretty bad looking ones were included like Trojan.Bomka, Trojan.BindFil.g, Trojan.ZMark.a, Trojan.Small.anm to name a few, but also several instances of things like TitanShieldAntispyware which I never downloaded or installed knowingly. All these were identified in the registry.

I did reformat Vista and it got my XP box too, but after I installed AVG8 it seemed to take care of it so I opted not to reformat XP and just use AVG8 to clean it. The bad part was no sooner had I reformatted Vista and I was infected again. After I cleaned it with AVG to get rid of the registry entries I ran BitDefender, A-Squared, Spybot S&D, AdAware with no further signs of trouble. I may download the trial version of Trojanhunter to make sure. My heart isn't in it but if it comes down to it I will reformat Vista again just to be certain...

I have looked at the USB stick on my FreeBSD box and it shows No Items - No Files - No Folders. But I know as soon as I was to plug it in my Windows box I would be infected again. It's a mystery to me. I may just throw the darn thing away. I do want my machine to be clean though.

Thanks everybody for your time and thought in this matter.

reply to ihatecrime
That's interesting. Did you try to wipe it in FreeBSD, and then reformat? Something like this should wipe the stick:

dd if=/dev/zero of=/dev/*** bs=1024M count=1

Where *** is the device that represents your usb stick. Don't mount it, use the raw device. I haven't done this in FreeBSD before, but it does work in Linux.

reply to ihatecrime
Now tell me i am wrong that Norton has low detection rate

reply to mikenolan7
I have BCwipe on my FreeBSD box and it wouldn't wipe it for some reason, probably due to my lack of experience with that program. I'll try the command you gave me to wipe it. Thanks.

I installed the trial version of Trojanhunter and my Vista box appears to be clean. I'll check out the trial version of the USB security program too.

Yes, fully updated Norton Internet Security 2007 didn't have a clue about 197 infections on my machine. Not only the few trojans I listed but downloaders, keyloggers, and adware out the wazoo. I suspect it to have been infected for 1-2 weeks before discovering it on my own. The only thing that led me to believe something was wrong was scans began to stall around file 6000, and not always the same file. Their online scan didn't find anything either.

I see others complaining about AVG8 in other threads in the forum, and not to dispute them, but it has done well for me in this instance.

reply to ihatecrime
How do you know any of the 197 detections by AVG are in fact valid?

For example, if you have SpywareBlaster or SpyBot S&D installed, it will list every single kill-bit CLSID entry as an infection. This is complete nonsense.

Most antivirus programs will not handle Adware issues. Many are rather poor at the whole class of Autorun infections. (ESET and Kaspersky are noticable exceptions, I have found).

Go to the Security Cleanup subForum and let the folks there clean this Autorun infection properly. I have no seen AVG any great shakes when it comes to an Autorun infection.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

reply to bcastner

Re: infected USB memory stick

reply to mikenolan7

Re: infected USB memory stick

I had the same problem with AVG 8 picking up false positives from Spyware Blaster. I think you are seeing false positives more than anything.

Like I said, that was my first thought, but after cleaning I could reproduce it by inserting the USB stick in either my Vista or XP machines. Now that I've overwritten the volume it no longer happens at all.

Doesn't sound like false positive behavior to me.

EOL

reply to ihatecrime
Those are all False Positives on CLSIDs with the Kill-bit set.

AVG is wrong to remove those entries. You are less secure having those entries removed.