
USB-Stick autorun virus


Finn Stampe Mikkelsen

Nov 23, 2009, 5:52:53 PM
Hi

Could anybody tell me, how i could get rid of this virus. Below there is a
directory of my USB-Stick. i have tried several solutions i found on google,
but none of them worked...

 Disken i drev P er Cruzer U3
 Diskens serienummer er 8AD5-0AE2

 Indhold af P:\

16-11-2009  22:40               246 AUTORUN_.0NF
17-11-2009  18:19    <DIR>          cold
16-11-2009  22:41    <DIR>          System Volume Information
               1 fil(er)              246 byte

 Indhold af P:\cold

17-11-2009  18:19    <DIR>          .
17-11-2009  18:19    <DIR>          ..
20-11-2009  10:48    <DIR>          hott
               0 fil(er)                0 byte

 Indhold af P:\cold\hott

20-11-2009  10:48    <DIR>          .
20-11-2009  10:48    <DIR>          ..
22-11-2009  03:15                63 Desktop.ini
18-11-2009  22:49            25.600 ¾ôóü¨÷Ïo-ýîý
15-11-2009  00:51           102.441 ñ¾ô§ýÿ÷¾¬-ýîý
               3 fil(er)          128.104 byte

     Antal filer i alt:
               4 fil(er)          128.350 byte
               7 mappe(r)  31.882.956.800 byte ledig

/Finn

--
Der er 10 slags mennesker - Dem som forstår binær og dem som ikke gør.
There are 10 kinds of people. Those who understand binary and those who
don't.
Es gibt 10 Arten von Menschen. Die, die Binär verstehen, bzw. die, die es
nicht tuhen.

David H. Lipman

Nov 23, 2009, 5:59:43 PM
From: "Finn Stampe Mikkelsen" <sta...@city.dk>

| Hi

| Could anybody tell me, how i could get rid of this virus. Below there is a
| directory of my USB-Stick. i have tried several solutions i found on google,
| but none of them worked...

| Disken i drev P er Cruzer U3
| Diskens serienummer er 8AD5-0AE2

< snip >

| 20-11-2009 10:48 <DIR> .
| 20-11-2009 10:48 <DIR> ..
| 22-11-2009 03:15 63 Desktop.ini
| 18-11-2009 22:49 25.600 ¾ôóü¨÷Ïo-ýîý
| 15-11-2009 00:51 102.441 ñ¾ô§ýÿ÷¾¬-ýîý
| 3 fil(er) 128.104 byte

| Antal filer i alt:
| 4 fil(er) 128.350 byte
| 7 mappe(r) 31.882.956.800 byte ledig

| /Finn


First disable AutoPlay/AutoRun on the PC in question.

Scan the system and *all* Read/Write removable media with an anti virus such as the Sophos
and McAfee modules of my Multi AV Scanning Tool.

You can't just try to remove it from a memory card/flash drive as the PC will re-infect
the device and vice versa.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


nobody >

Nov 23, 2009, 7:43:10 PM
David H. Lipman wrote:
> From: "Finn Stampe Mikkelsen" <sta...@city.dk>
>
> | Hi
>
> | Could anybody tell me, how i could get rid of this virus. Below there is a
> | directory of my USB-Stick. i have tried several solutions i found on google,
> | but none of them worked...
>
> | Disken i drev P er Cruzer U3
> | Diskens serienummer er 8AD5-0AE2
>
> < snip >
>
> | 20-11-2009 10:48 <DIR> .
> | 20-11-2009 10:48 <DIR> ..
> | 22-11-2009 03:15 63 Desktop.ini
> | 18-11-2009 22:49 25.600 ¾ôóü¨÷Ïo-ýîý
> | 15-11-2009 00:51 102.441 ñ¾ô§ýÿ÷¾¬-ýîý
> | 3 fil(er) 128.104 byte
>
> | Antal filer i alt:
> | 4 fil(er) 128.350 byte
> | 7 mappe(r) 31.882.956.800 byte ledig
>
> | /Finn
>
>
>
>
> First disable AutoPlay/AutoRun on the PC in question.
>
> Scan the system and *all* Read/Write removable media with an anti virus such as the Sophos
> and McAfee modules of my Multi AV Scanning Tool.
>
> You can't just try to remove it from a memory card/flash drive as the PC will re-infect
> the device and vice versa.
>

At the prices of USB sticks today, the fastest fix would be to spank
that stick with a large hammer and replace it.

I just bought a MicroSD 4 gig teeny chip for my phone and a tiny USB
adapter for it for less than $20 USD (special need here), and a Lexar
"jacknife" USB stick for $8 usd.

Finn Stampe Mikkelsen

Nov 23, 2009, 7:47:42 PM

"nobody >" <useneth...@aol.com> wrote in message
news:YoidnRqc_b-8sZbW...@supernews.com...

Yeah well, not a viable solution for me. Just bought the damn sucker. 32GB
stick and it cost around $100, so i'm not likely going to spank it any time
soon...

But i tried the solution suggested above and i wonder why my F-Secure, bought
and paid for, did not clean the darn thing.. McAfee identified it promptly
and removed it.. It has not yet returned, so i consider it gone now..

Thanks goes out to david...

/Finn

David H. Lipman

Nov 23, 2009, 8:02:03 PM
From: "Finn Stampe Mikkelsen" <sta...@city.dk>

| Yeah well, not a viable solution for me. Just bought the damn sucker. 32GB
| stick and it cost around $100, so i'm not likely going to spank it any time
| soon...

| But i tried the solution suggested above and i wonder why my F-Secure, bought
| and paid for, did not clean the darn thing.. McAfee identified it promptly
| and removed it.. It has not yet returned, so i consider it gone now..

| Thanks goes out to david...

| /Finn

Smashing would NOT have been a solution as it probably infected the PC and you may have
other devices infected as well.

Did you scan the PC and all removable Read/Write media ?

What did McAfee find ?
You can extract that information from...
C:\AV-CLS\mcafee\ScanReport.HTML

Finn Stampe Mikkelsen

Nov 23, 2009, 8:51:13 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hefb9...@news3.newsguy.com...

> From: "Finn Stampe Mikkelsen" <sta...@city.dk>
>
> | Yeah well, not a viable solution for me. Just bought the damn sucker. 32GB
> | stick and it cost around $100, so i'm not likely going to spank it any time
> | soon...
>
> | But i tried the solution suggested above and i wonder why my F-Secure, bought
> | and paid for, did not clean the darn thing.. McAfee identified it promptly
> | and removed it.. It has not yet returned, so i consider it gone now..
>
> | Thanks goes out to david...
>
> | /Finn
>
> Smashing would NOT have been a solution as it probably infected the PC and you may have
> other devices infected as well.
>
> Did you scan the PC and all removable Read/Write media ?
>
> What did McAfee find ?
> You can extract that information from...
> C:\AV-CLS\mcafee\ScanReport.HTML

Yeah i did.. it only found something on the USB-Stick, besides some minor
things with Serv-U...

It was a worm. I deleted that folder, when i was finished using it, not
thinking about that report.. I'm not that fond of Dos, so... Sorry, can't
tell you what it was, but it's gone...

/Finn

--
Der er 10 slags mennesker - Dem som forstår binær og dem som ikke gør.
There are 10 kinds of people. Those who understand binary and those who
don't.
Es gibt 10 Arten von Menschen. Die, die Binär verstehen, bzw. die, die es
nicht tuhen.

FromTheRafters

Nov 23, 2009, 8:54:58 PM
"nobody >" <useneth...@aol.com> wrote in message
news:YoidnRqc_b-8sZbW...@supernews.com...

> At the prices of USB sticks today, the fastest fix would be to spank
> that stick with a large hammer and replace it.

That would get rid of that particular symptom alright. What next, a
sledgehammer for the PC.

:o)


ArameFarpado

Nov 23, 2009, 8:56:40 PM
On Monday 23 November 2009 22:52, Finn Stampe Mikkelsen wrote:

> Hi
>
> Could anybody tell me, how i could get rid of this virus. Below there is a
> directory of my USB-Stick. i have tried several solutions i found on
> google, but none of them worked...
>

stick that in a pc running linux, delete the files.

nobody >

Nov 24, 2009, 1:00:15 AM

That's OK, but for the PC, any/some/all of the following
http://www.ithacagun.com/defense37s.html
http://www.barrettrifles.com/home/rifle_82.aspx
http://en.wikipedia.org/wiki/M2_Browning_machine_gun
http://www.autoweapons.com/photos09/sep/2728thomp.html

I've been an idiot, the vids I SHOULD have taken during some of
our little "computer-from-hell" retribution events would have great
YouToobers.

For that server rack that just won't co-operate, no matter what you do:
http://www.maystrailequipment.com/pages/pionjar.html


Anonymous

Nov 24, 2009, 5:25:45 AM

"ASCII" felched:

> nobody > wrote:
>>I've been an idiot,
>
> As have been,
> and continue to be,
> all mail2news turd wranglers.

Hello, my name is ASCII and I'm a slug addict.
It's been 3 minutes since I had a dick in my ass.

One Step At A Time, fagboy!


nobody >

Nov 25, 2009, 12:35:30 PM

He's a pretend "expurt" too.
I've never used a mail2news gateway in my life.

LittleProgrammer

Nov 26, 2009, 3:46:04 AM
On Nov 24, 9:52 am, "Finn Stampe Mikkelsen" <sta...@city.dk> wrote:
> Hi
>
> Could anybody tell me, how i could get rid of this virus. Below there is a
> directory of my USB-Stick. i have tried several solutions i found on google,
> but none of them worked...
>
>  Disken i drev P er Cruzer U3
>  Diskens serienummer er 8AD5-0AE2
>
>  Indhold af P:\
>
> 16-11-2009  22:40               246 AUTORUN_.0NF
> 17-11-2009  18:19    <DIR>          cold
> 16-11-2009  22:41    <DIR>          System Volume Information
>                1 fil(er)              246 byte
>
>  Indhold af P:\cold
>
> 17-11-2009  18:19    <DIR>          .
> 17-11-2009  18:19    <DIR>          ..
> 20-11-2009  10:48    <DIR>          hott
>                0 fil(er)                0 byte
>
>  Indhold af P:\cold\hott
>
> 20-11-2009  10:48    <DIR>          .
> 20-11-2009  10:48    <DIR>          ..
> 22-11-2009  03:15                63 Desktop.ini
> 18-11-2009  22:49            25.600 ¾ôóü¨÷Ïo-ýîý
> 15-11-2009  00:51           102.441 ñ¾ô§ýÿ÷¾¬-ýîý

>                3 fil(er)          128.104 byte
>
>      Antal filer i alt:
>                4 fil(er)          128.350 byte
>                7 mappe(r)  31.882.956.800 byte ledig
>
> /Finn
>
> --
> Der er 10 slags mennesker - Dem som forstår binær og dem som ikke gør.

> There are 10 kinds of people. Those who understand binary and those who
> don't.
> Es gibt 10 Arten von Menschen. Die, die Binär verstehen,  bzw. die, die es
> nicht tuhen.

can you post the content of AUTORUN_.0NF?
btw. scan your pc using legitimate AV's, and post the virus name here.

FromTheRafters

Nov 26, 2009, 8:05:12 AM
"LittleProgrammer" <littleprogra...@gmail.com> wrote in
message
news:ef10855b-a0cd-46db...@e4g2000prn.googlegroups.com...

can you post the content of AUTORUN_.0NF?
btw. scan your pc using legitimate AV's, and post the virus name here.

***
Chances are (if malware) you would see only a slightly obfuscated
reference to an executable file's filename. You would need the actual
executable's code to determine the actual malware name.
***


Kanishka

Nov 26, 2009, 8:46:26 AM
I have developed a removal tool for the virus (¾ôóü¨÷Ïo-ýîý), original
name raidhost.exe. Use the following link to see the virus report and
download the removal tool!

http://it.web44.net/VirusDetails/raidhost.exe_Recover_Report.html

More info:
raidhost.exe (CRC32: D8AB4DA6) is a backdoor virus. It supports
creating a botnet. raidhost.exe is the parent virus. When it is
executed it downloads other viruses from its master servers. In Imago
labs we detected the servers are 64.131.83.170 on port 80 and
216.17.104.155 on port 51987. It downloads a malicious file dl.exe from
the above servers and executes it. Then dl.exe downloads another malicious
file, update.exe.

"Raidhost" uses autorun.inf to propagate itself. It creates a system
folder called cold. Inside the cold directory it creates a system folder,
hott, which appears as a recycle bin. Then it copies its clone
(¥¶¾³¿¸¤£ù²¯².exe and ¥¶¾³¿¸¤£ù²¯²) into the hott directory.

raidhost.exe resides in %system drive% \ Windows. dl.exe and
update.exe reside on the root of the system drive.
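
As an added example (not code from this thread or from any poster's tool), a read-only triage of a mounted stick for the layout described in the post above: launch entries in autorun.inf, and executables with or without an .exe extension sitting in a folder presented as a recycle bin. It assumes the disguise is a Desktop.ini carrying the Recycle Bin CLSID; the sample file names and stub contents are constructed.

```python
import re, tempfile
from pathlib import Path

# Assumption: the folder "appears as a recycle bin" via a Desktop.ini naming this CLSID.
RECYCLE_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # Windows Recycle Bin
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)

def autorun_targets(text):
    """Commands the [autorun] section of an autorun.inf would launch."""
    targets, in_section = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and not line.startswith(";") and (m := LAUNCH_KEY.match(line)):
            targets.append(m.group(2).strip())
    return targets

def is_pe(path):  # MZ magic check, independent of file name or extension
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def triage(root):
    """Read-only scan of a mounted stick; returns sorted (kind, detail) findings."""
    root = Path(root)
    found = [("autorun-launch", t) for p in root.iterdir() if p.name.lower() == "autorun.inf"
             for t in autorun_targets(p.read_text(encoding="latin-1"))]
    for ini in (p for p in root.rglob("*") if p.name.lower() == "desktop.ini"):
        if RECYCLE_CLSID.lower() in ini.read_text(encoding="latin-1").lower():
            found += [("pe-in-fake-recycle-bin", str(q.relative_to(root)))
                      for q in ini.parent.iterdir() if q.is_file() and q != ini and is_pe(q)]
    return sorted(found)

def build_sample(root):
    """Constructed layout modelled on the thread's listing; contents are harmless stubs."""
    hott = Path(root, "cold", "hott")
    hott.mkdir(parents=True)
    stub = b"MZ" + bytes(62)  # only the 2-byte magic matters to is_pe()
    Path(root, "autorun.inf").write_bytes(
        b"[autorun]\r\n;pad\r\nopen=cold\\hott\\clone.exe\r\n"
        b"shell\\open\\command=cold\\hott\\clone.exe\r\n")
    (hott / "Desktop.ini").write_bytes(
        b"[.ShellClassInfo]\r\nCLSID=" + RECYCLE_CLSID.encode() + b"\r\n")
    for name, data in (("clone.exe", stub), ("clone", stub), ("notes.txt", b"hello")):
        (hott / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*triage(tmp), sep="\n")
```

Run it against the stick's mount point on a machine that does not act on autorun.inf (for instance the Linux box suggested earlier in the thread) by calling `triage()` with that path.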



David H. Lipman

Nov 26, 2009, 12:13:49 PM
From: "Kanishka" <kdkan...@gmail.com>

| I have developed a removal tool for the virus (¾ôóü¨÷Ïo-ýîý), original
| name raidhost.exe. Use the following link to see the virus report and
| download the removal tool!

| h**p://it.web44.net/VirusDetails/raidhost.exe_Recover_Report.html

| More info:
| raidhost.exe (CRC32: D8AB4DA6) is a backdoor virus. It supports
| creating a botnet. raidhost.exe is the parent virus. When it is
| executed it downloads other viruses from its master servers. In Imago
| labs we detected the servers are 64.131.83.170 on port 80 and
| 216.17.104.155 on port 51987. It downloads a malicious file dl.exe from
| the above servers and executes it. Then dl.exe downloads another malicious
| file, update.exe.

| "Raidhost" uses autorun.inf to propagate itself. It creates a system
| folder called cold. Inside the cold directory it creates a system folder,
| hott, which appears as a recycle bin. Then it copies its clone
| (¥¶¾³¿¸¤£ù²¯².exe and ¥¶¾³¿¸¤£ù²¯²) into the hott directory.

| raidhost.exe resides in %system drive% \ Windows. dl.exe and
| update.exe reside on the root of the system drive.

As already noted, the OP used the McAfee module of my Multi-AV Scanning Tool.

The advantage is that it is a broad-spectrum removal tool, capable of the autoRun Worm and
"others".
