It's very doubtful that a thumb drive simply being plugged in can infect a computer. In order to force a program on a thumb drive to run, one would have to rewrite the little ROM chip on it that tells the PC what it is, what driver to use, its name, etc., unless they are getting away from ROMs and using a small portion of the memory that's "hidden" to normal programs (this would explain why you can rename it and its name carries from machine to machine). If someone wrote a little piece of arbitrary code saying "use this file to see this drive properly" or something and pointed it to a hidden .exe on the flash, then it's possible that simply plugging it in can infect a PC. I haven't found an autorun for USB files that's silent like you do for CDs that install rootkits when you pop them in.

Another thing you may check: ask whoever plugged in the drive if a window appeared asking to open the folder, play the audio, play the video, you know, the standard AutoPlay window that pops up; they could possibly have clicked on something in that which triggered an infection. There was a virus threat to Windows in that one could be hidden in and run from an image file using its macros, but CAD files weren't affected by this, so I doubt this is the case.

Also, judging by the description, it didn't hit any system files; those are all basic operations an admin can perform. What it looks like is a custom script/VB app someone has made. You can write a program to start pre-Windows logon; this will appear after you hit Ctrl+Alt+Del, or on an XP box that doesn't log on that way, on the user "welcome" screen. It sounds like a "cutesy" virus that plays with a system, being more of an annoyance than a harm, although losing the PST file is a bad deal.

When Trend says it's not a virus, what they're really saying is that it's something that hasn't spread enough to be on their radar. Remember that a virus is any program that replicates itself and spreads; you may have a localized instance that doesn't go any further.

Some things to check:

In HKLM there is a key you might want to check. It's under Software\Microsoft\Windows NT\current\WinLogon; the key is userinit. Make sure you don't have anything funky in there other than C:\Windows\System32\Userinit.exe. In this key one can append programs after the ','. This key runs every time someone logs in; it's not like the Startup menu where you can turn those off: put it there and it will run. Make sure that it's an .exe; if it's a .bat, .cmd, .vbs or .something, change it to .exe, and make sure nothing else is tagged on to the end that doesn't look normal, i.e. haha.exe is probably not a good program to have there.

Another thing: check the Startup menu and msconfig. This virus looks simple enough to concoct that the writer may not have known about or used the userinit. With the AV and systray items gone, it looks like they may have just turned off the services/apps from starting in msconfig and services.msc. For the AV being gone, if you mean uninstalled, then one possibility is that this virus went through the registry and looked at a few keys, specifically the uninstall key under Software\Microsoft\Windows\current\Uninstall\* (our list of Add/Remove apps). Most commercial apps are installed with MSIs or Wise; simply sending something like this to the command line (found in the registry) will get rid of your AV: msiexec /uninstall trendmicroav.msi /qn, and all of a sudden your AV disappears off the desktop and systray. Try reinstalling your AV; if for some reason you can't even run the install, or after the install it doesn't work, that means your bug is still running in the background, at which point check the processes again.

That's about all I can help with without seeing the system. The biggest problem you may have is that second user account: if it's a generic account any number of people use, take it down to a user level and nothing higher, and restrict that further with gpedit.msc; if you're just printing CAD files, set it up to do just that.

[EMAIL PROTECTED] wrote:
VAR in Honolulu has a previously squeaky clean XP system now infected with 
something strange:
Symptom list:
1) All desktop icons disappeared
2) When recreated by hand, some days later they all were rendered un-runnable 
because they had all been renamed with an additional .lnk suffix.
3) On every boot, after the XP splash screen, but before User Login (2 profiles), there 
is a 4" x 5" screen with an Exit and an OK button. The screen shows a black 
background which overlays the XP blue login screen; it looks like a VB screen. The name 
in the top bar changes on every boot, such as c:\windows\system32\mup.sys, or i20mgr.sys, 
etc. This full file name is preceded by usually 8 small box characters. Inside the white 
body of the screen there are a few special characters: [\} and a character that looks 
like an inverse equal sign, standing vertically.
4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
5) The Outlook .PST file is missing
6) My antivirus and all other SYSTRAY items are gone
7) IE6 or IE7 won't connect to home page, instead Internet Properties opens on 
the General Tab
8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and 
WinSIC, or SYSCLEAN utilities.
9) MS RootkitRevealer finds nothing.

Infection route: while it could have been web browsing, or email, I really 
think it came from an odd incident when a client came in with CAD files to 
print on a thumb drive. Trend says thumb drives don't infect PCs, though I've 
looked at the U3.com software available for a SanDisk Cruzer (and several other 
makes) and it seems like there's a CPU in it, because you can scan a new PC for 
viruses using Avast from the thumb drive.



At one point they sent me a tool to fix the associations with applications, so that now Start > Programs runs most apps.
However, I've lost my email. This case has been open at Trend for more than a 
month, and now they are telling me it is not a virus and don't worry.

Not only that, when I call Trend Tech support, they hang up on me repeatedly, 
or put my call back in the queue, or promise to work the next day with me, and 
then don't. They want me to go away, but I think this is a serious threat.

CAN a thumb drive infect a system?
Has anyone seen anything like this, or know how to respond to it and recover my 
email (besides backup)?

Thanks for any leads.

That can't be correct, can it?
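The three checks the reply above walks through by hand (the Winlogon userinit value, the msconfig/Startup autostarts, and the Add/Remove uninstall strings a script could fire with msiexec /qn) as one added PowerShell audit. This is an added example and not code from anyone in the thread. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the "stock" Userinit and Shell values it compares against are those of a default Windows XP install and are an assumption for other Windows versions, as is the DisplayName pattern used to pick out the antivirus entry.

```powershell
# Added example, not from the original thread. Audits the places the reply
# above says to check: Winlogon Userinit/Shell, the Run/RunOnce autostart
# keys, and the Add/Remove (Uninstall) entries whose UninstallString a
# malicious script could run silently by appending /qn.
# Assumptions: Windows PowerShell 2.0+, elevated prompt; stock values below
# are a default Windows XP install and may differ on other versions.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Stock = @{
    'Userinit' = @("$env:SystemRoot\system32\userinit.exe")   # XP stores it with a trailing comma
    'Shell'    = @('Explorer.exe')
}

function Test-WinlogonValue {
    param([string]$Name)
    $value = (Get-ItemProperty -Path $Winlogon -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $value) { return "[$Name] value is missing (abnormal)" }
    $findings = @()
    # The value is a comma-separated list; every entry beyond the stock one is an autostart.
    foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $isStock = $false
        foreach ($s in $Stock[$Name]) { if ($entry -ieq $s) { $isStock = $true } }
        if ($isStock) { continue }
        $ext = [System.IO.Path]::GetExtension($entry).ToLower()
        if ($ext -ne '.exe') {
            $findings += "[$Name] non-exe autostart (script?): $entry"
        } else {
            $findings += "[$Name] extra autostart: $entry"
        }
        # A dangling path here can break logon; an existing one should be inspected.
        if (-not (Test-Path -Path $entry -ErrorAction SilentlyContinue)) {
            $findings += "[$Name] file not found on disk: $entry"
        }
    }
    if ($findings.Count -eq 0) { return "[$Name] OK: $value" }
    return $findings
}

function Get-RunKeyEntries {
    # The same autostarts msconfig's Startup tab shows, read straight from the registry.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* metadata properties PowerShell attaches to registry items.
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            "$k :: $($p.Name) = $($p.Value)"
        }
    }
}

function Get-UninstallStrings {
    # Pattern is an assumption; widen it to match whatever AV is installed.
    param([string]$Pattern = 'Trend|PC-cillin|Antivirus|Security')
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($sub in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $sub.PSPath
        if ($p.DisplayName -and ($p.DisplayName -match $Pattern)) {
            # This is the string an attacker's script would run with /qn added.
            "$($p.DisplayName) :: $($p.UninstallString)"
        }
    }
}

Test-WinlogonValue -Name 'Userinit'
Test-WinlogonValue -Name 'Shell'
Get-RunKeyEntries
Get-UninstallStrings
```

If Get-UninstallStrings prints nothing for your AV while the product was installed before, the Add/Remove entry is gone, which is consistent with a silent msiexec uninstall rather than a service merely disabled in msconfig; an entry that is still present but whose program no longer runs points the other way.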
