Probable infection

Hello everyone

I’ve noticed that every time I connect a USB flash drive to my computer it creates ‘filesystem’ and ‘autorun.inf’ files. I’ve run avz4 (ask for log if you feel you need one) and FlashDisinfector (never used this one before, so not sure about it) with no luck. I scanned with avast, also, no threats detected.

Never asked for help online before, so would anyone help me solve this problem? Ask if you need me to run any programs for analysis (combofix, hjt, avz, processexplorer, etc.) or provide you with screenshots or a more detailed description of what is happening on my pc. I will try to check on this topic as often as I can. Thank you.

That is probably created due to autoplay. If you want, you may completely disable autoplay just like in Windows 7. Here’s how:

1 Press Windows Key + R
2 Type in: gpedit.msc
3 Group Policy window will appear, using the tree pane, navigate to Computer Configuration\Administrative Templates\System
4 On the right side of the screen, you will see the entry Turn off Autoplay. Double click it.
5 Set the option button to Enabled and select All drives in Turn off Autoplay on:
6 Click OK

Thanks .: L’ arc :., I did as you said, autoplay no longer runs every time I plug in my flash drive, but I cannot format it to check if those files are created. I get ‘Windows cannot format this drive. Quit any disk utilities or other programs that are using this drive, and make sure that no window is displaying the contents of the drive. Then try formatting again’ message.

Update: I took my old 512 MB stick and plugged it in. As soon as I could open it, the previously mentioned files (filesystem and autorun.inf, see image below) were created. I checked again if autorun is disabled and it was. Again, I cannot format this drive and a scan with avast had given me no results.

http://img684.imageshack.us/i/usb2.jpg/ - my old 512MB USB flash drive

Run this program on your pc, then insert your usb drive. It will remove the autorun files on the pc and flash pen. Then run your AV. http://oldmcdonald.wordpress.com/

Thank you micky77, here’s how it went:

Unplugged my internet cable
Stopped Avast On-access protection
Ran oldmcdonald.exe
plugged my flash drive in (see image below for a glimpse of how it looked)
resumed avast on-access protection
scanned USB stick with no results, still can’t format it, did I do anything wrong?

http://img258.imageshack.us/img258/7707/remove.jpg - the horror

I may be completely wrong, but pagefile.exe might be a file infector (like virut).
Try another program Dr Web Cureit, and see what that finds http://www.freedrweb.com/cureit/?lng=en

I think you should try manual delete of those files, do it in Safe Mode just to be sure. I can’t see there would be any complications outside the effect on USB drive, where unwanted files will be deleted. Then reformat the USB drive.

Old USB drives are not very strong technology, files they hold are easily corrupted, some formats are not supported, and occasionally (though seldom any more) a driver will be needed.

Get USB clean total and see if your OS is reloading the files because it does not recognise the changes you have made - if it won’t recognise changes, there may be a problem in the running of the computer.

Ok, this is a “first post” (and I hope I do this right), but I have a problem. While on Facebook I opened and was surfing through an unrelated app when I got an alert from Avast. I stopped IE and rebooted to run a scan in safe mode. Avast found 6 “trojans” but couldn’t delete the files. I’ve removed the hard drive and scanned it on another computer running Avast. That machine found a trojan (with a different name) and I deleted it. I re-installed my HD and started up in safe mode for another scan. This time the virus doubled and still wouldn’t delete. I stopped Avast and tried an installation of “Microsoft security essentials” which told me there were no problems. I ran another scan with Avast and these were the issues.

Warning #1
C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\mobileink.exe
Win32:Malware-gen
Virus/Worm
091122-0, 11/22/2009
Warning #2
C:\DELL\Drivers\R118081\dmbcu.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen
Virus/Worm
091122-0, 11/22/2009
Warning #3
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #4
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047713.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #5
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047722.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #6
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP314\A0047722.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #7
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP315\A0047738.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #8
Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP315\A0047738.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm
Warning #9
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP318\A0047936.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #10
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP318\A0047936.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #11
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048040.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #12
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048040.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #13
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048282.msi\Data1.cab\mobilink.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009
Warning #14
C:\System Volume Information_restore{672C921D-E639-4127-AB4D-B18DCFFDF52A}\RP320\A0048282.msi\Data1.cab\dmbcu.exe
Win32:Malware-gen, Virus/Worm, 091122-0, 11/22/2009

At the end I got the same results
“Error occurred during file deleting: The operation is not supported for this type of archive”?

I tried to delete the files with run cmd, but that told me it could not find the path specified.
I’m not exactly an advanced user and don’t know what to do.
Anybody? ???

Hi Russkatt

You really need to post your computer issue in your own thread. You’re cramping someone else’s space right here. I suggest that you start a new thread for your problem, but firstly run a boot time scan with your system restore turned off. To turn off System Restore - right-click My Computer (Computer in Vista), and click on Properties - select System Restore (System Protection in Vista) and check the appropriate box to turn System Restore off – then schedule and run a boot time scan and see what details you can provide to the opening post (OP) of your new thread.

lwRift
There’s a bit of info about Flash Disinfector around, (and I’ve used it, without problems) and the use of the program will create “autorun.inf” entries at the root of every drive and USB device connected to the computer.
See some more references from experi3nc3, from Avast forum, myantispyware forum. (This last one also contains instructions on how to remove the .inf folder.)

I have not heard of this tool creating a “pagefile” with a recycle bin icon.
I have heard of malware cloaked as a folder pointing to the recycle bin, maybe something like that is at play?

The Flash Disinfector, if I remember correctly, was a successful and popular response to the Conficker worm.

Unfortunately, no effect. It went like this:
I unplugged my internet cable,
launched Autorun Eater (oldmcdonald.exe)
disabled avast
plugged in my USB flash drive (8GB)
Autorun Eater blocked a suspicious file (see picture #1)
Ran Dr cure it (express scan), no viruses found
then ran custom scan of removable media (G:/)
again, no results (see picture #2)

picture #1 - Autorun Eater blockage.
picture #2 - Dr. CureIt yields no results.

Not sure if I got your post correctly, mkis, but:
Already tried safe mode, the flash drive is not loading

I know, I tried my old 512 MB drive to see if it would get infected since I wasn’t sure if it was my 8 GB drive that was corrupted.

I cannot clean my USB as long as filesystem and autorun.inf files are in it.

Yes, I’ve already used it to delete filesystem and autorun.inf on my 8GB USB drive, I’ve got ‘Done’ message when it finished, but after I opened my USB drive, the malicious files were still there (and yes, autorun.inf entries were created). I will try to read around your provided sources, but I’m starting to think that a backup and autokill@disk are the best options :-\

Thank you all for your help.

Can you send pagefile.exe to virustotal and post the results? http://www.virustotal.com/

Also try this,

1 Go to Start > Run. Type cmd and hit enter. This will bring up the command prompt.
2 Type the drive name of the USB drive, e.g. (G:), and hit enter.
3 Type “attrib -s -h -r -a *.*” at the command prompt to remove the system, hidden, read-only and archive file attributes. Press the Enter key.
4 Type “del ####.+++” where “####” is the file name of the infected file and “+++” is the file extension, at the command prompt line. For example “del pagefile.exe” etc, and hit enter

See if you can remove the files this way
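
Before deleting anything from the stick, it helps to read what its autorun.inf would actually start. The following is an added example, not part of the thread: a small Python parser that lists the launch directives in an autorun.inf and the files they point to. The sample file content is constructed (it only borrows the names mentioned in this thread and is not taken from the poster's drive), and the function names are hypothetical.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)  # shell\<verb>\command

def launch_targets(text):
    """Return [(key, command)] for each [autorun] directive that runs a program."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment/junk
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key.lower(), value))
    return found

def referenced_files(text):
    """Program paths (first token of each command) to look for on the drive."""
    names = []
    for _, cmd in launch_targets(text):
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        name = (m.group(1) or m.group(2)) if m else ""
        if name and name.lower() not in (n.lower() for n in names):
            names.append(name)
    return names

# Constructed sample: comment lines as padding, several directives, one target.
SAMPLE = """\
;kd93jdk padding line
[AutoRun]
open=filesystem\\pagefile.exe
;x
shell\\open\\command=filesystem\\pagefile.exe -s
shell\\explore\\command="filesystem\\pagefile.exe"
icon=%SystemRoot%\\system32\\shell32.dll,4
label=USB
"""

if __name__ == "__main__":
    for key, cmd in launch_targets(SAMPLE):
        print(f"{key:22} -> {cmd}")
    print("files to check:", referenced_files(SAMPLE))
```

The paths it reports are the ones worth submitting to a scanner or removing first; icon= and label= lines are ignored because they do not start a program.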