kmillerusaf Posted March 7, 2009

So, I don't know if you guys know, but I do computer helpdesk work for a living. I have been doing it for almost a full year now. Yesterday, a user called up saying they couldn't access their thumb drive. This is not out of the ordinary, as we have several network drives that take up drive letters, preventing thumb drives from being recognized. Usually changing the drive letter in Disk Management does the trick. However, this incident was different. When the user inserted the thumb drive into the port, AutoPlay would come up and she could open the folder through that method. However, if she closed the window and tried to open or explore the drive from My Computer later on, it would pull up an "Open With" window, but would never allow her to save it as "Always use the selected program" with Windows Explorer (what I used). So, I knew at this point, something was wrong. And my first assumption was that there was an autorun.inf file causing problems. But it was hidden as a protected operating system file. Upon unhiding and opening the autorun file, it referenced a random exe file name, m9ma.exe, and had all sorts of gibberish in it. I knew at this point that this was some sort of malware. I looked throughout the drive for that executable file but could not find it. So I figured Symantec might have detected and removed it. And it did; it was in Symantec's quarantine from earlier in the day when she first tried to use the thumb drive. It recognized the virus as W32.Gammima and quarantined it appropriately. However, the autorun file itself was NOT a virus, so Symantec did not quarantine it, but the file was still causing havoc. To fix this, I deleted the autorun file, removed the thumb drive and inserted it back; everything was back to normal. Crazy!

Symantec: W32.Gammima Summary

There's always an exception to the rule. I'm that exception.
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal At work ----- Intel C2D T1700 (1.6Ghz), 2GB DDR2 667, Dell OUY141, 80GB HD, Windows XP Pro SP2, Symantec 10 Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal
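For helpdesk triage of the kind described in the post above, here is an added example (not code from the original post) that reads an autorun.inf the way this thread describes it: it skips the junk padding, pulls out the open/shellexecute/shell\...\command directives, lists the executables they point at, and reports which of those are no longer present on the drive (the situation here, where Symantec had already quarantined m9ma.exe but the autorun.inf kept breaking Explorer). The sample bytes are constructed for the example, and the Hidden+System attribute check only works on Windows.

```python
import os
import re

# Constructed sample modelled on the thread's description (an [autorun] section
# pointing at m9ma.exe, padded with junk lines); it is not a captured file.
SAMPLE_AUTORUN = (
    b"[AutoRun]\r\n"
    b";\x8a\x93q2dL9\x00\xfe junk comment line\r\n"
    b"open=m9ma.exe\r\n"
    b"shell\\open\\Command=m9ma.exe\r\n"
    b"\x01\x02zz>>\xc4\xd5 junk line without an equals sign\r\n"
    b"shell\\explore\\command=m9ma.exe\r\n"
    b"shellexecute=m9ma.exe\r\n"
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
)
# Directives that make Explorer run something on insert, Open or Explore.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\.*\\command)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.I)
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def parse_autorun(data: bytes) -> dict:
    """[autorun] directives with lower-cased keys; junk, comments and lines
    without '=' are skipped, which is also how Windows reads the file."""
    directives, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives

def launch_targets(directives: dict) -> list:
    """Executables the file would launch, deduplicated, in directive order."""
    hits = [v.lower() for k, v in directives.items()
            if LAUNCH_KEYS.match(k) and EXEC_EXT.search(v)]
    return list(dict.fromkeys(hits))

def missing_targets(directives: dict, drive_root: str) -> list:
    """Launch targets not present on the drive (e.g. already quarantined)."""
    return [t for t in launch_targets(directives)
            if not os.path.exists(os.path.join(drive_root, t))]

def is_hidden_system(path: str) -> bool:
    """True if the file carries Hidden+System attributes (Windows only)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM
```

On a suspect drive, run `parse_autorun` on the file's bytes and `missing_targets` against the drive root; a launch target that is absent, or an autorun.inf that `is_hidden_system` flags, is the pattern the post describes, and deleting the autorun.inf is what restored Explorer here.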
YoKenny Posted March 7, 2009

Have a look at: http://siri-urz.blogspot.com/2009_02_01_archive.html
SmitFraudFix : http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

"Education is what remains after one has forgotten everything he learned in school." - Albert Einstein
IE7Pro user
kmillerusaf (Author) Posted March 7, 2009

How is this relevant???
Humpty Posted March 9, 2009

Below is a discussion on autorun.inf, and I also use Flash Disinfector on all my drives.

Quietman Over At Elder Geek's

Diskheal is an app that can set drives back to default settings after an infection. Both Flash Disinfector and Diskheal get hits over at VirusTotal, but I have been told that they are false positives.
Rorschach112 Posted March 9, 2009

Flash Disinfector is very good. It's what we use in the malware removal community when dealing with USB infections.

By the power of truth, I, while living, have conquered the universe. ~Scratch~