USB Flash Drive virus

[Majama 0]

Dear ESET,
 

i am using ESET Nod 32 AV 8 and it keeps detecting (and deleting) "a variant of Win32/Agent.XDP trojan" on all of my USB sticks. I formatted them and even on empty USBs Nod is detecting them. I did also scan my whole computer and there are no threats detected.

Thanks,
Majama.

[Maniac 2]

Hello Majama,

It would be great if you give us more details about ths detection.

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2817

[Majama 0]

Hello,

I hope this helps: 

 

5/16/2015 10:40:14 AM Real-time file system protection file H:\ \~$vixv.pti a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:35:49 AM Real-time file system protection file H:\ \~$pugmzmaya.xzt a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:25:07 AM Real-time file system protection file H:\ \~$uifcurayhwhwdvdlyyghfp.cza a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:22:07 AM Real-time file system protection file H:\ \~$wbimfoh.hjm a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:20:03 AM Real-time file system protection file H:\ \~$kxrrxvfzvdfrciezhoyqodqewvwallxbvh.hxz a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:18:00 AM Real-time file system protection file H:\ \~$hdkiguhwkxvpbtej.inj a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:15:53 AM Real-time file system protection file H:\ \~$zkijjvyeiubjwuaqwocyrvrxzaqbycocrinww.rdc a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 10:14:53 AM Real-time file system protection file H:\ \~$azvlgqmutyfignqdcggwkxzjkzgjdijar.kkm a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/16/2015 9:45:38 AM Real-time file system protection file H:\ \~$eguenvldni.ltc a variant of Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/11/2015 11:42:10 AM Real-time file system protection file H:\ \~$gcpvpjz.bak Win32/Agent.XDP trojan cleaned by deleting - quarantined MAJAMAPC\Majama Event occurred on a new file created by the application: C:\Windows\SysWOW64\msiexec.exe.

5/11/2015 9:41:39 AM Startup scanner file C:\ProgramData\msdcjdmjr.exe Win32/TrojanDownloader.Wauchos.AK trojan cleaned by deleting (after the next restart) - quarantined MajamaPC\Majama


Thank you!

[Maniac 2]

Step 1

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

  Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Step 2

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

[Majama 0]

I am running win 8.1 so Flash Disinfector isnt working :/ It wont open the programm at all. Does it matter if I use this version: hxxp://www.8appstore.net/windowssoftware/flash-disinfector/624455.html ?

[Maniac 2]

Please proceed with second step, I will take a look.

[Maniac 2]

Thanks for your log files, Majama!

Once I analyzed them found what actually happens.

Your system is infected. This malicious software attempts to infect any USB device connected to the computer with the aim to spread. This malware is unknown to NOD32, but thanks to its excellent proactive technology, managed to prevent the generated malware to infect the included USB devices. Furthermore, there are remnants of potentially unwanted applications that we are going to clean too.

When we are done here, it will be great if you send me these samples to send them to ESET Lab, which will add it to the database.

Step 1

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Step 2

Please allow NOD32 to detect potentially unwated applications:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3204

Next, perform a scan:

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3505

When you are ready, please post your scan log file.

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2112

Step 3

Please go to www.virustotal.com . Next, click on Choose File, find the following file and double click on it:

C:\Windows\jmesoft\JME_LOAD.exe

When you are ready, click on Scan it! . If ask you, choose to reanalyse this file.

Wait until is finished and copy/paste the URL in your next reply here.

In your next reply, post the following log files:

• FRST log
• ESET NOD32 Antivirus log
• Virustotal link

fixlist.txt

[Majama 0]

I started Farbar and it did work until it came to: "Deleting temporary files .... INetCache". Now it is stuck on that point, when trying to minimize it or move the window around nothing happens (as if frozen). Should I stop it over the Task manager or give it some more time? It is stuck like that for approx. 15 minutes now (the green bar isnt moving aswell).

[Maniac 2]

If still not worked, reboot your system and try again.

[Majama 0]

Hello again,

here we go:

virustotal link https://www.virustotal.com/en/file/ba9993be11e7c01293ae4c3d3d4db60afa322af8947445031ccef66d48227d37/analysis/1431809624/

 

Fixlog and eset scan log are in attachments!

How can I send you samples for the ESET lab?

 

Thanks a lot for your help!

 

ESETscan.txt

Fixlog.txt

[Maniac 2]

Well done!

Please generate new fresh FRST logs and post them in your next reply. Next, using WinRaR please compress this folder:

C:\FRST\Quarantine

And then send it to me via PM like you did it with previous logs.

Thanks!

[Majama 0]

Here is the FRST log and the dropbox link to the quarantine folder (its too big for an attachment).

 

https://www.dropbox.com/sh/j800iol146f9glq/AADyRcHNKIRxhtuXj_Dnf226a?dl=0

 

What about the Flash_disinfector step? Did I actually remove the virus now or are these still the preparation steps?

Thanks for your help

FRST1.txt

[Maniac 2]

Here is the FRST log and the dropbox link to the quarantine folder (its too big for an attachment).

 

https://www.dropbox.com/sh/j800iol146f9glq/AADyRcHNKIRxhtuXj_Dnf226a?dl=0

Thank you very much! I already send a sample to ESET lab.

 

What about the Flash_disinfector step? Did I actually remove the virus now or are these still the preparation steps?

You don't need it, because as I explained in my previous reply: NOD32 prevented the infection of your USB flash drives.

It is time to test the same things. Manually check for updates from NOD32 and then put your USB sticks into your PC and check for a notification from NOD32.

Edited May 17, 2015 by Maniac

[Majama 0]

Everything is clean  

BIG thanks to you

[Maniac 2]

Glad I could help!

You are welcome!

[Maniac 2]

Hello Majama,

I would like to tell you that there are already results from the samples we took from your system. It is already in latest updates from ESET - Win32/TrojanDownloader.Wauchos.AK .

I recommend you to perform a full system scan to make sure that your system is already clean.

A little later Symantec added it too: 2 / 57

Edited May 19, 2015 by Maniac

[bulkflashdrive 0]

Try to format using HP disk storage format tool after restarting the pc..(you have to restart to the changes takes place)...

 

bulk flash drives