VideoHelp Forum
  1. Member ahhaa's Avatar
    Join Date
    Feb 2005
    Location
    Michigan USA
    Hi, I'm posting an unusual problem... I think. Advice welcomed. 8) My immediate Qs are at the bottom of the post- here is the background.

    I've just replaced NIS '08 with Norton 360 2.0 '09 on my XPsp3 computers. (My usual SOP keeps everything updated & scanned.) The new 360 tends to run quick scans and find nothing.

    Over the years I have downloaded quite a few programs, mostly just utilities & trials from here, sourceforge or cnet- nothing from the 'underworld'.

    I got a big 500G USB hard drive for Christmas, and finally started on something I've long wanted to do- transfer all those old backup CDs and organize them down into a single set of 'keepers'.

    When I thought to run a full scan on the USB drive, Norton 360 found two .zip files that were 'hiding' Trojan.Killfiles & had quarantined them.

    To be totally clear: Both the infected .zip files had the same name; back in 2000 and then again in 2001 the original file had been manually stuck in a backup folder.

    Those folders sat inside other folders as backups- never opened or extracted- and eventually were copied off the hard drive onto a CD (as I recall, using the native Windows burner).
    While they were on that machine, I had either McAfee or Norton running and nothing was detected.

    When I copied off that CD onto the big USB drive, with 360 running, nothing was detected.
    When I ran 360 specifically on that drive, it found these 2 problem files which it quarantined.
    I went to Norton Support online chat, where I was '87 in queue' and after a couple hours got somebody in India who was (let's say) unable to help, or even understand. I was referred to 'paid support'!?!

    OK, again to clarify: on the G: USB drive there is a nest of folders... say BACKUPS>OLD BACKUPS>UTILITIES which contains 2 folders BACKUPS 2000 & BACKUPS 2001, each of which contains a folder containing the identical allegedly infected .zip file {oe.exe}.

    I've found lots of information & misinformation about the variously named Trojan.Killfiles, which apparently goes back to at least 2003 according to sites like Trend, McAfee, & Norton.

    I've disconnected the USB drive, and scanned the computer itself with Trend Housecall, again 360, and then the mental quagmire that is Malwarebytes- nothing is finding overall evidence of infection.

    My Qs include:
    * 360 quarantined the files, but apparently has no way to delete them. If I overwrite them with a scrubber program, will that make things better or more difficult to track?

    * I use flashdrives to move things between computers. How can I be sure they are clean? Can they infect a computer just by being plugged in? Do different brands have different vulnerabilities?

    * Are data files on a CD or DVD scannable while still on the disc? Does 'Close sessions' lock files?

    * Is there a possibility I don't have a real problem?

    This trojan isn't marked with a .u or anything, unlike modern versions, so I think it is a vintage 'Mark 1' and not something that got in over the net.
    No programs seem to find anything to report in RAM or Registry. (However... 360 both 'optimizes' files & 'cleans' the registry, new features over NIS)

    * What should I do next?

    The Malwarebytes approach involves running Spybot, which found 2 different probs: Microsoft.WindowsSecurityCenter.AntiVirusOverride
    Microsoft.WindowsSecurityCenter_Disabled

    Spybot says these might have been done by either a security prog or a malware...

    The Malwarebytes approach also asks for a Panda scan, which on my machine found none of the above, but ID'd a 'dangerous' javascript and Dmailer from a Lexar flashdrive. It then more or less demanded I buy the program...

    like I said, any advice- wotta tarpit!

    Thanks guys!
  2. Member Snakebyte1's Avatar
    Join Date
    Mar 2002
    Location
    Ontario, Canada
    Anti-Virus applications are far from perfect and often can come up with False Positive findings. If your preferred AV app detects a threat then scan those files with other AV software (as you have done). If you run a handful of different AV & malware apps and only one detects a problem, it's likely a false alarm. If most or all of them detect a problem you might have something! I won't get into suggesting which AV programs to use as that is like discussing politics or religion - no one can ever agree - but you can decide on which ones and how many you want to run.

    If you are still uncertain about the file then delete it from your archive.

    I had a somewhat similar case. I kept a series of "Application CDs" that I would re-organize and consolidate from time to time. Each time I would run an AV scan just to be sure. Then, one year, a scan detects a problem with an EXE on one of the CDs that had been scanned several times over the years. Almost certainly a false positive, but since the questionable application was quite old I decided not to bother keeping it on the new CD I was building.
  3. Member ahhaa's Avatar
    Join Date
    Feb 2005
    Location
    Michigan USA
    thanks SB! is delete sufficient? or must I try to overwrite?

    the biggest hassle is now not trusting the flashdrives to be properly scanned...
  4. Member Snakebyte1's Avatar
    Join Date
    Mar 2002
    Location
    Ontario, Canada
    This is just my opinion, others may disagree, but I don't believe you have too much to worry about in this case. Deleting the files will at least put your mind to rest.

    However, you can do more if it makes you feel better. You have your system up to date with patches and your AV apps updated, and this threat is very low in this case, so I don't see that plugging in a USB drive would be too dangerous. Disable any auto-run features if you have them enabled. Delete the files, then if you want to take it a few steps farther format the USB drive. I don't think you need to over-write data but then again, if it makes you feel more comfortable then go ahead.

    If you are hyper-sensitive to this, then plug the USB drive into another PC - maybe you have an old PC buried in your basement or something like that - and do the formatting on that machine.
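Added example, not part of the thread or any poster's code: when a flagged archive has been copied into several backup folders, matching by content hash rather than by file name finds every copy before deleting, and the zip directory can be read without extracting anything. The folder names, the `oe.zip` file name and the placeholder contents are constructed sample data.

```python
import hashlib
import io
import os
import tempfile
import zipfile

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large backups are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(root, flagged_sha256):
    """List every file under root whose content matches the flagged hash.
    Zip member names come from the archive directory; nothing is extracted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha256_of(path) != flagged_sha256:
                continue
            members = []
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()
            hits.append((os.path.relpath(path, root), members))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a harmless stand-in archive copied into two
    backup folders, plus an unrelated archive that shares its file name."""
    def make_zip(member, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, data)
        return buf.getvalue()
    flagged = make_zip("oe.exe", b"placeholder bytes, not a program")
    other = make_zip("notes.txt", b"unrelated archive")
    layout = {("BACKUPS 2000", "oe.zip"): flagged,
              ("BACKUPS 2001", "oe.zip"): flagged,
              ("MISC", "oe.zip"): other}
    for (folder, name), data in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)
    return hashlib.sha256(flagged).hexdigest()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, members in find_copies(tmp, build_sample_tree(tmp)):
            print(path, members)
```

The same-named archive under `MISC` is not reported because its content differs, which is the reason to match on the hash and not the name.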


