atosniper

Am I infected?

Yesterday, I noticed there was an extra folder on my C drive called 'backup'. In it were several folders and files of stuff from what looked to be stuff from someone at work - Excel files, photos, etc. The night before I had put in my USB Flash Drive to copy some mp3s I'd made at work to my iPod. So I figured there must have been a virus on the USB stick that infected my PC and downloaded those folders/files.

I ran Norton (paid version), then AdAware, then Spybot - Search & Destroy, then Spyware Blaster, lastly Malware Malbytes (I forget exact name off the top of my head). Not one of them found anything, except for AdAware which found a couple of low threat cookies which I don't think were related to the virus.

I promptly deleted the 'backup' folder.

Was I infected? Am I still infected?

I did a Ctrl+Alt+Del and checked all the running processes and there was nothing there that shouldn't have been. I then ran the regedit and modified the NoDriveTypeAutoRun to 95 (hexadecimal one).

Do I need to do anything else to protect myself from USB sticks in the future?

If you ran all of that and it found nothing, I'd say you are pretty safe.

Could it have been someone else?

To protect yourself from USB sticks, just make sure Autorun is disabled.

It seems far more likely that you copied the files over without realising... is that a possibility?

I don't think it could have been anyone else, as I'm the only one with access to my home machine.

I guess I could have copied it over by accident, but the only files I remember copying are a few mp3s, certainly not a whole folder. Plus the folder 'backup' wasn't even my own, it was something by someone else, completely unrelated to myself although working for the same city. I also just checked the USB at work here, and that backup folder doesn't exist on it anywhere I can find.

Weird...

It's not one of those sticks with the software that backs stuff up automatically, is it...?

Did you look at the directory it created to see if any of the files were really yours?

From a command prompt (click start, then run, then type cmd and press enter), switch to the drive letter of your USB device. If your USB drive is assigned letter F, type "F:" and press enter, without the quotes.

Then type "attrib" and look for any files with the S or H attributes.

If autorun.inf is present, type "notepad autorun.inf" and paste the contents in your reply on the forum.

You may also want to check the owner/creation time of the backup folder, and see if it corresponds to when you were using the USB key.
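
The two USB checks raised so far in the thread, the NoDriveTypeAutoRun value of 95 hex and the contents of autorun.inf, combined in an added Python example (not code from any poster). The sample autorun.inf is constructed, the function names are illustrative, and the bit layout and the 0x91 Windows XP default follow Microsoft's documentation of the policy value.

```python
# Added example: read an autorun.inf and a NoDriveTypeAutoRun mask together.
# A set bit in the mask disables AutoRun for that drive type.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program

# Constructed sample; the stick in the thread had no autorun.inf.
SAMPLE_INF = r"""
; comment and padding lines are skipped
[AutoRun]
open=backup\sync.exe /quiet
icon=folder.ico
shell\open\command=backup\sync.exe
action=Open folder to view files
"""

def autorun_disabled(mask, drive_type):
    """True if the policy mask switches AutoRun off for this drive type."""
    return bool(mask & DRIVE_BITS[drive_type])

def launch_entries(inf_text):
    """Return (key, command) pairs from [autorun] that name a program to start."""
    hits, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding, or a key outside the [autorun] section
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            hits.append((key, value.strip()))
    return hits

def triage(inf_text, mask, drive_type="removable"):
    """Combine both checks; models the policy mask only, not OS patch level."""
    entries = launch_entries(inf_text)
    disabled = autorun_disabled(mask, drive_type)
    # True when the file names a program and the mask leaves AutoRun on.
    return {"launch_entries": entries, "autorun_disabled": disabled,
            "policy_allows_launch": bool(entries) and not disabled}

if __name__ == "__main__":
    for mask in (0x91, 0x95):  # 0x91: documented XP default; 0x95: the post's value
        for drive in ("removable", "cdrom"):
            print(hex(mask), drive, triage(SAMPLE_INF, mask, drive))
```

With the mask at 0x95 the removable-drive bit (0x04) is set but the CD-ROM bit (0x20) is not; a mask of 0xFF sets every bit.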

> It's not one of those sticks with the software that backs stuff up automatically, is it...?
>
> Did you look at the directory it created to see if any of the files were really yours?

Hmm, I don't believe so. Yeah, out of curiosity I checked through all the folders and files and not a single one was mine. I work for a city as a teacher, and all the files/folders seemed to belong to one guy who does the gardening. There were lots of weather report pics, gardening pics, and also Lineage II pics (guess he must have liked gaming from work), lots of Excel files on the various places around the city that were receiving various types of maintenance. I didn't actually open any of the files, just looked at the names. The city is big, so I don't actually know the guy. It's in Japan too, hence Lineage.

I was connecting to the city's server, so it's quite possible the data came from that, I guess.

> From a command prompt (click start, then run, then type cmd and press enter), switch to the drive letter of your USB device. If your USB drive is assigned letter F, type "F:" and press enter, without the quotes.
>
> Then type "attrib" and look for any files with the S or H attributes.
>
> If autorun.inf is present, type "notepad autorun.inf" and paste the contents in your reply on the forum.
>
> You may also want to check the owner/creation time of the backup folder, and see if it corresponds to when you were using the USB key.

Hmm the Japanese computer is playing silly buggers and doesn't seem to want to let me access the drive, it's I. I'll continue trying to play around with it.

As for the owner/creation time: The stuff was made by some person who I don't know, and the dates were all around August 2007!?

Okay, got into the I drive. All the files are marked with A for the attrib, and there is no autorun.inf.

Think of any programs you use that manage files, even stuff like FTP and iTunes. One of them might be set to 'automatically backup files' without you being aware. Has any program prompted or asked you for permission to delete stuff? If so that's probably your suspect.

> Hmm the Japanese computer is playing silly buggers and doesn't seem to want to let me access the drive, it's I. I'll continue trying to play around with it.
>
> As for the owner/creation time: The stuff was made by some person who I don't know, and the dates were all around August 2007!?

If there are no obviously dodgy files, it is extremely unlikely that you have contracted a virus. It is extraordinarily unlikely that if you had contracted a virus that managed to hide outside of the filesystem, that it would simply copy a pre-existing folder with a co-worker's data.

Somehow you or someone else must have been responsible for copying that data. If the dates are from 2007, is it possible you have turned on hidden files or something like that? If the creation date was 2007, when was the modification date?

> Think of any programs you use that manage files, even stuff like FTP and iTunes. One of them might be set to 'automatically backup files' without you being aware. Has any program prompted or asked you for permission to delete stuff? If so that's probably your suspect.

I use iTunes on my home computer, but that isn't linked to work at all. So the only way the work files could have gotten on the PC is through the USB stick. Would iTunes automatically backup stuff from the stick; and only select that folder of stuff, yet ignore other stuff?

> > Hmm the Japanese computer is playing silly buggers and doesn't seem to want to let me access the drive, it's I. I'll continue trying to play around with it.
> >
> > As for the owner/creation time: The stuff was made by some person who I don't know, and the dates were all around August 2007!?
>
> If there are no obviously dodgy files, it is extremely unlikely that you have contracted a virus. It is extraordinarily unlikely that if you had contracted a virus that managed to hide outside of the filesystem, that it would simply copy a pre-existing folder with a co-worker's data.
>
> Somehow you or someone else must have been responsible for copying that data. If the dates are from 2007, is it possible you have turned on hidden files or something like that? If the creation date was 2007, when was the modification date?

Fair enough. What are your thoughts on how that data got copied there? I've already fully deleted the data, last night at home, sorry, but I do remember that there were no modification dates, it only showed the dates they were made, and then the date they were accessed - the exact time I clicked on them to see their name & property. In addition, my home computer was made (was a custom job) in late October 2007 O_o

How about this: The files were copied onto my C drive by the person because they accessed my drive through my wireless network? Now let's assume for a moment that I hadn't secured my router at all, that is the username and password were the default ones. Could an outside person have gotten access to my C drive? I live in an apartment block. Now I actually have my router locked down pretty tight, with changed names, passwords, stealthed APs, and only specific MAC addresses allowed permission to use the wireless router. With that in mind, could an outside person have gotten access to my C drive?

I know for sure that I didn't copy that folder onto my C drive.

The only other thing I can think of, is that someone broke into my apartment and downloaded their backup files onto my C drive LOL

> Fair enough. What are your thoughts on how that data got copied there? I've already fully deleted the data, last night at home, sorry, but I do remember that there were no modification dates, it only showed the dates they were made, and then the date they were accessed - the exact time I clicked on them to see their name & property. In addition, my home computer was made (was a custom job) in late October 2007 O_o

All files have a creation, modification and access time. It would be very strange if there were no modification date.

> How about this: The files were copied onto my C drive by the person because they accessed my drive through my wireless network? Now let's assume for a moment that I hadn't secured my router at all, that is the username and password were the default ones. Could an outside person have gotten access to my C drive? I live in an apartment block. Now I actually have my router locked down pretty tight, with changed names, passwords, stealthed APs, and only specific MAC addresses allowed permission to use the wireless router. With that in mind, could an outside person have gotten access to my C drive?
>
> I know for sure that I didn't copy that folder onto my C drive.
>
> The only other thing I can think of, is that someone broke into my apartment and downloaded their backup files onto my C drive LOL

Which version of Windows are you running? Do you have a firewall running? Do you have file sharing turned on? Are there any connection attempts in your AP logs?

In the security for your router, you have not mentioned WPA or WPA2, is this enabled, or are you just relying on disabling SSID broadcast and MAC address filtering?

I think it unlikely that someone would connect to your computer through your wifi, and copy across a backup folder. I would be positive the files had to come from you somehow, even if you are not aware of how. Did you extract any archives to C:\ lately? Any similar activities?

> > Fair enough. What are your thoughts on how that data got copied there? I've already fully deleted the data, last night at home, sorry, but I do remember that there were no modification dates, it only showed the dates they were made, and then the date they were accessed - the exact time I clicked on them to see their name & property. In addition, my home computer was made (was a custom job) in late October 2007 O_o
>
> All files have a creation, modification and access time. It would be very strange if there were no modification date.
>
> > How about this: The files were copied onto my C drive by the person because they accessed my drive through my wireless network? Now let's assume for a moment that I hadn't secured my router at all, that is the username and password were the default ones. Could an outside person have gotten access to my C drive? I live in an apartment block. Now I actually have my router locked down pretty tight, with changed names, passwords, stealthed APs, and only specific MAC addresses allowed permission to use the wireless router. With that in mind, could an outside person have gotten access to my C drive?
> >
> > I know for sure that I didn't copy that folder onto my C drive.
> >
> > The only other thing I can think of, is that someone broke into my apartment and downloaded their backup files onto my C drive LOL
>
> Which version of Windows are you running? Do you have a firewall running? Do you have file sharing turned on? Are there any connection attempts in your AP logs?
>
> In the security for your router, you have not mentioned WPA or WPA2, is this enabled, or are you just relying on disabling SSID broadcast and MAC address filtering?
>
> I think it unlikely that someone would connect to your computer through your wifi, and copy across a backup folder. I would be positive the files had to come from you somehow, even if you are not aware of how. Did you extract any archives to C:\ lately? Any similar activities?

Fair enough, I must have missed the third date then, as I only remember seeing two dates.

Windows XP SP2. I believe the firewall is up, I'll have to double check when I go home and re-post. Hmm how do I know if file sharing is turned on? I'll have a look at the AP logs when I go home to see and re-post.

Yeah, iirc I'm using WPA2 (also PSK or something?), it was on by default, but I'll double check when I go home.

You're right, it would be weird for someone to connect and just put their backup folder there, wouldn't it? I bought an iPod Touch over the weekend, and have installed a couple of PC side programs since then to support it, but aside from that I haven't done much recently except gaming.

Okay, home now and checked.

Windows XP SP2; firewall up and running, but file sharing is enabled; no connection attempts in logs, only wireless devices showing are my iPod and Wii; using WPA/WPA2-PSK.

> > Think of any programs you use that manage files, even stuff like FTP and iTunes. One of them might be set to 'automatically backup files' without you being aware. Has any program prompted or asked you for permission to delete stuff? If so that's probably your suspect.
>
> I use iTunes on my home computer, but that isn't linked to work at all. So the only way the work files could have gotten on the PC is through the USB stick. Would iTunes automatically backup stuff from the stick; and only select that folder of stuff, yet ignore other stuff?

iTunes may automatically sync files between new media and your PC if that's what the settings have been set to do. Windows Media Player does this too.

Still, that may not be the case considering they moved it to a folder called 'backup'.

> > > Think of any programs you use that manage files, even stuff like FTP and iTunes. One of them might be set to 'automatically backup files' without you being aware. Has any program prompted or asked you for permission to delete stuff? If so that's probably your suspect.
> >
> > I use iTunes on my home computer, but that isn't linked to work at all. So the only way the work files could have gotten on the PC is through the USB stick. Would iTunes automatically backup stuff from the stick; and only select that folder of stuff, yet ignore other stuff?
>
> iTunes may automatically sync files between new media and your PC if that's what the settings have been set to do. Windows Media Player does this too.
>
> Still, that may not be the case considering they moved it to a folder called 'backup'.

Yeah, fair enough. I actually set up iTunes to not do any auto syncing too, as it pisses me off not having control. I'm one of those weirdos who likes to manually manage all his files.

You don't have your home computer connected to your work server in any way at all (VPN?), is your C drive shared at all? (Check the properties of it to see if it is.)

> You don't have your home computer connected to your work server in any way at all (VPN?), is your C drive shared at all? (Check the properties of it to see if it is.)

It's definitely not connected to the work server. I checked the properties of the C drive under the Shared heading and it gives a somewhat ambiguous message: it says that sharing this drive/folder is not recommended, but if you accept this then click here (and clicking there takes you to another screen). Does that mean it is or isn't shared?

Does the creation date of the 'backup' directory and any subdirectories provide any hints about when the files appeared?

> Does the creation date of the 'backup' directory and any subdirectories provide any hints about when the files appeared?

Not really. They were all made around August 2007. Nothing related to me at all then, plus this computer wasn't even made till October 2007.

That would mean the files were either moved there, which would probably be unlikely if someone was breaking in to back up stuff, or that the folder was part of an archive. Perhaps go through your recent documents, and look at what files were open close to the time you noticed the folder.
