Whenever I open up my USB Stick (virus/trojan related)

Phyre · 19 Nov 2007 at 13:39

When I use Windows explorer to look at my USB stick NOD32 gives me a virus message saying

"Event occurred on a new file created by the application: D:\WINDOWS\msmsgs.exe. The file was moved to quarantine. You may close this window. "

The threat is "a version of Win32/PcClient.LH" apparently.. Anyone know what this means? It obviously keeps quarantining it but I'd like to get it sorted out, thanks.

--Mike-- · 19 Nov 2007 at 17:01

Could you be getting the virus from another pc you're using the memory stick in? Perhaps you need to do a full scan on both pcs if that's possible.

Phyre · 19 Nov 2007 at 18:33

Hmm that'd make sense. My flatmate had the virus a week ago or so and I guess he must've borrowed my USB stick and then put it back into my computer... I do remember him saying, though, that he did a full system scan using NOD32 and it found nothing :/

mejinks · 19 Nov 2007 at 18:48

go to housecall.trendmicro.com and run the online virus scanner there. Is your OS installed on the C drive or the D drive?

Phyre · 19 Nov 2007 at 19:08

D drive

edit: that online scanner found nothing, and neither did my NOD32 scanner.

GSDog · 19 Nov 2007 at 20:42

So it is msmsgs.exe that NOD32 is saying is infected?

Try uploading that file here: http://www.virustotal.com/ and it will scan that file using many different antivirus engines to see if it is still infected.

Is NOD32 saying the USB stick is clean too?

Phyre · 19 Nov 2007 at 21:03

Zildjian said:
So it is msmsgs.exe that NOD32 is saying is infected?

Try uploading that file here: http://www.virustotal.com/ and it will scan that file using many different antivirus engines to see if it is still infected.

Is NOD32 saying the USB stick is clean too?

Yes it was saying it was clean.

I just went into my Windows folder and deleted "msmsgs.exe". Had to close the process first, but it seemed to work... It tried to do it again too before I emptied the recycle bin

edit: It seems I spoke too soon... Just as I finished typing this message I entered my external HDD (USB too) and it came up with the same trojan error.. however this time it said the file creating it was in "I:\RECYCLER\RECYCLER\autorun.exe"... and this time it wasn't msmsgs.exe. Thing is, as I opened my HDD up I had a runtime error from "autorun.exe" and until I ended the process neither my HDD or my USB stick would open.

GSDog · 20 Nov 2007 at 14:59

It does sound like a virus/worm that is making copies of itself on your removable devices.
What does NOD32 do with the infection? Can you repair or quarantine it?

I don't think you should have deleted the msmsgs.exe until you were sure it was infected. I think it is just an Windows Messenger file. Do you have Windows Messenger installed and if so, is it still working?

Now try uploading the I:\RECYCLER\RECYCLER\autorun.exe file to VirusTotal and see if it finds anything.

EDIT: About that msmsgs.exe file, according to this site: http://www.neuber.com/taskmanager/process/msmsgs.exe.html
Note: The msmsgs.exe file is located in the folder C:\Program Files\Messenger. In other cases, msmsgs.exe is a virus, spyware, trojan or worm!
Seeing that msmsgs.exe was in your Windows folder, it probably was a virus of somekind.

I suggest you stop using your removable decides until the worm has been deleted, otherwise it could keep copying itself.
Download HiJackThis from http://www.tomcoyote.org/hjt/ . Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste it here.

Do you have any anti spyware scanners? If not, you might want to download A-Squared free from here: http://www.emsisoft.com/en/software/free/ . Make sure it is updated and do a full scan.