I have not been able to remove two files from USB, that are tetected as trojans by Comodo AV. Files are:
autorun.inf
mvxm.cmd
They are marked as TrojWare.Win32.PSW.OnLineGames.MUU@…
OS is Win7 32bit. Files are marked as read-only. If I try to remove read-only attribute from these two files, I get message
You will need to provide administrator permission to change this attributes.
Click Continue to complete this operation.
When I click Continue, I get Access denied message.
I am able to chage read only attribute on any other file on USB, but not on these two files. When I run Comodo AV to scan USB, it reports these two files as threats, and when I click to Remove them, it deletes them from the list, but they still remain on the USB.
I have submitted these two files to Comodo.
Note: I am able to format the drive, and the threats are gone, but I get this virus pretty often, so I dont want to reformat it every time, since I need to backup many, many files from USB, and that takes like half an hour.
Having such files on the usb drive usually means it’s infected with an autorun worm.
Autorun.inf points to an exe file, most often located in Recycler folder. When you plug in the usb drive, the autorun feature automatically executes the malware, which copies itself to every drive, again with autorun.inf pointing to it. It very likely your computer is also infected and the files are recreated after deleting them.
Disable the autorun feature for all drives. Open registry editor and navigate to HK_current_user\software\microsoft\windows\currentversion\policies\explorer. In the right panel change the value of the key NoDriveTypeAutorun to FF .
After disabling autorun use command prompt window or a third-party explorer like Total Commander to delete autorun.inf, mvxm.cmd and the contents of the recycler folder from all drives. Also delete any suspicious .exe file if it appears on the root of all drives.
If you still get the message about admin privileges try to login to admin account or disable UAC.
If your computer is infected ( you have those files on fixed hard drives ), please be aware that any removable storage you connected since might also have been infected.
There was no exe file (I have total commander showing all files all the time), probably Comodo AV deleted it, if it did exist. No recycle folder also, nor any other suspicious file on usb disk, except my files (no executable file).
I already have autorun disabled. Computer was (is) not infected. I didnt disable UAC, altough I have started total commander as admin user, but still no success. Also, Comodo AV surely doesnt run under restricted priviledges, and it also could not delete them, although it has detected them as threats.
I still don’t understand why this happened. If Comodo AV detected them as threats, then it should not allow them to run. If worm wasn’t loaded in memory, then I should have been able to delete them without problem.
When I plugged USB to XP system, it has autorun enabled, but this didn’t prevent Comodo AV from deleting them. So, what the hell is going on here?
Try to login with default windows Administrator user in safe mode.
In safe mode CIS doesn’t start so you’ll also eliminate the possibility that Comodo AV/def+ is blocking the files.
Open a command prompt window, navigate to the specified drive and type in attrib filename.extension -s -r -h to remove system, hidden and read-only attributes, then try to delete them
Unlocker should also show you what application is using/protecting those files.
If this also fails you can try an anti-rootkit software like Gmer ( http://www.gmer.net/ ) or Radix ( http://www.usec.at/rootkit.html ). The removal tools included in these are specifically designed to remove locked/protected files.
