Problem with my USB memory stick

far81

Sep 18, 2007
Hi!

I recently put my USB memory stick (1GB) into a computer in my university (which has an updated McAfee virus scanner) and it detected a virus called antihost.exe on it and deleted it. Before this happened, whenever I'd put my USB stick into any other computer (most of which didn't have an updated virus scanner), I wouldn't be able to 'safely remove' it (as if something is using the USB stick). Anyways, after the virus was deleted, I can't access my USB stick from "My Computer" from any computer because every time I try double clicking on the stick's icon, Windows gives me an error message saying something like: "Windows cannot find antihost.exe....etc..." (that's not the exact message, but something like that...). I'm assuming that the virus did something so that antihost.exe is supposed to run automatically when I try to access my USB stick. Does anyone know how I can fix this problem? I mean, what can I do so that I can access my USB stick without it automatically trying to run antihost.exe (which doesn't exist now because it was deleted)?

Also, if anyone is familiar with this specific virus, could you give me any tips on what it does and how I can remove it from my computer if it actually got transferred from my USB stick to my laptop (it probably did)?

I would appreciate any info.

Thanks!
 

qwertycopter

May 30, 2006
First of all, any computer you stuck that drive in needs to be scanned with an updated anti-virus program. Second, don't type any sensitive information on those computers (i.e. passwords, credit card numbers, etc.) as this infection installs a key logger.

Here is information I found on Sophos:

Name: W32/AntiHost-A
Type: Spyware Worm

How it spreads
- Removable storage devices

Affected operating systems
- Windows

Side effects
- Records keystrokes
- Installs itself in the Registry

Aliases
- Worm.Win32.Delf.ca
- W32/Worm.DSO
- W32/Autorun.worm.f

In addition to running an updated virus scan, here is some information from Sophos:

------------------------------------------------------------
When first run W32/AntiHost-A copies itself to <System>\ahr.exe.

The following registry entry is created to run ahr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
antihost
<System>\ahr.exe

W32/AntiHost-A spreads by copying itself with the hidden filename antihost.exe to any mounted removable media. The hidden file autorun.inf is also created so that W32/AntiHost-A is automatically executed. This file can be safely deleted.
------------------------------------------------------------

My suggestion would be to turn on hidden files in Windows Explorer. In My Computer click Tools > Folder Options > View > Put a tick next to "Show Hidden Files and Folders".
Find and delete the registry entry and the hidden files ahr.exe and antihost.exe on your computer.

From Sophos it appears there is an autorun.inf file still on your flash drive that is attempting to launch the worm. Hold the shift key when you insert the drive; this temporarily disables the autorun feature for removable media (CDs, DVDs, flash drives, etc.). There is also a way to disable it in the registry; Google it and you will find it.

With autorun disabled, you probably will be able to browse the root directory of your flash drive and delete any hidden files (e.g. autorun.inf) that are present.

Also, report back on what you find :)
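
An added example, not part of the thread: a small Python audit of an autorun.inf that lists every entry able to launch a program and flags targets no longer present on the drive, which is the state that produces the "Windows cannot find antihost.exe" error described above. The sample file contents and drive listing are constructed (the thread never shows the real file), and the check assumes launch targets sit in the drive root.

```python
import ntpath

# [autorun] keys whose value is a command line Windows may run for the drive.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_entries(inf_text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    entries, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries replace the double-click / context-menu action
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            entries.append((key, value))
    return entries

def target_of(command):
    """File name of the program a command line points at (arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0] if command else ""
    return ntpath.basename(program).lower()

def audit(inf_text, root_files):
    """Report each launch entry and whether its target is missing from the drive root."""
    present = {name.lower() for name in root_files}
    return [{"key": key, "target": target_of(cmd), "dangling": target_of(cmd) not in present}
            for key, cmd in launch_entries(inf_text)]

# Constructed sample: what a leftover autorun.inf could look like after the scanner
# removed the executable. Not taken from the thread or from Sophos.
SAMPLE_INF = """[autorun]
open=antihost.exe
shell\\open\\command=antihost.exe
shell\\explore\\command=antihost.exe
icon=folder.ico
"""
SAMPLE_ROOT = ["autorun.inf", "notes.doc"]  # antihost.exe already deleted

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, SAMPLE_ROOT):
        print(finding)
```

A dangling entry means the autorun.inf is only a leftover pointer; an entry whose target is still present means the executable itself remains on the drive and needs scanning.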