This innocent looking USB drive could lead to infection – but only if you second-guess Avast warnings!

Would you rather trust the virus experts or your instincts?

Every day 140,000 people connect their USB flash drive or mobile phone to a computer, and get a warning from Avast about an infection called LNK:Jenxcus.

Which kind of person are you?

Many of them act on that information from their trusted Avast Antivirus security software and as a result, they scan their USB device for malware and they wipe it away. Crisis over.

But there is another group of people who keep this infection alive and active, because they refuse to believe it is a real or dangerous threat. In other words, because something has always been one way, they assume it can’t change, therefore Avast must be wrong.

As a result, they decide to turn off their antivirus shield and by doing so, they create an obstacle-free way for malware to enslave their computer and steal data or valuable computing time.

A perfectly good reason. Or is it?

One of the most frequent reasons people use for disabling shields and allowing malware to spread in their computer is

“I use this file all the time and it is safe.”

Another variation is,

“I created this file, it’s only a picture.”

Do you find this situation familiar? Are you guilty of over-riding the security software you installed to protect yourself?

If your answer is yes, then test your virus detection knowledge with the image below. There are two screenshots of a directory from a USB stick; one is infected and the other is clean. Can you tell the difference?

It’s difficult to tell, isn’t it?

The one on the left is infected. The most visible differences are on the icons, but there is another clue in the file types. Some files and directories on the left side changed their type into a shortcut. This happened because a malicious script installed itself onto a USB drive and replaced legitimate files with links. If the owner of the USB opens the directory Firm Accounting, for example,  he executes malware that in the end opens the real Firm Accounting directory, so it looks like everything is normal. But it is not, because in the background all the computer’s drives are getting infected over and over again.

Avast detects LNK:Jenxcus and warns you.

The trick is; you have to heed the warning.

Source of infection

Except from other infected drives, this malware is downloaded onto your computer from hacked websites. The screenshot below shows an example of a hacked website waiting for random users with a vulnerable internet browser. Can you tell the difference this time?

If you answered no, you are absolutely right, because for the normal user there is no visible change. That is probably the reason for another frequent excuse before disabling the shields,

“I visit this page every day. It doesn’t have malware.”

That’s just not good enough, because the fact that the page is clean most of the time, does not mean it is not vulnerable to attacks. In fact most small and medium-sized business (SMB) pages have some exploitable vulnerability and when they get targeted by exploit kit authors, your best chance to stay safe are updated applications and active antivirus. With the shields ON!

Extermination

If you are comfortable with computers, then you may want to clean this infection manually. Start with your computer and look for links (.lnk) and visual basic script (.vbs .vba .vbe) or batch files (.bat). Links usually point to this hidden script files so it is not hard to find them. If you wonder where the original files are, you can find this information in links too. They were not moved in most cases, just marked as hidden so they are not visible on computers with standard configuration. When you are sure all hard drives are clean, it is time to go through all your removable ones and go through the same procedure.

An easier way to clean an infection is by using a good cleaning tool. If you need help searching for such tool, visit our Avast forum and read what others do in your situation, or ask nicely for help from Evangelists, who dedicate their free time to helping users and researching security problems.

Suspect a false positive?

If you think it’s a false positive, do a little checking first. The Avast forum is a good place to start. You can read about LNK:Jenxcus, or you can start a new thread with your own question.  If you are still convinced that you have a false positive, then please report it so the Avast Virus Lab can determine how/why it’s detected,. This video tells you how,