USB Virus Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DMB1124, Aug 11, 2008.

  1. DMB1124

    DMB1124 Private E-2

    Hello, Im new here and I need help with what I think is a USB Virus problem.

    A few weeks ago my desktop was infected with a virus. Afterwards, without dealing with the virus I moved some files from my desktop to my laptop using a usb flash drive. (yes very dumb of me :cry)

    After the file transter, the same error messages were showing on both computers (from Symantec Anti Virus); both machines showed the same warnings at startup, and hidden files could not be accessed on both machines even if I turn on the "show hidden files and folders" under the view tab.

    I tried a number of things, kavo virus remover, deleting kavo.exe, kxvo.exe under system32 using command prompt, adding autorun.inf folders to all my drives., starting up under safe mode and scan, none of them worked!

    So then I followed the procedures in the "RUN ME FIRST" post on both computers with my usb flash drive attached to my laptop.

    Everything was FINE after. Just great! Fixed!

    Last week I used my usb flash drive again transfering files from my laptop to my desktop and suddenly im infected again!

    This time I do not get any error messages from Symantec, but I can't see hidden files on both computers. My desktop computer keeps reading my E: drive (CD Drive) at startup and it won't start windows unless I eject my E::(

    I have not ran the procedures in the "RUN ME FIRST" section again because I think the virus is in my usb flash drive.

    how do I get rid of the virus on my flash drive and on my computers? I mean even if I get rid of the virus on my flash drive with my laptop, when I use it on my desktop its infected again? Frustrating~~~~

    Please Help!!

    Attached are my laptop logs from the frist time I ran the scans from the "RUN ME FIRST" post.

    Thank you
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I need to the requested log from running MGtools.exe. This is the C:\MGlogs.zip file.
     
  3. DMB1124

    DMB1124 Private E-2

    The MGlogs.zip file, I wanted to attach this but I couldnt find my own thread after I posted it. Anyhow, here it is and thank you!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Every computer that you have inserted this flash drive into is more than likely infected. Thus they will all have to be cleaned one at a time and each in their own separate thread.

    For this current PC that you have post logs for, please insert your USB drive. Yes we know it is infected but the only way to try and clean it is by having it inserted and since this PC is already infected, it does not matter. So insert the USB drive and then use Windows Explorer to look (on the USB drive) for any files or folders named like below
    Now also write down what drive letter your USB drive is and tell me in your response what drive it is. Keep this USB drive inserted. Now continue on with the below.


    Uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6 Update 1

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. DMB1124

    DMB1124 Private E-2

    Thank you for your reply, your help is very very much appreciated

    The drive letter for my USB drive is F:

    I could not find "Java(TM) SE Runtime Environment 6 Update 1" on my computer, It's not in program files, its not in "add or remove" programs and when i used "find" to search for it, there are no files with this name. So I skipped this step.:confused (hopefully that's ok)

    Dragging CFscript into Combo fix worked fine, however, after reboot the CFscript text icon beacme an Internet Explorer Icon?

    I installed the version of Java from the specified link.

    The registry update was successful.

    When I ran the MGtools getlog.bat file everything was fine but towards the end an error message poped up.

    The Error msg appeared as:

    ProcessDll.exe - Application Error
    The application failed to initialize properly (0xc0000135). Click OK to terminate the application

    I clicked OK and I still managed to get the MGlog.zip file.

    My laptop seems to be working just fine. I can see hidden files now.

    BUT now under my C: Drive I have some hidden files which I think are kinda virus looking.

    All the hidden files and folders that showed up in my C: after the procedure are listed below:

    Hidden Folders which are now showing:

    _Restore
    RECYCLER
    System Volume Information

    Hidden Files which are now showing:

    92j11sm.com
    AUTOEXEC.BAT
    autorun.inf
    boot.ini
    BOOTLOG.PRV
    BOOTLOG.TXT
    BOOTSECT.DOS
    COMMAND.COM
    CONFIG.SYS
    IO.SYS
    jg6w3yx.com
    MSDOS.SYS
    NTDETECT.COM
    ntldr
    nw0t1l0d.exe
    pagefile.sys
    vmyphd.bat
    VSNAP.IDX

    Should I delete any of the above files?

    Lastly,

    I deleted all files in my USB drive and then formatted it before running your procedure.

    Afterwards, I opened my usb drive and there are now 3 HIDDEN files (which are now viewable) in it:

    autorun.inf
    92j11sm.com
    jg6w3yx.com

    Should I delete these files?

    I SO want to delete the @#$#@Q% outta em but I think I better wait for your advice

    Thank you very much again for your help

    P.S I've heard that by creating an "autorun.inf" folder in your usb drive will prevent virus' from other computers getting in there. Is this true? and should I do this? just so I dont have to come back and bug you guys everytime.
     

    Attached Files:

  6. DMB1124

    DMB1124 Private E-2

    I also realized that under my D: Drive

    There are also now hidden folders and files which look suspicious

    Hidden Folders now showing:

    ntdelect.com
    ntdelete.com
    System Volume Information

    Hidden Files now showing:

    92j11sm.com
    autorun.inf
    jg6w3yx.com
    nw0t1l0d.exe
    t82e2v.cmd
    vmyphd.bat

    Should I delete any of the above folders or files?
    and should I create an "autorun.inf" folder in my C: and D: drives as well to prevent future USB virus' that uses the autorun function to get in?

    Thank you
     
  7. DMB1124

    DMB1124 Private E-2

    today when i turned on my laptop, all the hidden files are gone, i can't see them anymore and im right back at square one!!! This is just crazy, hows the virus doing this.....I need some serious help, should I run your fix again?!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With your USB drive inserted, run the below fix.





    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:


    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now doubleclick on the fixME.reg patch on your Desktop Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).





    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!


    Do not power down or reboot your PC after attaching logs and do unplug the USB drive.
     
    Last edited: Aug 14, 2008
  9. DMB1124

    DMB1124 Private E-2

    I assume you mean do not power down my PC after reboot and KEEP MY USB PLUGGED IN AT ALL TIMES.
     
  10. DMB1124

    DMB1124 Private E-2

    Thank you very much for the help,

    here are the logs.:)
     

    Attached Files:

  11. DMB1124

    DMB1124 Private E-2

    I read your instructions again and now i have unplugged my usb drive. Before unplugging I checked and there are no files in F:

    There are still some questionable hidden files in C:

    but at least i can see the all hidden files now.

    I will have to shut down my computer in 6 hours or so, hopefully that would not be a problem
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you mean no files at all or do you mean none of the ones we have been deleting?

    Is drive D free from these file?

    Like what. None of the files you previously listed were problems except the ones I had you delete.


    What is the below new folder? Please do not install anything unless we request it while performing cleaning.
    Code:
    2008-08-14 18:46 . 2008-08-15 09:01 <DIR> d-------- C:\WuLin 
    Your logs are currently clean! If you have plugged the USB drive into any other computers while the USB drive was infected, those computers may well be infected.



    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. DMB1124

    DMB1124 Private E-2

    Regarding my F: Drive, I had no files in it before this whole thing, after the first fix, there were 3 hidden files, but now those hidden files are gone

    The only hidden folder remain in D: right now is named
    System Volume Information

    In C: the remaining hidden files and folders are as follows:

    Hidden folders

    _Restore
    RECYCLER
    System Volume Information

    Hidden Files

    AUTOEXEC.BAT
    boot.ini
    BOOTLOG.PRV
    BOOTLOG.TXT
    BOOTSECT.DOS
    COMMAND.COM
    CONFIG.SYS
    MSDOS.SYS
    NTDETECT.COM -----> this looks suspicious
    ntldr
    pagefile.sys
    VSNAP.IDX

    The WuLin folder is something I had to put it
    I knew I shouldn't of and Im sorry for not telling you earlier

    should I delete the NTDETECT.COM?

    and for the future should I make a folder in my USB and my C and D named "autorun.inf" to prevent viruses?

    Thank you
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of these are normal and required.

    It will not prevent them. Also autorun.inf files are not always bad. It is a matter of what is in them that can determine if they are bad or good. With the problems that you had, it is known that this malware makes use of the autorun.inf file so it was better to delete it.
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds