I've been using my flash drives to help me fix customers' computers for the last year or more. Just about a week ago I started seeing an "m.exe" with a Skype Corporation tag on it appear on my flash drive. When I plug it into a Windows machine (XP), from what I've figured out, it installs itself via an AUTORUN.INF program.
What I've done is scan the crap out of my flash drive and the infected computers with every known virus/spyware/malware program out there. They always find 17 programs, which they remove. As soon as I connect the computer to the internet they are back. I can remove them, wait a couple of days, reboot, use the computer, but as soon as I hit the internet (Firefox, IE, and Chrome all do it) they are back. They then redirect me to a blank web page. The address seems random.
I run Autoruns and HijackThis, but they don't show up there. ComboFix will find ntos.exe and remove it, but it will be back as soon as I hit the internet button.
So far the only way I've been able to stop it from spreading to everything I plug my flash drive into is deleting the hidden autorun.inf and creating my own, or editing the existing autorun.inf and deleting its point-to, leaving it blank.
If I delete the m.exe, when I plug my flash drive into an infected computer it will say "can not find the file m.exe" (in more words), then not let me even right-click Explore the drive. It tells me that "the administrator has set policies to prevent this action". The way I can get around that is to take the hard drive out and scan it through another computer with Malwarebytes, which will delete the userinit.exe, which I then have to replace from the Windows XP Home/MCE/Pro CD. If I don't replace it I cannot log in. It will say "loading desktop", flash, then say "saving settings" and throw me back to the login screen.
In other words, this virus is making blood shoot out of my eyes. I've got it isolated on one of my flash drives; if you want it I'll email it to you. It seems to copy the name of a random file on my flash drive, such as userinit.exe or Rundell32.exe; I've even had it pick the name of [email protected]. Then it creates the autorun.inf file and points it back to that.
If anyone has any ideas on how to get rid of this thing, let me know. It basically keeps the infected computer from using the internet.
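The poster's workaround is to blank out what the drive's autorun.inf points to. The following is an added example (not code from the poster or from any of the tools named above) that shows what that check looks like when done programmatically: it parses an autorun.inf, lists every entry Windows XP would launch (`open=`, `shellexecute=`, and `shell\...\command=`), and flags the pattern of a bare executable in the drive root dressed up with an "Open folder" action label. The two autorun.inf samples are constructed for this example; `m.exe` is the name from the post, the rest of the file content is assumed.

```python
import re
from typing import Dict, List

# Constructed sample: what an autorun.inf dropped by a USB worm of the kind
# described in the post typically looks like (written for this example, not
# copied from the poster's drive).
WORM_AUTORUN = """[autorun]
open=m.exe
shellexecute=m.exe
shell\\open\\command=m.exe
shell\\explore\\command=m.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed sample: the same file after the launch entries are blanked out,
# the neutralisation the poster applied by hand.
NEUTRALISED_AUTORUN = """[autorun]
open=
shellexecute=
action=Open folder to view files
"""

# Keys that make Windows XP run something when the drive is inserted or
# opened from Explorer.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lowercased.

    Section names are case-insensitive; everything outside [autorun] is
    ignored, as are ';' comment lines and blank lines. CRLF is handled by
    splitlines().
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every program the file would launch, in the order the keys appear."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            if value:                       # blank value = neutralised entry
                targets.append(value)
    return targets


def assess(text: str) -> Dict[str, object]:
    """Summarise an autorun.inf: launch targets, root executables, verdict."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    # A launcher that is a bare filename (no path) with an executable
    # extension is the thing worth looking for in the drive root.
    root_exes = sorted({t for t in targets
                        if "\\" not in t and "/" not in t
                        and t.lower().endswith(EXEC_EXTENSIONS)})
    action = entries.get("action", "")
    if root_exes:
        verdict = "launches executable from drive root"
    elif targets:
        verdict = "launches program"
    else:
        verdict = "no launch entries"
    return {
        "targets": targets,
        "root_executables": root_exes,
        # Launching an .exe while labelling the AutoPlay entry as a folder
        # view is the disguise that gets users to double-click it.
        "disguised_as_folder": bool(root_exes) and "folder" in action.lower(),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("worm", WORM_AUTORUN),
                          ("neutralised", NEUTRALISED_AUTORUN)):
        print(label, assess(sample))
```

To use it on a real drive, read the root `autorun.inf` (it is usually hidden and system-flagged, so list with attributes shown) and pass its text to `assess()`; a non-empty `root_executables` list tells you which file in the root to look at and what to remove or blank, which is exactly the manual edit described in the post.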