
Who do I have to sleep with/bribe/kill to get rid of this virus?


Methal (Member; joined Aug 5, 2008; location: DC)
I've been using my flash drives to help me fix customers' computers for the last year or more. Just about a week ago I started seeing an "m.exe" with a Skype Corporation tag on it appear on my flash drive. When I plug it into a Windows machine (XP), from what I've figured out, it installs itself via an AUTORUN.INF program.

What I've done is scan the crap out of my flash drive and the infected computers with every known virus/spyware/malware program out there. They always find 17 programs, which they remove. As soon as I connect the computer to the internet they are back. I can remove them, wait a couple of days, reboot, use the computer, but as soon as I hit the internet (Firefox, IE, and Chrome all do it) they are back. They then redirect me to a blank web page. The address seems random.

I run Autoruns and HijackThis, but they don't show up there. ComboFix will find ntos.exe and remove it, but it will be back as soon as I hit the internet button.

So far the only way I've been able to stop it from spreading to everything I plug my flash drive into is to delete the hidden autorun.inf and create my own, or edit the existing autorun.inf and delete its point-to, leaving it blank.

If I delete the m.exe, when I plug my flash drive into an infected computer it will say "can not find the file m.exe" (in more words) and then not even let me right-click explore the drive. It tells me that "the administrator has set policies to prevent this action". The way I can get around that is to take the hard drive out and scan it through another computer with Malwarebytes, which will delete the userinit.exe, which I then have to replace from the Windows XP Home/MCE/Pro CD. If I don't replace it I can not log in. It will say "loading desktop", flash, then say "saving settings" and throw me back to the login screen.

In other words, this virus is making blood shoot out of my eyes. I've got it isolated on one of my flash drives; if you want it I'll email it to you. It seems to copy the name of a random file on my flash drive, such as userinit.exe or Rundll32.exe; I've even had it pick the name of [email protected]. Then it creates the autorun.inf file and points it back to that.

If anyone has any ideas on how to get rid of this thing, let me know. It basically keeps the infected computer from using the internet.
 
I've reformatted them a couple of times, but as soon as I plug them into an infected computer it gets reinstalled onto my flash drive.
 

Stop plugging it into an infected computer?

Meanwhile, make a backup of the USB drive.
 
Write protecting it would only affect the computer with the changed registry key. I would have to edit the registry on every computer I plugged it into. Like 50+ a week.
 
Use a CD instead of a flash drive until you get the computers cleaned.
 
Pen drives are cheap, get a new one.

Have you tried using it on a system running BartPE or ERD Commander from a CD and cleaning it?

If you use ERD Commander you can select not to connect to a registry. Then plug in the pen drive and try cleaning it. Once you have it clean, go into the registry of an infected computer and see where m.exe is hiding; normally a reproducing virus has to have an activation, and that would be any web browser.

This is acting more like a trojan than spyware in my opinion.

If you can't clean the virus from the pen drive, then you could copy your files with ERD or BartPE; as long as you don't use a browser while in those OSes, the virus shouldn't activate.

MHO...
 
It sounds like conficker, no? Maybe look up cleaning tips related to that.
 
Skype, that is your answer to the virus.
The virus thinks it has written auto-connect code to a wireless internet stick;
instead it keeps writing to a USB stick/pen drive.
Use another clean pen drive and find out which computer is infecting the stick;
you have isolated the viral computer.

my advice is to wipe the infected computer using LINUX
or use linux to wipe the pen drive clean
( windoze is pathetic erasing pen drives/ usb sticks )

ask the viral computer owner if any of his neighbours has used his compooter recently
( probably trying to scam himself/herself free internet access )
 
Sounds like you've got a nasty one.

Boot into safe mode and remove everything that is not absolutely necessary from startup in msconfig.
Check internet options and such in IE/FF/Chrome. Make sure the home pages are set to their defaults. Also, get a copy of something like FileMon. Use it and see if you can find a process that's copying the file to the pen drive. If you can find that, then maybe that file can be removed/replaced.
 
Start a LiveCD Linux distro, copy important files to a clean HDD, then wipe the flash with the dd command (guide HERE) or you can use DBAN (but after you have moved important files elsewhere and removed that disk/drive from the computer).
Use Linux to copy all your important files to the clean drive, then wipe them all completely. Wipe them so hard that you have to reset the directory structure when you plug them back in. That's a nasty virus.
 
What I've ended up doing was first wipe all my flash drives with dd, as suggested, on my home computer with Linux.

Then I replaced my files from my Windows Vista hard drive through Linux onto my flash drive. I put them all in folders. I took the autorun.inf that the virus had created and deleted its instructions with n++, saved it, and left it in root on my flash drive. The virus never recreated the autorun.inf file. That has kept the thing from spreading via my flash drive.

What I ended up doing with the computers that were infected was to remove the hard drives and plug them into my Linux computer. I created C:\backup\ and put everything in there, just like I did with my flash drive, leaving nothing in "root" on the hard drive. I then installed a fresh load of Windows. When the installation was halfway through, I took the hard drive, booted back into Linux with the live CD, and deleted c:\backup\windows and c:\program files\. I then finished the installation of Windows, installed McAfee, ran takeown on c:\backup, went back into the live CD and removed explorer.exe from c:\windows\system32, then booted up into Windows and let McAfee scan the backup folder and delete all the .exe files. (Not sure why McAfee does this, I just know it does. Kind of like running it in safe mode: McAfee thinks every .exe is a self-installing virus and blows it away.) Once that was done I replaced the explorer.exe and booted back into Windows.

Ran Malwarebytes and McAfee again just to see if the virus could reinstall itself. Found zero infections in c:\ and only a couple of minor threats in c:\backup (the old installation).

Connected to the internet, activated Windows, and then spent a couple of hours playing around on the internet. The last thing I did was rescan the computer and search for m.exe or ebay.exe. It was completely clean.

Repeated roughly the same thing on about 4 computers today.

I booted to the live CD so many times because I noticed that all I had to do was open the folder containing the active virus and it would move itself to the new Windows dir. I learned this after doing two backups and reloads. As soon as I would go back to c:\backup\windows\system32 to delete it, it would move to c:\windows\system32. Extremely clever little bugger.

I probably could have done all of that with BartPE or the Ultimate Boot CD, but truth be told, I don't know Windows as well as I know Linux, and I don't trust it nearly as much.

Funny thing is, cleaning the virus out of Vista is much easier. I don't think it's quite compatible with Vista, hehe; at least it doesn't spread like the plague.
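The autorun.inf mechanism the thread describes (an [autorun] section whose open= or shellexecute= entry names the dropped m.exe) and Methal's fix of emptying the file, as an added Python example. It is not code from the thread: it constructs its own sample autorun.inf and treats a temporary directory as the drive root.

```python
import configparser
import os
import tempfile

# Constructed sample modelled on the thread's description (autorun.inf in the
# drive root pointing at a dropped m.exe); not a file captured from the thread.
SAMPLE_AUTORUN = ("[AutoRun]\r\nopen=m.exe\r\nshellexecute=m.exe\r\n"
                  "shell\\open\\Command=m.exe /s\r\nicon=m.exe,0\r\n")

def parse_autorun(text):
    """Return the distinct programs the XP shell would launch, in file order."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower  # INF keys are case-insensitive
    cp.read_string(text)
    targets = []
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for key, value in cp.items(section):
            # open=, shellexecute= and shell\<verb>\command= launch a program; icon= etc. do not
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value and value.strip():
                v = value.strip()  # keep the quoted or first token, drop arguments
                prog = v[1:].split('"', 1)[0] if v.startswith('"') else v.split()[0]
                if prog and prog not in targets:
                    targets.append(prog)
    return targets

def audit_drive(root):
    """Map each program autorun.inf references to whether it exists on the drive."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {}
    with open(inf, encoding="ascii", errors="replace") as fh:
        targets = parse_autorun(fh.read())
    return {t: os.path.isfile(os.path.join(root, t.lstrip("\\/"))) for t in targets}

def neutralise(root):
    """Overwrite autorun.inf with an empty [autorun] section, as the poster did."""
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\n")

def demo():
    """Round trip on a temporary 'drive': audit, neutralise, audit again."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        open(os.path.join(root, "m.exe"), "wb").close()  # stand-in for the dropper
        before = audit_drive(root)
        neutralise(root)
        return before, audit_drive(root)
```

On a real drive the file is typically hidden, so list it with attributes shown (or from a live CD, as the thread suggests) before trusting an "absent" result.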
 
I would recommend buying a flash drive with a physical write-protect switch.
 