Instant USB device infection!


BTU
Solved by AdvancedSetup

Howdy.  

My Windows 11 machine instantly infects any USB device which I attach to it with movies.exe.  The USB devices with which I've tested were formatted right before testing, so they were clean.

Movies.exe shows up as a folder in the USB device.  Neither Norton 360 nor Malwarebytes detect any problems in either the Windows computer or the USB device.  Since the computer is already infected, I didn't have anything to lose by clicking on movies.exe in the USB device.  When I did, Norton instantly identified and quarantined Heur.AdvML.B.

Any ideas on how to find and get rid of whatever is lurking in my machine?

Thanks for your help.

Edited by AdvancedSetup
Corrected font issue
Link to post
Share on other sites

Hello @BTU and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.

Link to post
Share on other sites

  • Root Admin

Hello @BTU

Please run the following and keep the USB attached and have the scanner select that drive as well and scan it too.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important. When the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

When complete, if entries are found there will be options. If "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found select "Close"

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

Thank you. The log says it found nothing.

Let me have you run the following

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

Link to post
Share on other sites

Thanks for the heads-up on how long the process would take. 

I've attached the MSRT file.

Maybe I shouldn't have done it, but I did.  I left the USB device inserted, as we did on the Kaspersky scan.  Movies.exe is still on the device.  If you like, I can detach the USB device and run the Microsoft scan again.  Just let me know.

There are two attachments.

Thanks for your help.

 

 

 

MSERT Results.docx msert.log

Link to post
Share on other sites

  • Root Admin

Yes, still something left over there. @BTU

Windows Safety Scanner removed a couple items.

 

Let's go ahead and run a couple of scans and get some updated logs from your system.


Please make the following changes.

 

  • Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

 


Next, run these steps and post back the logs as an attachment when ready.


[ 1 ]

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Double-click to run the program - Malwarebytes AdwCleaner guide
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply.
     
  • If No Detections are found, Click Skip Basic Repair

    WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper


 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

    WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 

Link to post
Share on other sites

 

Finally, here are the requested attachments.  Sorry it has taken so long.  We've had some Internet slowdowns here.  It's pretty normal.

Note: I ran all of today's scans without the USB device attached.  I'll throw that thing away.  After we think the computer is clear, I'll test with a fresh one.

I'll look forward to hearing what's next.

Thanks, as always, for your help.

Malwarebytes Scan.txt mbst-grab-results.zip AdwCleaner[C02].txt

Link to post
Share on other sites

  • Root Admin

The logs don't seem to indicate there is an infection.

Please update your Norton antivirus and do a full scan with it and let me know if it finds anything.

 

Then run the following. If Norton tries to block, please tell it to allow. @BTU

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Thank you

 

 

Link to post
Share on other sites

Hi Again,

Here are the details of what I've done this time.  The logs are attached in the order that the programs were run.

01 Original Threat Detected by Norton Filename.pdf.  Note that the threat went from the computer to a USB drive.  That's where I noticed it as movies.exe.  Upon realizing that my computer was already infected, I tested by putting the USB drive back into the computer and clicked on movies.exe.  Norton detected and quarantined Heur.AdvML.B.  Norton did not remove Movies.exe from the USB drive.  I tested again with a new/clean USB drive and the same cycle happened with Norton.  As far as I can tell, Norton never picked up any problems on the computer itself.

03 Malwarebytes scan all drives.txt

05 Norton Scan Results Screenshot 2023-08-20 133208.png

07 SecurityCheck.txt

09 Safezone.cc warning.png.  When trying to download SecurityCheck from your link, there were many, many failures.  I went to the website and the attached warning is what I received from Norton.  Eventually, your link worked.

11 msert.log

12 Malwarebytes re-scan

After all of that, I inserted a new USB memory stick.  Movies.exe didn't show up when I inserted it, so maybe we're making progress.

Thanks for your help.

 

01 Original Threat Detected by Norton Filename.pdf 03 Malwarebytes scan all drives.txt 05 Norton Scan Results Screenshot 2023.pdf 07 SecurityCheck.txt 09 Safezone.cc warning.pdf 11 msert.log 12 Malwarebytes re-scan.txt

Link to post
Share on other sites

  • Root Admin

I think we should be done here, but go ahead and restart the computer one more time. @BTU

Then run a new scan from Microsoft and post back the new log

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

Link to post
Share on other sites

 

Hi There,

When you say exit out of all programs, are you asking me to exit out of Norton as well?  Are there any other programs running in the background that I should exit out of that I don't even know about.  How about a VPN?

I'll get back to you in a few days.  I'm on the road now.

Thanks for your help, as always.

Link to post
Share on other sites

 

Hi There,

I apologize for not answering.  The country I'm in at the moment has no power.  I hope it'll clear up in a few days.  I'll get back with you as soon as I get enough hours of consistent electricity to run a complete scan.

Thanks for all of your help.

BTU

Link to post
Share on other sites

By the way, before the last MSERT.exe run, I couldn't deactivate Norton, even when trying to Run As Administrator.  So I reset the computer and kept all my files at the same time.  With no more Norton, I ran MSERT.exe.

Now that you mention possible problems on other devices, I haven't noticed anything amiss on anything we own, not so far, anyway.

The only thing I can think of to do is to run meet.exe on my wife's Windows laptop and see what happens.

How would I check on a Mac, iPad, iPhone, or Android?

The only way these other devices could be infected is through the router.  It's up to date and it automatically updates.  Could the other devices become infected through our router?

Thanks for your help.

Link to post
Share on other sites

  • Root Admin

Please do not do that. Please upload meet.exe to https://virustotal.com and have them scan it if you still have the file.

It was just a generic ask about other devices. An iPhone is very difficult to infect as Apple does not allow it to run anything except items it approves.

The Mac would not be susceptible to a Windows meet.exe type file in most cases unless it was specifically created to run on multiple platforms.

 

My question is simply asking if you're still seeing an issue with your USB drives or not. At this time it seems as though the computer should be clean now. But, since you did a RESET then it really should be clean for sure.

DO NOT run or download any programs that are not well known. When possible scan all downloads at https://virustotal.com

 

 

Link to post
Share on other sites
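
A read-only way to see what is actually sitting on a removable drive in the situation this thread describes (a file named movies.exe that shows up looking like a folder), and to get a SHA-256 that can be searched on VirusTotal without running anything. This is an added example, not part of any post in this thread; the function name Get-RemovableDriveFinding and the extension list are assumptions made for illustration.

```powershell
# Added example: read-only triage of removable drives. Nothing is run, moved or deleted.
# The extension list below is an illustrative assumption, not a complete list.
$RunnableExtensions = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk'

function Get-RemovableDriveFinding {
    param(
        # Drive roots to inspect, e.g. 'E:\'. Default: every removable drive attached.
        [string[]]$Root
    )

    if (-not $Root) {
        # Win32_LogicalDisk DriveType 2 = removable disk
        $Root = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' |
            ForEach-Object { $_.DeviceID + '\' }
    }

    foreach ($r in $Root) {
        # -Force lists hidden and system items that File Explorer hides by default
        $files = Get-ChildItem -LiteralPath $r -File -Force -Recurse -ErrorAction SilentlyContinue

        foreach ($f in $files) {
            $isRunnable = $RunnableExtensions -contains $f.Extension.ToLower()
            $isAutorun  = $f.Name -ieq 'autorun.inf'
            if (-not ($isRunnable -or $isAutorun)) { continue }

            # A file such as "movies.exe" next to a same-named folder is worth a closer
            # look: with file extensions hidden the two look alike in File Explorer.
            $sibling = Join-Path $f.DirectoryName $f.BaseName
            $hasSiblingFolder = Test-Path -LiteralPath $sibling -PathType Container

            [pscustomobject]@{
                Path          = $f.FullName
                Hidden        = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                SiblingFolder = $hasSiblingFolder
                Signature     = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
                SizeBytes     = $f.Length
                Modified      = $f.LastWriteTime
                # The hash can be searched on virustotal.com without running the file
                SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

Get-RemovableDriveFinding | Format-List
```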

Great suggestions.

One question still stands, though.  Can viruses creep from computer to computer through an updated router?

Using virustotal.com is a topnotch suggestion.  Very good.

Unfortunately, I don't have the offending virus, movies.exe, any longer.  I didn't know about Virustotal at the time I got rid of it.

I just inserted a fresh/clean memory stick into the USB port.  No files showed up this time.  

Thanks.

Link to post
Share on other sites

  • Root Admin

It's possible for malware to transfer via the network, yes. A router itself only has a firewall to block certain ports but does not have antivirus to block threats. Some of the newer routers run a paid service that uses Cloud type security and antivirus. I'm not a big fan of that though as that company then has a record of every single site you visit and every file you download.

At this time the logs indicate the computer is clean.

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • Root Admin

That log looks good.

Item 5 has other suggestions

The most important part of all of them is making sure you have good, solid backups of at least all your personal data if not the entire computer.

I'll go ahead and close your topic now and wish you well.

Take care and stay safe out there.

Thank you again for using Malwarebytes

 

Link to post
Share on other sites

This topic is now closed to further replies.