
Flash Drive Virus - Help!!!



I purchased a used iPod from a pawn shop and thought I was getting a great deal. Not so great now that ALL of my flash drives have been infected.

Right now, each of my flash drives has .scr shortcut files.

I've shown all hidden files, and all of my files and folders are still there but hidden.

For each folder, there is a different .scr file that this virus created. It has also created exe hidden files called:

siofii.exe, siofii.dll, x.exe, x.dll, autorun.inf

I can delete everything -- but I cannot delete autorun.inf. I keep getting a sharing violation.

Please help!!!


Download this file

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

For all of your USB or external drives:

Open the drive.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Look for the file autorun.inf and delete it if found.

Also look for a Folder that's named resycled, make sure of the spelling and delete the folder if found. DO NOT delete the Recycler folder.

Now run the Flash_Disinfector.exe.

Be sure to insert any flash drives or USB devices that you use.

Do this for all USB / external drives:

Look for the file autorun.inf and delete it if found.

Cannot delete autorun: There has been a sharing violation

The source or destination file may be in use.

I just noticed my C: drive has also been infected :D


You have two choices with those flashdrives.

Format them or throw them away.

As for your iPod, I don't know what to tell you there but if it caused the infection, it's worthless as well.

Do you have MalwareBytes installed? If so run the scan and post the results.


There's no way to disable Windows from running that autorun.inf file?!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5489

Windows 5.0.2195 Service Pack 4

Internet Explorer 6.0.2800.1106

1/9/2011 3:59:41 PM

mbam-log-2011-01-09 (15-59-37).txt

Scan type: Quick scan

Objects scanned: 106384

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$crater (Trojan.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINNT\system32\$sys$filesystem\crater.sys (Trojan.Agent) -> No action taken.

c:\RECYCLER\s-1-5-21-448539723-1715567821-725345543-1000\Dc11.dll (Trojan.Agent) -> No action taken.


Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as ComboFix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


I was able to disable autorun in Windows, found the offending process ( xuahot.exe ) and wiped it out. Deleted the xuahot.exe and another suspicious file that was in my "Documents and Settings\-\ " folder. Once I did that, I rebooted, deleted the autorun.inf from all flash drives as well as a bunch of hidden scripts and executables and everything seems to be OK now with the flash drives and iPod.

I will run the other suggested applications and make sure my computer is clean. Thanks a bunch!

This topic is now closed to further replies.
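
A triage check for the pattern described in this thread (an autorun.inf on the drive root plus .scr files standing in for folders that have been hidden), as an added example that is not part of the original posts. The function names are hypothetical, the sample folder names and autorun.inf body are constructed (the thread never shows the file's contents), and it assumes each decoy carries the name of the folder it replaces.

```python
import os
import stat

EXEC_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd"}

def autorun_targets(text):
    """(key, command) pairs in [autorun] that make Windows launch a program."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                targets.append((key.lower(), value))
    return targets

def folder_decoys(entries):
    """Executable-type files named after a hidden folder (assumed naming scheme)."""
    hidden_dirs = {n.lower() for n, is_dir, hidden in entries if is_dir and hidden}
    return sorted(n for n, is_dir, _ in entries
                  if not is_dir and "." in n
                  and n.rsplit(".", 1)[1].lower() in EXEC_EXTS
                  and n.rsplit(".", 1)[0].lower() in hidden_dirs)

def list_root(root):
    """(name, is_dir, hidden) per entry of a real drive root; hidden needs Windows."""
    return [(e.name, e.is_dir(follow_symlinks=False),
             bool(getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
                  & stat.FILE_ATTRIBUTE_HIDDEN)) for e in os.scandir(root)]

def triage(entries, autorun_text):
    names = {n.lower() for n, _, _ in entries}
    launches = autorun_targets(autorun_text)
    wanted = {cmd.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
              for _, cmd in launches if cmd}
    return {"launches": launches,
            "payloads_present": sorted(wanted & names),
            "decoys": folder_decoys(entries)}

# Constructed sample: file names from the thread; folders and autorun.inf body assumed.
SAMPLE_AUTORUN = r"""[AutoRun]
open=siofii.exe
shell\open\command=x.exe
shell\open\default=1
"""
SAMPLE_ENTRIES = [("autorun.inf", False, True), ("siofii.exe", False, True),
                  ("x.exe", False, True), ("Photos", True, True), ("Music", True, True),
                  ("Photos.scr", False, False), ("Music.scr", False, False)]
```

On a Windows machine, `triage(list_root("E:\\"), open("E:\\autorun.inf", errors="replace").read())` runs the same check against a mounted drive without executing anything on it.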