TheTechGuide Forum

General Category => Tech Clinic => Topic started by: scyap on January 26, 2008, 09:48:42 AM

Title: infected by weird USB virus
Post by: scyap on January 26, 2008, 09:48:42 AM
Hello everyone, I totally need help cuz my PC is in trouble... I am infected with some unknown virus...


How it happened?
I put my portable hard disc into a friend's PC, uploaded data, and when I connected my portable HD to my own PC, it's infected. I'm sure it infects via USB.

How it executes?
Well, before that I didn't know it's infected, so I just double clicked my portable HD (from my PC) and nothing happened. After a few tries, I right clicked and saw "auto-play". I was shocked, and then I used OPEN, and I saw some autorun.inf and windows.scr. autorun.inf is commanded (I know, wrong word) to execute windows.scr as auto play. BOTH FILES ARE SYSTEM+HIDDEN. I did turn on the ability to view HIDDEN and SYSTEM long ago (yeah, I know the risks, but I won't simply accidentally delete a file).

.Scr format?
It's the Windows screen saver format, but it's an infected one. It says right here (link below), and it claims to be an extension used to transmit TROJAN
http://filext.com/file-extension/scr

Couldn't you just delete Windows.Scr and Autorun.inf ?
Yes, I did try but it didn't work. My computer is ALREADY infected cuz the first time I double clicked it (and it autorun)

What u mean INFECTED?
I have no problems deleting windows.scr and autorun.inf, BUT when I insert the USB (or any USB memory sticks, tested), it will re-create those two files (yes, it will re-create it instantly once u insert it in, checked using the Created on : <date>)

Does this work in safe mode?
YES, WHAT A VIRUS !!!
It works and STILL SPREADS via usb in safe mode

Do u have a screen shot of your running Processes in safe mode?
Yes i do, here is link below
http://img184.imageshack.us/img184/900/wthhhhri1.jpg


Install this anti virus, and that, and the other one, and that too !!!
I use AVG 7.5 AntiVirus Professional (registered)
I use AVG AntiSpyware (registered)
I use Ad-Aware 07

U didn't update eh?
ALL UPDATED

U use those anti virus and UPDATED IT but did u scan?
Yes, full system scan with NOTHING (sigh)

Scan removable?
Yes, I did scan my USB...

No norton from symantec ?
Yeah, I have 2003, but since it's so old, I downloaded 2008, but blue screen when Norton 2008 starts on startup, so I went to safe mode, used NortonRemovalTool and blasted it out of my PC. I guess it's the clash with AVG; it did warn me during installation but I am not dumping AVG, I paid!

What other tricks u did??
I tried renaming and changing its extension, but failed; it re-creates the same copy again

Is Harddisk affected by this autorun?
NO, only Removable Discs

Got HijackThis?
Yes, is it needed?

Any more?
Yea, I was once affected by this virus a long time ago. It will create a copy of the autorun etc. in EVERY DRIVE (including HDD) and put an autorun, and when u run the autorun, it will check if the process to spread is ON or not; if not, it will on it, and then it will copy itself to ANY DISKS. This is very obvious cuz it's in HDD as autorun too and it's in Processes, which I obviously know where it's from, so I terminated, and cleared all the files, which made this virus permanently disappear, but this is something new...

AND as far as I'm concerned, there MUST be a process to check if I have inserted a RemovableDrive or not, right? Like a looping check every 1 second?
Well, this is what I think, it may not be true... cuz I can't find this process.
I always check at processlibrary.com

...hmmm, everything in my processes looks clean. My only suspect is why so many svchost; last time I didn't have that many




I have two screen shots:
- Safe Mode all processes
http://img184.imageshack.us/img184/900/wthhhhri1.jpg

- Normal Windows All processes
http://img168.imageshack.us/my.php?image=tasknq3.jpg


Help pls...
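
The autorun.inf and windows.scr pairing described in the post above can be checked for before a drive is opened in Explorer. The following Python is an added example, not part of the original thread: it parses an autorun.inf and reports launch entries that point at executable file types such as .scr. The sample file contents are constructed (the post does not show them), and the function names are this example's own.

```python
import re

# Extensions Windows runs directly; a .scr file is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# autorun.inf keys that make Explorer launch a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_targets(text):
    """List (key, program) pairs where a launch key names an executable.

    The first token of the value is the program; the rest are arguments."""
    hits = []
    for key, value in parse_autorun(text).items():
        if not LAUNCH_KEY.match(key):
            continue
        m = re.match(r'"([^"]+)"|(\S+)', value)
        target = (m.group(1) or m.group(2)) if m else ""
        ext = "." + target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext in EXECUTABLE_EXTS:
            hits.append((key, target))
    return hits


# Constructed sample; the post does not show the file's actual contents.
SAMPLE = """[AutoRun]
open=windows.scr
shell\\open\\command=windows.scr
shell\\explore\\command="windows.scr" /e
label=Removable Disk
"""

if __name__ == "__main__":
    for key, target in suspicious_targets(SAMPLE):
        print(f"{key} -> {target}")
```

Because the files on the poster's drive were hidden and marked system, a check like this has to read autorun.inf by its path rather than rely on a default directory listing.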
Title: infected by weird USB virus
Post by: guestolo on January 29, 2008, 01:19:36 AM
I need to see a Hijackthis log

Download Hijackthis Installer from HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)
For an alternate download location, you can try HERE (http://fileforum.betanews.com/detail/HijackThis/1071179190/1)
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum