MisVh55_Fichiers.exe has infected my flash drive and phone

Hi this is my 1st post, not quite sure how things work around here.
I have searched the forums for similar problems but I can’t find any.

I recently observed a virus that was not picked up by avast.
It appears to be some type of spyware. When I try opening my flash drive,
it will not open by double-clicking; I must right-click and open it. When it is opened there is an exe that looks like a folder called “MisVh55_Fichiers.exe” which I did not create.

If I open the folder I end up in my documents. I have tried deleting the file,
but it is recreated every time I open my flash drive. I am not sure what other areas of my computer it has infected,
but it appears to also have affected my phone. Yesterday I downloaded some photos from it,
and now it will not start up. I fear the problem of not being able to open my flash normally has moved over to not being able to start my phone. If I can at least sort out my flash and computer then I’ll move on to my phone.
I am not sure where it came from as I use my flash with my university’s network.

I really hope someone can help me :slight_smile:

Right now, if you can, send the file to virus (at) avast (dot) com for analysis.
After that, maybe you should install and run SuperAntispyware and/or SpywareTerminator.
Can you post back the results?
I wish avast had better detection in this case…

It’s an autorun virus. Do the following. Please attach the logs as they will be long.

How many would that be and what type of drives are they? What drive letters are they recognized as?

Let’s start with disabling autoruns.

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay – except your CD/DVD drive letters.

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Then Plug in all of your usb devices including your phone.

Download “Clean Autoruns” from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double click on Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those.

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it. Make sure the usb drives are plugged in.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste. This fix will not work if the wrong box is used.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\**_.log
(where “**_” is the “date_time”)

Now to protect those drives, I will need you to download and run this program, with your usb devices attached.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well. Just skip that part.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will take away any current Autorun infection’s ability to restart.

Please attach the results to your next reply. Use the additional option button on the reply page.

That will be a start. Do not plug into any other computer.

OK, I only had a little time now and started, but for some reason I can’t run Tweak UI; it says “Tweak UI has been disabled by your administrator”, which is strange since I am the admin.

I have to go out now but I am looking forward to going through the process later; your replies look very helpful.

OK, I’ve done a bit more work. Since I was having trouble running Tweak UI, I tried finding another way of disabling autoruns. I found a useful site (http://features.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/)
That said:

Disabling Auto-Run is something we think everyone should do, not only for security from viruses and spyware, but so you’ll never need to deal with being unable to listen to your music on your devices. Here’s how to do it in Windows XP.
In Windows click Start, then click Run.

Type regedit
Click OK

Click through to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

Double click “Autorun”; the value is set to 1 by default, change it to zero.

Click OK
Now restart, that’s it!

So I tried to do this, but I could not find the Run command on my Start menu. I looked for it in Task Manager and I could not use the New Task function there as it was greyed out.

So now I went off to solve this problem and I found this site, which gives me the idea that my trouble in disabling autoruns is due to the virus itself.

http://ask-leo.com/why_cant_i_enable_the_run_command.html

OK, I then followed the advice given on this site and tried opening regedt32.exe from the system32 folder, and I then got the same message that I got when I tried to run Tweak UI. It seems that to do either of the two things I am trying to do (disable autoruns, enable the Run command in the Start menu) I need to get into regedt32.exe, which I can’t do >:(

It appears that this virus is trying to protect itself :cry:

Oh, on another note, I am going to a phone service centre tomorrow and they can hopefully reformat my phone so I can get it working. At the moment I can’t start it, and when it is plugged in to my computer I don’t even see it as a drive.

Thanks for the help so far. I believe we are making progress, as we are at least beginning to understand the problem.

OK, I’ve tried to move on with the steps, in the hope of removing the autoruns and then ‘quickly’ (before anything gets a chance to autorun) disabling autoruns. (I’m doing this because the virus appears to be doing everything it can to prevent me disabling autoruns.)

OK, so I downloaded “Clean Autoruns” and ran the .bat file; it produced the two .txt files. However, during the running of “Clean Autoruns” I received two Windows messages saying “Registry editing has been disabled by your administrator”. I am beginning to read the message as: “Leave me alone, I’m quite happy here infecting your computer”

This is rather strange. A and B are usually floppy drives, yet that’s the only autorun found. Plus no mountpoints.

You guessed right, this bug is thumbing its nose at you. :wink:

Let’s see if we can find out what he’s up to.

Note: since different malware can use the same or similar file name, you may or may not have a password/info stealer. However, I would suggest that you change all your passwords on any type of account/forum you access through the internet. Do this from a known clean machine.

Since you didn’t mention your OS, if you are running Vista, you will have to right click and run as administrator. If XP, just double click. :slight_smile:

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hi jamesieza,

After passing the DSS scan results to oldman, and following all his instructions carefully, you could also do the following:
Download Flash_Disinfector.exe by sUBs from http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder… it will help protect your drives from future infection.

polonus

Hi jamesieza. I got a bit of a handle, I think, on this fella. The DSS results will help. Leave the flash and phone unplugged. I think getting your computer cleaned up first is our best plan of attack.

“Leave me alone, I’m quite happy here infecting your computer”

Nice to see you have a sense of humor about this. It will help, believe me. ;D

Ok I got to the point where I must run DSS.
I tried this once or twice and encountered system errors. In the meantime avast downloaded an update automatically.

Then I tried DSS again and I was interrupted by an avast virus warning (a virus that has “some filename”Fichiers.exe).
Avast identified it as:

Win32:AutoRun-YV [Wrm]

I have attached the lines from the Avast log.

Avast then recommended a full boot scan. So I am going to do that now.
And then move on with the rest of the procedure.

Ah yes I forgot to say my operating system, how silly.

I’m a little confused as to what I would be double clicking on to run as admin. Also, in the Control Panel accounts tab my account is called:
James
Computer administrator
Password protected

Surely I should already have all admin rights?

The run as administrator only applies to vista. If you have vista, right click the DSS.exe on your desktop and select run as administrator.

If you have xp just double click.

Ha, I even forgot after I had realised I had forgotten.

Windows XP Home SP2

sorry

Still struggling to run DSS, but I can get HijackThis to run. Here is the log file it generated:

OK, I’m moving on, trying to stick to your guidelines. I have not been able to complete all the steps for various reasons mentioned in my other posts.

So I’ve just run OTMoveIt2.exe.
Results:

[Custom Input]
< C:\Autorun.inf >
File/Folder C:\Autorun.inf not found.
< D:\Autorun.inf >
File/Folder D:\Autorun.inf not found.
< E:\Autorun.inf >
File/Folder E:\Autorun.inf not found.
< F:\Autorun.inf >
File/Folder F:\Autorun.inf not found.
< G:\Autorun.inf >
File/Folder G:\Autorun.inf not found.
< H:\Autorun.inf >
File/Folder H:\Autorun.inf not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03262008_160320

Note I am doing this with all my drives removed from the computer, and I have not yet been able to disable autoruns from regedt32, because I can’t get into it.

Hi jamesieza,

You have a nasty infection of amvo.exe.
I suggest you remove amvo.exe from your computer as soon as possible.
Amvo.exe is a Trojan/Backdoor.
Kill the process amvo.exe and remove amvo.exe from Windows startup.

How to get rid of it?

Step 1
The usual way is to format the system, but it is not a permanent solution. To get rid of it, run regedit and find all keys related to amvo.exe or the name of the virus.
Run msconfig in the Start Up Tab you can find the amvo.exe or its variants.
Remove all occurrence of the name from regedit.
Reboot the System.

Step 2
Reboot and do the following changes to the Registry using regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  SearchHidden = 1
  SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 1
  ShowSuperHidden = 1
  SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  CheckedValue = 1
  DefaultValue = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  CheckedValue = 1
  DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoDriveTypeAutoRun = 0x00000091 (145)

– OR –

Reboot into a different OS and do the following

Step 3
From all the drives delete the autorun.inf using the command line (if on Windows) or from a Linux OS. Do not open the drive from Explorer, as it would spread the virus again to this OS. If you have Linux installed and can access all partitions on the disk, go delete the files and clear the trash on all drives.

Step 4
Reboot the system.
Do necessary changes as in Step 2, if you have not done those.

I hope that will do it.
Install a good antivirus and update it.
Prevent Autorun from USBs.

To disable Autoplay of all drives
Start > Run > gpedit.msc

Enable: Computer Configuration > Administrative Templates > System > Turn Off Autoplay

polonus
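As an added example (not one of the tools recommended in this thread), the following Python script shows the two checks behind the advice in this post and in oldman’s Flash_Disinfector step: it parses an autorun.inf the way Explorer reads it, listing what opening the drive would launch, and it decodes a NoDriveTypeAutoRun value into the drive types still allowed to autorun. The autorun.inf text is constructed to mirror the lure described at the top of the thread, not a real capture.

```python
# Added example, not a tool from the thread: audit what an autorun.inf would launch
# and which drive types a NoDriveTypeAutoRun mask still leaves able to autorun.
# SAMPLE_AUTORUN_INF is constructed to mirror the lure described in the thread.
# NoDriveTypeAutoRun bitmask: bit = 1 << GetDriveType() value for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",   # USB sticks, card readers, phones in mass-storage mode
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
SAMPLE_AUTORUN_INF = """\
[autorun]
open=MisVh55_Fichiers.exe
shell\\open\\Command=MisVh55_Fichiers.exe
shell\\explore\\Command=MisVh55_Fichiers.exe
"""


def parse_autorun(inf_text):
    """Return the [autorun] section as {lowercased key: value}, skipping ; comments."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keys Explorer may execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def executable_targets(entries):
    """Launch targets whose program is a native executable or script on the drive."""
    hits = {}
    for key, cmd in launch_targets(entries).items():
        program = cmd.split()[0].strip('"').lower() if cmd else ""
        if program.endswith(EXECUTABLE_SUFFIXES):
            hits[key] = cmd
    return hits


def still_autorun_enabled(mask):
    """Drive types a NoDriveTypeAutoRun value does NOT cover (0xFF covers all)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]
```

Decoding the 0x91 value listed above shows it still lets removable and fixed drives autorun; 0xFF switches the feature off for every drive type.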

Okay, different tool.

Plug your drives in before running this one.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

DSS should have downloaded hijackthis for you.

Hi polonus

I am unable to access the run command or msconfig. oldman and I think that the virus has interfered here.

I am going to try this combo-fix tool.

Otherwise I may install Linux on one of my hard drives and try to follow your advice. I’m not very clued up on Linux though, so it may be tricky for me.

YAY, finally I’ve managed to run one of the tools you’ve suggested.

Ok I ran Combo-fix, without any errors ;D

here are the logfiles from combofix and a new hijackthis scan:

Although not directly related to your immediate problem, something for the future.

You don’t actually have to install it on your system; there are what are known as Live CD versions which will run from a bootable CD, like Knoppix (there are others). You ensure your BIOS is set to boot first from the CD drive, you put the live CD in and reboot. This is handy because you don’t have to install, and it allows you to rummage round in your Windows partitions, etc.

You could do a Google search, http://www.google.com/search?q=Knopix+live+CD, or try “Linux Live CD”, which would give other Linux versions: http://www.google.com/search?q=Linux+live+CD. There are plenty to choose from in both those searches.