Author Topic: MisVh55_Fichiers.exe has infected my flash drive and phone  (Read 22158 times)


jamesieza

  • Guest
Hi, this is my 1st post, not quite sure how things work around here.
I have searched the forums for similar problems but I can't find any.

I recently observed a virus that was not picked up by avast.
It appears to be some type of spyware. When I try opening my flash drive, it will not open by double clicking; I must right-click and open. When it is opened there is an exe that looks like a folder called "MisVh55_Fichiers.exe" which I did not create.

If I open the folder I end up in My Documents. I have tried deleting the file, but it is recreated every time I open my flash drive. I am not sure what other areas of my computer it has infected, but it appears to also have affected my phone. Yesterday I downloaded some photos from it and now it will not start up. I fear the problem of not being able to open my flash normally has moved over to not being able to start my phone. If I can at least sort out my flash and computer then I’ll move on to my phone.
I am not sure where it came from as I use my flash with my university’s network.

I really hope someone can help me  ::)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #1 on: March 25, 2008, 12:38:29 PM »
Right now, if you can, send the file to virus (at) avast (dot) com for analysis.
After that, maybe you should install and run SuperAntispyware and/or SpywareTerminator.
Can you post back the results?
I wish avast had better detection in this case...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #2 on: March 25, 2008, 02:07:33 PM »
It's an autorun virus. Do the following. Please attach the logs as they will be long.

How many would that be and what type of drives are they? What drive letters are they recognized as?

Let's start with disabling autoruns.

Download and Install Microsoft's TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Then Plug in all of your usb devices including your phone.

Download "Clean Autoruns" from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double click on Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those.


Please download OTMoveIt2 by OldTimer.


Save it to your desktop.

Please double-click OTMoveIt2.exe to run it. Make sure the usb drives are plugged in.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf
 


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste. This fix will not work if the wrong box is used.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Now to protect those drives, I will need you to download and run this program, with your usb devices attached.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well. Just skip that part.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also take away any current Autorun infection's ability to restart.

Please attach the results to your next reply. Use the additional option button on the reply page.




That will be a start. Do not plug into any other computer







jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #3 on: March 25, 2008, 06:02:45 PM »
Ok, I only had a little time now and started, but for some reason I can't run Tweak UI. It says "Tweak UI has been disabled by your administrator", which is strange since I am the admin.

I have to go out now but I am looking forward to going through the process later; your replies look very helpful.


jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #4 on: March 25, 2008, 10:31:10 PM »
Ok, I’ve done a bit more work. Since I was having trouble running Tweak UI, I tried finding another way of disabling auto runs. I found a useful site (http://features.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/) that said:

Disabling Auto-Run is something we think everyone should do, not only for security from viruses and spyware, but so you'll never need to deal with being unable to listen to your music on your devices. Here's how to do it in Windows XP.

In Windows click Start, then click Run
Type regedit
Click OK
Click > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Cdrom
Double click "Autorun". The value is set to 1 by default; change it to zero.
Click OK
Now restart, that's it!


So I tried to do this, but I could not find the Run command on my Start menu. I looked for it in Task Manager and I could not use the New Task function there as it was greyed out.

So now I went off to solve this problem and I found this site, which gives me the idea that my trouble in disabling auto runs is due to the virus itself.

http://ask-leo.com/why_cant_i_enable_the_run_command.html

Ok, I then followed the advice given on this site and tried opening regedt32.exe from the system32 folder, and I then got the same message that I got when I tried to run Tweak UI. It seems that to do either of the two things I am trying to do (disable auto runs, enable the Run command in the Start menu) I need to get into regedt32.exe, which I can't do >:(

It appears that this virus is trying to protect itself  :'(

Oh, on another note, I am going to a phone service centre tomorrow and they can hopefully reformat my phone so I can get it working. At the moment I can't start it, and when it is plugged in to my computer I don't even see it as a drive.

Thanks for the help so far. I believe we are making progress as we are at least beginning to understand the problem.

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #5 on: March 25, 2008, 10:44:30 PM »
Ok, I’ve tried to move on with the steps in the hope that removing the auto runs and then 'quickly' (before anything gets a chance to auto run) disabling autoruns. (I’m doing this because the virus appears to be doing everything it can to prevent me disabling autoruns.)

Ok, so I downloaded "Clean Autoruns" and ran the .bat file, and it produced the two .txt files. However, during the running of "Clean Autoruns" I received two Windows messages saying "Registry editing has been disabled by your administrator". I am beginning to read the message as: "Leave me alone, I’m quite happy here infecting your computer"

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #6 on: March 26, 2008, 12:48:26 AM »
This is rather strange. A and B are usually floppy drives, yet that's the only autorun found. Plus no mountpoints.

You guessed right, this bug is thumbing its nose at you.  ;)

Let's see if we can find out what he's up to.

Note: since different malware can use the same or similar file name, you may or may not have a password/info stealer. However, I would suggest that you change all your passwords on any type of  account/forum you access through the internet. Do this from a known clean machine.

Since you didn't mention your OS, if you are running Vista, you will have to right click and run as administrator. If XP, just double click.  :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
« Last Edit: March 26, 2008, 07:11:56 AM by oldman »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33972
  • malware fighter
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #7 on: March 26, 2008, 12:58:06 AM »
Hi jamesieza,

After passing the DSS scan results to oldman, and following all his instructions carefully, you could also do the following:
Download Flash_Disinfector.exe by sUBs from http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.

    * Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives including your
       mobile phone. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #8 on: March 26, 2008, 01:41:59 AM »
Hi jamesieza. I got a bit of a handle, I think, on this fella. The DSS results will help. Leave the flash and phone unplugged. I think getting your computer cleaned up first is our best plan of attack.

Quote
“Leave me alone I’m quite happy here infecting your computer"

Nice to see you have a sense of humor about this. It will help, believe me.  ;D

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #9 on: March 26, 2008, 11:13:36 AM »
Ok, I got to the point where I must run DSS.
I tried this once or twice and encountered system errors. In the meantime avast downloaded an update automatically.

Then I tried DSS again; I was interrupted by an avast virus warning (a virus that has "some filename"Fichers.exe).
Avast identified it as:

Win32:AutoRun-YV [Wrm]

I have attached the lines from the Avast log.

Avast then recommended a full boot scan. So I am going to do that now.
And then move on with the rest of the procedure.

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #10 on: March 26, 2008, 11:19:49 AM »
Since you didn't mention your OS, if you are running Vista, you will have to right click and run as administrator. If XP, just double click.  :)

Ah yes I forgot to say my operating system, how silly.

I’m a little confused as to what I would be double clicking on to run as admin. Also, in the Control Panel accounts tab my account is called:
James
Computer administrator
Password protected

Surely I should already have all admin rights?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #11 on: March 26, 2008, 02:01:10 PM »
The run as administrator only applies to vista. If you have vista, right click the DSS.exe on your desktop and select run as administrator.

If you have xp just double click.


jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #12 on: March 26, 2008, 02:10:07 PM »
Ha, I even forgot after I had realised I had forgotten.

Windows XP Home Sp 2

sorry

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #13 on: March 26, 2008, 02:56:43 PM »
Still struggling to run DSS, but I can get HijackThis to run. Here is the log file it generated:

jamesieza

  • Guest
Re: MisVh55_Fichiers.exe has infected my flash drive and phone
« Reply #14 on: March 26, 2008, 03:06:48 PM »
Ok, I'm moving on, trying to stick to your guidelines. I have not been able to complete all the steps for various reasons mentioned in my other posts.

so I've just run OTMoveIt2.exe
results:

[Custom Input]
< C:\Autorun.inf >
File/Folder C:\Autorun.inf not found.
< D:\Autorun.inf >
File/Folder D:\Autorun.inf not found.
< E:\Autorun.inf >
File/Folder E:\Autorun.inf not found.
< F:\Autorun.inf >
File/Folder F:\Autorun.inf not found.
< G:\Autorun.inf >
File/Folder G:\Autorun.inf not found.
< H:\Autorun.inf >
File/Folder H:\Autorun.inf not found.
 
OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03262008_160320



Note I am doing this with all my drives removed from the computer and I have not yet been able to disable autoruns from regedt, because I can't get into it.