#1
It all started when I purchased 2 flash drives: a Kingston 2GB and a Cruzer 4GB. I think how it TRULY started was when I *already* had some Chinese spyware on my computer; I kind of ignored it for a while (a few months). Then when I plugged my Kingston 2GB drive into my main computer, I noticed I couldn't open it regularly. When I clicked on it, the mouse icon just disappeared. Then I tried right-clicking on it, and I noticed the "Open/Explore" diagrams were missing. I ignored this too. Then I began transferring stuff to several computers, and within a few weeks I noticed that ALL the computers on which I used the 2GB drive became the same way. The main/secondary/third HDs on two computers could not be opened regularly. When I right-clicked, there was some Chinese text that I think meant "Open/Search or Explore", but clicking them results in opening a niu.exe file.

I think this is probably the main virus. I have 3 systems that use Windows XP and 1 system that uses Vista. When I plug the drive into my Vista system, it gives me an option of "autoplaying" niu.exe. This is when I discovered why my Vista system was unaffected. I have two drives now that I use: the 2GB and 4GB, which seem to be both affected. Perhaps this niu.exe file is in BOTH drives and on my main hard drives on my 3 systems now? I don't know the best way to try to get rid of it from the drives without affecting any other systems again. I've tried using NOD32, Kaspersky, SUPERAntiSpyware, RogueRemover, etc. with no luck. I've tried reinstalling a fresh Windows XP on one of my systems, only to find that this problem is back. I had 2 hard drives. I formatted the 1st HD, but I knew the 2nd HD still had the problem. When I reinstalled WinXP on the 1st HD, as soon as I opened up 'My Computer', my 2nd HD still had the problem, and soon it jumped back to my main HD. I tried manually searching for niu.exe and I found it in my windows\system32 folder. I deleted the file, but still none of my drives can be opened by left-clicking, and right-clicking still yields some Chinese options. It seems to have been stuck somewhere deep in my flash drive + hard drive. I don't know the best way to get rid of this. Only Windows XP is affected because it autoplays the mysterious file, while Vista gives you an option. I'm afraid wherever I take the drive with me, it will get affected again. So in the end, it all started with possibly *existing* spyware on my MAIN computer. Then, using the drives and transferring data to several other computers (also using WinXP), maybe somehow the spyware or trojan jumped around and stuck itself deep into the flash drives; then once a flash drive is inserted, maybe the spyware embeds itself into ANY drive it sees on other computers and is stuck there forever, unless you format it. The virus file is maybe niu.exe (could be more).

Deleting niu.exe from msconfig/startup and deleting the actual file still yields the problem. Here's a screenshot of what I'm talking about: http://img337.imageshack.us/img337/4148/desktopdt5.jpg This is what I see when I right-click any of the drives that are affected. Any suggestions on what I should try? This is a very frustrating problem. Thanks!

#2

Kabigon, I would try going into My Computer and using Tools on your main drive; have it check for errors and let it try to auto-fix. This takes a while but it's automatic. Just a thought.

#3

Hi Kabigon,
You may want to check your computers for infection from Worm_SillyCQ. Here's a link to Trend Micro which has a description: http://www.trendmicro.com/vinfo/viru...Y%2ECQ&VSect=T Good luck, Wake

#4

Ah! This seems like possibly the suspect. This is exactly the Unicode text that it integrates into. The virus itself is pretty nasty and it seems like the description is right.

"[AutoRun]
open=niu.exe
shell\open=´ò¿ª(&O)
shell\open\Command=niu.exe
shell\open\Default=1
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command=niu.EXE

Propagation via Physical/Removable Drives
This worm drops copies of itself in all physical, removable, and mapped drives as NIU.EXE. It sets its attributes to Hidden, System, and Read-only to avoid easy detection. It also drops the AUTORUN.INF file mentioned earlier in the said drives."

Now my goal is to terminate it both on the hard drives and the mapped drives as well. What would be the best way to terminate this? I know there are manual instructions on the description link you gave me. But I was wondering how to clean both the affected computers and drives at the same time, so I don't get the recurrent problem again. Must I download the Trend Micro scanner? It's amazing that Trend Micro found this and not my NOD32 or Kaspersky even... thanks again!
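The autorun.inf quoted above is the whole mechanism: `open=` makes XP launch the worm on AutoPlay, and the `shell\open` / `shell\explore` lines replace the drive's right-click verbs with ones that run niu.exe, which is why "Open" and "Explore" disappeared. The following is an added example, not code from the thread or from Trend Micro: a small Python triage script a defender can run over an autorun.inf copied off a suspect drive (with AutoPlay disabled). It parses the `[AutoRun]` section, lists every program the file would launch, and flags rewired verbs and non-ASCII labels. The sample file is constructed to reproduce the one in the post; the assumption that the labels were written in the GBK code page and read back by an English XP in cp1252 is mine, and is what turns "打开" into the "´ò¿ª" the posters saw.

```python
"""Static triage of an autorun.inf pulled from a removable drive.

Added example for this thread, not code from the original posts or from
Trend Micro. Reports the indicators the WORM_SILLY.CQ write-up calls out:
an open= entry (auto-executed on AutoPlay), Explorer verbs rewired to a
program on the drive, and menu labels that are not plain ASCII.
"""

# Constructed sample reproducing the autorun.inf quoted in post #4.
# Assumption: the labels were written in GBK; an English Windows XP reads
# the file in its own code page (cp1252), which is how "打开(&O)" ends up
# displayed as "´ò¿ª(&O)".
SAMPLE_AUTORUN_INF = (
    b"[AutoRun]\r\n"
    b"open=niu.exe\r\n"
    + b"shell\\open=" + "打开(&O)".encode("gbk") + b"\r\n"
    + b"shell\\open\\Command=niu.exe\r\n"
    + b"shell\\open\\Default=1\r\n"
    + b"shell\\explore=" + "资源管理器(&X)".encode("gbk") + b"\r\n"
    + b"shell\\explore\\Command=niu.EXE\r\n"
)


def parse_autorun(data: bytes, codepage: str = "cp1252") -> dict:
    """Return the [AutoRun] key/value pairs with keys lower-cased.

    INI keys on Windows are case-insensitive (the worm itself mixes
    niu.exe and niu.EXE), so everything is normalised here.
    """
    text = data.decode(codepage, errors="replace")
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def decode_label(label: str, codepage: str = "cp1252", native: str = "gbk") -> str:
    """Undo the mojibake: re-encode in the code page Explorer used, then
    decode in the code page the author used (GBK is an assumption)."""
    try:
        return label.encode(codepage).decode(native)
    except UnicodeError:
        return label


def referenced_programs(entries: dict) -> list:
    """Every program the file would launch, lower-cased and de-duplicated."""
    programs = set()
    for key in ("open", "shellexecute"):
        if key in entries and entries[key].split():
            programs.add(entries[key].split()[0].lower())
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            if value.split():
                programs.add(value.split()[0].lower())
    return sorted(programs)


def triage(entries: dict) -> list:
    """Human-readable findings a defender should act on."""
    findings = []
    if "open" in entries:
        findings.append(f"open= launches '{entries['open']}' on AutoPlay")
    if "shellexecute" in entries:
        findings.append(f"shellexecute= launches '{entries['shellexecute']}'")
    for key, value in entries.items():
        parts = key.split("\\")
        if parts[0] != "shell":
            continue
        if len(parts) == 2 and not value.isascii():
            # shell\<verb>=<label>: the text shown in the right-click menu
            findings.append(f"verb '{parts[1]}' shows non-ASCII label {value!r} "
                            f"(decodes as {decode_label(value)!r})")
        elif len(parts) == 3 and parts[2] == "command":
            # shell\<verb>\command=<program>: the verb has been rewired
            findings.append(f"verb '{parts[1]}' rewired to '{value}'")
    return findings


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN_INF)
    for finding in triage(found):
        print(finding)
    print("programs referenced:", referenced_programs(found))
```

Run it against a real file with `parse_autorun(open(path, "rb").read())`; the drive should be mounted with AutoPlay off, as post #5 advises, since opening the drive normally is exactly what triggers the rewired verbs.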

#5

Don't think you can eliminate everything on all drives at one time, but here's a start:

Use Task Manager to terminate crss.exe.

Set NOD32 to scan according to Blackspear's settings here: http://www.wilderssecurity.com/showthread.php?t=131758

Kaspersky does detect this, so does NOD32, see here: http://www.trendmicro.com/vinfo/viru...Y%2ECQ&VSect=P

Aliases: Trojan-Downloader.Win32.Delf.bny (Kaspersky), W32/Autorun.worm.b (McAfee), W32.SillyDC (Symantec), TR/Delphi.Downloader.Gen (Avira), Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus (F-Prot), Mal/DelpDldr-B (Sophos), Trojan:Win32/SystemHijack.gen (Microsoft)

If you look here: http://www.trendmicro.com/vinfo/viru...%2ECQ&VSect=Sn it shows the special tools needed: AUTOMATIC REMOVAL INSTRUCTIONS.

As far as the infection you have on your flash drives: BEFORE any scans, disable AutoPlay. Hold down the Shift key at boot, or use TweakUI PowerToys set to disable AutoPlay, download here: http://www.microsoft.com/windowsxp/d...powertoys.mspx

Then use NOD32 or whatever to scan your computers and your flash drives. Or go here: http://portableapps.com/ and update ClamWin and use it to scan your flash drives again with AutoPlay disabled.

Best of luck to you, Wake

#6

Well, I didn't see NOD32 (ESET) anywhere on the list... coincidentally, I only have NOD32 running and not Kaspersky (maybe another reason to use Kaspersky instead of NOD32); so maybe that's why it's undetectable. Also I disabled AutoPlay and tried using ClamWin on the drives; it found nothing. It said it scanned niu.exe, but no viruses were found. Strange.

I tried using Kaspersky and it seems to have done the trick. It deleted all the niu.exe files embedded on my drives on several computers. However, the right-click Unicode/Chinese text GUI still appears. I tried to follow the instructions on the Trend Micro website by deleting autorun.inf; however, the text still appears when I right-click. Now it seems the virus itself is neutralized, but the GUI text still appears there. Any other suggestions? Thanks once again!

Last edited by Kabigon : August 23rd, 2007 at 04:47 AM.

#7

Glad to hear you're making progress. The Chinese navigation is also known as Baidu Search Toolbar; check for it in Add/Remove Programs in Control Panel, uninstall it, and see if that works. Regards, Wake

P.S. Reset IE back to default after you remove Baidu:
1. Close all Internet Explorer windows.
2. Open Control Panel. Click Start > Settings > Control Panel.
3. Double-click the Internet Options icon.
4. In the Internet Properties window, click the Programs tab. (Note: If you are running Internet Explorer 7 (IE7), click the Advanced tab.)
5. Click the Reset Web Settings... button. (Note: On IE7, click the Reset button.)
6. Select "Also reset my home page". Click Yes.
7. Click OK.

Last edited by Wake2 : August 23rd, 2007 at 10:13 AM. Reason: added return IE to Default settings

#8

Okay, I reset my IE settings, but my IE doesn't appear to be affected. Like I said, it's only my drives' right-click GUI (when I right-click any drive, the Unicode text still appears; it's not a threat anymore, but it's still there). I tried deleting autorun.inf, which appears to be the source of the right-click GUI, but the text still appears there.

#9

Did you find Baidu listed in Add/Remove in Control Panel? Or did you see an entry similar to this? °Ù¶È³¬¼¶ËÑ°Ô

You may want to go to a forum that allows HijackThis posts to help you with the rest of the cleanup: CastleCops, BFC Computer Help, Gladiator Security, etc. Regards, Wake

#10

Baidu isn't shown in Add/Remove Programs, and neither is that other one. I had the problem right after a fresh new installation of Windows, and the hard drive still had it. I will double-check my HijackThis log to see if anything is weird, but I have a feeling it's embedded somewhere deep inside my computer. Thanks again.

#11

Go back and reread Trend Micro's report for Descriptions and Solutions, under the manually editing registry part for AUTORUN.INF: http://www.trendmicro.com/vinfo/viru...%2ECQ&VSect=Sn

The only other thing I came up with in doing a search for Baidu is this: http://www.greatis.com/security/Remo...du_rootkit.htm Good luck, Wake

#12

I tried manually searching for niu.exe in the registry and I found where it shows the Unicode text; however, when I try to delete it in the registry, it just comes back. It's located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 under shell\explore, open, run, etc. I think this is the key that determines what the right-click GUI shows. However, I still cannot get rid of it... when I right-click any drive, the text and functions are still there. It seems to be no threat, but it's still there.

#13

When you ran the Kaspersky scan, what was the infection it detected?
Regards, Wake

#14

Win32.Autorun.fr was the virus detected on all the drives by Kaspersky. It deleted the virus, but did no cleanup. However, I think what I need to do is find an autorun.inf reset or some sort of registry reset so it resets those settings, because they were *affected* by the virus/trojan. 'Cause normally when you double-click a drive, it will automatically open. However, in this case, it won't open now... it just pops up a screen asking what I want to open it with. Also when I right-click, the "Open/Explore" options are gone and replaced with the Unicode text still embedded.

#15

As much as I can see, Win32.Autorun.fr refers to Win32.Autorun.ah: http://www.viruslist.com/en/viruses/...virusid=160221 which does have some instructions there. Do you have any of those files listed?

As far as that MountPoints2 you commented on earlier: what happens if you delete the whole entire MountPoints2 key in the registry under HKCU, reboot your computer, and then try to reopen your drives? Remember to make a registry backup first. Regards, Wake

#16

Quote:
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,

#17

Quote:
My system indeed has "csrss.exe," but I do believe it's legitimate as it is located in System32\csrss.exe. The other files shown in the viruslist are not found. I tried deleting the registry entries in the MountPoints2, but it doesn't delete. It just comes back. Strange... & aigle, I don't have the original niu.exe anymore. It all got deleted when running Kaspersky.

#18

OK, no problem.
Thanks
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,

#19

What do you mean MountPoints2 doesn't delete? Are you removing the entire key and all subfolders? Path is: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

If that entire key is removed, and then you reboot and then open your hard drive, Windows should rebuild that key, and you should then be able to reopen your hard drives. If you did delete that entire key and all its subfolders and you are still experiencing the exact same problem, then I am thinking Kaspersky was able to remove some but not all of the infection. Check the date modified of csrss, do some more scans, and try posting over at the Kaspersky forum for more help. Regards, Wake
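The MountPoints2 key is where Explorer caches the verbs it read from each volume's autorun.inf, per volume and per user, which is why the menu entries survive deleting niu.exe and autorun.inf and why a fresh Windows install still showed them once the old drive was opened. The following is an added example, not code from the thread: a Python script that reads a text export of that key (what `reg export` writes, decoded from its UTF-16 file into a string) and lists every volume that still carries a cached verb, so the cleanup can be checked before and after the key is deleted and rebuilt as Wake describes. The export below is constructed; the volume GUIDs and the `E:` drive letter are placeholders, and the key layout `MountPoints2\<volume>\Shell\<verb>\command` is the one autorun worms are known to leave behind.

```python
"""Triage of the per-volume shell verbs Explorer cached under MountPoints2.

Added example for this thread, not code from the original posts. Parses a
text registry export (the .reg format) and reports cached verbs and the
commands they run, so a rebuilt key can be verified clean.
"""
import re

MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                r"\CurrentVersion\Explorer\MountPoints2")

# Constructed export. Volume GUIDs and the E: drive letter are placeholders;
# the first volume is clean, the second still carries the worm's verbs and
# the mojibake labels seen in this thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@="E:\\niu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\open]
@="´ò¿ª(&O)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\open\command]
@="E:\\niu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\explore]
@="×ÊÔ´¹ÜÀíÆ÷(&X)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\explore\command]
@="E:\\niu.EXE"
"""

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Map each key path to its values; '@' is the key's default value.
    Non-string data (dword:, hex:) is kept as the raw text."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        tree[current][name] = data
    return tree


def cached_verbs(tree: dict) -> list:
    """(volume, verb, menu label, command) for every cached verb."""
    prefix = MOUNTPOINTS2.lower() + "\\"
    found = []
    for path, values in tree.items():
        if not path.lower().startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")   # <volume>\Shell\<verb>\command
        if len(parts) == 4 and parts[1].lower() == "shell" and parts[3].lower() == "command":
            label = tree.get(path.rsplit("\\", 1)[0], {}).get("@", "")
            found.append((parts[0], parts[2], label, values.get("@", "")))
    return sorted(found)


def volumes_with_cached_verbs(tree: dict) -> list:
    """Volumes whose cached menu is worth inspecting (and deleting)."""
    return sorted({volume for volume, _, _, _ in cached_verbs(tree)})


def reg_delete_commands(volumes: list) -> list:
    """Per-volume form of the cleanup in post #19: drop only the tainted
    sub-keys and let Explorer rebuild them on the next open."""
    return [f'reg delete "{MOUNTPOINTS2}\\{v}" /f' for v in volumes]


if __name__ == "__main__":
    tree = parse_reg_export(SAMPLE_REG_EXPORT)
    for volume, verb, label, command in cached_verbs(tree):
        print(f"{volume}  {verb:8} {label!r:22} -> {command}")
    for cmd in reg_delete_commands(volumes_with_cached_verbs(tree)):
        print(cmd)
```

To use it on a real machine, export the key first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg`), read the file with `open("mp2.reg", encoding="utf-16")`, and run the export through `parse_reg_export`; the script only reports and prints the deletion commands, it does not touch the registry. If the verbs reappear after the key is deleted and the drives are reopened, a drive still carries an autorun.inf and Explorer is simply re-caching it, which matches Wake's reading that the infection was not fully removed.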

#20

I can't even delete the MountPoints2 key. It deletes then comes back, even before OR after a reboot. Hmm.. I will look further into this. Thanks, though.

#21

Hi Kabigon,
Go back and reread the removal instructions posted at the Trend Micro website. Here's the link: http://www.trendmicro.com/vinfo/viru...LY.CQ&VSect=Sn Here's another link about this same worm: http://www.k7computing.com/virusdeta...?virusid=46354 Good luck, Wake

#22

I have a couple of Cruzer thumb drives. They came with Avast U3 AV, and scan at startup. Of course the AV is just a 30-day trial, I think.
I am wondering if your Cruzer drive had Avast on it, and it was not expired for updates? I would have thought Avast would have stopped the worm. Regards, Jerry
__________________
Laptop W7 64-bit - Avast Pro 8, W7 Firewall, WinPatrol Pro, and MBAM Pro in real time. Desktop W7 64-bit - KIS 2013, WinPatrol Pro, and MBAM Pro in real time.