Possible Chinese spyware that is embedded into flash drives & HDs?

Discussion in 'malware problems & news' started by Kabigon, Aug 22, 2007.

Thread Status:
Not open for further replies.
  1. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    It all started when I purchased 2 flash drives, a Kingston 2GB & a Cruzer 4GB. I think how it TRULY started was when I *already* had some Chinese spyware on my computer; I kind of ignored it for a while (a few months). Then when I plugged my Kingston 2GB drive into my main computer, I noticed I couldn't open it regularly. When I clicked on it, the mouse icon just disappeared. Then I tried right-clicking on it, and I noticed the "Open/Explore" diagrams were missing. I ignored this too. Then I began transferring stuff to several computers and within a few weeks, I noticed that ALL the computers that I used the 2GB drive on became the same way. The main/secondary/third HDs on two computers could not be opened regularly. When I right-clicked, there was some Chinese text that I think meant "Open/Search or Explore", but clicking them resulted in opening a niu.exe file.

    I think this is probably the main virus. I have 3 systems that use Windows XP and 1 system that uses Vista. When I plug the drive into my Vista system, it gives me an option of "autoplaying" niu.exe. This is when I discovered why my Vista system was unaffected. I have two drives now that I use: the 2GB & 4GB that seem to be both affected. Perhaps there is this niu.exe file in BOTH and on my main hard drives on my 3 systems now? I don't know what's the best way to try to get rid of it on the drives without affecting any other systems again.

    I've tried using nod32, kaspersky, superantispyware, rogueremover, etc. with no luck. I've tried reinstalling a fresh Windows XP on one of my systems, only to find that this problem is back. I had 2 hard drives. I formatted the 1st HD, but I knew the 2nd HD still had the problem. When I reinstalled WinXP on the 1st HD, as soon as I opened up 'My Computer', my 2nd HD still had the problem, and soon it jumped back to my main HD.

    I tried manually searching for niu.exe and I found it to be in my windows\system32 folder. I deleted the file, but none of my drives are able to left-click open, and right-click still yields some Chinese options. It seems to have been stuck somewhere deep in my flash drive + hard drive. I don't know what's the best way to get rid of this. Only Windows XP is affected because it autoplays the mysterious file while Vista gives you an option. I'm afraid wherever I take the drive with me, it will get affected again.

    So in the end, it all started with possibly *existing* spyware on my MAIN computer. Then using the drives and transferring data to several other computers (also using WinXP), maybe somehow the spyware or trojan jumped around and stuck itself deep into the flash drives; then once the flash drive is inserted, maybe the spyware embeds itself into ANY drive it sees on other computers and is stuck there forever, unless you format it. The virus file is maybe niu.exe (could be more). Deleting niu.exe from msconfig/startup & the actual file still yields the problem.

    Here's a screenshot of what I'm talking about:

    http://img337.imageshack.us/img337/4148/desktopdt5.jpg

    This is when I right-click any of the drives that are affected.

    Any suggestions on what I should try? This is a very frustrating problem. Thanks!
     
  2. QuestionX

    QuestionX Registered Member

    Joined:
    Aug 16, 2007
    Posts:
    28
    Kabigon, I would try going into My Computer and using Tools on your main drive, have it check for errors and let it try to auto fix. This takes a while but it's automatic. Just a thought.
     
  3. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
  4. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    Ah! This seems like possibly the suspect. This is exactly the unicode text that it integrates into. The virus itself is pretty nasty and it seems like the description is right.

    "[AutoRun]
    open=niu.exe
    shell\open=´ò¿ª(&O)
    shell\open\Command=niu.exe
    shell\open\Default=1
    shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
    shell\explore\Command=niu.EXE

    Propagation via Physical/Removable Drives

    This worm drops copies of itself in all physical, removable, and mapped drives as NIU.EXE. It sets its attributes to Hidden, System, and Read-only to avoid easy detection.

    It also drops the AUTORUN.INF file mentioned earlier in the said drives."


    Now my goal is to terminate it both on the hard drives and on the mapped drives as well. What would be the best way to terminate this? I know there is a manual instruction on the description link you gave me. But I was wondering how to clean both the affected computers & drives at the same time, so I don't get a recurrent problem again. Must I download the Trend Micro scanner? It's amazing that Trend Micro found this and not my NOD32 or Kaspersky even... thanks again!
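    The autorun.inf quoted above is what makes the drive's "Open" and "Explore" verbs run niu.exe, and the odd labels (´ò¿ª, ×ÊÔ´¹ÜÀíÆ÷) are GBK-encoded Chinese menu text that was displayed as Latin-1. The following script is an added example for this thread, not a tool from the original posts or from Trend Micro, Kaspersky or ESET: it parses an autorun.inf, lists every entry that would launch a program from the drive, reports whether Explorer's own Open/Explore verbs have been replaced, and re-decodes the mojibake labels. The sample INF embedded below is the one quoted in the thread; the GBK assumption applies to this sample and may not hold for other variants.

```python
"""Flag autorun.inf entries that launch a program from a removable drive.

Added example; not code from the original thread or from any vendor named in it.
"""
import re

# [AutoRun] keys whose value is a program Windows would run directly.
EXEC_KEYS = {"open", "shellexecute"}


def parse_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def decode_mojibake(label, codec="gbk"):
    """Re-interpret a label that is really GBK bytes shown as Latin-1.

    Assumption for this sample: the worm wrote the labels in GBK, so
    "´ò¿ª(&O)" is the bytes B4 F2 BF AA, i.e. 打开 ("Open").
    """
    try:
        return label.encode("latin-1").decode(codec)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return label


def find_launch_entries(text):
    """Return [(key, program)] for every [AutoRun] entry that runs a program."""
    autorun = parse_inf(text).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        parts = key.split("\\")
        # open= / shellexecute=  or  shell\<verb>\command=
        if key in EXEC_KEYS or (
            parts[0] == "shell" and len(parts) == 3 and parts[2] == "command"
        ):
            findings.append((key, value))
    return findings


def overrides_explorer_verbs(text):
    """True if the INF replaces Explorer's own Open/Explore verbs (what the OP saw)."""
    autorun = parse_inf(text).get("autorun", {})
    return any(k in autorun for k in ("shell\\open\\command", "shell\\explore\\command"))


# The autorun.inf quoted in the thread (WORM_SILLY.CQ), used here as sample input.
SAMPLE_INF = """[AutoRun]
open=niu.exe
shell\\open=´ò¿ª(&O)
shell\\open\\Command=niu.exe
shell\\open\\Default=1
shell\\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\\explore\\Command=niu.EXE
"""

if __name__ == "__main__":
    for key, prog in find_launch_entries(SAMPLE_INF):
        print(f"{key} -> {prog}")
    print("Explorer verbs overridden:", overrides_explorer_verbs(SAMPLE_INF))
    for label in ("´ò¿ª(&O)", "×ÊÔ´¹ÜÀíÆ÷(&X)"):
        print(label, "=", decode_mojibake(label))
```

    Run it against the autorun.inf on each suspect drive with AutoPlay disabled (Wake2's advice further down) so the file is only read, never executed. Note that the key names are compared case-insensitively, which is why `shell\explore\Command=niu.EXE` is still caught.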
     
  5. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Don't think you can eliminate everything on all drives
    at one time but here's a start:

    Use task manager to terminate crss.exe

    Set Nod32 to scan according to Blackspears settings here:

    https://www.wilderssecurity.com/showthread.php?t=131758

    Kaspersky does detect this so does Nod32 see here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SILLY.CQ&VSect=P

    Aliases: Trojan-Downloader.Win32.Delf.bny (Kaspersky), W32/Autorun.worm.b (McAfee), W32.SillyDC (Symantec),
    TR/Delphi.Downloader.Gen (Avira), Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus (F-Prot),
    Mal/DelpDldr-B (Sophos), Trojan:Win32/SystemHijack.gen (Microsoft)

    If you look here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SILLY.CQ&VSect=Sn

    Shows special tools needed:
    AUTOMATIC REMOVAL INSTRUCTIONS

    Far as infection you have on your flash drives and BEFORE any scans
    disable auto play hold down shift key at boot or use tweakui power toys
    set to disable auto play download here:

    http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

    Then use Nod32 or whatever to scan your computers and your flash drives:

    Or go here:

    http://portableapps.com/

    and update clam win and use it to scan your flash drives
    again with auto play disabled.

    Best of luck to you,

    Wake
     
  6. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    Well, I didn't see NOD32 (ESET) anywhere on the list... coincidentally, I only have NOD32 running and not Kaspersky (maybe another reason to use Kaspersky instead of NOD32); so maybe that's why it's undetectable. Also I disabled AUTOPLAY and tried using ClamWin on the drives; it found nothing. It said it scanned niu.exe, but no viruses found. Strange.

    I tried using Kaspersky and it seemed to do the trick. It deleted all the niu.exe files embedded on my drives on several computers. However, the right-click unicode/Chinese text GUI still appears there. I tried to follow the instructions on the Trend Micro website by deleting autorun.inf; however, the text still appears when I right-click. Now, it seems the virus itself is neutralized, but the GUI text still appears there. Any other suggestions? Thanks once again!
     
    Last edited: Aug 23, 2007
  7. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Glad to hear you're making progress,
    the Chinese Navigation is also known
    as Baidu Search Toolbar, check for
    it in Add Remove programs in control
    panel, uninstall it, see if that works.

    Regards,

    Wake

    P.S. Reset IE back to default after you remove Baidu
    1. Close all Internet Explorer windows.
    2. Open Control Panel. Click Start>Settings>Control Panel.
    3. Double-click the Internet Options icon.
    4. In the Internet Properties window, click the Programs tab.
    (Note: If you are running Internet Explorer 7 (IE7), click Advanced Tab)
    5. Click the Reset Web Settings... button.
    (Note: On IE7, click the Reset button.)
    6. Select Also reset my home page. Click Yes.
    7. Click OK.
     
    Last edited: Aug 23, 2007
  8. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    Okay, I reset my IE settings, but my IE doesn't appear to be affected. Like I said, only my drives' right-click GUI (when I right-click any drive, the unicode text still appears, but it's not a threat anymore; it's just still there). I tried deleting autorun.inf, which appears to be the source of the right-click GUI, but the text still appears there.
     
  9. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Did you find Baidu listed in Add Remove in Control Panel ?
    Or did you see an entry similar to this ? °Ù¶È³¬¼¶ËÑ°Ô

    You may want to go to a forum that allows hijack this posts
    to help you with the rest of the clean up, Castlecops, Bfc
    Computer Help, Gladiator Security etc..

    Regards,

    Wake
     
  10. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    Baidu isn't shown in the Add/Remove programs, and neither is that other one. I had the problem right after a fresh new installation of Windows and the hard drive still had it. I will double-check my HijackThis log to see if anything is weird, but I have a feeling it's somewhere embedded deep inside my computer. Thanks again.
     
  11. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
  12. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    I tried manually searching niu.exe in the registry and I found where it showed the unicode text, however when I try to delete it in the registry, it just comes back. It's located in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 under shell\explore & open & run, etc. I think this is the key that shows where right-click GUI is shown. However, I still cannot get rid of it... when I right click any drive, the text and functions are still there. However, it seems no threat, but still it's there.
     
  13. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    When you ran Kaspersky scan what was the infection it detected ?

    Regards,

    Wake
     
  14. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    Win32.Autorun.fr was the virus detected on all the drives by Kaspersky. It deleted the virus, but no cleanup. However, I think what I need to do is find an autorun.inf reset or some sort of Registry reset so it resets those settings because they were *affected* by the virus/trojan. Cause normally when you double-click into a drive, they will automatically open. However, in this case, it won't open now... it just pops up a screen of what I want to open. Also when right click, the "Open/Explore" options are gone and replaced with the unicode text still embedded.
     
  15. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    As far as I can see, Win32.Autorun.fr refers to Win32.Autorun.ah

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=160221

    Which does have some instructions there
    do you have any of those files listed ?

    Far as that MountPoint2 you commented on
    earlier what happens if you delete the whole
    entire MountPoint2 key in registry under
    HKCU and reboot your computer and then
    try to reopen your drives.

    Remember to make a registry back up first.

    Regards,

    Wake
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I have sent you a PM.
     
  17. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11

    My system indeed has "csrss.exe," but I do believe it's legitimate as it is located in System32\csrss.exe. The other files shown in the viruslist are not found. I tried deleting the registry entries in the MountPoint2, but it doesn't delete. It just comes back. Strange...

    & aigle,

    I don't have the original niu.exe anymore. It all got deleted when running Kaspersky.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OK, no problem.

    Thanks
     
  19. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    What do you mean MountPoint2 doesn't delete ?

    Are you removing the entire key and all subfolders ?

    Path is:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    If that entire key is removed, and then you reboot, and then
    open your hard drive, Windows should rebuild that key, and you
    should then be able to reopen your hard drives.

    If you did delete that entire key, and all its subfolders,
    and you are still experiencing the exact same problem,
    then I am thinking Kaspersky was able to remove some but
    not all of the infection; check date modified of csrss,
    and do some more scans, and try posting over at the Kaspersky
    forum for more help.

    Regards,

    Wake
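    The MountPoints2 key discussed in posts 12 and 19 is where Explorer caches the autorun.inf verbs of every volume it has opened, one subkey per volume, with the per-verb command under Shell\<verb>\command. That is why deleting the entries does nothing while an infected autorun.inf is still on any drive that gets opened: Explorer simply rebuilds them. The script below is an added example for this thread, not code from the posts or from Kaspersky or Trend Micro: it audits a `reg export` of that key for verbs whose command is a program and emits a .reg file that deletes the Shell subtree of each hijacked volume (a leading `-` on a key line in a .reg file deletes that key). It assumes the export was read as text (reg export writes UTF-16LE, so open it with `encoding="utf-16"`); the export embedded below is constructed, including the volume GUIDs.

```python
"""Audit a .reg export of HKCU\\...\\Explorer\\MountPoints2 for hijacked shell verbs.

Added example; not code from the original thread or from any vendor named in it.
"""
import re

MP2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# [MP2\<volume>\Shell\<verb>\command] -- the per-volume verb Explorer copies from autorun.inf
VERB_CMD = re.compile(
    re.escape(MP2)
    + r"\\(?P<volume>\{[0-9A-Fa-f-]+\}|[^\\\]]+)\\Shell\\(?P<verb>[^\\\]]+)\\command$",
    re.IGNORECASE,
)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export (string values only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg string data escapes backslashes and quotes
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_hijacked_volumes(text):
    """Map volume id -> {verb: command} for every verb whose command is a program."""
    findings = {}
    for path, values in parse_reg(text).items():
        m = VERB_CMD.match(path)
        if not m:
            continue
        cmd = values.get("@", "")
        if cmd:
            findings.setdefault(m.group("volume"), {})[m.group("verb").lower()] = cmd
    return findings


def build_cleanup_reg(text):
    """Produce .reg content that deletes the Shell subtree of each hijacked volume."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for volume in find_hijacked_volumes(text):
        lines.append(f"[-{MP2}\\{volume}\\Shell]")
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: one volume hijacked by an autorun.inf like the
# thread's, one clean volume. The GUIDs are placeholders, not real volume ids.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command]
@="niu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\open]
@="´ò¿ª(&O)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\open\command]
@="niu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{66666666-7777-8888-9999-000000000000}]
"BaseClass"="Drive"
"""

if __name__ == "__main__":
    for volume, verbs in find_hijacked_volumes(SAMPLE_REG).items():
        print(volume, verbs)
    print(build_cleanup_reg(SAMPLE_REG))
```

    Order of operations matters, as Kabigon's "it just comes back" shows: with AutoPlay disabled, remove autorun.inf and the dropped executable from every drive first, then import the generated .reg (after backing up the key, as Wake2 says), then reboot. If the Shell entries reappear after that, some drive that gets opened still carries the autorun.inf.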
     
  20. Kabigon

    Kabigon Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    11
    I can't even delete the MountPoints2 key. It deletes then comes back even before OR after reboot. Hmm.. I will look further into this. Thanks, though.
     
  21. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
  22. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I have a couple of Cruzer thumb drives. They came with Avast U3 AV, and scan at startup. Of course the AV is just a 30 day trial I think.

    I am wondering if your Cruzer drive had Avast on it, and it was not expired for updates?

    I would have thought Avast would have stopped the worm.

    Regards,
    Jerry
     