difficult to remove viruses in flash drive and system

gaiso.exe, gaisox.exe, duuib.exe, duuibx.exe, duuibxx.exe, bxpoar.exe, bxpoarx.exe and bxpoarxx.exe… I encountered these viruses, which seemingly have similar properties, early this week in a laptop belonging to our faculty in UST. They’ve been a pain in the @$$, especially since it keeps on “eating” up everything inside the USB except for .pps or PowerPoint shows. While it can be conventionally removed via USB Disk Security and then a complete format, it has been rather troublesome and completely made my USBs unusable for a time, rendering me almost incapable of proceeding with the lessons.

So far, from what I’ve observed, it “eats” up all of the files in the USB including folders, documents, text files, zips and executables among others, and replaces them with shortcuts which link to [virus name] [file name] (e.g. target: gaiso.exe evolution.doc). It also makes use of the dreaded autorun.inf. After launching, it copies itself to the folder “C:/Documents and Settings/User” under two or three names (simply by adding an x or xx at the end of its name). Subsequently, it does the same thing to the folder it is found in. It cannot be terminated via the Task Manager, it cannot be deleted (if it can be, it recycles itself unless every instance is detected and deleted at the same time), it hides as a system file, and as of now, I have not found a way to prevent it from installing itself in the USB. Not Panda USB Vaccine, not USB Defender, not even USB WriteProtect. So far, the most effective method is by using USB Flash Security, but it still infects the unprotected area and prevents me from accessing the protected area. The shortcuts also seem to work only once, since after accessing one, the rest of the shortcuts are only good for launching the virus again and nothing more.

Why not simply install USB Disk Security, or any other security software for that matter?

Like I said, it’s in UST. It’s not mine. I’m not allowed to make changes to it. Norton 2008 is installed in it (our university’s very tightfisted when it comes to the betterment of the education system, but that’s another story XD) and so is the useless Autorun Eater.

Format your USB

Then what was the point in my making a presentation and bringing it all the way to UST?

Try this instead: http://www.whoismadhur.com/2008/01/26/how-to-remove-virus-from-usb-drives/

Deletion of the virus’s main executable leads to the secure deletion of the files. They will be absolutely unrecoverable (I know because I tried using Recuva).

Try this and that. They’re portable.

And how am I to bring them? USB? Remember they also eat .exe’s.

Hm… It just came to me that instead of giving me methods of removal, I’d be more grateful if you’d tell me how I can prevent them. :smiley:

Try How to disable the Autorun functionality in Windows from the Microsoft Knowledge Base.

Tried. Didn’t work. The viruses seem to be running in the background. They infect the minute the USB is plugged in.

Hi spainach_12

Actually it should work. That’s a bit surprising.

Anyway, please read this thread in Emsisoft forum and run the script.

There are explanations, and you can check the settings that are already in place if you are interested and curious.

That should disable AutoRun globally.
After applying the said script there is no way anything will run automatically when any CDs/DVDs/USB devices are connected.

You are the boss now and only you can run any executable from those devices.
Sure, you can scan with any and multiple scanners prior to running anything.
Definitely there is a chance something “new” can be missed, but still … no auto-execution will take place.


DriveSentry GoAnywhere could prevent the USB virus from being able to write to your USB. Then Deny and Terminate on any file that tries to write to your USB then manually delete the files. ;D

You’re not getting the point. It’s not my PC. The system is infected and even though the autorun for the system and the USB has been turned off, it could still infect. How it is able to do it, I really don’t know yet. It’s in the startup so I suppose that’s how. I’ve gotten a sample. The makers of it seem to be clever too. They keep on changing the name to make it difficult to detect. It seems to be an upgraded version of the Recycler. But the methods I used before to pacify the Recycler don’t seem to work on this one.

I could remove it from the system if only I could access the admin account. But, of course, I’m not allowed to do that. I’ve been monitoring its behavior for three days now. I’ve devised a plan to stop the file and clean it in the system. I have yet to know if it will work or not. It should work, but as to the effects of removing it – whether or not it will be the same as to when it is removed in the usb (which utterly leads to the destruction of your files and apps) – I have yet to find out.

If only I had the money… :stuck_out_tongue:

Hi again spainach_12

Well, it seems that the initial message was not clear.
Therefore EricJH “got the same point” :slight_smile:, so I did similarly, mainly replying to his correct advice.

If the system is already infected, that is a completely different story.

Even if AutoRun is already disabled properly (stressing that), the AutoRun issue does not matter anymore.
You have to be aware of write-protecting the USB device that you are connecting, as was pointed out by elliotcroft.

Usually USB devices currently come with either hardware or software write-protection.
In addition you can find existing free ones.
Just search for “how to write protect USB devices”.
You will find a lot, or you can use a known registry hack in order to disable writing to any USB device (again, it’s a matter of quick googling).

Other than that (it’s not about AutoRun), you have to submit the required reports to the professional malware removal sites.
There are very good ones and they will most likely help you to clean that infested computer.

My regards
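The two registry-level controls mentioned in this thread (disabling AutoRun globally, and the write-protect policy for USB storage), as an added PowerShell example that is not any poster's script. The registry paths and value names are the standard Windows ones; the function names are assumptions of mine. It has to run elevated on a host you administer, which is exactly what the original poster lacks on the lab laptop.

```powershell
# Added example (not from the thread): harden a Windows host you administer
# against autorun-style USB worms. Both keys live under HKLM, so run elevated.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$StoragePolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-RemovableMediaHardening {
    param([switch]$WriteProtectUsb)

    # NoDriveTypeAutoRun = 0xFF: AutoRun is ignored for every drive type,
    # so an autorun.inf on a stick or CD is never acted on automatically.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

    if ($WriteProtectUsb) {
        # WriteProtect = 1: USB mass-storage devices connected from now on are
        # mounted read-only by this host (re-plug devices already attached).
        New-Item -Path $StoragePolicy -Force | Out-Null
        Set-ItemProperty -Path $StoragePolicy -Name 'WriteProtect' -Type DWord -Value 1
    }
}

function Get-RemovableMediaHardening {
    # Read back what is in place; $null means the value has never been set.
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $wp      = (Get-ItemProperty -Path $StoragePolicy  -Name 'WriteProtect'       -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        AutoRunDisabledEverywhere = ($autorun -eq 0xFF)
        UsbWriteProtected         = ($wp -eq 1)
    }
}

# Usage (elevated):  Set-RemovableMediaHardening -WriteProtectUsb
Get-RemovableMediaHardening
```

Two caveats that match what the thread reports. Both values only act on the host where they are set, so they protect that PC from the stick, not the stick from a lab PC you cannot administer. And the write-protect flag is a kernel storage policy read when a device is enumerated, so it only covers devices connected after the change, and malware already running with administrative rights on that host can simply flip it back; it complements the startup and process cleanup, it does not replace it.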

I suppose that the post was too long; few bothered to read it and just skimmed through. 88) Well, I gave the write-protect thing a try two days ago as part of the experiment. It failed miserably. The only option really is to have a USB with a built-in write-protect module in it. But no time nor resources to buy one, so I’m gonna have to use another tactic.

I took a sample by adding .quarantine to its last name and zipped the files. This prevents them from ever being accessed. I was supposed to send the archive to be analyzed at VirusTotal. I heard they send the samples they get to the participating companies. But out of sheer stupidity, I accidentally deleted it. Unbelievable. I’ll get samples of it again by Wednesday. As for the laptops I’d be cleaning, I devised a plan to clean the compromised system. So far, this is what I have in mind…

I observed that the virus doesn’t touch particular files with certain extensions. Possibly those that it doesn’t recognize. What I’m gonna do then is to bring with me three portable task managers, the USB write-protector, CCleaner and Disk Ejector, and then affix the extension .palbie, or any other name for that matter, to prevent them from getting consumed.

After which, I copy the necessary files to the system, suspend the processes, quarantine them, and, if possible, find and delete them. Afterwards, use CCleaner to remove restore points and temporary files if applicable and wipe the USB with CCleaner. Then eject with Disk Ejector.

Well, this is yet to be tested. It should work. What do you guys think?
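The detect-then-clean routine sketched above, applied to the drive rather than the host, as an added PowerShell example that is not the poster's script: it inventories the three indicators the first post describes (an autorun.inf in the root, shortcuts whose target is an .exe with the original file name as argument, and Hidden+System attributes on the originals and the dropped copies), then optionally quarantines the executables by renaming them (the .quarantine suffix is borrowed from the post above), removes the decoys and autorun.inf, and unhides the originals. It assumes the stick is examined on a clean host with AutoRun disabled; $DriveRoot, the function names and the report layout are mine.

```powershell
# Added example (not the poster's script): triage and repair a USB drive that
# shows the shortcut-replacement pattern described in this thread.
# Assumptions: run on a clean host with AutoRun disabled, never by opening
# anything on the drive; $DriveRoot is the drive's root path (e.g. 'E:\').
$Shell = New-Object -ComObject WScript.Shell

function Get-UsbWormIndicators {
    param([Parameter(Mandatory)][string]$DriveRoot)
    $found = New-Object 'System.Collections.Generic.List[object]'

    # 1. autorun.inf in the root: the launcher on hosts that still honour AutoRun
    $autorun = Join-Path $DriveRoot 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $found.Add([pscustomobject]@{ Type = 'autorun.inf'; Path = $autorun; Exe = $null })
    }

    # 2. shortcuts whose target is an .exe; the worm passes the original file
    #    name as the argument so the decoy still "opens" the document once
    Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $Shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match '\.exe$') {
                $exe = $lnk.TargetPath
                if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $_.DirectoryName $exe }
                $found.Add([pscustomobject]@{ Type = 'shortcut->exe'; Path = $_.FullName; Exe = $exe })
            }
        }

    # 3. Hidden+System items other than the volume's own metadata folder:
    #    the worm hides both itself and the originals this way
    Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -ne 'System Volume Information' -and
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        ForEach-Object { $found.Add([pscustomobject]@{ Type = 'hidden+system'; Path = $_.FullName; Exe = $null }) }

    return $found
}

function Repair-UsbWormDrive {
    param([Parameter(Mandatory)][string]$DriveRoot, [switch]$Apply)

    $found = Get-UsbWormIndicators -DriveRoot $DriveRoot
    $found | Format-Table -AutoSize | Out-String | Write-Host
    if (-not $Apply) { Write-Host 'Dry run only; add -Apply to modify the drive.'; return }

    # Quarantine each dropped executable by renaming, not deleting, so the sample
    # survives for submission to an analysis service; then remove its decoy shortcut.
    foreach ($hit in ($found | Where-Object Type -eq 'shortcut->exe')) {
        if (Test-Path -LiteralPath $hit.Exe) {
            $item = Get-Item -LiteralPath $hit.Exe -Force
            $item.Attributes = [IO.FileAttributes]::Normal
            Rename-Item -LiteralPath $hit.Exe -NewName ($item.Name + '.quarantine') -ErrorAction SilentlyContinue
        }
        Remove-Item -LiteralPath $hit.Path -Force
    }

    # autorun.inf may have been planted as a file or as a folder; -Recurse covers both
    foreach ($hit in ($found | Where-Object Type -eq 'autorun.inf')) {
        Remove-Item -LiteralPath $hit.Path -Recurse -Force
    }

    # Clear Hidden, System and Read-only on everything so the originals reappear
    & attrib.exe -s -h -r (Join-Path $DriveRoot '*') /s /d
}

# Usage: Repair-UsbWormDrive -DriveRoot 'E:\'          (report only)
#        Repair-UsbWormDrive -DriveRoot 'E:\' -Apply   (quarantine and restore)
```

Running the report first matters: the shortcut targets tell you which executables were dropped, so nothing is renamed on a guess, and the Hidden+System listing shows whether the originals are still present before anything is touched. It does nothing about the host that keeps re-infecting the stick, which is the part of the problem the thread leaves open.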

Well, it worked. But again, this will not prevent it from infecting the USB. Still no solution. If it wasn’t for the installed Norton’s tamper protection, this particular virus could have done incredibly huge damage to the laptops in question. When I get the opportunity, I will provide Comodo with the samples.

The virus seems to be getting updated a lot. Is it possible that this particular virus is under testing by someone? Wonder… It spreads rather fast and so far, the only way I could clean my USB is via USB Guardian (USB Disk Security utterly failed to delete the main executable and the autorun, stating it is currently in use and therefore cannot be deleted), but only to a certain degree.

What to do, what to do…