Instant USB Infection!

My Windows 11 machine instantly infects any USB device which I attach to it with movies.exe.  The USB devices which I've used for testing were either brand new or were formatted on another clean computer right before testing.

Immediately before attaching a USB device, I scanned all drives in the problem computer with both Norton 360 and Malwarebytes.  No problems were detected.

Instantly, each time I attached a test USB device to the problem computer, Movies.exe showed up as a folder in the USB device.  Leaving the USB device attached, I then scanned all drives (including the USB device) again.  Neither Norton 360 nor Malwarebytes detected any problems in either the Windows computer or the USB device.  

Power Eraser did not detect any problems in either the USB device or the computer.

Since the computer is already infected, I didn't have anything to lose by clicking on movies.exe in the USB device.  When I did, Norton instantly identified and quarantined Heur.AdvML.B.  

Once quarantined, I scanned again with both Norton 360 and Malwarebytes.  No detections.  But movies.exe is still resident in the attached USB device.

Any ideas on how to find and get rid of whatever is lurking in my machine?

Thanks for your help.

You can install new free AVs to check over your system. But if your system is deeply infected, I hope you have backups of your data. So you may consider formatting your PC and doing a clean installation. This is the only way to be 100% sure that your system has no malware. Also, I hope you have 2FA set up for Norton and your other accounts. Kindly do not open any account on the infected system.

Hello bjm and Aimee_007.

I'm not sure I'm out of the woods, yet.

I just posted all logs and etcetera on https://forums.malwarebytes.com/topic/301123-instant-usb-device-infection.  I'm hesitant to sign into my bad computer with Norton forums.

I didn't find anything on VirusTotal.  I looked for both Movies.exe and Heur.AdvML.B.

Thanks for your help.

I believe that the threat is removed by Norton already.

Please tell us what Norton is telling you regarding this event.
For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard &/or from Norton history > More Options > Copy to Clipboard > paste here.

For second opinion choose File &/or Search hash at VirusTotal 
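
For the VirusTotal hash search suggested above, an added example (not from any poster in this thread, and not Norton or Malwarebytes tooling): a PowerShell function that lists everything in the root of each removable drive, hidden items included, and computes a SHA-256 by reading each suspect file, never by running it. The function name `Get-UsbRootInventory` and the extension list are assumptions chosen for illustration.

```powershell
# Added example: inventory the root of each removable drive and hash anything
# with an executable-style extension. Get-FileHash only reads the file's bytes.
# The extension list below is an illustrative assumption, not a complete set.
$suspectExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.inf'

function Get-UsbRootInventory {
    param(
        # Drive letters to inspect; defaults to every removable volume that has a letter.
        [char[]]$DriveLetter = (Get-Volume |
            Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
            ForEach-Object { $_.DriveLetter })
    )
    foreach ($letter in $DriveLetter) {
        # -Force includes items carrying the Hidden or System attribute,
        # which Explorer does not show by default.
        Get-ChildItem -LiteralPath "${letter}:\" -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Flag files only; -contains compares case-insensitively.
                $isSuspect = (-not $_.PSIsContainer) -and ($suspectExt -contains $_.Extension)
                [pscustomobject]@{
                    Path       = $_.FullName
                    Kind       = if ($_.PSIsContainer) { 'Directory' } else { 'File' }
                    Attributes = $_.Attributes
                    Created    = $_.CreationTime
                    Suspect    = $isSuspect
                    SHA256     = if ($isSuspect) {
                        (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    } else { $null }
                }
            }
    }
}

# Suspect entries first; the Kind column shows whether an item that looks like
# a folder in Explorer is really a file.
Get-UsbRootInventory | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Pasting the SHA256 value into the VirusTotal search box shows whether the file is already known there, without uploading it.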

A bit of a recap about my quarantine situation.

I'm not sure how the virus arrived on my computer in the first place.  It could very well have come in through a USB memory stick.

I discovered it by putting a clean memory stick into my computer and, all of a sudden, movies.exe showed up on the memory stick.  

I ran Norton and Malwarebytes with no detections on either the computer or on the memory stick.

I knew my machine was infected.  I didn't have anything to lose, so I put in a fresh memory stick and movies.exe showed up again.  I scanned the memory stick with Norton and Malwarebytes with no detections.  Then I clicked on movies.exe and Norton immediately quarantined Heur.AdvML.B.  

The More Details button under Quarantine indicates that:

- Heur.AdvML.B came from the source movies.exe.  

- it was released less than one week ago.

- fewer than 5 users in the Norton Community have used the file

- Threat type: Heuristic Virus.  Detection of a threat based on malware heuristics.

- This threat has been removed.  No further action is needed.  (Doesn't seem right to me)

After seeing the quarantine, I ran Norton and Malwarebytes several times with no detections.  

Since then, Malwarebytes has talked me through several other scans, at least one of which detected and removed a few things.  I have no idea whether or not those few are related to the infection we're talking about above.  

I'm still at it with Malwarebytes.

So the virus is still in Norton Quarantine.  How do I move it from Quarantine on to Norton so it can be checked in VirusTotal?  Within Quarantine, I don't see a way.

Thanks for your help.

SA.  You're right in what you're saying.  I'll throw away all of my USB memory sticks, just in case any are already infected.  I won't put any new ones in until I'm sure the virus is gone, gone, gone.

All: The "source" of the infection appears to have been inside the OS from what I have followed here. A NEW and perfectly clean USB drive from a retailer, shouldn't have any infected files. I WOULD NOT reuse any of the USB devices formerly used for any reasons. Norton didn't detect it in the first place. Conversely. To upload to VT you will have to reattach it to the computer again. Please do yourself a favor and don't. Reinfection can occur.

SA

There is one thing I would like you to try. It may work. Go into the Quarantine settings of Norton and try to manually add that file from USB into quarantine. Norton has that option and it might work.

Try uploading that exe file over VirusTotal website to check if this file exists on VirusTotal. If it seems possible which is unlikely try to copy that file over your system and create a rar file and make it password protected with the password “infected” and submit the same along with the detailed description over submit.norton.com. So that that particular file gets analysed and threat resolved by Norton after updates. Also do share your submission id here so that Norton employees can look into it and provide you an answer for the same.

Hi There,

I've been in the process of doing many, many scans with Malwarebytes.  Some bad actors have been removed.  The most recent scans were completed without the USB device attached.  

If the Malwarebytes scans are successful, the only place I'll have Movies.exe is on the USB device.  I'll be quite hesitant to re-insert it.

How can I send you the file without reinfecting my machine?  Please be very specific.

Thanks

Try uploading that exe file over VirusTotal website to check if this file exists on VirusTotal. If it seems possible which is unlikely try to copy that file over your system and create a rar file and make it password protected with the password “infected” and submit the same along with the detailed description over submit.norton.com. So that that particular file gets analysed and threat resolved by Norton after updates. Also do share your submission id here so that Norton employees can look into it and provide you an answer for the same.

https://forums.malwarebytes.com/topic/301123-instant-usb-device-infection/?do=findComment&comment=1583178

Hello Everyone,

I do appreciate SA's suggestion.  Keep the advice coming.  It's most welcome.

Thanks,

BTU

@bjm_ I am aware that the OP is working with Bleeping Computer. Conversely, I don't believe offering an alternative suggestion is out of order. 

@BTU The download I presented is Microsoft's Malicious Software Removal Tool. It's safe, I've used it many times over the years. Please by all means continue working with BC with this issue. I am just offering another alternative possible solution.

SA

Oh, yes,

Before I mess something up, I'm not running an insider build.  My machine is straight off the shelf Windows 11.

In light of that, should I still run the download from SA's link?

Thanks

Yes, I've brought up movies.exe on both Malwarebytes and Norton forums, since neither program has pinned down what's going on.

Everyone has different approaches.  

I sure appreciate SA posting the link.  I'll try it and see what happens.

Thanks,

BTU

BTU is working with Malwarebytes Help. 

Instant USB device infection!
https://forums.malwarebytes.com/topic/301123-instant-usb-device-infection/

Hello BTU. Are you running an insider build on Windows 11? On the affected computer, download this tool. Then install, run. Don't connect any USB or external devices while the scan is running. Let's see if this nails the trojan that is resident.

https://www.microsoft.com/en-US/download/details.aspx?id=9905

SA
