WinXP: Fix Mixa trojan/virus


I have no idea how people do it, but yet another relative has managed to break their computer by doing something stupid and has brought the computer over, asking me to spend a day fixing their computer. "Sure, I'd love to waste a nice sunny day off to do that!"

Anyway, before I become bitter and hateful, I quickly discovered that one of their many problems was that they were infected with a trojan called "Trojan.Mixa.A" or "W32/Autorun-DH".

It probably goes by a few other names, but the following information should be enough to identify it.

It's located at:

  • %WINDOWS%\Mixa.exe
  • C:\Mixa_i.exe (and the root of any other writable drive or USB device it can reach)
  • %WINDOWS%\System32\mixa.exe
  • %WINDOWS%\System32\systemio.exe

File information (Mixa_i.exe):

  • Filesize: 988 KB
  • Version: v1.0.0.2
  • Company: Puppy
  • Product Name: Milk DHA

It is fairly difficult to remove by normal means: you can't delete the files while they're in use, and killing the process from Task Manager doesn't work either, because the trojan logs you out as soon as it sees Task Manager running.

It also hooks itself into the logon sequence by replacing the Winlogon "Userinit" entry (the program Windows runs right after you log in, which in turn starts the shell) with its own executable, so it is started every time you log in, before anything else. To remove it you have to work from outside the infected Windows installation, i.e. before Windows loads.

Using the Windows XP setup disc

Use this method if you know the local Administrator password, which the Recovery Console asks for. If not, use the BartPE method below.

Boot the computer from the setup disc and, once it's ready, press R to select "Recovery Console". Pick the Windows installation when asked and enter the Administrator password.

Navigate around the console and delete the files if they exist in the locations listed above, using the "delete" (or "del") command. The Recovery Console does not expand variables like %WINDOWS%, so type the real path (normally C:\WINDOWS). If a file refuses to delete because it is marked hidden, system or read-only, clear the attributes first with attrib, e.g. "attrib -h C:\Mixa_i.exe", repeating for -s and -r.

  • delete C:\WINDOWS\Mixa.exe
  • delete C:\Mixa_i.exe
  • delete C:\WINDOWS\System32\mixa.exe
  • delete C:\WINDOWS\System32\systemio.exe

Then continue with "Fix login screen" below; do not reboot yet.

Set up a BartPE startup disc

This boots a separate Windows environment from CD and gives you access to the hard drive, so you can remove the files while the trojan is not running. See this guide to create the BartPE disc.

Once you've booted the computer with BartPE:

  • Click "Go"
  • Command Prompt (CMD)
  • Delete the same four files as in the Recovery Console steps above, but with the "del" command (BartPE's prompt is a normal cmd.exe, which has no "delete"). Check the drive letter first with "dir", as the infected Windows volume is not always C: under BartPE, and use "attrib -r -s -h" on any file that refuses to delete.

OR

  • Click "Go"
  • Programs
  • A43 File Management Utility
  • Use the program to delete the files (they may be hidden, so make sure hidden and system files are shown)

See the next step below.

Fix login screen

Deleting the files ensures the trojan can't start again when you log in, but it leaves the logon sequence pointing at a file that no longer exists.

At this point, I thought it was all fixed and rebooted the machine. However, you should not reboot it yet! The system is still in a broken state!

Windows still expects the deleted executable to be there as its Userinit program, so a logon succeeds and then immediately logs you straight back out. To fix the login screen, stay in the command prompt and type "regedit" to bring up the Registry Editor. Note that regedit under BartPE shows BartPE's own registry, not the one on the hard drive: select HKEY_LOCAL_MACHINE, choose File > Load Hive, open C:\WINDOWS\system32\config\software from the infected drive and give it any name, then edit the "Userinit" value under Microsoft\Windows NT\CurrentVersion\Winlogon inside that loaded hive, and unload it (File > Unload Hive) when you are done.

I've written the tutorial in another post, as this is a common problem when fixing virus/trojan related issues.

Once you've reverted the "Userinit" value to its normal "C:\WINDOWS\system32\userinit.exe," (trailing comma included) you can reboot and log in as usual.
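The whole procedure above (delete the four dropped files, check the roots of other drives, repair the Winlogon Userinit entry in the offline SOFTWARE hive) as one script. This is an added example, not code from the original post: it assumes the infected XP disk is attached to a second Windows installation or a WinPE that has PowerShell (BartPE itself does not), that it is visible as the drive letter in $Target, and that you run it from an elevated prompt. Without -Fix it only reports what it finds.

```powershell
# Added example, not part of the original post. Cleans an OFFLINE Windows XP
# volume from a second Windows installation or a WinPE that has PowerShell
# (BartPE itself has none). Assumptions: the infected disk is attached as
# $Target and its Windows folder is $Target\WINDOWS; run from an elevated prompt.
param(
    [string]$Target = 'E:',   # assumed drive letter of the infected XP volume
    [switch]$Fix              # without -Fix the script only reports
)
$Target = $Target.TrimEnd('\')
$win = Join-Path $Target 'WINDOWS'

# 1. The dropped files, at the locations given in the post. They are normally
#    hidden/system, so Get-Item needs -Force and the attributes are cleared first.
$paths = @(
    (Join-Path $win 'Mixa.exe'),
    (Join-Path $Target 'Mixa_i.exe'),
    (Join-Path $win 'System32\mixa.exe'),
    (Join-Path $win 'System32\systemio.exe')
)
foreach ($p in $paths) {
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if (-not $f) { continue }
    '{0,-45} {1,8} bytes  product: {2}' -f $p, $f.Length, $f.VersionInfo.ProductName
    if ($Fix) {
        $f.Attributes = 'Normal'
        Remove-Item -LiteralPath $p -Force
        '  removed'
    }
}

# 2. Mixa_i.exe at the root of every other writable volume (USB sticks included),
#    and any autorun.inf FILE that launches it. An autorun.inf folder is left alone.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "$Target\" } | ForEach-Object {
    $root = $_.Root
    foreach ($name in 'Mixa_i.exe', 'autorun.inf') {
        $p = Join-Path $root $name
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $f -or $f.PSIsContainer) { continue }
        if ($name -eq 'autorun.inf' -and
            -not (Select-String -LiteralPath $p -Pattern 'mixa' -Quiet)) { continue }
        "$p  (found at drive root)"
        if ($Fix) { $f.Attributes = 'Normal'; Remove-Item -LiteralPath $p -Force; '  removed' }
    }
}

# 3. The Winlogon entries in the offline SOFTWARE hive. Loading it under HKLM\XPSOFT
#    is the command-line equivalent of File > Load Hive in regedit. Paths inside the
#    hive are the ones XP sees when booted (C:), not $Target.
$hive = Join-Path $win 'System32\config\software'
& reg.exe load 'HKLM\XPSOFT' $hive | Out-Null
try {
    $key  = 'HKLM:\XPSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $good = 'C:\WINDOWS\system32\userinit.exe,'   # stock XP value, trailing comma included
    $wl   = Get-ItemProperty -Path $key
    "Userinit = $($wl.Userinit)"
    "Shell    = $($wl.Shell)"
    if ($wl.Userinit -ne $good) {
        '  Userinit has been hijacked (this is what logs you straight back out once the file is gone)'
        if ($Fix) { Set-ItemProperty -Path $key -Name Userinit -Value $good; '  restored' }
    }
    if ($wl.Shell -ne 'explorer.exe') { '  Shell is not explorer.exe: check it by hand' }
} finally {
    $wl = $null; [gc]::Collect()                  # drop handles so the hive can unload
    & reg.exe unload 'HKLM\XPSOFT' | Out-Null
}
```

Run it once without -Fix, read the report, then run it again with -Fix. The Userinit comparison is exact on purpose: a value that merely contains userinit.exe alongside another executable is still hijacked, and the script flags it rather than guessing.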

[ Source: Microsoft KB 892893 | More information about the trojan ]

3 comments:

    1. Was looking for a top-hat to throw in this here farthing.

      Been studying at a technicon with a couple of (read - at least 85%) computer illiterate co-students for a while now. Each with a usb flash drive. Our intranet was saturated with every virus imaginable.

      Cue: Related XKCD Comic! /o/

      http://xkcd.com/350/

      (I gave up trying to make a nice linked image, like twig's pretty gif thingys. Reverse engineering source code will only get you so far.)

      The viruses didn't really bother me. What did bother me greatly however, was the collective electro bio-hazard blob which infected every dongle within direct sight of a usb port. Which once found its way to my isolated home pc through my aids-ridden dongle.

      I had to purge both with hellfire after that little episode.

      I had to figure out how to stop the infections. I fell upon a little useful piece of advice from an IT friend of mine that has saved many a dongle from the incinerator.

      Just create an autorun.inf folder in the root folder of the dongle.

      But wait, you ask, how does it stop viruses from infecting my dongle with a virus?

      Well, it doesn't. Your flash disk will still get those nasty hidden *.exe files that kill any shell that touches it, so avoid them.

      What it does do is disable the autorun function for that particular dongle.

      This is great, for the virus will not spread from your dongle to any other machine you plug it into. Like my poor purged home pc. ;__;

      What's so special about this autorun.inf file in the first place?

      Well, whenever one puts a software CD into a disc drive, the computer will first check what is inside the autorun.inf file, and execute that file. Then you get the flashy install dialog without having to browse for the setup.exe on the CD.

      Same applies for dongles. Except that they can be replaced, and pointed into the direction of a lethal payload.

      So what's with the folder?

      Since the days of MS-DOS, somebody decided that no same-named file shall exist in the same directory as the first-named file. Period. It's one of the most concrete laws of DOS (and Windows) I've seen in my relatively short lifespan. Must have been written by the hand of Gates Himself.

      This privilege happens to extend to folders as well.

      Most viruses attempt to replace the current autorun.inf file, not delete the autorun.inf *folder* that happens to be sitting there. It doesn't hurt to have a couple of read-only text files inside said folder as well, for additional security.

      Sadly, this does not solve the viruses that are currently on the flashdrive. I'll leave that to the experts to explain. Good luck to the poor sod that'll write that particular thesis.

      So there. A pebkac's* guide to creating condoms for flash drives. :P

       ~ DustFox

      * - 'problem exists between keyboard and chair'

      1. HAHHA love the comic!

        Why not just disable the autorun feature? Most of the time I find it annoying anyway.

      2. Some of those viruses force them open in the registry, if I remember it correctly.

        That, and I have trouble findin' it. Creating the folder is simpler. ^^;;

        ~DF

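The autorun.inf-as-a-folder trick from the comment thread above, plus the host-side AutoRun policy value the reply asks about, as an added example that is not code from the original post or its commenters. It assumes the USB stick is the drive letter in $Drive; the marker file name inside the folder is an arbitrary choice.

```powershell
# Added example, not from the original post or its commenters. Applies the
# autorun.inf-as-a-folder trick from the comment above to a USB stick and reads
# the host-side AutoRun policy the reply asks about. Assumption: the stick is $Drive.
param([string]$Drive = 'F:')   # assumed drive letter of the USB stick

function Protect-AutorunInf {
    param([string]$Root)
    $p = Join-Path $Root 'autorun.inf'
    $existing = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($existing -and -not $existing.PSIsContainer) {
        # A file is already there. Show what it would have run before replacing it,
        # since on an infected stick this is the dropper's launcher.
        "existing autorun.inf file on $Root :"
        Get-Content -LiteralPath $p | ForEach-Object { "    $_" }
        $existing.Attributes = 'Normal'
        Remove-Item -LiteralPath $p -Force
        $existing = $null
    }
    if (-not $existing) { New-Item -ItemType Directory -Path $p | Out-Null }
    # A read-only file inside keeps the folder non-empty, so a plain rmdir fails as well.
    $marker = Join-Path $p 'do-not-delete.txt'   # arbitrary name, assumed here
    if (-not (Test-Path -LiteralPath $marker)) {
        Set-Content -LiteralPath $marker -Value 'Placeholder: keeps autorun.inf a folder, not a file.'
    }
    (Get-Item -LiteralPath $marker -Force).Attributes = 'ReadOnly, Hidden, System'
    (Get-Item -LiteralPath $p -Force).Attributes      = 'ReadOnly, Hidden, System'
    # $true when a directory, not a file, now owns the autorun.inf name.
    (Get-Item -LiteralPath $p -Force).PSIsContainer
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is OFF:
    # 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk; 0xFF = all.
    # The HKLM value takes precedence over HKCU. Malware that wants AutoRun back simply
    # rewrites these values, which is why the comment prefers the folder: it lives on
    # the stick, not on whichever host the stick is plugged into.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) { $shown = '(not set)'; $removable = $false }
        else              { $shown = '0x{0:X2}' -f $v; $removable = [bool]($v -band 0x04) }
        [pscustomobject]@{ Hive = $hive; NoDriveTypeAutoRun = $shown; RemovableBlocked = $removable }
    }
}

Protect-AutorunInf -Root $Drive
Get-AutorunPolicy | Format-Table -AutoSize
```

Protect-AutorunInf returns $true when the folder is in place. If RemovableBlocked comes back $false for both hives, the host still honours autorun.inf files on USB sticks, which is exactly the case the folder trick covers.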
