W32.AutoRun.acs

mohamed elewa 29.11.2007 13:48

Hello,
Every time I scan my computer I find W32.AutoRun.acs. Kaspersky catches and deletes it, but when I scan my computer again I find it again. I tried to use the rescue disk and scan with it.
After all of that I feel W32.AutoRun.acs is still on my computer.
What can I do?
Lucian Bara 29.11.2007 13:53

Hello,
AutoRun is malware which spreads through removable storage. This means that when you insert an infected USB stick the worm will run, copy itself into certain places on your PC (depends on the variant), and will make it so that it runs when you double-click a drive in My Computer. More so, when you insert a clean stick it will copy itself onto it so that the cycle will start again.
Do a full scan of the PC, and if you need to insert a stick, hold the Shift key when inserting it and afterwards use right-click and Explore or Open (I would say Explore). As a tip, disable autorun on all your drives; you can use TweakUI for that, the option is in the My Computer > AutoPlay > Drives section, uncheck all drives there: http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Tell me where the full scan detects that malware.
Afterwards post a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
After you execute ComboFix it will produce a log (C:\ComboFix.txt); attach it here.

mohamed elewa 29.11.2007 15:50

Thank you a lot.

This is the log file:
ComboFix 07-11-19.4C - NELC3 2007-11-29 4:07:41.1 - NTFSx86
Running from: D:\NELC3\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 00:48 <DIR> dr-hs---- C:\Mslicenf.com
2007-11-28 00:33 <DIR> d-------- C:\Program Files\Viewpoint
2007-11-28 00:33 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\Viewpoint
2007-11-28 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-26 03:26 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-26 03:18 <DIR> d-------- C:\Program Files\BitDefender
2007-11-26 03:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2007-11-21 02:52 53,248 --a------ C:\WINDOWS\loginTool.exe
2007-11-20 05:41 <DIR> d-------- C:\Program Files\uTorrent
2007-11-20 05:41 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\uTorrent
2007-11-20 04:31 <DIR> d-------- C:\Images
2007-11-20 01:48 <DIR> d-------- C:\Program Files\Wattle Software
2007-11-19 06:30 <DIR> d-------- C:\Program Files\Rapidshare Unlimited2
2007-11-19 06:30 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\RapidGet
2007-11-18 23:42 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-18 03:01 <DIR> d-------- C:\Program Files\Magic Swf2Gif
2007-11-15 05:53 <DIR> d-------- C:\Program Files\Electric Rain
2007-11-12 04:18 <DIR> d-------- C:\Program Files\INSYDE
2007-11-10 05:44 <DIR> d-------- C:\Program Files\PF3DEN
2007-11-10 01:59 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\sldIM
2007-11-10 01:42 <DIR> d-------- C:\Program Files\Rapidshare Unlimited
2007-11-10 01:11 13,821,992 --a------ C:\moodle-latest-19.zip
2007-11-08 04:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-11-08 04:36 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-11-08 04:36 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\GlobalSCAPE
2007-11-08 04:21 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\SmartFTP
2007-11-08 04:20 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-11-08 03:52 <DIR> d-------- C:\moodledata
2007-11-08 03:38 <DIR> d-------- C:\MOODLE
2007-11-08 02:18 169,184 --a------ C:\WINDOWS\setupconfig.dat
2007-11-08 02:17 188,416 -rahs---- C:\WINDOWS\afire.dll
2007-11-07 05:43 286,720 --------- C:\WINDOWS\Setup1.exe
2007-11-07 05:43 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-05 06:19 <DIR> d-------- C:\Program Files\ReloadTools
2007-11-04 05:53 2,667,290 --a------ C:\WINDOWS\system32\SNAGIT7
2007-11-04 05:06 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\Acoustica
2007-11-04 01:14 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\Droppix
2007-11-04 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2007-11-04 01:13 <DIR> d-------- C:\Program Files\Droppix
2007-11-04 01:13 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-11-04 01:13 <DIR> d-------- C:\Program Files\Common Files\Droppix
2007-11-04 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Droppix
2007-11-04 01:13 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-04 01:13 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-03 02:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 02:26 <DIR> d-------- C:\Program Files\PHP Code Library
2007-11-03 02:26 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\OverZone Software
2007-11-01 01:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-01 00:40 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-31 06:05 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-31 05:57 <DIR> d-------- C:\Program Files\Centra
2007-10-31 05:57 <DIR> d-------- C:\Documents and Settings\NELC3\Application Data\Centra
2007-10-31 04:21 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-31 04:21 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-31 04:21 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-31 04:21 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-31 04:21 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-31 04:21 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-31 04:20 31,744 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-10-31 04:19 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-10-31 04:18 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-10-31 04:16 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-10-31 04:16 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-10-31 04:16 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-10-31 04:16 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-10-31 04:16 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-10-31 04:16 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-10-31 04:16 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-10-31 04:16 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-10-31 04:16 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-10-31 04:16 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-10-31 04:15 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-10-31 04:15 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-10-31 04:15 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-10-31 04:15 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-10-31 04:15 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-10-31 04:15 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-10-31 04:15 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-10-31 04:15 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-10-31 04:15 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2007-10-31 04:15 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-10-31 04:15 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-10-31 04:14 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2007-10-31 04:12 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2007-10-31 04:12 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2007-10-31 04:12 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-10-31 04:12 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2007-10-31 04:12 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-10-31 04:12 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2007-10-31 04:12 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-10-31 04:12 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2007-10-31 04:12 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2007-10-31 04:12 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-10-31 04:11 6,016 --a--c--- C:\WINDOWS\system32\dllcache\smbali.sys
2007-10-31 04:09 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-10-31 04:09 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-10-31 04:09 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-10-31 04:09 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-10-31 04:09 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2007-10-31 04:09 68,608 --a--c--- C:\WINDOWS\system32\dllcache\sis6306p.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-06 13:24 --------- d-----w C:\Program Files\Rapidown
2007-11-29 12:21 946,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-29 12:21 19,092,000 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 12:20 91,916 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-29 12:20 262,988 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-29 12:07 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-25 11:56 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-15 13:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 13:51 --------- d-----w C:\Program Files\Google
2007-11-01 08:39 --------- d-----w C:\Program Files\Common Files\Real
2007-10-31 13:27 --------- d-----w C:\Program Files\SourceTec
2007-10-31 13:27 --------- d-----w C:\Program Files\Common Files\SourceTec
2007-10-22 08:26 --------- d-----w C:\Program Files\Citrix
2007-10-22 08:13 --------- d-----w C:\Program Files\Wondershare
2007-10-21 07:29 --------- d-----w C:\Program Files\EXE2SWF
2007-10-21 06:12 --------- d-----w C:\Program Files\Mamdouh Moussa
2007-10-16 12:44 --------- d-----w C:\Program Files\BAT 2 EXE 1
2007-10-16 12:37 73,216 ----a-w C:\WINDOWS\cadkasdeinst01.exe
2007-10-03 19:45 --------- d-----w C:\Program Files\Namo
2006-09-17 00:20 3,808 ----a-w C:\Program Files\SETUP.LST
2006-09-17 00:20 1,880,140 ----a-w C:\Program Files\Anti NetCut.CAB
1998-06-18 08:00 140,800 ----a-w C:\Program Files\setup.exe
2007-07-16 21:29 56 --sh--r C:\WINDOWS\system32\D7DA87915D.sys
2007-08-20 20:47 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-31 14:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 15:08 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 16:51 C:\WINDOWS\AGRSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-11-08 17:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-02-28 21:12:52]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
C:\WINDOWS\system32\klogon.dll 2006-11-01 16:42 94314 C:\WINDOWS\system32\klogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NELC3^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\NELC3\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NELC3^Start Menu^Programs^Startup^Rapidown.lnk]
path=C:\Documents and Settings\NELC3\Start Menu\Programs\Startup\Rapidown.lnk
backup=C:\WINDOWS\pss\Rapidown.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antinetcut2]
C:\Program Files\Anti Netcut\Anti NetCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-06-01 12:32 94208 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Centra Launcher]
C:\Program Files\Centra\Client\bin\centraSystray.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-11-06 00:27 200704 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\WINDOWS\system32\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
C:\WINDOWS\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-09-13 13:50 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R2 Apache2.2;Apache2.2;"C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice
S3 Droppix Service;Droppix Service;"C:\Program Files\Common Files\Droppix\DxService.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2139b242-2337-11dc-850e-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d346c53-9510-11dc-bd48-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ce27936-33c4-11dc-851d-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98f19ecb-3ad6-11dc-8527-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 12:21:27 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-11-24 11:01:08 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 04:22:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 4:25:26 - machine was rebooted
.
--- E O F ---
dawgg 29.11.2007 16:13

Please send the following to Kaspersky's Virus Labs:
C:\Mslicenf.com
C:\WINDOWS\setupconfig.dat
C:\WINDOWS\afire.dll
Information on how to send files to the Virus Labs is given here: http://forum.kaspersky.com/index.php?showtopic=13881

Also click Start > Run > regedit.
Navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\ and delete all subkeys in that tree which have a long number in them like {2139b242-2337-11dc-850e-000ffe46e22b}.

Also, on any removable media device you've recently used on your computer (like a USB stick) there may be a setup.exe and an autorun.inf file; delete them.
Hold the Shift key on your keyboard when plugging in the USB stick (to prevent re-infection) and then delete the files.

Edit: added to prevent re-infection

mohamed elewa 29.11.2007 16:50

Thank you.
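The MountPoints2 blocks in the ComboFix log above are what lets an analyst tell an autorun worm's persistence apart from a normal drive entry: the worm's autorun.inf is recorded as a RunDLL32 ShellExec_RunDLL call or a bare setup.exe at the drive root. The script below is an added example, not part of the thread or of ComboFix: it parses such blocks out of a log excerpt (two entries copied from the log above plus one constructed benign entry for contrast), flags the hijacked ones, and writes the .reg deletion script that does the subkey cleanup dawgg describes.

```python
import re

# Constructed excerpt: the first two blocks are copied from the ComboFix log above,
# the third ({c0ffee00-...}) is a made-up benign AutoPlay entry for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2139b242-2337-11dc-850e-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ce27936-33c4-11dc-851d-000ffe46e22b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
\Shell\FlashDisk\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0ffee00-0000-11dc-0000-000000000000}]
\Shell\AutoRun\command - E:\Player\MediaPlayer.exe /autoplay
"""

# One "[...\mountpoints2\{GUID}]" header, then "\Shell\<verb>\command - <cmd>" lines under it.
MP2_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_LINE = re.compile(r"^\\Shell\\(\w+)\\command\s*-\s*(.+)$", re.I)
# The worm's fingerprint in this thread: autorun.inf's shellexecute= rendered as a
# RunDLL32 ShellExec_RunDLL call, or setup.exe sitting at the root of the drive.
HIJACK = re.compile(r"shellexec_rundll|(^|[\\\s])setup\.exe\b", re.I)


def parse_mountpoints2(log_text):
    """Return {guid: {verb: command}} for every MountPoints2 block in the log text."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:            # a blank line closes the current block
            current = None
            continue
        key = MP2_KEY.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        cmd = CMD_LINE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1)] = cmd.group(2).strip()
    return entries


def flag_autorun_hijacks(entries):
    """GUIDs whose AutoRun/FlashDisk verbs launch the drive-root payload described above."""
    return sorted(guid for guid, verbs in entries.items()
                  if any(HIJACK.search(cmd) for cmd in verbs.values()))


def removal_reg(guids):
    """Build a .reg script that deletes only the flagged subkeys (dawgg's cleanup step)."""
    base = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[-{base}\\{guid}]" for guid in guids]
    return "\n".join(lines) + "\n"
```

Run it against a real ComboFix log with `removal_reg(flag_autorun_hijacks(parse_mountpoints2(open(path).read())))` and review the output before importing it; the benign entry is left alone because none of its commands match the pattern.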

Copyright ©2007 - 2008 http://www.kiskav.com All Rights Reserved