Author Topic: AUTORUN.EXE, AUTORUN.VBS  (Read 14615 times)

0 Members and 1 Guest are viewing this topic.

Offline alejandro.bonilla

  • Newbie
  • *
  • Posts: 2
« on: May 30, 2007, 04:27:15 PM »
Hi i have avast server edition on a windows 2003 sbs server and it recently detect and remove the file autorun.vbs since then im not able to open my hard drive with a double click i get the message " can not find script file c:/autorun.vbs" i'll be very glad if someone could help me. I've also find the following files in the hard drive:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:07 AM, on 5/30/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
C:\Program Files\Alwil Software\Management Tools\avEngine.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswEnhcd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - file://C:\Inetpub\ConnectComputer\nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qcsolucionesfinancieras.local
O17 - HKLM\Software\..\Telephony: DomainName = qcsolucionesfinancieras.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5A4E63-08B9-4CEC-A2E4-C301B5AFC74A}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qcsolucionesfinancieras.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: avast! iAVS4 Mirror HTTP Server (aswHTTPMirror) - Unknown owner - C:\Program Files\Alwil Software\Management Tools\mirror\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (file missing)
O23 - Service: avast! Management Server - Unknown owner - C:\Program Files\Alwil Software\Management Tools\avEngine.exe" /ServiceStart (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe" /service (file missing)
O23 - Service: BrowseControl Server (BCServer) - Codework Limited - C:\Program Files\Codework\BrowseControl\BCServer\BCServer.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: MSSQL$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe" -sSHAREPOINT (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SQLAgent$SBSMONITORING - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE" -i SBSMONITORING (file missing)
O23 - Service: SQLAgent$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE" -i SHAREPOINT (file missing)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4875
  • I'm a GNU
    • Don't Surf in the Nude!
« Reply #1 on: May 30, 2007, 04:45:47 PM »
Hi alejandro.bonilla,

Follow the instructions here:
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline alejandro.bonilla

  • Newbie
  • *
  • Posts: 2
« Reply #2 on: May 30, 2007, 10:58:37 PM »
Thanks for the information, but the clean autorun.bat that they use doesnt work with windows 2003 sbs . Is there any other way to solve this?. Thanks

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4875
  • I'm a GNU
    • Don't Surf in the Nude!
« Reply #3 on: May 30, 2007, 11:35:08 PM »
Fix the HijackThis! entry as instructed:

F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat

Then you will have to manually delete/edit autorun files/registry entries as required.

A Google search may bring up some instructions.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
« Reply #4 on: May 31, 2007, 04:52:25 AM »
The cleanautoruns.bat file is written to run only on Windows XP and 2000.  I think the reason for this is the batch file itself does not directly make any registry changes.  Rather, it relies on the fact that the particular keys involved are sort of self correcting.  Windows will delete them once the offending files are gone.  I don't know if the compatability check that precludes running the batch file on Windows 2003 sbs is because of a difference in the way the registry is handled but I'm guessing it simply wasn't tested on that platform.  Still, I'm not confident enough about that to recommend running it anyway even though it could be possible.

When run, the batch file checks for the presence of autorun.* in the root of all drives A: through Z: as well as C:\Windows and C:\Windows\System32 (in the case of XP).  I believe the equivalents in 2003 sbs would be the root of each drive plus C:\winnt and C:\winnt\system32 but you should double check.

If autorun.inf is found in any location the contents and path of each inf file are added to a log for later review as these may be the launch points for other malware.  It will also enumerate the appropriate section of the registry to see if the keys are actually gone.

Backups are made prior to deleting any files.

Even though it will be a bit tedious you can do alot of this manually.  Make sure you check removable drives as this will be the original source of infection.  Also, before deleting or renaming anything post the contents of any autorun.inf file(s) you find (it should be safe to open in notepad) so we can see if we need to deal with anything else.  Renaming is probably preferable to deleting at this point as long as you keep track of the file locations.

In regard to deleting the F2 line in HJT, that is the accepted procedure and it seems to work well.  My preference, however, is to edit the key to remove reference to autorun.bat while keeping userinit.exe intact.  Either way should resolve the problem you have opening your hard drive.  If you use the latter method make a back up of the registry first.

Finally, please upload this file to Virus Total for analysis and post the results

« Last Edit: May 31, 2007, 04:54:05 AM by mauserme »
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline Unnamednetua

  • Newbie
  • *
  • Posts: 1
« Reply #5 on: June 07, 2007, 11:52:07 AM »

DR. WEB online - archive ZIP
В файле > обнаружен вирус Win32.HLLW.Autoruner
> - OK
> - OK
> - OK
> - OK
В файле > обнаружен вирус VBS.Igidak
> - OK

AVAST online       :-[ :'( :'( :'( :'( :'( :'( :'(

Tested file                   Status                 clear clear  clear   clear  clear  clear clear  clear

File ->

I don't speak English ;)

I have send file (virus) for "report" and no search link 
« Last Edit: June 07, 2007, 11:57:51 AM by Unnamednetua »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30380
  • malware fighter
« Reply #6 on: June 07, 2007, 01:56:31 PM »
Hi Unamednetua,

Tried to translate part of mauserme's message online. You could try also at prompt, or through the Firefox translator add-on English to Russian.

leanautoruns.bat файл написан, чтобы управлять только на Windows XP и 2000. Я думаю, что причина для этого - сам командный файл, непосредственно не делает никаких изменений регистрации. Скорее это полагается на факт, что специфические вовлеченные ключи являются видом сам исправление. Windows удалит их, как только файлы оскорбления ушли. Я не знаю, является ли чек compatability, который устраняет управлять командным файлом на Windows 2003 sbs, из-за различия в способе, которым регистрация обработана, но я -

Тогда Вы должны будете вручную удалить/редактировать записи файлов/реестра, которыми автоуправляют, как требовано.

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Slonotop

  • Newbie
  • *
  • Posts: 1
« Reply #7 on: October 07, 2007, 09:37:12 PM »
The best way to delete all autoruns in a second is this:

Good! ;)