Author Topic: vtststs.dll  (Read 12379 times)

mauserme

  • Guest
Re: vtststs.dll
« Reply #15 on: August 21, 2007, 06:44:51 AM »
Quote from: SUSZANNAH
hope this helps......... :)
Ta  :)

The only thing unusual I see is that ComboFix  put D:\Autorun.inf in quarantine.  Since you haven't mentioned any problems related to removable media (flash drives, etc) I'm surprised by this.

Please upload the file to Virus Total and post the results.  It's not in the original location now, of course.  It will either be in c:\qoobox\quarantine\ or a subdirectory of that.  If you have trouble finding it, open C:\ComboFix-quarantined-files.txt in notepad and it will show you the exact location.

BTW, what is the D: drive?

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: vtststs.dll
« Reply #16 on: August 21, 2007, 04:47:03 PM »
Hi there, the D drive is the HP recovery drive, only autorun problem I have been having the last few months is that CDs won't auto start in F drive...........

File Autorun.inf.vir received on 08.21.2007 16:32:28 (CET)
Current status:     finished   
Result: 0/32 (0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.22.0   2007.08.21   -
AntiVir   7.4.1.62   2007.08.21   -
Authentium   4.93.8   2007.08.20   -
Avast   4.7.1029.0   2007.08.20   -
AVG   7.5.0.484   2007.08.20   -
BitDefender   7.2   2007.08.21   -
CAT-QuickHeal   9.00   2007.08.21   -
ClamAV   0.91   2007.08.21   -
DrWeb   4.33   2007.08.21   -
eSafe   7.0.15.0   2007.08.20   -
eTrust-Vet   31.1.5076   2007.08.21   -
Ewido   4.0   2007.08.21   -
FileAdvisor   1   2007.08.21   -
Fortinet   2.91.0.0   2007.08.21   -
F-Prot   4.3.2.48   2007.08.20   -
F-Secure   6.70.13030.0   2007.08.21   -
Ikarus   T3.1.1.12   2007.08.21   -
Kaspersky   4.0.2.24   2007.08.21   -
McAfee   5101   2007.08.20   -
Microsoft   1.2803   2007.08.21   -
NOD32v2   2473   2007.08.21   -
Norman   5.80.02   2007.08.21   -
Panda   9.0.0.4   2007.08.21   -
Prevx1   V2   2007.08.21   -
Rising   19.37.12.00   2007.08.21   -
Sophos   4.20.0   2007.08.21   -
Sunbelt   2.2.907.0   2007.08.21   -
Symantec   10   2007.08.21   -
TheHacker   6.1.8.171   2007.08.21   -
VBA32   3.12.2.2   2007.08.21   -
VirusBuster   4.3.26:9   2007.08.21   -
Webwasher-Gateway   6.0.1   2007.08.21   -
Additional information
File size: 90 bytes
MD5: 95302117c6e27bd3e9a9d416acd56e40
SHA1: 835996bafc1f83286f2b3b3ac70c39851bcabe8d

Don't know if this makes any sense to you, it doesn't to me lol.......what's new !!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: vtststs.dll
« Reply #17 on: August 21, 2007, 05:18:26 PM »
It makes sense in that avast is the only one to detect it, but that is on your system. One of the problems with VT is that its version of the VPS is often older than the user's; they have difficulty in updating the VPS.

However, the report normally has something after the - like, for example:
Avast   4.7.1029.0   2007.08.20   - nothing found

So I still have doubts about the file, you could also try Jotti - Multi engine on-line virus scanner.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: vtststs.dll
« Reply #18 on: August 21, 2007, 06:04:11 PM »
Really odd here David, ran scan through Jotti came back as nothing found, so what has Combofix quarantined???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: vtststs.dll
« Reply #19 on: August 21, 2007, 06:30:54 PM »
There have been many cases of autorun.inf being used in conjunction with USB drive infections; these often put a copy of autorun.inf in the root of any drive or partition to continue with the replication of the infection.

Normally you don't see a copy of autorun.inf on a hard disk, this is more removable media and usb drives, so it may be because it is on your hard disk that it has been quarantined. Unfortunately I know very little about the workings of combofix to say exactly why it did that.

I believe the only reason you have a copy is because of the recovery partition, this would I assume act like an installation CD and that would have an autorun.inf file.

A search of my system only finds one and that is in a folder back-up copy of the XP SP2 update that I copied off my CD.

mauserme

  • Guest
Re: vtststs.dll
« Reply #20 on: August 21, 2007, 07:09:30 PM »
This may be a false positive - very unusual for ComboFix.

In at least some cases HP uses autorun.inf to call the warning screen letting you know you should not modify any files on the recovery partition.

Open autorun.inf.vir in notepad (this should be safe) and post its contents.
« Last Edit: August 21, 2007, 07:15:35 PM by mauserme »

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: vtststs.dll
« Reply #21 on: August 21, 2007, 07:27:38 PM »
Hi again. It won't let me open it, it asks to look on net to find the program that wrote it, it's about 1kb in size

mauserme

  • Guest
Re: vtststs.dll
« Reply #22 on: August 21, 2007, 07:32:46 PM »
Quote from: SUSZANNAH
Hi again. It won't let me open it, it asks to look on net to find the program that wrote it, it's about 1kb in size
Is there an option below that to choose from a list of programs?  If there is, check that and choose notepad.

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: vtststs.dll
« Reply #23 on: August 21, 2007, 07:39:50 PM »
this is all it came up with:-


[autorun]
OPEN=setupSNK.exe
ICON=\SMRTNTKY\fcw.ico
ACTION=Wireless Network Setup Wizard

mauserme

  • Guest
Re: vtststs.dll
« Reply #24 on: August 21, 2007, 08:06:24 PM »
There's a situation outlined here

http://support.microsoft.com/?kbid=878475

where a hard drive can appear as a USB drive when setting up wireless networking.  I believe this is what happened on your computer.


I think ComboFix detected the file because one of the files it calls (setupSNK.exe) is also a name used by some malware.  This, with the fact that it's unusual to have autorun.inf on a hard drive, makes it look suspicious.

You could probably just delete it as it's serving no purpose.
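
The two signals described in the reply above (an autorun.inf with a launch command on a hard disk, and a launch target whose file name is also used by malware), sketched as an added example that is not part of the thread and is not ComboFix's actual logic. The watch list, the function names and the `on_fixed_disk` flag are assumptions made for illustration; the sample is the file content posted in reply #23.

```python
import ntpath

# Keys in [autorun] that start a program (shell\<verb>\command is matched below).
EXEC_KEYS = ("open", "shellexecute")

# Assumption: an illustrative watch list; setupSNK.exe is the name from this thread.
WATCH_NAMES = {"setupsnk.exe"}

# The file contents posted in the thread.
SAMPLE = """[autorun]
OPEN=setupSNK.exe
ICON=\\SMRTNTKY\\fcw.ico
ACTION=Wireless Network Setup Wizard
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def exe_name(command):
    """File name of the program a launch command starts, lower-cased."""
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split()[0]
    return ntpath.basename(path).lower()


def triage(text, on_fixed_disk):
    """Return (launch commands, reasons the file deserves a manual look)."""
    entries = parse_autorun(text)
    targets = [v for k, v in entries.items() if v and (
        k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command")))]
    reasons = []
    if on_fixed_disk and targets:
        reasons.append("launch command in autorun.inf on a fixed disk")
    reasons += [f"watch-listed name: {exe_name(t)}"
                for t in targets if exe_name(t) in WATCH_NAMES]
    return targets, reasons
```

A name match alone says nothing about the file's content, which is why the result is a list of reasons to look closer and not a verdict.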

Offline SUSZANNAH

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1954
  • There We Are Then
Re: vtststs.dll
« Reply #25 on: August 21, 2007, 08:10:01 PM »
Phew!! Thanks for that, as long as my wireless on laptop still works that's fine by me  ;D

mauserme

  • Guest
Re: vtststs.dll
« Reply #26 on: August 23, 2007, 05:09:03 AM »
Thanks for letting me finish what we started  :)