Author Topic: rjlupin1319's autorun  (Read 6016 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
rjlupin1319's autorun
« on: March 07, 2008, 11:08:23 AM »
I managed to get your log opened with word, but with the red spell check it's still difficult. This will get you started while I review the logs.

There is evidence of several autorun infections. I will need to know how many usb devices and hard drives you have and the drive letters.

Please do not plug in any usb device until you have done the tweakui portion. After you have done that part, please only plug in the devices with the drive letters F and I. I'm guessing that D is a fixed hard drive. If not, then attach it also. The OTMOVEIT2 fix will only cover drives C,D,F, and I. If there are more we will do them separately.

Download and Install Microsoft's TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Then

Please download OTMoveIt2 by OldTimer.


Save it to your desktop.

Please double-click OTMoveIt2.exe to run it. Make sure the usb drives are plugged in.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Autorun.inf
D:\Autorun.inf
F:\Autorun.inf
I:\Autorun.inf
C:\ntdelect.com /s
D:\ntdelect.com
F:\ntdelect.com
I:\ntdelect.com
C:\kavo.* /s
C:\kavo*.* /s
D:\kavo.* /s
D:\kavo*.* /s
F:\kavo.* /s
F:\kavo*.* /s
I:\kavo.* /s
I:\kavo*.* /s
C:\tmf3w3g0.com /s
d:\tmf3w3g0.com
F:\tmf3w3g0.com
I:\tmf3w3g0.com
C:\q83iwmgf.bat /s
D:\q83iwmgf.bat
F:\q83iwmgf.bat
I:\q83iwmgf.bat
C:\um.cmd /s
D:\um.cmd
F:\um.cmd
I:\um.cmd
C:\lg.cmd /s
D:\lg.cmd
F:\lg.cmd
I:\lg.cmd
C:\8e9gmih.bat /s
D:\8e9gmih.bat
F:\8e9gmih.bat
I:\8e9gmih.bat
C:\f.cmd /s
D:\f.cmd
F:\f.cmd
I:\f.cmd
C:\copetttt.com /s
D:\copetttt.com
F:\copetttt.com
I:\copetttt.com
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28bb8ade-bb0a-11dc-9926-000a3a6420d1}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cee21b8-69e3-11dc-987e-000a3a6420d1}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0aa4b84-74b1-11dc-989d-000a3a6420d1}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f654baf9-36f6-11dc-97ff-806d6172696f}
 


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Now to protect those drives, I will need you to download and run this program.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well. Just skip that part.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will disable any current Autorun infection's ability to restart.
 


Just to OTMOVEIT2 results and the Clean autoruns logs.

Thanks
« Last Edit: March 07, 2008, 11:42:11 AM by oldman »
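Editor's note, added to this thread and not part of oldman's instructions or of any of the tools he names: the reason disabling AutoPlay and planting a harmless Autorun.inf both work is that Explorer reads the [autorun] section of that file and runs whatever the open / shellexecute / shell\...\command keys point at. The script below parses an autorun.inf the way that format is documented and reports which commands it would hand to Windows. Both sample files are constructed for the example; the file name ntdelect.com is taken from the OTMoveIt2 list above, and the "risky extension" list is this example's own heuristic, not something from the thread.

```python
"""Added example: classify an autorun.inf by the commands it would launch.

Not part of the forum thread or of OTMoveIt2 / Flash Disinfector. Sample
autorun.inf contents below are constructed; section and key names follow the
documented autorun.inf format, the risky-extension list is a heuristic.
"""
import configparser

# Keys in [autorun] whose value is something to execute.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command keys hijack the drive's right-click verbs (Open, Explore...).
COMMAND_SUFFIX = "\\command"
# Heuristic (assumption): first token of the value ending in one of these is
# treated as an executable launch.
RISKY_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")

# Constructed sample shaped like the autorun worms discussed in the thread.
SAMPLE_AUTORUN = """\
[autorun]
open=ntdelect.com
shell\\open=&Open
shell\\open\\Command=ntdelect.com
shell\\explore=&Explore
shell\\explore\\Command=ntdelect.com
shellexecute=ntdelect.com
"""

# Constructed sample of a passive autorun.inf (icon and label only).
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Disc
"""


def launched_commands(text):
    """Return [(key, value), ...] for every key that names something to run.

    Returns None when the text is not parseable as an INI file at all.
    Section lookup is case-insensitive, as Windows treats it; keys are
    lowercased by configparser's default optionxform.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    cmds = []
    for key, value in cp.items(section):
        if key in EXEC_KEYS or key.endswith(COMMAND_SUFFIX):
            cmds.append((key, value or ""))
    return cmds


def assess(text):
    """Summarise an autorun.inf: verdict, all launch keys, and the risky ones."""
    cmds = launched_commands(text)
    if cmds is None:
        return {"verdict": "unparseable", "commands": [], "risky": []}
    risky = []
    for key, value in cmds:
        tokens = value.split()
        target = tokens[0].lower() if tokens else ""
        if target.endswith(RISKY_EXT):
            risky.append((key, value))
    if risky:
        verdict = "launches executable"
    elif cmds:
        verdict = "launches non-executable target"
    else:
        verdict = "passive (icon/label only)"
    return {"verdict": verdict, "commands": cmds, "risky": risky}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = assess(text)
        print(name, "->", result["verdict"])
        for key, value in result["commands"]:
            print("   ", key, "=", value)
```

Run it against a copy of an autorun.inf taken from a drive (copy the file to a folder first; never double-click the drive). A file whose [autorun] section carries any of the shell\...\command keys is worth treating as suspect even when the target name looks ordinary, because those keys are what lets a worm restart from a right-click on the drive, which is exactly the restart path the protective read-only Autorun.inf is meant to block.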

rjlupin1319

  • Guest
Re: rjlupin1319's autorun
« Reply #1 on: March 11, 2008, 09:11:15 AM »
Thanks for the reply!
I'm currently going through the whole procedure.

My only USB key has not been working for a while. I have one physical drive that is partitioned in two, hence the C: and D:. A friend has connected his and also an external hard drive, but that was at least 3 weeks ago. Other than that, I have an iPod which I set up on the drive letter I:. I've been trying to set my iPod up as a usable external drive, but every time I launch iTunes the option is still checked off so I have no idea if it is actually used as such or not, or if it could be infected.

In the meantime here are my Clean autoruns results. I could open the previous logs in Notepad, so I haven't got a clue why they didn't work out for you, very sorry about that. Maybe you can click right > save as, instead of opening the link? But you've probably done that already. Anyway, here they are:

Part1.txt
part2.txt


[continued]
Avast! gave me a couple of alerts during the OTMoveIt2 run. I chose the "do nothing" option. Here's the log:

Quote from: OTMoveIt2 Results
File/Folder C:\Autorun.inf not found.
File/Folder D:\Autorun.inf not found.
File/Folder F:\Autorun.inf not found.
File/Folder I:\Autorun.inf not found.
File/Folder C:\ntdelect.com /s not found.
File/Folder D:\ntdelect.com not found.
File/Folder F:\ntdelect.com not found.
File/Folder I:\ntdelect.com not found.
File/Folder C:\kavo.* /s not found.
File/Folder C:\kavo*.* /s not found.
File/Folder D:\kavo.* /s not found.
File/Folder D:\kavo*.* /s not found.
File/Folder F:\kavo.* /s not found.
File/Folder F:\kavo*.* /s not found.
File/Folder I:\kavo.* /s not found.
File/Folder I:\kavo*.* /s not found.
File/Folder C:\tmf3w3g0.com /s not found.
d:\tmf3w3g0.com moved successfully.
File/Folder F:\tmf3w3g0.com not found.
File/Folder I:\tmf3w3g0.com not found.
File/Folder C:\q83iwmgf.bat /s not found.
D:\q83iwmgf.bat moved successfully.
File/Folder F:\q83iwmgf.bat not found.
File/Folder I:\q83iwmgf.bat not found.
File/Folder C:\um.cmd /s not found.
D:\um.cmd moved successfully.
File/Folder F:\um.cmd not found.
File/Folder I:\um.cmd not found.
File/Folder C:\lg.cmd /s not found.
D:\lg.cmd moved successfully.
File/Folder F:\lg.cmd not found.
File/Folder I:\lg.cmd not found.
File/Folder C:\8e9gmih.bat /s not found.
D:\8e9gmih.bat moved successfully.
File/Folder F:\8e9gmih.bat not found.
File/Folder I:\8e9gmih.bat not found.
File/Folder C:\f.cmd /s not found.
D:\f.cmd moved successfully.
File/Folder F:\f.cmd not found.
File/Folder I:\f.cmd not found.
File/Folder C:\copetttt.com /s not found.
D:\copetttt.com moved successfully.
File/Folder F:\copetttt.com not found.
File/Folder I:\copetttt.com not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28bb8ade-bb0a-11dc-9926-000a3a6420d1} not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cee21b8-69e3-11dc-987e-000a3a6420d1} not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0aa4b84-74b1-11dc-989d-000a3a6420d1} not found.
File/Folder HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f654baf9-36f6-11dc-97ff-806d6172696f} not found.
 
OTMoveIt2 v1.0.21 log created on 03112008_092207

Flash Disinfector ran smoothly. The desktop went blank for a while and then it was "Done!".
« Last Edit: March 11, 2008, 09:31:19 AM by rjlupin1319 »
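Editor's note, added here and not part of rjlupin1319's post or of OTMoveIt2: a log like the one above is easier to triage when it is grouped by drive, so the helper can see in one glance that only D: yielded moved files and which drives were never touched. The script below does that for the two line shapes visible in the log ("File/Folder ... not found." and "... moved successfully."). The sample lines are a constructed subset in the shape of the log above; the line format, and the heuristic that a literal " /s" echoed back inside a "not found" line means the switch was not interpreted (one reading of oldman's remark in Reply #5 about the script being pasted into the wrong box), are this example's assumptions.

```python
"""Added example: group OTMoveIt2 result lines by drive.

Not from the thread and not OTMoveIt2's own code. Line formats are assumed
from the log shown in the thread; SAMPLE_LOG is a constructed subset of it.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's log.
SAMPLE_LOG = """\
File/Folder C:\\Autorun.inf not found.
File/Folder D:\\Autorun.inf not found.
File/Folder C:\\ntdelect.com /s not found.
d:\\tmf3w3g0.com moved successfully.
D:\\q83iwmgf.bat moved successfully.
File/Folder I:\\um.cmd not found.
File/Folder HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{28bb8ade-bb0a-11dc-9926-000a3a6420d1} not found.
OTMoveIt2 v1.0.21 log created on 03112008_092207
"""

NOT_FOUND = re.compile(r"^File/Folder (?P<target>.+?) not found\.$")
MOVED = re.compile(r"^(?P<target>.+?) moved successfully\.$")
DRIVE = re.compile(r"^[A-Za-z]:\\")


def drive_of(target):
    """Bucket a target: uppercase drive letter, 'registry' for HKEY paths, else 'other'."""
    if DRIVE.match(target):
        return target[0].upper()
    if target.upper().startswith("HKEY_"):
        return "registry"
    return "other"


def summarise(log_text):
    """Return {bucket: {"moved": [...], "not_found": [...], "literal_switch": [...]}}.

    literal_switch (heuristic, assumption): "not found" targets that still end
    in " /s", i.e. the recursive switch was taken as part of the file name.
    Lines in neither format (the trailing version/date line) are ignored.
    """
    summary = defaultdict(lambda: {"moved": [], "not_found": [], "literal_switch": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOVED.match(line)
        if m:
            summary[drive_of(m["target"])]["moved"].append(m["target"])
            continue
        m = NOT_FOUND.match(line)
        if m:
            target = m["target"]
            entry = summary[drive_of(target)]
            entry["not_found"].append(target)
            if target.endswith(" /s"):
                entry["literal_switch"].append(target)
    return dict(summary)


def report(log_text):
    """One line per bucket, handy for pasting back into a reply."""
    lines = []
    for bucket, entry in sorted(summarise(log_text).items()):
        lines.append("%s: %d moved, %d not found, %d switch-taken-literally" % (
            bucket, len(entry["moved"]), len(entry["not_found"]),
            len(entry["literal_switch"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the full results window text instead of SAMPLE_LOG and the per-drive counts show immediately which drives still need Flash Disinfector run against them with the device connected.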

Offline oldman

Re: rjlupin1319's autorun
« Reply #2 on: March 11, 2008, 09:30:51 AM »
No problem, as long as I can read 'em.

The I drive does show infection, so plug it in. That may be the problem.

rjlupin1319

Re: rjlupin1319's autorun
« Reply #3 on: March 11, 2008, 09:32:25 AM »
Oops! I forgot about the iPod along the way. Lemme go through the whole process again.  ;D

[edit]
Actually I'm late for work... I'll get back to it later.
« Last Edit: March 11, 2008, 09:35:12 AM by rjlupin1319 »

Offline oldman

Re: rjlupin1319's autorun
« Reply #4 on: March 11, 2008, 09:36:58 AM »
No problem, you can run the same OTMoveIt2 script.

Offline oldman

Re: rjlupin1319's autorun
« Reply #5 on: March 11, 2008, 09:46:57 AM »
Did you run the script from the lower left box? Looking at the results, it appears to have been run from the top box. It will not work from the upper box.

« Last Edit: March 11, 2008, 10:07:04 AM by oldman »

rjlupin1319

Re: rjlupin1319's autorun
« Reply #6 on: March 12, 2008, 10:01:56 AM »
OK. I had also done the exact opposite on the Tweak UI step, checking all the boxes instead of unchecking them. :-X

Here is my new OTMoveIt2 log. I've done everything with my iPod connected. There were a lot of infected files on C:.

03122008_095020.log

Offline oldman

Re: rjlupin1319's autorun
« Reply #7 on: March 12, 2008, 10:14:47 AM »
Looks like they have been moved. Re-run Flash Disinfector with all drives connected.

How is it now?