AutoPlay Virus

[DavidR]

Buttons are located on browser toolbars (not web pages), so it should be on your browser somewhere. Unfortunately I can be of little help in where or what it looks like as I don't use any instant messenger programs.

[RajaValor]

Buttons are located on browser toolbars (not web pages), so it should be on your browser somewhere. Unfortunately I can be of little help in where or what it looks like as I don't use any instant messenger programs.

Oh, well if its on the actual messenger then yeah theres one on it.

[DavidR]

Then if you use it you obviously don't want to get rid of it.

[RajaValor]

I did a search with Panda Anti-Rootkit and it brought up

C:\Program Files\HPQ\Default Settings\Cpqset.exe:
                        REGISTRY_ENTRY:
                                        KEY:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                        VALUE: Cqset
                                        HIDDEN: TRUE
HIDDEN_REG_KEYS:1

Bad yes? no?

And this?

[DavidR]

It just says it is hidden not that it is a rootkit, a google for the file name should let you know more about it.

Google search string, http://www.google.com/search?q=Cpqset.exe.
More specifically, http://www.auditmypc.com/process/cpqset.asp, indicates:

cpqset.exe known as Hewlett Packard Configuration Tool cpqset, has the following information and may help up understand this process better.

So it looks legit, assuming you have an HP (or compag) system.

[RajaValor]

It just says it is hidden not that it is a rootkit, a google for the file name should let you know more about it.

Google search string, http://www.google.com/search?q=Cpqset.exe.
More specifically, http://www.auditmypc.com/process/cpqset.asp, indicates:

cpqset.exe known as Hewlett Packard Configuration Tool cpqset, has the following information and may help up understand this process better.

So it looks legit, assuming you have an HP (or compag) system.

Yeah I just got the same results when I looked it up. Alot of the sites were saying its not a nessasary program but it interacts with multimedia programs and so forth.

[RajaValor]

I did DL the Trend Micro RookitBuster and had it scan as well.
It brought up a bunch of old temp files for Photoshop 7.0
I went in an tried to manualy delete them and it says something to the effect that one file is protected or in use. I NO LONGER have photoshop 7 though.

Ive also noticed on a temporary file scan; McAfee is erroring out and shuting down when it tries to scan those files.

Your move general

Edit: RAR
I just DL'ed a file shredder and tried it on the photoshop 7 files. Came back with an error message saying "Cant shred files in use"

[RajaValor]

RookitBuster log:


+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.2.0.1014
+----------------------------------------------------


--== Dump Hidden MBR and Hidden File on C:\ ==--
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\!
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\!
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\!
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0

[RajaValor]

[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\!
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\!
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
[HIDDEN_FILE]:
   FullPath      : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo\
   FullPathLength: -1
   DesiredAccess : 0x0
   Options       : 0x0
   Attributes    : 0x21
   ShareAccess   : 0x0
   Type          : 0x0
 25 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

[DavidR]

Boot into safe mode you should be able to remove them then.

Another tools which would remove them on the next boot or remove what is locking them allowing for deletion:

- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

[RajaValor]

Boot into safe mode you should be able to remove them then.

Another tools which would remove them on the next boot or remove what is locking them allowing for deletion:

- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

The MoveOnBoots link no longer has the file and the Unlocker said it deleted the files but infact didnt move them at all.

I went to Safe Mode and at frst wasnt able to delete the files for th same reason I cuoldnt in reg. mode. But I renamed the files and put them through my shredder that I found today; then rescanned with Rootkitbuster and they are no longer there.

The Autoplay bit unfortunantly still is...

Like I stated earlier in post my rundll32.exe runs like a mad man. Sometime it will be listed 2-3 times in the task manager and it seems to stay running during the AutoPlay.

Could that be the problem instead?

Im just throwing things out there b/c I just dont have a clue :I

Maybe its a malfunctioning program?

Edit: Since I took out the corrupt Adobe 7.0 Files; McAfee is able to complete its temperary file scan and is now working its mojo to kill kill kill. *crosses fingers for cure*

[DavidR]

Can you try to get a screenshot of this autoplay when it is running, I still don't really know what you mean by it.

Another link for move-on-boot, http://www.download.com/EMCO-MoveOnBoot/3000-2094_4-10397293.html.

[RajaValor]

It took forever to get a screenshot of it b/c it happend so fast, but I finally got one and when its at its worst at that: http://i140.photobucket.com/albums/r17/RoseStone1/AutoPlayBullshit.jpg

All the folders on the right are all labled AutoPlay and they dont just appear when IE is on if thats your next process of thought.

[DavidR]

Look for autorun.inf files in the root folder of your Hard Disk Partitions, in reality they shouldn't be there as they would normally only be on removable media like CD/DVDs etc.

http://www.google.com/search?q=autoplay+virus

http://en.wikipedia.org/wiki/Autorun

They might be hidden, so ensure you have the settings in the image, Explorer, Tools, Folder Options, View. Once you unhide files, etc. do a search for autorun.inf and report any findings. Right click on one of the copies and select Open With, select notepad. Inside will be a number of commands, copy and paste the contents into a post.

This may have come from an infected USB drive so avoid their use until you can confirm they aren't infected.

I would suggest a forum search for autorun.ini as this has cropped up before and you may glean some useful information.

[RajaValor]

Well I did a search for autorun files and got these out of it; not sure if they are what we want or not but yeah: http://i140.photobucket.com/albums/r17/RoseStone1/iunno.jpg

And this is what they all said:

[autorun]
open=setup.exe
icon=btw.ico
label=BTW

[autorun]
OPEN=Setup.exe
Icon=QuickPlay.ico,0

[autorun]
open = setup.exe

[autorun]
OPEN=setup.exe
ICON=\Setup\artwork\setup.ico
defaulticon=setup.exe,2

shell\LVIPCAP\command=techsupt\CaptureTest\Amcap8.exe
shell\LVIPCAP=Tool - Amcap&8.exe

shell\LVIPCAP\command=Drivers\Bin\setup.exe techsupt
shell\LVIPCAP=Tool - TechSupt Tools

[autorun]
OPEN=setup.exe
ICON=icon\ispsetup.ico

[autorun]
OPEN=CDSTART.EXE
[cdstart]
TITLE="Norton Internet Security"
HOTKEYTITLE="&Install Norton Internet Security"

[autorun]
OPEN=SETUP.EXE

[Unpasteable]

[autorun]
OPEN=setup.exe
ICON=icon\ispsetup.ico

[autorun]
open = setup.exe

[autorun]
OPEN=SETUP.EXE /AUTORUN
ICON=SETUP.EXE,1

shell\configure=&Configure...
shell\configure\command=SETUP.EXE

shell\install=&Install...
shell\install\command=SETUP.EXE

[AUTORUN]
OPEN=AUTO_RUN.EXE

The one that I put in brackets as unpastable is gigantic and in russian and giberish D;
Microsoft works says there is about 14000 words in it alone which makes it practicaly impossible to paste here.
I see Nortan in one of these and I uninstalled that the day I got this laptop.
I can send you the text out of the forum if youd like?

I think we got something here >;