AutoPlay Virus

[DavidR]

Where did you find these autorun.inf files ?

Some look like legitimate program setup routines.

It looks like they come from CDs (or Program folders) and not from your HDD root folders, e.g. C:\, D:\, or any other HDD partition. The location they are found is almost as important as to what is in the file.

Edit, Sorry, I have now looked at the image link you gave and it confirms what I said about their coming from program folders I will copy the image so it appears here, so no need to load another image.

You should also set your folder options to display known file types. Windows Explorer, Tools, Folder Options, View, see second image and ensure the 'Hide extensions for known types is unchecked.'

[oldman]

Hi guys. It seems some thing is living here. Let's see if we can find something in the autoruns.

I'll give you a couple of programs to run. Please post the results of clean autoruns as attachments, as they will be quite long.

Download and Install Microsoft's TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your cd/dvd.

Download "Clean Autoruns":From HERE

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a Batch file, Clean autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those as attachments, using the additional options button on the reply page.

Also run this one. This will give us a look at some different things.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

[RajaValor]

I set the files options the way you said DavidR

Heres all the info you wanted oldman all attached files.  ALSO; when I disabled the autoruns like you said oldman.. they still ran. Does that mean the CD/DVD drive is corrupted?

Ive clicked on the properties of my CD/DVD drive and it says all the space is used up and Ive noticed be4 this autoplay bit that sometimes the eject options dont work when I have a disc in the drive.
More bad news?

[RajaValor]

Im also sending out the massive autorun as an attachment seeing as posting it was impossible and I now know about attached files.

[oldman]

Hi

Hmm.. no malicious autoruns, not much of interest in your DSS log either.

Let's back track a little. You said you started getting these autoruns after avast detected a rootkit. What was the detection? And what did you do?

Do you happen to have a CD in the drive when this happens?

Eloborate on this please

the rundll32.exe stays in the manager and switched from my drive "RKJ" to "System" then vanishes as the pop up vanishes.

The image you posted, is autoplay. Plus it looks like it is searching for  a file.

Theres a couple of tools that can be used to try to repair the autoplay function of cd drives, but that's for later.

Let's start with these questions so we can get a better feel for what you are seeing.

Did you use the norton removal tool? There is one autorun pointing at what looks like a norton intsall.

The last attachment, was it also the one you said was unpastable? It's related to HP, perhaps a network driver.

[RajaValor]

Hi

Hmm.. no malicious autoruns, not much of interest in your DSS log either.

Let's back track a little. You said you started getting these autoruns after avast detected a rootkit. What was the detection? And what did you do?

Do you happen to have a CD in the drive when this happens?

Eloborate on this please

the rundll32.exe stays in the manager and switched from my drive "RKJ" to "System" then vanishes as the pop up vanishes.

The image you posted, is autoplay. Plus it looks like it is searching for  a file.

Theres a couple of tools that can be used to try to repair the autoplay function of cd drives, but that's for later.

Let's start with these questions so we can get a better feel for what you are seeing.

Did you use the norton removal tool? There is one autorun pointing at what looks like a norton intsall.

The last attachment, was it also the one you said was unpastable? It's related to HP, perhaps a network driver.

I had the autoplay b4 avast upgraded but as soon as the upgrade happen happend is when the rootkit was identified. I let avast go into boot mode? and delete it like it promted me to.

I never leave CD's in my drives after I turn a comp off and always remove them when Im not using them. At the time the rootkit was ID'ed there was no disc in my drive b/c it was right when I just turned the comp on and avast prompted me for new upgrade.

I have never used norton for any form of repair or mantainace. I have not had norton since 3 months after I bought the laptop and was able to get on the internet; which was when I then replaced it with Avast.

The last attachment is the one that was to large to past; Microsoft Works says that particular auto play is 86 pages long. With all the language changes and odd symbols that are not used in any of the other smaller autoplay files I figures it was an obvious problem. I would of posted it sooned but its obviously to big for posting and again this was be4 I knew about attachment files.

Your move mate.

[oldman]

Sorry for the questions, but I'm trying to get a feel for what is happening.

This is random? Not related to startup, opening certain folder. I'm goin to look at DSS again.

Be back

[RajaValor]

Sorry for the questions, but I'm trying to get a feel for what is happening.

This is random? Not related to startup, opening certain folder. I'm goin to look at DSS again.

Be back

If I just let the comp idol after signing in it the autoplay will play yes.
Ive noticed that for about the first couple hours of opperation its really bad but after that I wont see it again and then if I turn off the comp and come back in a couple or so hours; it will play a couple times but never be as bad as it was on the first time I started up that day.
Come night time and the restart after 8+ hours it will be back to spazing though.

Ask all the questions you want. I dont mind; I just want this gone.

[oldman]

all right let's give this a whirl.

Grab a copy of process explorer
http://ask-leo.com/d-procexp  and perhaps even add it
to your startup group so it also starts automatically
when you log in. It has tools that will allow you to
see what program is creating that window. Or, alternately,
you can wait until the window goes away, and procexp will
highlight for a few second the name of the program that
just closed.

[RajaValor]

all right let's give this a whirl.

Grab a copy of process explorer
http://ask-leo.com/d-procexp  and perhaps even add it
to your startup group so it also starts automatically
when you log in. It has tools that will allow you to
see what program is creating that window. Or, alternately,
you can wait until the window goes away, and procexp will
highlight for a few second the name of the program that
just closed.

I dont know how to set it up to start up automaticaly.
So basicaly Im waiting for the autoplay to show up and see what it says on this?

[oldman]

Sorry, I should have given you more details.

Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer. If the popup is running you should be able to determine what is spawning it.

Just minimize it to the taskbar, when the popup appears, click the minmized program to put it on the screen. If you can't locate it, wait. As mentioned the program that just closed should highlight for a few seconds.

[RajaValor]

Sorry, I should have given you more details.

Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer. If the popup is running you should be able to determine what is spawning it.

Just minimize it to the taskbar, when the popup appears, click the minmized program to put it on the screen. If you can't locate it, wait. As mentioned the program that just closed should highlight for a few seconds.

Mkay I will wait and see if it pops up then; though I doubt it will anymore tonight just to spite me.

[oldman]

I doubt it will anymore tonight just to spite me.

  

ain't that the way...

I'm sure you wll nab it

[RajaValor]

I doubt it will anymore tonight just to spite me.

  

ain't that the way...

I'm sure you wll nab it

It took 8 hours and three tries to catch it on screen shot >;

[oldman]

You should be able to do your normal computer activity. It will make the wait seem less.

Or try to recreate a situation that you know will cause it to appear.