Worm:Win32/Autorun!inf on my computer???

Discussion in 'Computer Security' started by Thanatos, Jan 11, 2011.

  1. Thanatos

    Thanatos Active Member

    I've been getting a worm on my computer probably every 10 minutes or so. I just quarantine and delete them, but how do I make it stop?
     
  2. johnb35

    johnb35 Administrator Staff Member

    Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • A log will be saved automatically, which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.

    If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com, but DO NOT reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



    Download the HijackThis installer from here.
    Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

    Click Do a system scan and save a logfile.

    Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

    Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
     
  3. Thanatos

    Thanatos Active Member

    Well, the virus isn't on my computer NOW, and I think I've fixed it. No more Google Toolbar for me.
     
  4. Thanatos

    Thanatos Active Member

    Dang. It is here again.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 20:06:14, on 1/11/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe
    C:\Program Files\AMD\RAIDXpert\bin\RAIDXpert.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\ASUS.SYS\config\DVMExportService.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\ofps.exe
    C:\WINDOWS\System32\PSIService.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\ASUS\Ai Suite\Q-Button\QButton.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\COMMON~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\zstatus.exe
    C:\WINDOWS\system32\zstatus.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WinMsgBalloonServer.exe
    C:\WINDOWS\system32\WinMsgBalloonClient.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\newstartbutton.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\TidySongs\TidySongs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: Shell=newstartbutton.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Alive Text to Speech - {954F618B-0DEC-4D1A-9317-E0FC96F87865} - C:\PROGRA~1\ALIVEM~1\TEXTTO~1\IETOOL~1.DLL
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Rocketfish Input Device Main Program] C:\Program Files\RocketFish\Rocketfish Bluetooth Combo\TSR\xDaemon.exe
    O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\Q-Button\QButton.exe"
    O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\COMMON~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton Download Manager{NIS1800128-BETA4-FSD15028}] C:\Documents and Settings\All Users\Documents\Norton\{NIS1800128-BETA4-FSD15028}\NISBetaDownloader.exe /m
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269140226777
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1269140975074
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AMD RAIDXpert (AMD_RAIDXpert) - AMD - C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe
    O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\ASUS.SYS\config\DVMExportService.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe

    --
    End of file - 11318 bytes


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4186

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    1/11/2011 20:13:47
    mbam-log-2011-01-11 (20-13-47).txt

    Scan type: Quick scan
    Objects scanned: 141557
    Time elapsed: 5 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    I realize Malwarebytes says no items were found, but Microsoft Security Essentials sure does.
     
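    As an added example (not code from this thread, and not part of Trend Micro's HijackThis), here is a small Python triage script for the HijackThis v2 log format shown in the post above. The sample log embedded in it is constructed from a handful of lines in that post; the rules are review heuristics that pick out the entries a helper would look at first (a replaced Winlogon shell in the F2 section, an AppInit_DLLs entry, O23 services whose file is missing or whose owner is unknown and whose binary lives in system32, and O4 autostarts given as a bare file name with no directory), not verdicts that an entry is malicious. The Finding class, run_target() and triage() are names chosen for this example.

```python
"""Triage helper for HijackThis v2 logs (added example; not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "F2", "O4", "O23"
    line: str     # the raw log line the finding refers to
    reason: str   # why a reviewer should look at this entry first


# Constructed sample: a few lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=newstartbutton.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AMD RAIDXpert (AMD_RAIDXpert) - AMD - C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
"""

# Every HijackThis entry starts with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# First token that ends in an executable-looking extension (used for unquoted targets).
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|com|scr))", re.I)


def run_target(body: str) -> str:
    """Return the program path from an O4 body of the form '[Name] target args'."""
    _, _, target = body.partition("] ")
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]  # quoted: everything inside the quotes
    m = EXE_RE.match(target)
    return m.group(1) if m else target.split(" ")[0]


def triage(log_text: str) -> list[Finding]:
    """Scan a HijackThis log and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.group("section"), m.group("body")
        if section == "F2" and "shell=" in body.lower():
            shell = body.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(section, line,
                    f"Winlogon shell replaced by '{shell}' (Explorer.exe is the default)"))
        elif section == "O4":
            path = run_target(body)
            if path and "\\" not in path:
                findings.append(Finding(section, line,
                    f"autostart '{path}' has no directory; it is resolved via the search path at logon"))
        elif section == "O20":
            findings.append(Finding(section, line,
                "AppInit_DLLs entry: this DLL is loaded into every process that loads user32.dll; confirm the vendor"))
        elif section == "O23":
            parts = body.split(" - ")
            if len(parts) < 3:
                continue
            owner, path = parts[-2], parts[-1]
            if path.endswith("(file missing)"):
                findings.append(Finding(section, line,
                    "service binary is missing; 'C:\\Program.exe' is typically what an unquoted 'C:\\Program Files\\...' path resolves to"))
            elif owner == "Unknown owner" and "\\windows\\system32\\" in path.lower():
                findings.append(Finding(section, line,
                    "service with no identified owner running from system32; verify the file's publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

    Run against the full log in the post, the same rules surface the same five kinds of entry; the script deliberately leaves everything else untouched, matching the "don't fix anything yet" advice earlier in the thread.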
  6. johnb35

    johnb35 Administrator Staff Member

    Okay, before I even attempt to go through your HijackThis log, your Malwarebytes is way outdated and needs to be updated. Please download the latest version from here, install it, and then update it, and then rerun a quick scan and post its log along with a fresh HijackThis log.

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    Click on where it says "download now", nowhere else, or you will download the wrong program.
     
  7. DarthBrownie

    DarthBrownie New Member

    Um, okay, where to start: what type of security do you have on your computer? Just to give you a head start: go ahead and get the latest version of Malwarebytes and do a quick scan. Then download the following:

    Spybot Search & Destroy:
    http://www.safer-networking.org/index2.html

    Comodo Firewall:
    http://www.comodo.com/home/internet-security/firewall.php

    AVG, Avast! Anti-Virus (free versions) or hell, even Kaspersky if you wanna spend $:
    http://www.avast.com/index
    http://free.avg.com/us-en/homepage
    http://usa.kaspersky.com/

    Do a quick scan with all programs, and if you still have the worm then just do a full scan. If one of them finds the file again, try deleting it instead of quarantining it. You might as well remove some unwanted programs on your desktop along the way to make it run faster.
     
    Last edited: Jan 24, 2011
