|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
10-01-2009, 06:24 AM
|
#1 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
US Soldiers need your help Win32/AutoRun.VB.DU
Hey all
My name is PFC Carder I am currently deployed to Afghanistan. My virus software (ESET) has found this worm "Win32/AutoRun.VB.DV worm" ESET will delete it however it keeps returning as if it is morphing itself This worm can be found on every drive including removable devices In a 12 hour span ESET deleted and cleaned it over 7000 times. I have tried everything I can think of. It seems to have disabled ESET in safe mode. I have disabled all system backups and AutoRun It seems to attach itself to autorun.inf I am sure every soldier hear or within my platoon has this worm we all share pic and tunes OS = 64bit vista I can not find any info on this worm Please help us |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
10-02-2009, 01:23 PM
|
#2 (permalink) |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi, this may be very difficult to clean unless every one who has this infection co-operates with the cleaning.
Yours will be especially difficult as you have a 64 bit system and a lot of our tools will not run on a 64bit. First of all. Someone with an XP OS needs to download flash disinfector and everyone needs to clean their USB's, if you are sharing your USB's this is one sure way the infection is spreading and staying alive: Flash disinfector will not work on your 64bit system. Download Flash_Disinfector.exe from HERE and save it to your desktop.
(you can plug in your removable media to disinfect it on the XP computer) NEXT Run MalwareBytes Antimalware. It is a standalone scanner that will clean a lot of the infections from every OS. Anything more than this will have to be done on an individual basis as every operating system is different and one fix may not be the right fix for the next system. The forum asks that your perform the first steps: which is to download DDS and GMER and post the logs: the intructions can be found here: Those programs wont work on your system, you will need to run OTS: If you would like I will be happy to help everyone's computer but lets clean yours up first. When you are clean, post the DDS and GMER logs for computer #2...we'll clean that up, then post logs for computer #3...etc. etc. make sure you don't all follow the instructions I give for the individual computers, the scripts I give out may not be the same. I will now post for the MalwareBytes program and the OTS for YOUR computer. Please download Malwarebytes' Anti-Malware
Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. NEXT Download OTSto your Desktop
__________________
 ASAP & UNITE Member |
|
|
|
10-03-2009, 02:34 AM
|
#3 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Malwarebytes log
Malwarebytes' Anti-Malware 1.41 Database version: 2897 Windows 6.0.6001 Service Pack 1 10/3/2009 10:08:43 AM mbam-log-2009-10-03 (10-08-43).txt Scan type: Quick Scan Objects scanned: 82336 Time elapsed: 3 minute(s), 8 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 5 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: C:\Users\RICHARD CARDER\AppData\Local\Temp\svchost.com (Worm.AutoRun) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkey (Worm.AutoRun) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Worm.AutoRun) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Worm.AutoRun) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user agent (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Users\RICHARD CARDER\AppData\Local\Temp\svchost.com (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Users\RICHARD CARDER\Templates\cache\vmx.exe (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Users\RICHARD CARDER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe (Worm.AutoRun) -> Quarantined and deleted successfully. |
|
|
|
|
10-03-2009, 04:56 AM
|
#5 (permalink) | |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi,
Please do the following: Start OTS Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button. Quote:
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply. NEXT Please go HERE to run Panda's ActiveScan
__________________
ASAP & UNITE Member |
|
|
|
|
|
10-03-2009, 09:09 AM
|
#6 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
OTS LOG
All Processes Killed [Registry - Safe List] Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a714f83-2a00-11de-89c8-cc0c4e196bab}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc10fd03-42dd-11de-88ac-ee7d8020f699}\shell\AutoRun\command\ deleted successfully. [Files/Folders - Modified Within 30 Days] [Empty Temp Folders] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public User: RICHARD CARDER ->Temp folder emptied: 8747738 bytes File delete failed. C:\Users\RICHARD CARDER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 1392854281 bytes ->Java cache emptied: 31496716 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes File delete failed. C:\Windows\temp\TMP0000006424B2D9F521ED30E8 scheduled to be deleted on reboot. Windows Temp folder emptied: 313367642 bytes RecycleBin emptied: 1077419 bytes Total Files Cleaned = 1666.62 mb < End of fix log > OTS by OldTimer - Version 3.0.20.0 fix logfile created on 10032009_153606 Files\Folders moved on Reboot... File\Folder C:\Windows\temp\TMP0000006424B2D9F521ED30E8 not found! Registry entries deleted on Reboot... ==================================================================================================================== ActiveScan log All Processes Killed [Registry - Safe List] Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a714f83-2a00-11de-89c8-cc0c4e196bab}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc10fd03-42dd-11de-88ac-ee7d8020f699}\shell\AutoRun\command\ deleted successfully. [Files/Folders - Modified Within 30 Days] [Empty Temp Folders] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public User: RICHARD CARDER ->Temp folder emptied: 8747738 bytes File delete failed. C:\Users\RICHARD CARDER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 1392854281 bytes ->Java cache emptied: 31496716 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes File delete failed. C:\Windows\temp\TMP0000006424B2D9F521ED30E8 scheduled to be deleted on reboot. Windows Temp folder emptied: 313367642 bytes RecycleBin emptied: 1077419 bytes Total Files Cleaned = 1666.62 mb < End of fix log > OTS by OldTimer - Version 3.0.20.0 fix logfile created on 10032009_153606 Files\Folders moved on Reboot... File\Folder C:\Windows\temp\TMP0000006424B2D9F521ED30E8 not found! Registry entries deleted on Reboot... |
|
|
|
|
10-03-2009, 10:15 AM
|
#8 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
OTS LOG
All Processes Killed [Registry - Safe List] Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23f9e160-1f35-11de-a251-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c4661e6-2c41-11de-aee6-a6d30a40f69e}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{304dfa19-a402-11de-b106-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a714f83-2a00-11de-89c8-cc0c4e196bab}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f1f4e8a-1f49-11de-9356-806e6f6e6963}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1e15713-4eaa-11de-8715-cb66373a2496}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab227604-1f84-11de-9c5d-00235a2929bd}\shell\AutoRun\command\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\Autoplay\Command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\AutoRun\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\explore\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\open\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bf59872b-a8c6-11de-925e-00235a2929bd}\shell\ws\command\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc10fd03-42dd-11de-88ac-ee7d8020f699}\shell\AutoRun\command\ deleted successfully. [Files/Folders - Modified Within 30 Days] [Empty Temp Folders] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public User: RICHARD CARDER ->Temp folder emptied: 8747738 bytes File delete failed. C:\Users\RICHARD CARDER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 1392854281 bytes ->Java cache emptied: 31496716 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes File delete failed. C:\Windows\temp\TMP0000006424B2D9F521ED30E8 scheduled to be deleted on reboot. Windows Temp folder emptied: 313367642 bytes RecycleBin emptied: 1077419 bytes Total Files Cleaned = 1666.62 mb < End of fix log > OTS by OldTimer - Version 3.0.20.0 fix logfile created on 10032009_153606 Files\Folders moved on Reboot... File\Folder C:\Windows\temp\TMP0000006424B2D9F521ED30E8 not found! Registry entries deleted on Reboot... ==================================================================================================================== |
|
|
|
|
10-03-2009, 10:49 AM
|
#9 (permalink) |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi,
You appear to be clean. How is your computer behaving? Please do the following:
NEXT Now we need to create a new clean SYSTEM RESTORE point.
Then remove all previous Restore Points
NEXT if there are any other logs remaining on your desktop, right click and delete them. Below I have included a number of recommendations for how to protect your computer against malware infections.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Thank you for your patience, and performing all of the procedures requested. You can now post the DDS and GMER logs for computer #2 unless you have any outstanding issues with your computer (ps. how many computers are there?)
__________________
ASAP & UNITE Member |
|
|
|
|
10-03-2009, 10:58 PM
|
#10 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
First of all I would like to thank you for all your help with my computer.
THANKS My computer it running great. There are 12 computers in my squad however I plan to scan each one of them with MalwareBytes program to check for this virus. If there is no infection. then no need to worry about there computer. A few of the guys has done a system restore in order to rid themselves of virus. The most of the guy’s hear are running 64 bit vista all but one I believe and he is running 32 bit vista As soon as I get a chance to scan there computers ill get back to you with there logs. One small problem I did encounter however is that no one hear has windows xp therefore I can not use Flash Disinfector is there any flash driver cleaners that run on vista that you could suggest I was looking around for something and found USB Drive Fresher via http://www.affinity-tools.com/usbfresher/ any thoughts ? again thanks for all your help |
|
|
|
|
10-04-2009, 03:23 AM
|
#11 (permalink) |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi,
I'm not familiar with that program, but it looks like it's designed to do what you need it to do. Unusual everyone has 64 bit systems but that's OK. DDS won't work on them. It will need to be OTS. But Malwarebytes should clean them all up nicely. Post OTS logs for any that still have issues (one at a time)
__________________
ASAP & UNITE Member |
|
|
|
|
10-04-2009, 07:16 AM
|
#12 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 8
OS: 64 bit vista
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Computer #2
Malwarebytes log Malwarebytes' Anti-Malware 1.41 Database version: 2775 Windows 6.0.6001 Service Pack 1 10/3/2009 11:11:55 PM mbam-log-2009-10-03 (23-11-55).txt Scan type: Quick Scan Objects scanned: 85875 Time elapsed: 7 minute(s), 51 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: C:\Users\Ray Hamilton\AppData\Local\Temp\svchost.com (Worm.AutoRun) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkey (Worm.AutoRun) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Worm.AutoRun) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user agent (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\Ray Hamilton\AppData\Local\Temp\svchost.com (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Users\Ray Hamilton\Templates\cache\vmx.exe (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Users\Ray Hamilton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Windows\System32\drivers\oreans32.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\Users\Ray Hamilton\AppData\Local\Temp\scr\Ribbons.exe (Worm.AutoRun) -> Quarantined and deleted successfully. |
|
|
|
|
10-04-2009, 07:34 AM
|
#13 (permalink) | |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi,
Please do the following: Start OTS Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button. Quote:
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply. NEXT: Run the MalwareBytes program again, make sure it comes back clean. Then run the Panda online scan. Please go HERE to run Panda's ActiveScan
__________________
ASAP & UNITE Member |
|
|
|
|
|
10-04-2009, 08:39 AM
|
#14 (permalink) |
|
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,166
OS: XP sp3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Hi,
I have found a tool to disinfect all your USB's, this will work as well as flash disinfector - have everyone run this tool on their removable media. Down load Autorun Eater and save it to your desktop Run the tool, plugging in all your removable media while doing so.
__________________
ASAP & UNITE Member |
|
|
|
|
10-15-2009, 11:27 PM
|
#15 (permalink) |
|
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3
|
Re: US Soldiers need your help Win32/AutoRun.VB.DU
Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
http://www.techsupportforum.com/secu...oval-help.html Surf Safely, and Think Prevention!
__________________
My services are free. However, you can donate to TSF to help keep it running.  Member of ASAP since 2005 Member of UNITE since 2006 |
|
|
|
| Thread Tools | |
|
|
