Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Auto.exe


  • This topic is locked This topic is locked
7 replies to this topic

#1 KkianN

KkianN

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 PM

Posted 28 October 2007 - 01:52 AM

After i scan and heal a trojan called' trojan horse Downloader Generic6.QSC' which infected my following files C:\auto.exe and D:\auto.exe then I open these 2 drives with click explore to open..how do I get back these 2 files?? someone please help..

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 28 October 2007 - 06:39 AM

You don't want You don't want AUTO.EXE back as it is malware related to a flash drive infection. Symptoms include the inability to open drives/partitions.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 KkianN

KkianN
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 PM

Posted 28 October 2007 - 08:41 AM

Thanks for helping. Now my computer can run as normal.

By the way, i discovered another thing that my computer always infect the same trojan horse(but in difference path). For example,today I heal 8 trojan files..but after few days, the trojans came out again.

The virus name similar like(only the last alphabet not same):-
Trojan horse PSW.OnlineGames.???
Trojan horse PSW.Legendmir.???
Trojan horse PSW.Generic5.???


I never download online games after I had reformatted my computer.I wonder why this will happen?

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:07 AM

Posted 28 October 2007 - 11:20 AM

Hi KkianN

Trojan horse PSW is a password stealer.
It also modifies some of the files on your system, you should be aware that your user names and passwords may well have been passed back to the author.
I would advise that you use a known 'clean' computer to change any banking passwords or other internet passwords and then submit a HJT log for analysis.
Removing this trojan is something that requires technical know how if it's to be done properly.

A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.
In the subject header, tell them you may be infected with 'Trojan Horse PSW'

Read the Preparation Guide before posting a HijackThis Log.
Please read, and follow, all directions carefully

Run a log, and post it in the HijackThis Logs and Analysis forum.

Do not, post it in this topic.
Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response from the HJT Team, because they are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


If you haven't heard back from them in 5 days, go to this topic, Haven't Had A Reply In Five Days?, and carefully follow all directions.

BBPP6nz.png


#5 KkianN

KkianN
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 PM

Posted 29 October 2007 - 07:26 AM

sorry I not really understand what do you mean by "use a known 'clean' computer to change any banking passwords or other internet passwords?" What means use a known 'clean' computer?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:07 AM

Posted 29 October 2007 - 07:31 AM

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer (aka: clean)and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 KkianN

KkianN
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 PM

Posted 03 November 2007 - 08:56 AM

Sorry for late reply here..just inform that I posted a log at HJT there. Thanks for your helps anyway.

#8 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:02:07 AM

Posted 03 November 2007 - 09:07 AM

Now that you have a HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so, could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users