
W32.sillydc Infection


10 replies to this topic

#1 sdas57

sdas57

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Delhi, India
  • Local time:06:49 AM

Posted 24 December 2007 - 06:42 AM

Hello anyone.

I am sure someone will be able to tell me the solution. I have tried to do myself but to no avail.
My pen drive got infected by w32.sillydc virus. I suppose it is so since the endpoint symantec antivirus loaded onto my office PC said so, but then it also said virus deleted. Still my problems persist.

First, I inserted my pendrive into a new PC which had virus, and I saw extra folders being created inside my original folders but with an exe extension. And also there was this file svichosst.exe.

Then when I plugged it into my office desktop and scanned with endpoint symantec, it said w32.sillydc virus and said "deleted". BUT still those folders were visible. I even tried formatting. It formatted but they were still visible. And sometimes it did not even allow me to format (as I tried formatting again and again, so got different messages).

Regedit and task manager are both disabled. So I am not able to edit the registry to remove the file references! Sysedit was also disabled, but after I deleted the svichosst.exe file from my system 32 folder (I have windows XP SP2) and also a hidden copy from some other folder, and also from the prefetch, sysedit is working but I don't see any odd file. I saw something in autoexec.bat and just deleted it fully to make it a blank file.
I also ran msconfig.. and removed the startup svichosst reference. But still it says at the time of booting svichosst not found.

Where is the bootup file that still looks for svichosst?
How to edit the registry if I cannot run regedit?
How will even an antivirus work if it cannot open the registry?
Is there any tool to do this/ clean this?

How to remove the virus from my pen drive? Assuming that it is still there (even after my formatting it, as I can still see the folder name.exe files!!). How will I format it without creating the virus again? I mean even if I am able to clean my desktop from virus by some tool which you suggest, how do I insert the pen drive without recreating the virus again, if it is there in the pen drive still? Is it still there?

[By the way, though this is not the place to ask this question, if you know, can you tell me or guide me to a link which will tell me whether a 4 GB Pen drive KINGSTON data traveller can become 1 GB after formatting? This is something that happened to me before the virus issue. I suddenly recalled today that hey, this was 4 GB, then how come I have been seeing 1 GB? Then I remembered that this happened when I formatted and never noticed!!]

Okay.. hope someone can tell me the solution.. I am hopeful of that.

Merry Christmas to those who are celebrating this tomorrow!!

Sd



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:19 PM

Posted 24 December 2007 - 09:20 AM

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive before we begin!

Reconfigure Windows XP to show hidden files, folders. Open My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK.

Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root. Repeat the search on all your drives (including your flash drive and any recent CDs you have used). If autorun.inf is present continue as follows:

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • Press OK.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Exit the command prompt and reboot normally.
When done remove the Startup RUN value by downloading and using Autoruns.

Please download MsnCleaner.zip and save to your Desktop. In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.
  • Extract (unzip) the file to your desktop. (click here if you're not sure how to do this) but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8. To do this restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
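
A read-only triage of an autorun.inf file before it is deleted as described in the post above, added here as an example and not part of the original thread or of any tool it mentions: it lists the commands the file would launch, so the files they name can be located and removed as well. The sample content is constructed from the file names mentioned in that post, and the function names are hypothetical.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)

def autorun_commands(text):
    """Return [(key, command)] for every launch entry in autorun.inf text."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:      # junk padding is skipped
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key.lower(), value))
    return found

def referenced_names(commands):
    """Distinct program and argument names to look for on the drive."""
    names = []
    for _, cmd in commands:
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd):
            name = quoted or bare
            if name.lower() not in (n.lower() for n in names):
                names.append(name)
    return names

# Constructed sample (assumption): not taken from a real infected drive.
SAMPLE = """\
; constructed sample
[AutoRun]
open=autorun.bat
shell\\open\\Command=autorun.bat
shell\\explore\\Command="wscript.exe" autorun.vbs
icon=folder.ico
"""

if __name__ == "__main__":
    cmds = autorun_commands(SAMPLE)
    for key, cmd in cmds:
        print(f"{key:24} -> {cmd}")
    print("look for:", referenced_names(cmds))
```
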

#3 sdas57


Posted 25 December 2007 - 08:33 AM

Thanks I will try these and tell you on 27th Dec 07 as I am not going to office before that. Then I will post the contents as asked for further investigation.

The matter is even more complicated but what you have said seems right as I did see an autorun.inf file on the USB.... even after formatting (on a different PC, which too must have got infected, and the virus must have spread on my office PCs through LAN (Endpoint symantec does not seem to prevent this!)).

Thanks once again. I will reply on 27th.

#4 quietman7


Posted 25 December 2007 - 10:02 AM

Yes you need to check any computer that your usb stick was plugged in to. Chances are they are infected as well. That's how this type of infection works.

#5 Turnips

Turnips

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 26 December 2007 - 08:03 PM

I'm sure that's the Rontokbro worm. I got that before! I solved it with a system restore.

#6 sdas57


Posted 27 December 2007 - 05:34 AM

No the system restore like regedit and task manager got disabled too. System restore did not actually get disabled but it did not restore -said "failed to restore, choose another point" So the worm was not allowing it to happen.

Anyway, I found there was no AUTORUN.INF file but an Autorun.ini file. It was found using your MSCLEANER!!! Very good program. I am unable to paste the contents as I ran it a second time and now it says detected files=0, cleaned=0 and undeleted files=0. But earlier first time it detected 3 files one was the autorun.ini and one was a log.txt and the 3rd was something (not an executable file but some system file) I forget now. However the first time I FORGOT to choose enable task manager etc. SO the 2nd time I did that and hey the task manager and regedit was again working.

I of course re-booted.
Additionally I also searched the file SSVICHOSST.EXE from the registry and deleted all references to that. Because otherwise it was appearing in the MSCONFIG -> startup choices though no program was not calling it now once the AUTORUN.INI file was deleted and any case I had earlier deleted the SSVICHOSST.exe manually also...

Now my PC is clean.
And yes the USB is also clean. I just low level formatted it, since it was having another problem- that of showing 1 GB space when it was 4 GB (not due to virus but because of some other reason- which I am not sure)

thanks for the great tip!!
Happy New Year!!
sd

#7 quietman7


Posted 27 December 2007 - 08:44 AM

Good job sdas57.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#8 ankdh

ankdh

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 30 December 2007 - 07:49 PM

Hello, I am a new user, and am suffering from a somewhat similar problem.

Basically, AVG has recognised, but repeatedly failed to heal a virus called 'autorun.inf'. The effect of the virus is that it stops you from being able to access folders and files [e.g Go to My Computer, click on C: drive, and it'll ask you what program you want to open C: drive with...]. I've been able to access everything as per normal by just right-clicking the Start Menu and clicking on 'explore' and working from there, but autorun.inf seems to project itself onto every other portable drive you stick into the computer, so it spreads to other computers etc.

It's very annoying, and though I've researched it a little, people seem unsure what it is and how to get rid of it. I gather that 'autorun.inf' itself isn't a virus, but it can be hijacked by something else. In any case, having tried various solutions, they all centre around starting the computer in safe mode, running a virus scan and removing the virus both manually and with anti-virus software.

The 'autorun.inf' file does not appear in the place it is listed [ C:drive ] however, and the anti-virus system always says it is unable to heal the file.

Thank you very much in advance for any help you may be able to provide [and I hope you're having a better new year than I...!]

{Apologies if this is posted in the wrong place}

#9 quietman7


Posted 30 December 2007 - 11:41 PM

Welcome to BC ankdh

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.

#10 tails doll

tails doll

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:19 PM

Posted 27 January 2011 - 09:21 PM

i am a new user :lol:
but
i got the same problem but i have windows 7 and norton is not deleting it...i tried everything from looking in the reg. to antiviruses
what should i do :(

#11 quietman7


Posted 28 January 2011 - 07:18 AM

Welcome to BC tails doll

The topic you replied to is four years old. Please read my previous post for starting your own topic.



