
Recurring Win32:agent-hig [wrm] Detected On Autorun.inf


8 replies to this topic

#1 neurowhat

neurowhat

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:01 AM

Posted 30 January 2008 - 01:52 PM

Hi -
I seem to have brought home some worm or virus from my computer at work through my flashdrive. I noticed earlier today that there was a strange .exe file in my main folder on my flashdrive. Its name is: S-1-5-21-1214440339.exe. I have to admit that I did click on it after a while because I thought it was a program file I had downloaded for a colleague. It wasn't. Clicking on it didn't do anything though (that I observed).

However, later when I had restarted my laptop, the C: folder kept opening up automatically and if I closed it it would reopen once more. I then looked at the folder and noticed the same S...0339.exe file. I ran Avast and it detected a Win32: Agent-HIG [Wrm] on the autorun.inf file - twice (once in C: and once in C:\Documents and Settings\Owner). A JS:Redirector [trj] was also found in the C:\Documents and Settings\Owner\Local Settings\Applications folder. I moved these files to the chest. At some point during the scan, my computer shut down (not so weird because it has been doing that every once in a while for the past few months).

I restarted my laptop and there was the C folder again with the same strange file. This time when I ran Avast and it found the same worm again I decided to delete the autorun.inf file.

Less than 10 minutes later the files are back on the C drive AND on my flashdrive which was clear only moments ago.
Also the D drive has the same files in it. I am afraid to look but I am sure my iPod and my external hard drive which were connected earlier today will have the same files also.

My latest attempt has been to delete the S-etc.exe file and move the infected autorun.inf file to the chest and I did this for both C and D drives. It keeps coming back. I am not sure if it's because once I open a folder that has this file it sends to the other drives or what.


Please - What is this and How do I get rid of it?
If I delete the autorun.inf file from my C: drive will I be able to restart my computer normally?



#2 neurowhat

Posted 31 January 2008 - 04:31 AM

CAN'T ANYBODY HELP ME????
I am so surprised that no one out there has ANY suggestions. The same happened at forum.avast.com until someone there recommended this forum. Is this that complicated of a problem???

I have at this point, through the use of only virus scanning, deleted and moved all the infected files. They are in the restore folders, the recycled folders, and every time I actually click on a drive to open it - the files come back.

When everything is secured and out of the way however - particularly the infected autorun.inf files - when I right click on a drive, instead of "open" and "explore" I get random symbols like "!?"!#" but they seem to be foreign language symbols like the upside down ? in Spanish.

I wonder if it is possible to create a new autorun.inf file?

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,948 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:01 AM

Posted 01 February 2008 - 06:30 AM

From what you describe, it appears to be a flash drive infection. Symptoms include the inability to open drives/partitions.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: dir /s S-1-5-21-1214440339.exe
  • Hit Enter.
  • If the file is present, type: del S-1-5-21-1214440339.exe
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Exit the command prompt.
Go to Start > Run and type: regedit
Press "OK" and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane you should see the default entries:
Shell = Explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe,


Post back and let me know if that's what you see.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

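An added example, not code from the thread or from BleepingComputer, that does offline what post #3 asks the reader to do by hand: list the programs an autorun.inf would launch, and split the Winlogon Userinit value to flag anything other than the stock userinit.exe (the same expected value post #7 restores). The autorun.inf text is constructed; only the executable name and the Userinit values are the ones quoted in the thread.

```python
import configparser

# Constructed sample autorun.inf of the kind a flash-drive worm drops in the
# root of every drive; only the executable name is taken from the thread.
SAMPLE_AUTORUN_INF = """[autorun]
label=Removable Disk
icon=%SystemRoot%\\system32\\shell32.dll,4
open=S-1-5-21-1214440339.exe
shellexecute=S-1-5-21-1214440339.exe
shell\\open\\command=S-1-5-21-1214440339.exe
"""

# Stock Winlogon Userinit value quoted in the post, trailing comma included.
EXPECTED_USERINIT = "C:\\WINDOWS\\system32\\userinit.exe,"

def autorun_launch_targets(inf_text):
    """Return (key, program) for each [autorun] entry that runs something.
    open=, shellexecute= and shell\\...\\command= launch; label= and icon=
    do not. A file configparser cannot parse (worms often pad autorun.inf
    with junk) yields an empty list instead of raising."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key, value in cp.items("autorun"):  # keys are lower-cased by configparser
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets

def userinit_extras(value):
    """Split the Userinit string on commas and return every entry other than
    the stock userinit.exe; in the thread that was S-1-5-21-1214440339.exe.
    An empty result means the value is what quietman7 expects to see."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "userinit.exe":
            extras.append(entry)
    return extras
```

Running `userinit_extras("userinit.exe,S-1-5-21-1214440339.exe")` returns the worm entry the poster later found in post #6, while the stock value returns an empty list.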

#4 neurowhat

Posted 05 February 2008 - 08:11 AM

Thank you for your response. I don't seem to have much trouble for the time being as the virus/worm no longer comes up with the virus scans. However, I still have no autorun.inf files.
Should I still go through your suggestions?
If so, I am not clear on your steps regarding the deletion of directories:

"Go to Start > Run and type: cmd

* press Ok.
* At the command prompt, type in your primary drive location, usually C:
* You may need to change the directory. If so type: cd \
* Hit Enter.
* Type: dir /s S-1-5-21-1214440339.exe
* Hit Enter.
* If the file is present, type: del S-1-5-21-1214440339.exe
* Hit Enter.
* Repeat the above commands for each drive on your computer.
* Exit the command prompt."


When you say repeat the above commands for each drive on your computer - am I simply searching for the s---etc .exe file and deleting only that? I wouldn't be deleting any directories themselves, right?

P.S. to you and all other readers of my post: I apologize if my second post sounded impatient or nasty. I didn't mean it to come out that way.

#5 quietman7

Posted 05 February 2008 - 09:08 AM

I am not clear on your steps regarding the deletion of directories

I'm not asking you to delete a directory. I'm having you search a directory and delete S-1-5-21-1214440339.exe if it's found. And yes, you should repeat the search on each drive to see if the file is present and delete it if it is.

Then I'm having you check the Shell and Userinit keys in your registry to see if they are ok or have been modified.

#6 neurowhat

Posted 05 February 2008 - 10:35 AM

I followed your instructions to the letter and then again by excluding that lower case "s" in this line:
Type: dir /s S-1-5-21-1214440339.exe in case it was a mistake.

The file was not found in any of my directories.

So I went ahead with the second part of the instructions and looked in the registry
I found:
Shell = Explorer.exe
BUT
for Userinit = userinit.exe,S-1-5-21-1214440339.exe

#7 quietman7

Posted 05 February 2008 - 10:47 AM

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File > Exit.
Go to Start > Run and type: regedit
Press "OK" and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right hand pane, double-click on Userinit
In the 'Edit String' box, edit the "Value data:" to read exactly (including the comma on the end) as follows: C:\WINDOWS\system32\userinit.exe,
Press "OK" when done.
Exit regedit and reboot your computer.

#8 neurowhat

Posted 05 February 2008 - 11:04 AM

Looks like it worked!
Thank you very very much!

#9 quietman7

Posted 05 February 2008 - 11:19 AM

Good job.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




