Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Evil Unkown Autorun Trojan, Can't Get Rid Of It

  • Please log in to reply
1 reply to this topic

#1 AugustusTech


  • Members
  • 1 posts
  • Local time:11:50 PM

Posted 13 September 2008 - 10:02 PM

Hi Guys. I have been infected by the most cruel virus/trojan I have ever seen. I have no idea what it is called nor how to stop it, but I've learned some things about it. First up, the internet does not appear to be working on my pc so I am typing this from a dodgey university computer. I couldnt get the actual hihjack this logfile (since the net is down and this thing loads itself to drives) but I took a picture of it, then am going to type it off of that.

R1 - HKCU\Software\Microsoft\Windows\Current Version\Internet Settings, Proxy Server = Proxyhost.canberra.edu.au: 80
04 - HKLM\..\[Nod32Kui] "C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
04 - HKLM\..\Run: [Nwiz] nwiz.exe /install
04 - HKLM\..\[NvMediaCenter] RunDll32.exe C:\Windows\system32\NvMcTray.dll, NvTaskbarInit
04 - HKLM\..\[Soundman] Soundman.exe
04 - HKLM\..\[CTFMon] ctfmon.exe C:\Windows\system32\Ctfmon
04 - Global Startup - Thunder.exe
08 - Extra Context menu item: E&xport to Microsoft Excel - res://C:\Progra~1\Micro~2\Office11\Excel.exe\3000
09 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Progra~1\Micro~2\Office11\REFIEBAR.DLL
09 - Exra Button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Netword Diagnostic\xpnetdiag.exe (file missing)
09 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
09 - Extra 'Tools' Menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
020 - Winlogon Notify: dimsntfy - %systemroot%\system32\dimsntfy.dll (file missing)
023 - Service: NOD32 Kernel Service (Nod32krn) - ESET - C:\Program Files\Eset\Nod32krn.exe
023 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Windows Firewall is automatically turned off,
the system clock is changed to 2004,
My Virus scanner (Nod32) has been messed with and shut down,
Another Prgram is using regedit so i cant access it,
Can not get into safe mode
I couldnt view hidden files (this time I turned on hidden files before that got broken)
Internet isnt working properly
Computer is slower
Process Explorer gets shutdown when i start it

The Virus
From the time I have spent fighting this thing I have found this. It loads an autorun file (autorun.inf i think, dont quote me on the ext) program onto all drives along with the file it loads, an msdos batch file, name changes each time i kill off the virus - So far it has been KDG, MOON, KG and now CSG. The autorun text reads [Autorun] Shell\open=jibberish letters Shell\Open\command=KDG.pif (or whatever correspoding virus it has loaded). It then does the same for explore. thus if you try to open the hard drive you will install that process and cant open it. A way around this is to use run to go to C: . I have edited the autorun to not do so.

I believe the virus has replaced windows files from a message i got from windows once.
I don't know what the virus is, nor where its head files are.

I don't know what started this virus, I can't say I've been on any risky sites. Before the virus loaded I had tried to download windows live messenger. When the virus hit, i managed to get into system restore, but it came back pretty quick. After a while I decided to reinstall windows but it came back later. I then formatted the entire hd and reinstalled windows and thought I was doing fine, next day I see the same symptoms and my heart sinks.
I am running another hard drive and where as it does infect all hard drives, before I formatted I took the infection off of this hard drive (used restore to give me enough time to get into safe mode). I don't think it has come back this way. I am on a campus network at university, maybe it is infected? The last thing that happened before i caught it this time was my now newly installed Windows Office started loading something from the internet. Is a campus borne virus using legit windows programs (Live, Office) to get in?

I have a group of major law essays due soon and am already behind because of this. I'm sure I can get to safe mode by restore, but I need some information of what I am dealing with. Please help.

EDIT: I have been looking over the system volume information folder. I realized that they are also loaded onto my other hard drive, and that System Restore has loaded a jibberish named msdos batch file along with an autorun file in all of the restore points, and that the change logs include a ref to the autorun inf and the proper name for the msdos batch file (such as MOON). I am thinking that this may have carried the virus to my new format. It also seems that a trojan IS on the network. The network has been constantly crashing and somebody else has mentioned a trojan attacking their system.
Also, i can now get the internet to work through firefox.

Edited by AugustusTech, 14 September 2008 - 01:55 AM.

BC AdBot (Login to Remove)


#2 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:50 AM

Posted 14 September 2008 - 04:00 PM

Hi AugustusTech

First, manually reset your system clock if possible. Then run the following procedure...

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Reagardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users