Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Advanced Help Needed.


  • Please log in to reply
13 replies to this topic

#1 Obeyance

Obeyance

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 05 March 2009 - 03:49 PM

Ok time to write a book. First off my computer started acting funny. Nothing to far out of the ordinary for spyware/adware so i scanned and removed several objects, nothing ot major. But here in the past month my box has been acting real bad. Here in the past couple weeks has been the worst. It started with me not being able to run some programs here and there (they would crash before fully loading). Now its pretty much everything. If install something and run it it works fine. For instance. I can download and install Toribash, a small game, but the next time i run it it crashes. All of my games do the same thing. I can reinstall them and they work but if i try and play them after exiting they crash. And some of my system cleaning programs do the same. I have run hijack this and theres nothing out of the ordinary in there. Infact theres a lot less then normal (dot dot dot). I have run Malwarebyte's AntiMalware and it list off at least 4 files that it says are infected with "Backdoor.ProRat". It will not remove them without a restart. Thats fine and dandy but when i restart explorer.exe has a problem and wont load the desktop. I can fix that by killing explorer.exe in the taskmanager but malwarebyte's wont restart to clean the infection which its suposed to do before windows fully initializes. I went as far as downloading the trojan program itself and messing around with it (without clicking the server of course, im not dumb =p) and found that it has infection removal built in, just in case i guess but it responded with "you do not have ProRat on your system". Stumped i searched around for a ProRat specific removal program and found one. It also said i was not infected with ProRat. So now im starting to think that MwB's is wrong. But im lost on what to look for anymore. After playing around with my system for a few hours here (6 and a half to be correct) I have come to the relization of this.

A. The virus/worm/malware creates .tmp files with random names in "C:\Documents and Settings\Admin\Local Settings\temp" And in C:\Windows\Temp.
B. It affects explorer.exe
C. It changes registry keys for IE.

I dont use IE but w/e...

Here is the log from Malwarebyte's

---------------------------
Malwarebytes' Anti-Malware 1.34
Database version: 1819
Windows 5.1.2600 Service Pack 2

2009-03-05 06:42:54
mbam-log-2009-03-05 (06-42-47).txt

Scan type: Quick Scan
Objects scanned: 65239
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\temp\yha2.tmp (Backdoor.ProRat) -> No action taken.
C:\WINDOWS\temp\gia3.tmp (Backdoor.ProRat) -> No action taken.
C:\Documents and Settings\Admin\Local Settings\temp\qvg9E.tmp (Backdoor.ProRat) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\temp\yha2.tmp (Backdoor.ProRat) -> No action taken.
C:\WINDOWS\temp\gia3.tmp (Backdoor.ProRat) -> No action taken.
C:\Documents and Settings\Admin\Local Settings\temp\qvg9E.tmp (Backdoor.ProRat) -> No action taken.
-------------------------------------------------------------

Also. Theres a file im unfamiliar with and i cant find anything about it when i google it (im good at hunting down info generally) Its file name is btnconfig.

Further info here. I opened one of the .tmp files in notepad even though i figured it was going to be gobldyguk as its not a text document they still sometimes provide some kind of info even if its a word here a phase there. And i got this. It started out making the statement " L!��This program must be run under Win32 $7 " After that its gobldyguk as im sure we all figured, but the ending of the file caught me as striking. Heres the ending.


------------
' '  ‚ KERNEL32.DLL ADVAPI32.DLL COMCTL32.DLL GDI32.DLL MPR.DLL OLE32.DLL OLEAUT32.DLL USER32.DLL WSOCK32.DLL LoadLibraryA GetProcAddress RegCloseKey ImageList_Add BitBlt WNetCloseEnum IsEqualGUID SysStringLen GetDC )  / / ' ( l)   ! @K PK d[ t[ i i j j j j $j ,j 4j <j Dj Lj j j j k Pk k k l �l l €žn o 0p q q ts |u Dw (x x Hy †y |z “z z z œC C ) ) * * 4* N* i* €ž* * * * * * + (+ A+ P+ }+ €“+ + + + , J, o, €™, , , - 9- g- |- €™- - - - - . . /. D. ^. y. €ž. . €œ. Ÿ.               +    $ ( * ) ! # "  % & '      

,   . - @$xp$12Nmudp@TNMUDP @$xp$15Nmudp@TOnStatus @$xp$16Nmudp@TOnReceive @$xp$18Nmudp@TBuffInvalid @$xp$18Nmudp@UDPSockError @$xp$19Nmudp@THandlerEvent @$xp$19Nmudp@TOnErrorEvent @$xp$20Nmudp@TStreamInvalid @@Functionsunit@Finalize @@Functionsunit@Initialize @@Funcunit@Finalize @@Funcunit@Initialize @@Lifeunit@Finalize @@Lifeunit@Initialize @Nmudp@Finalization$qqrv @Nmudp@TNMUDP@ @Nmudp@TNMUDP@$bctr$qqrp18Classes@TComponent @Nmudp@TNMUDP@$bdtr$qqrv @Nmudp@TNMUDP@ErrorManager$qqrus @Nmudp@TNMUDP@Loaded$qqrv @Nmudp@TNMUDP@ProcessIncomingdata$qqrv @Nmudp@TNMUDP@ReadBuffer$qqrpcxiri @Nmudp@TNMUDP@ReadStream$qqrp15Classes@TStream @Nmudp@TNMUDP@ResolveRemoteHost$qqrv @Nmudp@TNMUDP@SendBuffer$qqrpxcxii @Nmudp@TNMUDP@SendStream$qqrp15Classes@TStream @Nmudp@TNMUDP@SetLocalPort$qqri @Nmudp@TNMUDP@SocketErrorStr$qqrus @Nmudp@TNMUDP@StatusMessage$qqruc17System@AnsiString @Nmudp@TNMUDP@WndProc$qqrr17Messages@TMessage @Nmudp@UDPSockError@ @Nmudp@_Cons_Err_Addr @Nmudp@_Cons_Err_Buffer @Nmudp@_Cons_Msg_Data @Nmudp@_Cons_Msg_ELkp @Nmudp@_Cons_Msg_Echk @Nmudp@_Cons_Msg_Eno @Nmudp@_Cons_Msg_InvStrm @Nmudp@_Cons_Msg_Lkp @Nmudp@_Cons_Msg_Wsk @Nmudp@_Cons_Palette_Inet @Nmudp@initialization$qqrv AttachHook Debug Initiate _FuncModule ___CPPdebugHook  9

------------------------
K now is when i say.. PLZ HLP KTHX. =(

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 05 March 2009 - 04:17 PM

Hello.

Backdoors are nasty and saying that it affects explorer.exe is another sign that it's a very nasty infection to deal with or have on your machine.

Posted ImageBackdoor Threat

IMPORTANT NOTE: Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Obeyance

Obeyance
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 05 March 2009 - 04:48 PM

Um. Yeah obviously i know thats its a trojan being as i said it was. I mean. Thats what Malwarebyte's says it is. Infact the trojan it says it is, is ProRat. Which i also said i believe to not be correct. I typed all this out in my post already. I think you need to reread my post.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 05 March 2009 - 05:08 PM

Hello.

I think you may need to re-read my post as well. I said you have a backdoor infection. It's no just a trojan. There are a lot of different types of Trojan out there, but specifically this one is a backdoor.

Why would you think MBAM is wrong and not the tool you used is wrong perhaps? I'm not saying that tool is wrong but why do you think MBAM is wrong just because that tool said it's not there? Also, downloading the Trojan itself was not wise, not even sure if that trojan you played around was the one you got infected. What about the term "self extracting"?

I suggest you read this page regarding the infection.

If you read that page, it shows that explorer gets modified in the registry and that is probably why explorer is not working well right now...

In the Summary section of that page it says:

Backdoor.Prorat:
Is a Backdoor Trojan horse that gives an attacker full control over your computer.
Opens a port on the system.
Is written in Delphi.
Is packed with UPX.


Also, the reason why you might of got the message "you do not have ProRat on your system" is because the main infection of it is already gone but only some leftovers remain. However, even if that is the case your computer was or may be compromised already.

Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Obeyance

Obeyance
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 05 March 2009 - 06:40 PM

No i understood what you said the first time. I know what you ment/mean. Im just aggravated and i felt like you were treating me as if i was stupid. Of course i understand what all that means as i used to be a script kiddy myself back when i was in the early teens. Its just stupid stuff kids do when they are heavy into computers and hacking (the correct term of the word that is). Learning. Im no longer a novice but i wouldnt consider myself pro. There still much to learn. Though programs like ProRat .. Sub7, Wincrash2k, BackOrifice, and the slew of other Server/Client trojans are pretty much all the same. Though i know that when used by malicious users they generally attach other more severe objects with it. As like in the Nimda virus which in itself is not that bad of a problem but the reason its so detrimental is because it piggy backs other bad things that the user attaches to it. Now. What im infected with might be as you said self extracting ProRat infected files here and there but only as a piggy backed and attaching it to the .tmp files its creating. The cause of the problem is not determined yet. The reason i downloaded ProRat is because i have used programs like it as i said there a min ago. The programs themselves generally have a cleaning utility or a "server remover" Just incase you are noobish and run the server on your own machine. I trust in the "honor amongst thieves" rule in that it does remove it. Even though this says there isnt anything on the computer MwB's still says that the files exist. Its contradictive. But if you look at the files it says are infected they are all .tmp files. The source creating the files is not found. Thats why im posting on here asking for suggestions. Formating is the sure fire best best but i have data on here that is not replacable and i have no way of transfering it off as this problem has spread across the board and is affecting my burner and other applications in which i would use to aid myself in fixing the problem. Thats why i ask for advanced users to help. Its not an easy fix. Its not an easy oh well its this right here answer. So help me out eh? As for explorer. Thats something i havent figured out yet as well. Yes i figure it has to do with my reg. But as im not to keen on how exactly to edit the registry im not going to go in there guns blazing and screw up my computer more lol. Though when i get home ill try and do what the removal tab says to do in the page you linked me. Though even that being said. I would still like assistance in what else it could be. Im in and out from work and i check messages often so post away.

#6 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:05:59 PM

Posted 05 March 2009 - 08:09 PM

What anti-virus are you running?
winkey.dll and reginv.dll are injected into most running processes, creating the tmp files.
Explorer.exe is replaced by fservice.exe in the Winlogon registry key.
It may also drop a fake version of "regedit" in C:\Windows. The fake one is about 72kb.
The original is about 142kb.
The "gobldyguk" is binary code, obscured by the FSG v2.0 Packer.
The bits you can read are just functions for the compiler.
Trojan Remover claims to remove it:
http://www.simplysup.com/tremover/index.html

This is a rather nasty program and the cleanup may require more than point and click.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 05 March 2009 - 08:21 PM

Hello.

I apologize if I dis-respected you in anyway and I'm sure you are a very experience user in computers and have a high degree of knowledge in computers. I did not mean in anyway to offend you or made you upset. If I did, I'm sorry.

If you took a look at the infection you know it's not a pleasant infection at all and is very nasty.

Formating is the sure fire best best but i have data on here that is not replacable and i have no way of transfering it off as this problem has spread across the board and is affecting my burner and other applications in which i would use to aid myself in fixing the problem.

I see, but my main message in my first post was to warn you that your computer may be compromised and to allow you to change any passwords etc... in case you do any financial dealings or anything related to that fast. I was not forcing you to format the computer. I just wanted to let you know the infection you have currently. If you do not want to format, just reply back telling us so.

As Raw mentioned this is not a easy infection to deal with using the common tools or windows built in tools or a process that takes a few clicks. I'm sure you are aware of that and therefore I will not go into details.

With that said it would be better if you start another topic in the HJT-Malware Removal forum for further assistance, as some tools are restricted in this area and cannot be used to deal with certain infections.

Preparation Guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you have no reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

Good Luck!

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:59 PM

Posted 05 March 2009 - 11:31 PM

Our staff members are all trained volunteers who freely give their time to assist folks with malware removal. Part of that assistance is to ensure members understand the nature of the infection and available options. Most of our members are novice users and we provide help based on that since we do not know the extent of experience or knowledge they may have.

Your tone has been disrespectful to extremeboy who was offering you his expert assistance. While I understand your frustration with dealing with malware infection, condescending and disrespectful remarks will not be tolerated. If you cannot respect our staff, then maybe our community is not the place for you to participate.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Obeyance

Obeyance
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 06 March 2009 - 02:00 PM

Ok I followed the page you linked and found nothing wrong. I did download Glary Registry Repair and it found a ton of errors (i dont remember how many but it was a 3 digit number). I restarted into safe mode and ran MBAM and it found the same temp files (with different names as per usual) I restarted to complete and it didnt do anything again. I ran the scan again and the files are still there but with different names. After running the Registry Repair program and booting into safemode the first time explorer.exe didn't have any problems. But after spending 2 hours in safe mode running scans and digging around, i found nothing else to report. MBAM doesn't find anything other then the .tmp files. I got Adaware to run finally. I guess the registry repair was what i need for programs to run correctly. It found 11 MRU List which isnt really that big of a deal as you know, but it did find 16 "Win32.Virus.Parite". I downloaded what raw said reportedly removes ProRat, and ran it. It did not find Prorat but it did say that my userint.exe file was either an incorrect size or version but could not fix it due to it being a system file and there not being a backup of it. On restart Adaware did not remove the files selected to be removed at restart. The file that i find to be the most consistent is *da2.tmp (where as the astric is used correctly and means its a wildcard "yda2.tmp, ada2.tmp" ect ect) I believe that the file is rotating names before or after i restart as to avoid being removed. There is now a new file in the temp folder that hasnt been there. Adaware found it as a Win32.virus.parite as well. Its file name is "temp.fr2A82" Im unsure if its file name rotates as well as of yet. Any info usable here in diagnosing the culprit?


From reading some other forum post here and there via google search. I have found out that Pirate is most likely the real reason. People are saying its doing about the same thing to their machines as it is mine. Now the problem is to find out how to get rid of it. Which everyone is saying formate again. Like i said before. I know its the "sure fire way" to fix all problems but i cant quit do that. That is my last ditch effort.

Edited by Obeyance, 06 March 2009 - 02:22 PM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 06 March 2009 - 03:33 PM

Hello.

Preparation Guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you have no reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

Posting in that topic might be better right now. If userinit.exe is really infected then I suggest you even more to start a topic over there. Quick note, if your computer does NOT have a clean copy of userinit.exe then you would need your windows disk to repair that specfic file. That was why you might first want to do a repiar install and then format the computer. Anyways, since you don't want to please start a topic in that forum.

Good luck.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Obeyance

Obeyance
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 06 March 2009 - 08:04 PM

Which topic to post under? I seem to have a problem with finding the correct place to put things on here heh.

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 06 March 2009 - 08:37 PM

Hello.

I said the HJT-Malware Removal forum. Did you not see the links I provided under that and in post #7?

Read the Preparation Guide first and follow the instructions there to scan with DDS.exe

Then post it in the HJT-Malware Removal forum with the DDS logs add in any description as needed.. You will probably not receive a reply fairly quickly, it may take up to 5 days or more/less. That is where the 5 days no reply forum comes in to play. If you do not get a reply withing 5 days or more, post a topic there to remind us. Once you post a post there you will probably receive a reply withing a few days. Please be patient as we have over 500 logs that need to be answered. :thumbsup:

Good luck :flowers:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 Obeyance

Obeyance
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 07 March 2009 - 02:52 AM

Problem solved. After about 12 hours of cleaning my system is free of infection. Nothing i have shows anything on the system anymore and nothing comes up in my network tools either. NOD32 came in real handy. I will probably buy this tool as it fixed my other computers problems as well.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 07 March 2009 - 11:30 AM

Glad you fixed it and thanks for letting us know.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smrgsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck

With Regards,
Extremeboy

Edited by extremeboy, 07 March 2009 - 11:31 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users