W32.SillyDC Infection, half resolved.



#1 Namso


Posted 15 September 2009 - 08:10 AM

Hi all, I saw the thread "W32.SillyDC Infection" and I have a similar problem to that user.

My computer had this autorun.inf virus, and NOD32 deleted it. But now I have these damn VBS Script files everywhere! It makes an image of my files. I have tried many software programs (NOD32, Norton, Spybot S&D, Ad-Aware, Malwarebytes), but none of them seem to be able to get rid of them!

I'm running Windows XP SP2 with Norton AntiVirus 2009.

Here is a picture of what I mean.
Posted Image

It has done this to a heap of my files. I've deleted as much as I can.

When I click on the "CORAL HOMES PTY LTD2.vbs" file, Norton shows this message.
Posted Image

It "blocks" it but does not delete it.

Please help, I've been trying to get rid of this thing for days, and it has now spread to my external hard drive with all my files too! :thumbsup:

Please help, any help at all will be sincerely appreciated.

Cheers
-Namso

PS. If you need any more info, please ask me and I will provide!

Edited by Namso, 15 September 2009 - 01:44 PM.



 


#2 Namso


Posted 16 September 2009 - 03:15 AM

The actual virus is called W32.SillyDC; it's a worm of some sort. It places an autorun.inf file on all your hard disks and removable storage drives.

When you plug it in, it runs that autorun.inf file, which executes a batch file that does all this crazy bleep (in some cases it disabled task manager, regedit and system restore).

In my case NOD32 deleted it before it could do anything, but for some reason, I had images of all my files everywhere, but as VBS Script files.

I found that all of the files were 11kb in size and modified on 24/03/2007 at 7:47am. They all had the same size/date.

So I did a search, specifying everything under 12kb that was modified/created 24/03/2007. Found 860 files, Ctrl+A, Shift+Delete, and now it's all gone.

Norton does not come up with all these notifications anymore, so I'm assuming it is clean. I will run a scan one more time though just to be safe. I'm so glad it's all gone, one of the most annoying viruses I've had in a while.
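
The size-and-date search described in this post can be done as a review step before anything is deleted. The following is an added example, not part of the original post: it groups `.vbs` files that share a size and a modification minute, then goes one step further than the post and confirms the group by content hash, so a legitimate script that merely matches on size and date is not swept up. The function names and the `min_cluster` threshold are assumptions.

```python
import hashlib
import os
from collections import defaultdict

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_vbs_clusters(root, min_cluster=5):
    """List groups of .vbs files with the same size, mtime minute and SHA-256.

    Nothing is deleted; the result is a list for a person to review.
    """
    by_meta = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".vbs"):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or removed while walking
            by_meta[(st.st_size, int(st.st_mtime) // 60)].append(path)
    clusters = []
    for (size, minute), paths in by_meta.items():
        if len(paths) < min_cluster:
            continue
        by_hash = defaultdict(list)  # split same-size files by actual content
        for p in paths:
            by_hash[sha256_of(p)].append(p)
        for digest, same in by_hash.items():
            if len(same) >= min_cluster:
                clusters.append({"size": size, "mtime_minute": minute,
                                 "sha256": digest, "paths": sorted(same)})
    return sorted(clusters, key=lambda c: -len(c["paths"]))

if __name__ == "__main__":
    import sys
    for c in find_vbs_clusters(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(len(c["paths"]), "files,", c["size"], "bytes, sha256", c["sha256"])
        for p in c["paths"]:
            print("   ", p)
```
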

#3 garmanma


Posted 16 September 2009 - 08:51 PM

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
-------------------------------

What it does:

The vaccination is twofold. If the computer's autorun settings are enabled, then files can spread to any drive that's plugged in. If the drives themselves are vaccinated, all the tool does is prevent the autorun.inf file from executing any of the malicious content that may have been copied to the drive when it's plugged in.

In other words, say you vaccinate your USB drive. The tool writes an autorun.inf file that's harmless. When it's inserted in a computer that does not have autorun disabled, the computer will attempt to read and process the autorun.inf file from the inserted drive. If an infection that spreads to network or USB drives is present on the computer, the infection may very well succeed in putting the files on the drive, but they will not be able to overwrite the autorun.inf file and as such the files will not run without user input (i.e. actually clicking on them).

If the computer's infected and that infection tries to multiply to external drives, then yes, it'll likely copy some files to it. You could then remove those as they wouldn't be running automatically once the drive's inserted in another PC. Nothing you do will stop files from being copied over to an external drive if an infection of that type is present on the system. Well, technically you can prevent that by setting the write protect mode, but not every USB drive has one of those and it prevents writing anything to the drive.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
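
An added example, not part of the posts above and not Flash_Disinfector's own code: it reports whether the root of a mounted drive holds no autorun.inf, a folder of that name (the vaccinated state described in post #3), or a real file, and for a file it lists the `[autorun]` entries that would start a program. The function names are assumptions, and `vaccinate` creates a plain folder without the hidden attribute the post mentions.

```python
import os

def find_autorun(drive_root):
    """Return the path of the root entry named autorun.inf (any case), or None."""
    for name in os.listdir(drive_root):
        if name.lower() == "autorun.inf":
            return os.path.join(drive_root, name)
    return None

def autorun_state(drive_root):
    """Return (state, launches): state is 'absent', 'folder' or 'file'.

    'folder' is the vaccinated state; for 'file', launches lists the
    (key, command) pairs from [autorun] that would start a program.
    """
    path = find_autorun(drive_root)
    if path is None:
        return ("absent", [])
    if os.path.isdir(path):
        return ("folder", [])
    with open(path, "rb") as f:
        text = f.read(1 << 20).decode("latin-1")  # tolerate junk padding
    launches, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value.strip()))
    return ("file", launches)

def vaccinate(drive_root):
    """Create a placeholder folder named autorun.inf only if the name is free."""
    if find_autorun(drive_root) is None:
        os.mkdir(os.path.join(drive_root, "autorun.inf"))
        return True
    return False  # an existing file is left in place for inspection

if __name__ == "__main__":
    import sys
    print(autorun_state(sys.argv[1] if len(sys.argv) > 1 else "."))
```
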



