
Trojan.win32.Autorun.hrn



#1 Aidi (Members, 1 posts)

Posted 22 November 2009 - 11:48 PM

Hi

My problem is:
The source is USB Flash Memory
Zone Alarm caught viruses and deleted them.

Then I have faced these issues:
Incorrect password when logging in. I used another account to find that what I pressed on the keyboard was not always what appeared in Notepad. (I copied my password after writing it in Notepad and switched to my full-access account.)

Task Manager disabled, Folder Options Missed.

I ran a Zone Alarm scan; autorun.inf was found on each drive, reported as Trojan.win32.Autorun.hrn.
As a fix it deleted them.

I have run Spybot S&D, and found some problems:
22.11.2009 21:01:30 - found: Microsoft.Windows.Explorer User settings
22.11.2009 21:01:30 - found: Microsoft.Windows.Explorer User settings
22.11.2009 21:01:46 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings
22.11.2009 21:01:46 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings
22.11.2009 21:01:51 - found: Microsoft.WindowsSecurityCenter.RegistryTools Settings
22.11.2009 21:01:51 - found: Microsoft.WindowsSecurityCenter.RegistryTools Settings

Fixed them and restarted my machine.
Oops, the symptoms came back.

Restarted into Safe Mode.

Using TuneUp StartUp Manager I found 6 new entries among the automatically starting programs:
2 of them are in the Necessary Startup Programs category, both called "Volume Control" and pointing to Start Menu\Programs\startup\sndvol32.exe, one in the All Users folder and the other in my account folder.
I tried to disable them and delete them, but an "access denied" error box appeared.

The other 4 startup programs are all called "Generic Host Process ..." I deleted them, and don't remember the names exactly.
Anyway, one of them pointed to svchost.exe in a Temp folder.
Another one pointed to Templates/cash.
This is what I can remember.

I went to the Start Menu\Programs\startup\ folder but couldn't find sndvol32.exe. Using the command line (cmd) I navigated to Start Menu\Programs\startup\ and ran dir /a:s, and it appeared, so:

attrib -s -h -r sndvol32.exe
del sndvol32.exe


I did this on each user and All Users startup folder.

I went to C:\ and ran edit autorun.inf. I found that it directs the Open and Explore commands to thumbs.db, and adds an "Open in SAFE MODE" command to the context menu.

c:
cd \
attrib -s -h -r thumbs.db
del thumbs.db


I did this for each drive.

Then I restarted into Safe Mode again.
Oops :flowers:, everything returned as it was.

I googled it and reached this page:
http://forum.avira.com/wbb/index.php?page=...p;postID=858571

When I read "ComboFix does the job.", I searched for it, downloaded it and ran it (:trumpet: I know I shouldn't do that directly).
Anyway, I think it did the job and removed the infected files.

I'm writing this post after finishing with ComboFix, and I'm going to restart my machine now. I hope the nightmare has ended.

Can I post the ComboFix log :thumbsup: ?
And how can I protect my PC from USB attacks?

Thanks a lot.


#2 boopme (Global Moderator, 72,760 posts, NJ USA)

Posted 23 November 2009 - 01:12 PM

Hello, you will still need to run this. ComboFix logs can only be posted with an HJT log when requested in the HJT Malware Removal forum.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder... it will help protect your drives from future infection by keeping the autorun file from being installed.



Please Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log
and reboot into normal mode.



