Grateful if you can help me with this impossible worm - a VBS varient, perhaps SASAN.D or SLOGOD.M.
OS: WinXP SP3
* Propogates rapidly through insertion of memory stick (I got it at hotel business centre in Djibouti - it's in my thumbdrives, laptop, and my desktop)
* Every 10 seconds it tries to activate CD-ROM drive (which makes a noise)
* Persistent "Windows - No Disk" Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
* Two new hidden files installed on memory stick within a few seconds of re-formatting:
Running HijackThis, I can see it:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\explorer.vbe
It may also be the wscript.exe that's running in the background.
What I have tried:
I've scanned with SpyBot S&D, Iobit Security 360, AVG, STOPZilla, and Windows OneCare Safety Scanner - to no avail. On both my laptop and PC. OneCare identified Worm:VBS/Slogod.M in c:/windows/system32/explorer.vbe in both computers, but cannot remove it.
I deactivated the warning messages that were slowing the machine by changing errormode value from 0 to 2 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]. This does not impact the infection though, just palliates the symptoms.
Can't follow directions for disabling the worm, as none of the registry files match those on my computer - http://about-threats.trendmicro.com/Archiv...=VBS_AGENT.AMAF