pauldfreed Posted September 21, 2009

Hello, I've run across a problem. I'm getting an identification of Worm.AutoRun on full scans. When I tell it to clean and reboot, it either is still there or comes back within one or two reboots. The file being identified is C:\Windows\System32\utorrent.exe. I've scanned the computer with Avira, AVG, Bitdefender and a couple of other utilities and they find nothing. The problem is, it keeps coming back. We're pretty sure that the thing is an infection and not a false positive, because if you create a file utorrent.exe and try to copy it into C:\Windows\System32 you get an access denied error. We can't see the file in Explorer, or using a BartPE disk or Linux System Rescue CD, yet we keep being told it's there by Malwarebytes'. Hooked the hard drive into another computer and it now scans with the same Worm.AutoRun. Any suggestions, other than nuke from orbit and scrub to bare metal?

PS: Combofix identifies this pest, but fails to clean it. It also seems to be turning System Restore back on.
pauldfreed (author) Posted September 21, 2009

Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:15 PM, on 9/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Install Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tms.selfip.com:5720/access/accessRoot.asp?39356
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TMS Client Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tms.ywttinc.com:5720/inc/kaxRemote.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TMS Client (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4964 bytes

And before I get scolded for having more than one active antivirus program, this is the computer I was testing the original infected hard drive on that the virus jumped to. This system only had Avira running on it at the time of infection. I've been trying to find something, anything, that will detect and clean this little bugger off. So far only Malwarebytes' and Combofix will detect it.
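A small triage helper for the log format posted above, added here as an example and not part of the thread or of HijackThis itself: it parses the "Oxx - ..." entries, pulls out the executable path from each O4 autorun and O23 service line, and flags a watched filename (the utorrent.exe reported in the first post) or a service whose owner HijackThis could not resolve. The sample log is constructed from a few of the thread's entries; the [utorrent] Run entry is invented to show what Run-key persistence for that file would look like and is not in the poster's actual log.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 format: five lines modelled on the thread's log
# plus an invented [utorrent] Run entry (NOT in the poster's log) showing what a
# Run-key persistence entry for the reported file would look like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O4 - HKLM\..\Run: [utorrent] C:\WINDOWS\System32\utorrent.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")   # "O4 - <body>"
# Executable path: quoted, or a bare drive path (spaces allowed; trailing args ignored).
PATH_RE = re.compile(r'"([^"]+\.exe)"|([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

Entry = Tuple[str, str, Optional[str]]  # (section, body, executable path or None)


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m["body"])
        path = (p.group(1) or p.group(2)) if p else None
        entries.append((m["sec"], m["body"], path))
    return entries


def triage(entries: List[Entry], watch=("utorrent.exe",)) -> List[str]:
    """Flag O4 (autorun) and O23 (service) entries a responder should look at first:
    a watched filename anywhere, or a service whose owner HijackThis could not resolve."""
    findings = []
    for sec, body, path in entries:
        if sec not in ("O4", "O23") or not path:
            continue
        name = ntpath.basename(path).lower()
        if name in watch:
            findings.append(f"{sec}: watched file {name} -> {path}")
        elif sec == "O23" and "unknown owner" in body.lower():
            findings.append(f"{sec}: service with unknown owner -> {path}")
    return findings
```

Run against the poster's full log, the same two rules would surface only the "ATI Smart - Unknown owner" service, since no visible autorun or service entry references utorrent.exe; that absence is itself worth noting when the detection keeps returning.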