
malware infected laptop - worm.autorun



dear experts,

My laptop has been infected with Worm.AutoRun, as detected by Malwarebytes, but it is unable to disinfect/delete it. Please find the log report below...

I need your help.

regards,

pankaj

Malwarebytes' Anti-Malware 1.41

Database version: 3159

Windows 5.1.2600 Service Pack 3

11/13/2009 10:20:59 AM

mbam-log-2009-11-13 (10-20-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 234520

Time elapsed: 1 hour(s), 14 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\2D7E87\RegEx.fnr (Worm.AutoRun) -> No action taken.
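The log above is the standard Malwarebytes' Anti-Malware text report. As an added example (not code from the thread or from Malwarebytes), here is a small parser for that format that pulls out the summary counts and the individual detections, flags anything left at "No action taken", and applies a defender's heuristic drawn from this thread: a directory directly under system32 whose name is exactly six hex characters (2D7E87 here) is unusual on a stock Windows XP install and worth a second look. The sample log is a constructed copy of the relevant lines posted above, embedded so the script runs offline; `unresolved`, `suspicious_system32_dirs` and the regexes are my own names.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the relevant lines of the Malwarebytes log posted in
# this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3159
Windows 5.1.2600 Service Pack 3
11/13/2009 10:20:59 AM
mbam-log-2009-11-13 (10-20-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234520
Time elapsed: 1 hour(s), 14 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\2D7E87\RegEx.fnr (Worm.AutoRun) -> No action taken.
"""


class Detection(NamedTuple):
    section: str   # e.g. "Files Infected"
    path: str      # file, folder or registry path as printed in the log
    name: str      # detection name in parentheses, e.g. "Worm.AutoRun"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


# "Files Infected: 1" -> summary count line
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# "<path> (<name>) -> <action>." -> one detection line
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")
# Heuristic (assumption, not a vendor signature): a six-hex-character directory
# directly under system32, the naming pattern seen in this thread.
RANDOM_DIR_RE = re.compile(r"\\system32\\([0-9A-F]{6})\\", re.IGNORECASE)


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counts by category, list of detections)."""
    summary: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]          # detail section header starts here
            continue
        if section is None or line.startswith("("):
            continue                     # header lines / "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m["path"], m["name"], m["action"]))
    return summary, detections


def unresolved(detections: List[Detection]) -> List[Detection]:
    """Detections MBAM reported but did not remove (still present on disk)."""
    return [d for d in detections if d.action.lower().startswith("no action")]


def suspicious_system32_dirs(detections: List[Detection]) -> List[str]:
    """Six-hex-character system32 subdirectories referenced by any detection."""
    found = {m.group(1).upper() for d in detections
             for m in [RANDOM_DIR_RE.search(d.path)] if m}
    return sorted(found)


def summary_matches(summary: Dict[str, int], detections: List[Detection]) -> bool:
    """Sanity check: per-section item counts agree with the summary block."""
    return all(sum(1 for d in detections if d.section == sec) == n
               for sec, n in summary.items())


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    print("Counts consistent with detail sections:", summary_matches(counts, items))
    for d in unresolved(items):
        print("UNRESOLVED:", d.name, d.path)
    print("Random-looking system32 dirs to review:", suspicious_system32_dirs(items))
```

The directory heuristic only reports names that already appear in a detection line; it deliberately does not walk the filesystem, so it can be run on any saved log without touching the infected machine.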


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


ComboFix.txt


  • Staff

Hi,

The next database version of Malwarebytes should detect the variant you're dealing with.

Let's deal with this manually for now, so...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Folder::

c:\windows\system32\DF8D63

c:\windows\system32\D3BB71

c:\windows\system32\2D7E87

c:\windows\system32\494742

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Dear Expert,

As instructed in the above post, I have run the scan again. Please find below the txt file after the new scan...

hope to get further assistance from you...

thanks & best regards,

pankaj

ComboFix.txt


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


Thanks a lot for your help!

It all went right as advised; I rescanned the computer. But this morning when I restarted the laptop it showed me a blue screen with a memory error... Now I am using my friend's laptop to post this message.... Help me out, what to do now? It's asking me to run CHKDSK /F on the blue screen, but it's not booting...

requires desperate help.

regards,

Pankaj


  • Staff

Hi,

That's strange though... because you already rebooted twice after the instructions and there were no problems. Have you run chkdsk /f via the Recovery Console?

Also, have you tried "Last known Good"?

I see in your first log that Combofix deleted pciide.sys, which is a legitimate file, but Windows file protection kicked in here and immediately replaced the file again, because it allowed 2 reboots afterwards.

So that's why I doubt if it's the pciide.sys, because it won't allow a reboot after the first run...

But to make sure, use the Recovery Console option which ComboFix installed.

To start the Recovery Console when it is installed on your hard drive:

1. Reboot your computer and as Windows starts it will present you with your startup options for exactly two seconds, which in your case will be Microsoft Windows XP Professional and Microsoft Windows Recovery Console

2. With the arrow keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console (see my instructions below to copy the file).

To start the Recovery Console directly from the Windows XP CD you would do the following:

1. Insert the Windows XP cd in your computer.

2. Restart your computer so you are booting off of the CD.

3. When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.

4. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

5. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

6. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

In the Recovery Console,

Once at the command prompt, type carefully:

copy c:\windows\system32\dllcache\pciide.sys c:\windows\system32\drivers\pciide.sys

then press enter

then type exit at the command prompt, press enter and that will exit the Recovery Console and attempt to restart your machine

if it can not find the file at c:\windows\system32\dllcache\pciide.sys then type

copy c:\i386\pciide.sys c:\windows\system32\drivers\pciide.sys

But it's puzzling me why it allowed 2 reboots first (assuming the file was already restored via Windows file protection)...

A Windows repair install may fix this as well though. This won't delete any data.

See here how to do this: http://michaelstevenstech.com/XPrepairinstall.htm

Do this if the above doesn't work, because, as I said, I'm not sure it was indeed the pciide.sys, so a Windows repair install may fix whatever else was damaged by this worm.
