Series of attacks from TR and Worm.Autorun


Hello MBAM support team,

I have been hit hard by a series of threats, as briefly described in my post title. I will do my best to illustrate how the problem surfaced and what I did to remove them.

[Causes]

1) I had a Kingmax 2GB reader and a Kingsoft Data Traveler USB pen drive in two of my USB ports. After removing the Kingsoft Data Traveler pen drive, my computer began to open multiple instances of cmd.exe, net1.exe, net.exe, ipconfig.exe, and wcoredt.exe.

2) The virus disabled the System Restore function (it says that Group Policy has changed the rights and won't allow me to re-enable it; when I try to re-enable it, an error appears).

3) I was also unable to open antivirus websites to run online scans, nor could I update my virus protection software.

4) The virus also hacked the AVG anti-virus program.

[Attempted Solution]

I was able to use Avira to scan for viruses and came across one that caught my attention: *Worm.Autorun 265223*. This worm pointed to wcoredt.exe, so I allowed Avira to delete the file, and then my computer was back to its original state.

I ran CCleaner and ATF-Cleaner after doing this. Then I ran a Spybot scan, but it didn't detect any possible threats. SuperAntiSpyware detected one backdoor, which was removed.

However, I'm still not convinced that the virus has been completely removed. I have ComboFix and GRE Rootkit scan on my computer but haven't run them yet. I'm hoping that your team could assist and guide me in cleaning my computer up. Since my computer was restored, I was able to update Malwarebytes and do a Panda ActiveScan.

Here is the Malwarebytes log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3787
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

25/02/2010 12:06:46 PM
mbam-log-2010-02-25 (12-06-46).txt

Scan type: Quick Scan
Objects scanned: 108835
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===================

Here is the Panda ActiveScan file

;*******************************************************************************
ANALYSIS: 2010-02-25 11:51:25
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description        Version   Active  Updated
;===============================================================================
AntiVir Desktop    9.0.1.32  No      No
;===============================================================================
MALWARE
Id        Description           Type          Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
01674996  Application/Psexec.A  HackTools     No      0         No             No           c:\documents and settings\administrator\my documents\torrents\completed\combofix - must have- windows antivirus spyware remover- smitfraud virtuemoddll vundo pchurricane.com.zip[combofix.exe][32788r22fwjfw\psexec.cfexe]
04186388  Generic Trojan        Virus/Trojan  No      0         Yes            No           c:\documents and settings\administrator\my documents\torrents\completed\combofix - must have- windows antivirus spyware remover- smitfraud virtuemoddll vundo pchurricane.com.zip[combofix.exe]
;===============================================================================
SUSPECTS
Sent  Location
;===============================================================================
No    c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\trpyys8c\debug[1].zip
;===============================================================================
VULNERABILITIES
Id      Severity  Description
;===============================================================================
217842  HIGH      MS10-015
217839  HIGH      MS10-012
217838  HIGH      MS10-011
217834  HIGH      MS10-008
217833  HIGH      MS10-007
217832  HIGH      MS10-006
217831  HIGH      MS10-005
217169  HIGH      MS10-002
216839  HIGH      MS10-001
215938  HIGH      MS09-072
215935  HIGH      MS09-069
215048  HIGH      MS09-065
214076  HIGH      MS09-059
971486  HIGH      MS09-058
214074  HIGH      MS09-057
214073  HIGH      MS09-056
214072  HIGH      MS09-055
214071  HIGH      MS09-054
213109  HIGH      MS09-046
212494  HIGH      MS09-042
212493  HIGH      MS09-041
212530  HIGH      MS09-034
211784  HIGH      MS09-032
211781  HIGH      MS09-029
210625  HIGH      MS09-026
210624  HIGH      MS09-025
210621  HIGH      MS09-022
210618  HIGH      MS09-019
208380  HIGH      MS09-015
208378  HIGH      MS09-013
208377  HIGH      MS09-012
206981  HIGH      MS09-007
206980  HIGH      MS09-006
204670  HIGH      MS09-001
203505  HIGH      MS08-071
202465  HIGH      MS08-068
201683  HIGH      MS08-067
201258  HIGH      MS08-066
201256  HIGH      MS08-064
201255  HIGH      MS08-063
201253  HIGH      MS08-061
209275  HIGH      MS08-049
196455  MEDIUM    MS08-037
194862  HIGH      MS08-032
194860  HIGH      MS08-030
191618  HIGH      MS08-025
191616  HIGH      MS08-023
191614  HIGH      MS08-021
191613  HIGH      MS08-020
187733  HIGH      MS08-008
184380  MEDIUM    MS08-002
184379  MEDIUM    MS08-001
182046  HIGH      MS07-067
179553  HIGH      MS07-061
176383  HIGH      MS07-058
170907  HIGH      MS07-046
170904  HIGH      MS07-043
164915  HIGH      MS07-035
164911  HIGH      MS07-031
157262  HIGH      MS07-022
157261  HIGH      MS07-021
157260  HIGH      MS07-020
157259  HIGH      MS07-019
156477  HIGH      MS07-017
150249  HIGH      MS07-013
150248  HIGH      MS07-012
150247  HIGH      MS07-011
150243  HIGH      MS07-008
150242  HIGH      MS07-007
150241  MEDIUM    MS07-006
141033  MEDIUM    MS06-075
137571  HIGH      MS06-070
133387  MEDIUM    MS06-065
133386  MEDIUM    MS06-064
133385  MEDIUM    MS06-063
133379  HIGH      MS06-057
129977  MEDIUM    MS06-053
129976  MEDIUM    MS06-052
126093  HIGH      MS06-051
126092  MEDIUM    MS06-050
126087  HIGH      MS06-046
126086  MEDIUM    MS06-045
126082  HIGH      MS06-041
126081  HIGH      MS06-040
123421  HIGH      MS06-036
123420  HIGH      MS06-035
120825  MEDIUM    MS06-032
120823  MEDIUM    MS06-030
120818  HIGH      MS06-025
120815  HIGH      MS06-022
117384  MEDIUM    MS06-018
114666  HIGH      MS06-015
108744  MEDIUM    MS06-008
108743  MEDIUM    MS06-007
108742  MEDIUM    MS06-006
104567  HIGH      MS06-002
104237  HIGH      MS06-001
96574   HIGH      MS05-053
93395   HIGH      MS05-051
93454   MEDIUM    MS05-049
;===============================================================================
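The three host-side symptoms in the post above (a Debugger value planted under Image File Execution Options, System Restore locked out "by Group Policy", and security-vendor sites unreachable) can each be checked directly. The script below is an added example and is not part of the original thread or of any Malwarebytes tool; it is read-only and only reports. It assumes PowerShell 2.0 or later, an elevated prompt, and a vendor name list that is illustrative and should be extended for the tools you actually use.

```powershell
# Added triage script (not from the original thread). Read-only: reports, changes nothing.
# Assumes PowerShell 2.0+ on the affected host, run from an elevated prompt.

# 1. IFEO hijack. A "Debugger" value under IFEO\<image name> makes Windows start that
#    debugger instead of the image, which is how malware neuters tools such as conime.exe
#    or an antivirus executable without touching the file itself.
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

# 2. System Restore disabled by policy. DisableSR / DisableConfig under the policy key
#    produce exactly the "Group Policy has changed the rights" message the poster saw,
#    whether a domain admin or a worm wrote them.
function Get-SystemRestorePolicy {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        PolicyKeyExists = ($p -ne $null)
        DisableSR       = $p.DisableSR
        DisableConfig   = $p.DisableConfig
    }
}

# 3. hosts-file redirection of security-vendor sites, one common way an autorun worm
#    blocks AV updates and online scanners.
function Get-SuspiciousHostsEntries {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        # assumption: an illustrative vendor list, extend it for your own tools
        [string[]]$Vendors = @('malwarebytes', 'avira', 'avg', 'kaspersky', 'symantec',
                               'mcafee', 'pandasecurity', 'trendmicro', 'microsoft', 'eset')
    )
    foreach ($raw in (Get-Content -Path $HostsPath -ErrorAction SilentlyContinue)) {
        $line = ($raw -split '#')[0].Trim()       # drop comments and blank lines
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            foreach ($v in $Vendors) {
                if ($name -like "*$v*") {
                    New-Object PSObject -Property @{ IP = $ip; Host = $name }
                    break
                }
            }
        }
    }
}

'== IFEO Debugger values =='
Get-IfeoDebuggerEntries | Format-Table -AutoSize
'== System Restore policy =='
Get-SystemRestorePolicy | Format-List
'== hosts entries naming security vendors =='
Get-SuspiciousHostsEntries | Format-Table -AutoSize
```

Two caveats before acting on the output. A Debugger value is not proof of infection on its own: developers and some legitimate tools (Process Explorer's "replace Task Manager" option, for one) use the same mechanism, so judge each entry by what the debugger path points to. And the hosts check only looks at the default location; a `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` can point the resolver at a different copy, which is worth reading too. Once the host is clean, removing the DisableSR / DisableConfig values restores the System Restore controls that the poster found greyed out.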


You had an autorun infection and the 2 USB drives were a central part in spreading the infection. They have to be cleaned as well.

Tell me if you have resolved your issues.

If you still need guided help, please print out, read and follow the directions here, skipping any steps you are unable to complete.

Copy & Paste in a reply here the Gmer.txt log, and the DDS logs.
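The point about the USB drives deserves a concrete check. The following is an added example, not part of the thread or of any tool the moderator asked for: it inspects every removable drive for an autorun.inf, parses the `[autorun]` section to show which file a double-click or AutoPlay would have launched, and with `-Remove` deletes the file. It assumes PowerShell 2.0 or later and an elevated prompt; the regular expression for the execution keys and the simple first-token split of the command line are the example's own simplifications.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 2.0+, elevated prompt.

# Parse the [autorun] section of an autorun.inf and return the keys that cause execution.
function Get-AutorunTargets {
    param([string]$InfPath)
    $section = ''
    foreach ($raw in (Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        # open=, shellexecute= and shell\<verb>\command= turn AutoPlay, a double-click, or the
        # "Open"/"Explore" context-menu entries into execution of the worm's file; icon= and
        # label= only disguise the drive and are not reported here.
        if ($line -match '^(open|shellexecute|shell\\[^=\s]+\\command)\s*=\s*(.+)$') {
            New-Object PSObject -Property @{ Key = $matches[1]; Command = $matches[2] }
        }
    }
}

# Walk the removable drives, report each autorun.inf and its targets, optionally delete it.
function Test-RemovableDrives {
    param([switch]$Remove)
    # DriveType 2 = removable disk (USB sticks, card readers)
    foreach ($d in (Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $inf = "$($d.DeviceID)\autorun.inf"
        if (-not (Test-Path -LiteralPath $inf)) { "$($d.DeviceID) no autorun.inf"; continue }

        # -Force is required: autorun worms set the hidden and system attributes
        $item = Get-Item -LiteralPath $inf -Force
        "$($d.DeviceID) autorun.inf  attributes: $($item.Attributes)"
        foreach ($t in (Get-AutorunTargets -InfPath $inf)) {
            # first token of the command is the program; a quoted path containing spaces
            # needs smarter splitting than this example does
            $exe  = ($t.Command -split '\s+')[0].Trim('"')
            $full = "$($d.DeviceID)\$exe"
            "    $($t.Key) = $($t.Command)   (target present: $(Test-Path -LiteralPath $full))"
        }
        if ($Remove) {
            $item.Attributes = 'Normal'           # clear hidden/system or Remove-Item refuses
            Remove-Item -LiteralPath $inf -Force
            "    removed $inf"
        }
    }
}

Test-RemovableDrives            # report only
# Test-RemovableDrives -Remove  # also delete each autorun.inf found
```

Deleting autorun.inf is the smaller half of the job. The executable it names is still on the drive (the report shows whether it is present so it can be removed too), and an infected host writes a fresh autorun.inf the next time the drive is plugged in, so the order the moderator implies matters: clean the machine first, then every drive that touched it. To stop this class of worm from getting a second chance, disable autorun for all drive types with `NoDriveTypeAutoRun = 0xFF` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, as described in Microsoft KB967715.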


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
