Need Help Removing A Virus[RESOLVED]

[intocomputing2]

notepad d:\autorun.ini

for this one notepad launches but the log it's empty

dir d: > c:\output.txt

and for this one nothing happens

Edited December 30, 2008 by intocomputing2

[Andro1d]

Hey,

Very sorry for the delay, I never got an email saying you responded.

Give me a bit to catch up on this thread and do some more research, then I will get back to you tonight.

[intocomputing2]

ok thx monsterenergy22

[Andro1d]

Please re-run the Kaspersky Online Scanner, and save the log to your desktop. Please post the log in your next reply.

[intocomputing2]

Please re-run the Kaspersky Online Scanner, and save the log to your desktop. Please post the log in your next reply.

here's the new log:

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, January 8, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, January 08, 2009 13:13:25

Records in database: 1587187

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Files scanned: 68972

Threat name: 2

Infected objects: 2

Suspicious objects: 0

Duration of the scan: 01:51:26

File name / Threat name / Threats count

C:\_OTMoveIt\MovedFiles\12302008_102636\ZGH.PIF Infected: Worm.Win32.AutoRun.vzw 1

C:\_OTMoveIt\MovedFiles\12302008_102636\ZGWZ.PIF Infected: Worm.Win32.AutoRun.vmn 1

The selected area was scanned.

[Andro1d]

Hey,

• Make sure you have an Internet Connection.
  
• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  
• Click on the CleanUp! button
  
• A list of tool components used in the Cleanup of malware will be downloaded.
  
• If your Firewall or Real Time protection attempts to block OtMoveit3 to reach the Internet, please allow the application to do so.
  
• Click Yes to beging the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
  

Then

Please post the following log.

c:\output.txt

Then

Please go to Start

• Run
  
• Type cmd
  
• Press Ok
  
• Copy and paste the two following commands one at a time into the cmd box
  

notepad d:\autorun.inf

Please post the log that opens in notepad

[intocomputing2]

I"m not quite sure what just happened, I chose the option to allow the computer to reboot but now that it has, the icon for OTMoveIt dissapeared, so I now I can't post the log.

[Andro1d]

Hey,

OTMoveIt cleaned up itself, no need to post a log from it.

Can you please post the following two

• c:\output.txt
  
• and the log that opens in notepad after running the above command
  

[intocomputing2]

Hey,

OTMoveIt cleaned up itself, no need to post a log from it.

Can you please post the following two

• c:\output.txt
  
• and the log that opens in notepad after running the above command
  

I'm a bit confused, so after going to start >> run >> cmd I have to type "output.txt" and then post the log that opens right there, correct?

Edited January 10, 2009 by intocomputing2

[Andro1d]

Hi,

Step 1

Please go to your C: Drive.

Start => My Computer => Local Disk (C:)

There you should see a text file named output.txt, please open it and post it here.

Step 2

Please go to Start

• Run
  
• Type cmd
  
• Press Ok
  
• Copy and paste the following command into the cmd box
  

notepad d:\autorun.inf

Please post the log that opens in notepad after running the command.

In your next post please post the above 2 different logs.

[intocomputing2]

Here's the log for step 1:

Volume in drive D has no label.

Volume Serial Number is 8DC4-AA31

Directory of D:\

06/23/2005 07:39 PM <DIR> ac3filterfi

02/18/2007 07:29 PM 78 Alfred Whitney Griswold - Wikipedia, the free encyclopedia.URL

08/08/2008 11:17 AM 25,906,688 BAIS-BSIS_Brochure.doc

12/09/2006 02:21 AM <DIR> BC5

06/01/2005 04:03 PM <DIR> BDE32

05/17/2008 02:06 AM 24,064 confirmation number for this payment.doc

02/25/2007 03:12 PM 49 DHS Services Lobby.URL

07/26/2007 05:42 PM <DIR> DivXfi

05/29/2005 11:02 AM 48,640 documents to edit and send to J.doc

02/08/2007 03:03 PM 146,612 DPNP-01-12-2003-A.pdf

04/15/2007 11:19 PM <DIR> DVDFabDecrypter_Temp

08/06/2008 05:31 PM 422,967 eStmt_2007-03-23.pdf

10/10/2006 12:36 AM <DIR> FLVplayerfi

05/21/2006 12:32 PM <DIR> Iomegazip drive

07/09/2005 09:29 PM <DIR> JetAudiofi

02/25/2007 03:13 PM 76 Mapas ambientales para comunidades saludables - HUD.URL

02/27/2007 03:44 PM 73,216 MarkApicella.doc

09/16/2006 02:03 PM <DIR> MEreader fi

10/26/2004 04:45 PM 75,776 Mesages to read imediately.doc

01/27/2007 02:19 PM 58 mike02 funny animal. The Turtle..URL

08/13/2007 09:45 PM <DIR> MOxp

09/05/2007 09:04 PM <DIR> My Documents

04/28/2005 04:46 PM 881,865 N-400.pdf

08/13/2008 09:40 AM 127,418 nursing.program.pdf

05/18/2005 12:15 AM 114 Open Media Network.url

08/27/2006 09:06 PM 3,215,844 Partida_de_Nacimiento.jpg

09/29/2008 08:09 PM <DIR> pfi

10/25/2006 01:24 AM 190 Practice Questions for the U.S. Citizenship Exam - SFPL.org.url

02/05/2005 07:44 PM <DIR> PROGRAM FILES

05/21/2008 08:34 PM 904,501 ProtoWallInstaller7.exe

01/13/2007 02:57 AM 97 RegisteredWorks - Google Search.URL

07/25/2006 09:30 AM <DIR> Shareazafi

04/13/2004 11:48 AM 165 Smithsonian Institution.url

12/22/2008 07:46 PM <DIR> Software Backup recent

09/26/2006 02:20 PM <DIR> Trillianfi

08/03/2006 05:46 PM <DIR> Unused icons

05/01/2005 10:21 PM <DIR> UT2004patch

11/17/2005 02:16 PM <DIR> Winrarfi

19 File(s) 31,828,418 bytes

19 Dir(s) 50,311,450,624 bytes free

and here's the log for step 2:

[AutoRun]

shell\open=´ò¿ª(&O)

shell\open\Command=GLXB.PIF

shell\open\Default=1

shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)

shell\explore\command=GLXB.PIF

[Andro1d]

Hey,

Open notepad and copy and paste the following code box in it starting with @echo off

@echo off
echo Delitor by wng_z3r0 >deleteOutput.txt
echo. >>deleteOutput.txt
echo Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo "d:\autorun.inf" >>deleteOutput.txt
attrib "d:\autorun.inf" -h -r -s
del /f /q "d:\autorun.inf"
echo. >>deleteOutput.txt
echo END Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo Files remaining after deletion: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
if exist "d:\autorun.inf" echo "d:\autorun.inf" is STILL present >>deleteOutput.txt
if exist "d:\autorun.inf" dir /q "d:\autorun.inf" >>deleteOutput.txt
echo. >>deleteOutput.txt
echo END of file: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
start notepad "%cd%\deleteOutput.txt"
exit

Save this as del.bat , choose to save as *all files and place it on your desktop.

It should look like this:

Doubleclick del.bat.

Notepad should open and please post the log that it gives you.

Let me know if you can access your D: drive now.

[intocomputing2]

Notepad should open and please post the log that it gives you.

Let me know if you can access your D: drive now.

here's the new log of notepad:

Delitor by wng_z3r0

Files to delete:

**************************

"d:\autorun.inf"

END Files to delete:

**************************

Files remaining after deletion:

**************************

END of file:

**************************

I still can't access the drive D:

Edited January 11, 2009 by intocomputing2

[Andro1d]

Hey,

Sorry for the delay, I am getting outside opinions on this so it might take me a day or two extra to respond.

Please do the following again.

Go to Start

• Run
  
• Type cmd
  
• Press Ok
  
• Copy and paste the following command into the cmd box
  

notepad d:\autorun.inf

Please post the log that opens in notepad after running the command.

[intocomputing2]

Hey,

Sorry for the delay, I am getting outside opinions on this so it might take me a day or two extra to respond.

np monsterenergy22 and thanks once again for your help

Go to Start

• Run
  
• Type cmd
  
• Press Ok
  
• Copy and paste the following command into the cmd box
  

notepad d:\autorun.inf

Please post the log that opens in notepad after running the command.

the log is empty I get this message instead:

[intocomputing2]

I just got access back to the D: drive again, not sure how I tried my computer once again and it was possible to gain access!

[Andro1d]

Nice job your log looks clean!

I am glad to hear everything is back to normal!

Please use the following suggestions to help prevent reinfection.

Also, you may delete any tools I had you download during the cleaning process.

System Restore maintains a backup of your programs and may also backup infections, so please reset it to make a clean Restore Point.

Please do this:

On the Desktop, right-click My Computer > click Properties > click the System Restore tab.

Check Turn off System Restore.

Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Please wait a few moments to let it clear.

Now please remove the check from Turn off System Restore.

Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

The following is a list of tools and utilities that I like to suggest to people to help keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

Malwarebytes' Anti-Malware - A very powerful tool which searches and kills malware that infects your system.

**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

**Tutorial on installing & using this product can be found HERE**

MVPS Hosts file - This handy download replaces your current HOSTS file with one containing well known ad sites and other bad/malicous sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders.

Firewall A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.

**Tutorial on Firewalls can be found HERE**

Internet Browser - Internet Explorer is not the safest not the fastest internew browser anymore. There are way better alternatives out there that are faster, more secure, and have many more useful features. I recommend Opera or Firefox

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like Spyware Blaster and MBAM do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.

Finally, I strongly recommend How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing

[intocomputing2]

thx a lot monsterenergy22

[Andro1d]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.