Followed all instructions but still have worm

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hedylarue, Mar 1, 2008.

  1. hedylarue

    hedylarue Private E-2

    I ran all the programs suggested: Spybot, Combofix, SuperAntivirus and also MG tools. I still have this horrid Autorun worm and can't seem to get rid of it. I also ran AVG. My logs are attached.

    Thanks for any help!
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi hedylarue,
    Welcome to Major Geeks!
    Interesting name!

    I'm looking at your logs. This takes some time, so please be patient. Was there any log from SuperAntiSpyware? Also, you haven't installed Java Runtime. If you want to do that, please go here to install the current version of Sun Java: Sun Java Runtime Environment

    abri
     
  3. hedylarue

    hedylarue Private E-2

    I'll install Java now. I couldn't find the SuperAntiSpyware log. Should I run it again?
     
  4. abri

    abri MajorGeek

    Hi hedylarue,

    No, you don't need to rerun SuperAntiSpyware. Please continue with the following instructions:

    1) Please disable your guest account if this has not already been done.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

    After you click fix, just close hijackthis.

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  5. hedylarue

    hedylarue Private E-2

    OK...I followed all your steps and it seems to be running good and also I'm able to view my hidden files and folders at this point.

    Does it look ok?

    Also, if it's ok now, what is the best way for me to avoid flash drive viruses in the future?

    Thanks
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi hedylarue,

    It looks better. Please run Combofix one more time and attach the log for me.

    Flash drives can be a problem. It's helpful if you can scan your flash drive when you scan the rest of the computer for viruses. BitDefender has an online scan which allows you to choose which drive you want to have scanned, which enables you to check just the flash drive from time to time. You can find that here: Alternate Scans

    In the Alternate Scans you will find both online and offline scans. The one I'm thinking of is the online scan, which requires that you use Internet Explorer and have ActiveX enabled.

    abri
     
  7. hedylarue

    hedylarue Private E-2

    My computer seems to be normal but I'm not able to run Combofix anymore. When I run it, it starts and then it gets to a blue screen and just sits there. It never did that before so I'm not sure what's going on.
     
  8. abri

    abri MajorGeek

    Hi hedylarue,
    Please do the following:

    Run Avenger again as you did in post 4, step 6, only this time use the contents of this box:
    After you run Avenger, please run CCleaner at the default setting with the windows tab as the one on top.

    Check the Avenger log and if Avenger successfully removed autorun.inf, please go ahead with the final cleanup instructions in the box below:
    abri
     
  9. hedylarue

    hedylarue Private E-2

    I ran Avenger and it didn't find autorun.inf, but it did say it deleted a couple of other things, which seems weird since I only asked it to delete autorun.inf.

    I've attached the Avenger log.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Hedylarue,

    I'm not sure if Avenger ran at all because the log you posted is the same as the old one. I'll post you some more complete instructions, but before I do, please open the folder called C:\autorun.inf and tell me what is in it. In Windows Explorer, it should look like a folder, not a file.

    I will give you the complete instructions this time. See if it works this time.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Attach the new log with your next post along with information about what's in the autorun.inf folder.
    abri
     
  11. hedylarue

    hedylarue Private E-2

    Ok...it worked that time. The log is attached.

    That file is actually located in C:\ in a folder called Avenger, and inside that a folder called autorun.inf

    Inside the autorun.inf folder is a file called lp3 and it says "This folder was created by Flash Disinfector"

    I had run Flash Disinfector back when I first got the virus.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi hedylarue,

    Please go ahead with the final cleanup instructions in post 8. That should delete anything which may have gotten into the Avenger removal procedures. I don't know if I ever commented on your question as to avoiding flash drive viruses. Your flash drive will be as good as what you put onto it. When you back up things, do it at a time after you've run your antispyware and antivirus scans and after you've used CCleaner to remove all your temporary files. This will make it more likely that you are transferring clean files. Also, when you need to use it to move something from one place to another more quickly, simple common sense is the best medicine. Most viruses come in through forwarded e-mails with attachments, by clicking on the wrong things at websites, through p2p file sharing programs, and messengers. There's no way to offer yourself 100% protection without giving up the internet altogether, so make some decisions about the source of the file you want to put on the flash drive and whether there's a chance it might be infected. If you use it on someone else's computer, is this someone who takes good care of their computer or are they careless?

    There's a tool you can consider using named Flash Disinfector by sUBs. You might find that useful. Only use it if you already have an infection!

    http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/


    Finally, consider scanning your flash drive from time to time with the BitDefender Online Scan (see Using BitDefender Online Scan), because with this particular scan you can have it scan any drive you choose. After you click on the I agree button, you'll get a window with the option Select what you want to check for viruses. When you click on that, it will give you a browse of your system and allow you to check just one of your drives. I find this a useful tool. You have to use Internet Explorer for the BitDefender scan and your ActiveX has to be enabled.

    I hope this helps you.
    abri
     
    Last edited: Mar 7, 2008
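As an added example (not code from the thread, from Avenger or from Flash Disinfector), here is a small Python checker that tells a worm-style autorun.inf file apart from the protective autorun.inf folder that posts 10 and 11 describe Flash Disinfector leaving behind. The drive roots, the marker file and the avpo.exe name (taken from the HijackThis line in post 4) are constructed sample data.

```python
# Inspect a drive root for autorun.inf and classify what is there:
#   absent            -> nothing to act on
#   protective_folder -> a folder of that name (what Flash Disinfector creates,
#                        so a worm cannot drop a file with the same name)
#   file              -> a real autorun.inf; report which keys launch something
import configparser
import os
import tempfile


def parse_autorun_inf(text):
    """Return the [autorun] keys that launch a program (open, shellexecute,
    shell\\...\\command). Unparseable text yields an empty dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    launchers = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in ("open", "shellexecute") or key.endswith("command"):
                launchers[key] = value
    return launchers


def inspect_autorun(root):
    """Classify <root>/autorun.inf as described in the header comment."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"status": "absent", "launchers": {}}
    if os.path.isdir(path):
        return {"status": "protective_folder", "launchers": {}}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return {"status": "file", "launchers": parse_autorun_inf(fh.read())}


def demo():
    """Constructed sample drive roots: infected, disinfected, and empty."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("infected", "cleaned", "empty"):
            os.mkdir(os.path.join(base, name))
        with open(os.path.join(base, "infected", "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=avpo.exe\nshellexecute=avpo.exe\nicon=a.ico\n")
        os.mkdir(os.path.join(base, "cleaned", "autorun.inf"))  # protective folder
        for name in ("infected", "cleaned", "empty"):
            results[name] = inspect_autorun(os.path.join(base, name))
    return results
```

Run `demo()` to see the three classifications; on a real machine, point `inspect_autorun` at the flash drive's root (for example `E:\`).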
