Internet Security Essentials et al


Re: Internet Security Essentials et al

Post by jules_uk on Fri 22 Apr - 19:21

Hi Crush

There is only one hard drive partition which is C. I do have a USB drive D and also a CD drive available. What would you like me to try?

Jules


Last edited by jules_uk on Fri 22 Apr - 19:35; edited 1 time in total (Reason for editing : typo)


Re: Internet Security Essentials et al

Post by Crush on Sat 23 Apr - 4:47

There should be the USB drive labeled F. That one is infected with an autorun worm.

Once you have it:

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.

=========

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell - "" = AutoRun
    O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
    O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell - "" = AutoRun
    O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\Auto\command - "" = F:\RavMon.exe
    O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25556


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

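As an added example (not OTL's own code and not anything from this thread's helpers), here is a small Python triage script for the two kinds of OTL lines quoted in the fix above: the O33 MountPoints2 entries and the IE proxy settings. It parses them and flags the patterns an autorun worm typically leaves: a Shell\...\command launched indirectly through RunDLL32 ShellExec_RunDLL or with no absolute path, a command that runs from a non-system drive, and a ProxyServer that points at loopback so that browser traffic is routed through a local process. The sample input is the fix's own lines embedded as a constructed string; the severity levels and the assumption that C: is the system drive are mine, not OTL's.

```python
"""Triage helper for OTL scan lines (O33 MountPoints2 and IE proxy settings).
Added example for this thread; not part of OTL or of Flash_Disinfector."""
import re
from dataclasses import dataclass

# Constructed sample: the O33 and IE lines from the fix quoted in the thread.
SAMPLE_OTL = r"""
:OTL
O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell - "" = AutoRun
O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell - "" = AutoRun
O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\Auto\command - "" = F:\RavMon.exe
O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25556
"""

O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<subkey>\S+) - "" = (?P<value>.*)$')
IE_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<name>[^"]+)" = (?P<value>.*)$')
LOOPBACK = ('127.0.0.1', 'localhost', '::1')
SYSTEM_DRIVE = 'c'   # assumption: the Windows installation lives on C:


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'info'
    source: str     # MountPoints2 GUID or the registry value name
    detail: str


def parse(text):
    """Split OTL text into a list of (guid, subkey, value) MountPoints2 entries
    and a dict of IE 'Internet Settings' values."""
    mounts, proxy = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O33_RE.match(line)
        if m:
            mounts.append((m['guid'], m['subkey'], m['value']))
            continue
        m = IE_RE.match(line)
        if m and 'Internet Settings' in m['key']:
            proxy[m['name']] = m['value']
    return mounts, proxy


def judge_command(guid, cmd):
    """Classify one Shell\\<verb>\\command value under a MountPoints2 GUID."""
    low = cmd.lower()
    if 'rundll32' in low and 'shellexec_rundll' in low:
        # The executable is launched indirectly through the shell; the real
        # target (here a bare file name) is resolved relative to the drive.
        return Finding('high', guid, f'indirect launch via RunDLL32 ShellExec_RunDLL: {cmd}')
    exe = cmd.split()[0]
    if not re.match(r'^[a-z]:\\', exe.lower()):
        return Finding('high', guid, f'command with no absolute path: {cmd}')
    if exe[0].lower() != SYSTEM_DRIVE:
        return Finding('medium', guid, f'autorun command on non-system drive {exe[:2]}: {cmd}')
    return Finding('info', guid, f'autorun command: {cmd}')


def analyze(text):
    """Return the findings for a block of OTL lines, worst first."""
    mounts, proxy = parse(text)
    findings = []
    for guid, subkey, value in mounts:
        if subkey.lower().endswith('\\command') and value.strip():
            findings.append(judge_command(guid, value.strip()))
    if proxy.get('ProxyEnable') == '1':
        server = proxy.get('ProxyServer', '')
        # "http=127.0.0.1:25556" -> "127.0.0.1"; a plain "host:port" works too
        host = server.split('=')[-1].split(':')[0]
        if host in LOOPBACK:
            findings.append(Finding('high', 'ProxyServer',
                                    f'browser proxy points at a local process: {server}'))
        else:
            findings.append(Finding('info', 'ProxyServer', f'proxy enabled: {server}'))
    order = {'high': 0, 'medium': 1, 'info': 2}
    return sorted(findings, key=lambda f: order[f.severity])


def counts(findings):
    """Number of findings per severity level."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


if __name__ == '__main__':
    for f in analyze(SAMPLE_OTL):
        print(f'[{f.severity:6}] {f.source}: {f.detail}')
```

Run on the sample, the script reports the RunDLL32 launch of RavMon.exe and the loopback proxy as high, and the two commands that run from D: and F: as medium. Seeing a MountPoints2 command for a drive letter that is no longer present (as happened with F: in this thread) is itself useful: the registry entry can be removed on the PC, but the drive that carries the payload has not been cleaned until it is plugged in and disinfected.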

Re: Internet Security Essentials et al

Post by jules_uk on Sat 23 Apr - 7:13

Hi Crush

I don't have an F: drive. When I put a USB stick in it gets the letter D: assigned to it. E: is the DVD/CD Drive and G: is the MemoryStick but there is no F:. It must have been some previous device that someone else plugged in I guess.

I tried downloading Flash_Disinfector from the link you gave using a working computer but AVG flagged it as a threat. See this screenshot: [You must be registered and logged in to see this link.]. Is there a problem with the file you linked?

I have run the OTL commands you gave though and here is the log:

========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7141d0c1-3b99-11e0-bcb3-00032f2874ad}\ not found.
File D:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
File F:\RavMon.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e34a8c80-332c-11de-ba1f-00032f2874ad}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

OTL by OldTimer - Version 3.2.22.3 log created on 04222011_210304

What do you suggest now?


Re: Internet Security Essentials et al

Post by Crush on Sat 23 Apr - 10:39

Hi,

Nope. F_D is legit. If you turn off your AV it will allow the download. We need to disinfect the flash drive or the infection will just keep coming back.
