Need help with setup.exe/autorun.inf virus - HJT log included

jenz

Hello

First I have to say my English is poor, so I hope you understand me; I have copied and pasted a bit from another thread.



I have a problem with setup.exe and autorun.inf (probably trojans?), which have infected all my shared folders. I have four networked PCs and 3 of them give a warning with NOD32 at the same time (every few hours): every shared folder gets a setup.exe and an autorun.inf (the setup.exe's get deleted by NOD32). I've disconnected them from the network and the problem came back on 1 PC. I've tried almost every program to get rid of it; I have found a lot but the problem stays.

I hope that you understand the problem and can help me.

I have uploaded the ewido log and the HJT log.

Hope you can help me. Thanks.

Grtz Jenz
 
Hello and welcome to Techspot.

Your HJT log is clean.

First, make sure your Protected system files are hidden.

Do the reverse of This.

If that doesn`t help, try this.

Go to C:\Documents and Settings\All Users\Documents and delete setup.exe and autorun.inf if present.

Regards Howard

This thread is for the use of jenz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
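The pattern jenz describes (a setup.exe and an autorun.inf appearing together at the root of every share) is the classic autorun worm drop: the .inf names the .exe in a launch key, so AutoRun starts it when the root is opened. As an added example, not from this thread and not from NOD32, HJT or any other tool named here, the Python below does what Howard's delete step does by hand, over every share root at once: it parses each root's autorun.inf tolerantly (worm-written .inf files carry junk lines and odd casing that strict INI parsers reject), lists the keys AutoRun would execute, and reports whether the referenced program sits beside the .inf. The directory tree it scans is constructed inline; the share names and the temp location are assumptions.

```python
"""Triage autorun.inf files at share roots (added example, constructed tree)."""
import tempfile
from pathlib import Path

# [autorun] keys whose value AutoRun executes, in the order Windows consults them.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section with lower-cased keys.

    Hand-rolled on purpose: lines without '=' and arbitrary casing are common
    in worm-dropped files and would make configparser raise.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries):
    """Values AutoRun would run; an .inf with only label/icon keys yields []."""
    return [entries[k] for k in LAUNCH_KEYS if k in entries]


def triage_root(root):
    """Inspect the autorun.inf at one root (Windows only honours it at a root).

    Returns None when there is no .inf, else one finding per launch key.
    """
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    entries = parse_autorun(inf.read_text(errors="ignore"))
    findings = []
    for target in launch_targets(entries):
        exe = (target.split() or [target])[0]     # drop arguments, keep the program
        findings.append({
            "inf": str(inf),
            "target": target,
            "exists_beside_inf": (root / exe).is_file(),
        })
    return findings


def build_constructed_shares(base):
    """Constructed sample: one root mimicking the thread's drop, one benign, one empty."""
    infected = Path(base) / "infected_share"
    infected.mkdir()
    (infected / "setup.exe").write_bytes(b"MZ placeholder, not a real program")
    (infected / "autorun.inf").write_text(
        "[AutoRun]\nOPEN=setup.exe\nshell\\open\\Command=setup.exe\n"
        "this line has no equals sign\nicon=setup.exe\n")
    benign = Path(base) / "benign_share"
    benign.mkdir()
    (benign / "autorun.inf").write_text("[autorun]\nlabel=Photos\nicon=photos.ico\n")
    empty = Path(base) / "no_inf_share"
    empty.mkdir()
    return [infected, benign, empty]


def demo():
    """Run the triage over the constructed tree and return the suspicious hits."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = []
        for root in build_constructed_shares(tmp):
            result = triage_root(root)
            if result:
                hits.extend(result)
        return hits


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host, point `triage_root` at each share root or mapped drive letter instead of the constructed tree. A hit whose `exists_beside_inf` is true is a live drop; if the .exe comes back after NOD32 deletes it, the machine writing it is still infected, which is why the thread keeps PC1 off the network until its log is clean.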
 
First, thanks for the quick answer; I've done it.

But I've made a big mistake (I think): when I disconnected the PCs I only disconnected 3 PCs (because I thought the 4th one would disconnect automatically this way).

The fourth PC is the PC I have logged (the virus looks active on this one); just before I made the log I turned on my firewall (this was off when I got the messages from NOD32).

I put new firmware in my router and had a problem with FTP; 3 PCs had no firewall because I had turned them off, and these are the 3 with the problem.

With 1 PC (another than the logged one) I tried to go back online and the message was there again.

I've set all firewalls on, and now is the problem gone?

Is it possible the virus did not come from my network but from "the net"?

Sorry again for the bad English (I hope you understand me) and that I did not tell you about the firewall (it was only enabled just before the log).

Regards Jenz
 
It`s entirely possible you got the infection from the net. Never connect to the net, without your firewall being active.

Post a fresh HJT log as an attachment from each pc.

Regards Howard :)

 
Pc1 is infected with a variety of nasties.

Disconnect it from the network, then go HERE and follow all the instructions exactly.

Do not reconnect it to the network, until I advise you it`s clean.

Post fresh HJT and Ewido logs, only after doing the above.

Regards Howard :)
 
PCs 2/3/4 are all clean. You can continue to use these PCs networked. Don`t reconnect PC1 to the network until it`s clean.

Regards Howard :)
 
Done, I only slept 3 hours but it is done ;-)

Ewido had a problem with removing Adware.Cnsmin; I've tried 3 times but no go.

Here are the logs; it is the first Ewido log.

Regards Jenz
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)

O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/nl/nl/importer/MypixUploader.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.extrafilm.nl/import/ImageUploader3.cab

O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\downlo~1\cnshook.dll

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)
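The fix list above (and the longer one later in the thread) is the usual triage by HijackThis section: R0/R1 lines are Internet Explorer registry values (search and proxy settings), O2 is a Browser Helper Object loaded into every IE process, O4 is an autostart entry, O9 and O18 are toolbar buttons and URL-protocol handlers, O16 is an ActiveX control downloaded from the web. The Python below is an added example, not part of the thread and not HijackThis code: it classifies such lines with three rules, a ProxyServer on the loopback interface or a search setting pointing off-Microsoft is a hijack; a registration marked "(file missing)" or "(no file)" is a dead entry; a BHO, a rundll32-launched DLL or an ActiveX download is flagged for review. The sample log is built from entries quoted in this thread plus one made-up NOD32 autostart line, and the Microsoft host allow-list is an assumption.

```python
"""Rule-based triage of HijackThis log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

DEAD_MARKERS = ("(file missing)", "(no file)")
MS_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")   # assumed allow-list
SECTION_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(\S+?\.dll)", re.I)


@dataclass
class Finding:
    section: str
    verdict: str      # "hijack", "dead" or "review"
    detail: str
    line: str


def classify(line):
    """Classify one log line; None when the line raises no flag."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    dead = any(mark in rest for mark in DEAD_MARKERS)

    if section in ("R0", "R1"):                       # IE registry values
        name, _, value = rest.partition(" = ")
        if name.endswith("ProxyServer") and value.startswith(("127.", "localhost")):
            return Finding(section, "hijack", f"browser traffic proxied through local port {value}", line)
        host = urlsplit(value).hostname or ""
        if "Search" in name and host and not host.endswith(MS_SEARCH_HOSTS):
            return Finding(section, "hijack", f"search setting points at {host}", line)
        return None

    if section == "O2":                               # Browser Helper Object
        path = rest.rsplit(" - ", 1)[-1]
        if dead:
            return Finding(section, "dead", "BHO registered but its DLL is gone", line)
        return Finding(section, "review", f"BHO loads {path} into every IE process", line)

    if section == "O4":                               # autostart entry
        cmd = rest.split("] ", 1)[-1]
        dll = RUNDLL_RE.search(cmd)
        if dll:
            return Finding(section, "review", f"autostart via rundll32 loading {dll.group(1)}", line)
        return Finding(section, "review", f"autostart: {cmd}", line)

    if dead:                                          # O9/O18/... pointing nowhere
        return Finding(section, "dead", "registration whose target no longer exists", line)

    if section == "O16":                              # downloaded ActiveX control
        url = rest.rsplit(" - ", 1)[-1]
        return Finding(section, "review", f"ActiveX control installed from {urlsplit(url).hostname}", line)
    return None


def triage(log_text):
    """Classify every line of a log, keeping only the lines that raise a flag."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def summary(findings):
    """Counts per verdict, e.g. {'hijack': 3, 'dead': 3, 'review': 4}."""
    return dict(Counter(f.verdict for f in findings))


# Sample log: entries quoted in this thread plus one constructed NOD32 autostart line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/nl/nl/importer/MypixUploader.cab
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - (no file)
O11 - Options group: [!CNS] Chinese keywords
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.verdict:7} {f.detail}")
    print(summary(triage(SAMPLE_LOG)))
```

The O4 rule is the one that matters for entries that return after a reboot: a BHO or button that is fixed and comes back is being re-registered by something that still runs at startup, and in these lists the rundll32 line loading C:\PROGRA~1\3721\helper.dll is the obvious candidate. Remove the autostart first, then the entries it recreates; a "dead" verdict means the registration points nowhere and fixing it is housekeeping, not disinfection.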

 
OK, did this too.

A folder called 3721 in Program Files keeps turning up after I delete it when Ewido finds it.

Here is the new log.

Grtz Jenz

Forgot: I can't find the file cnshook.dll.
 
Download the pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll

O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\downlo~1\cnshook.dll or whatever the full path is.

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)
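Killbox's "delete file on reboot" rests on a standard Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends the file to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries out the queued renames and deletions early in the next boot, before the autostart entries that keep a DLL such as cnshook.dll locked have run. The Python below is an added example, not Killbox's code and not from the thread: it builds and decodes that value format (runs anywhere) and, on Windows with administrator rights, performs the same call and reads back what is queued. The path is the one from this thread; the "!" prefix handling covers the replace-existing form of the same mechanism.

```python
"""Delete-on-reboot via PendingFileRenameOperations (added example)."""
import ctypes
import ntpath
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def pending_rename_entries(paths):
    """REG_MULTI_SZ pairs as stored by the kernel: NT-prefixed source, then
    destination. An empty destination means 'delete at boot'."""
    entries = []
    for p in paths:
        entries.append("\\??\\" + ntpath.normpath(p))
        entries.append("")
    return entries


def parse_pending(values):
    """Turn the stored list back into (source, destination) pairs.

    Review this before rebooting: installers queue renames here, but so can
    malware, e.g. a queued deletion of an antivirus file.
    """
    pairs = []
    for i in range(0, len(values) - 1, 2):
        src, dst = values[i], values[i + 1]
        if src.startswith("\\??\\"):
            src = src[4:]
        if dst.startswith("!\\??\\"):      # '!' = MOVEFILE_REPLACE_EXISTING was set
            dst = dst[5:]
        elif dst.startswith("\\??\\"):
            dst = dst[4:]
        pairs.append((src, dst))
    return pairs


def schedule_delete_on_reboot(path):
    """The call behind 'delete file on reboot' (Windows only, needs admin).

    The path is made absolute here, against this process's working
    directory, so a bare file name would not point at the malware's copy.
    """
    if sys.platform != "win32":
        raise NotImplementedError("MoveFileExW is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(ntpath.abspath(path), None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending():
    """Operations currently queued on this Windows host; [] when none."""
    if sys.platform != "win32":
        raise NotImplementedError("registry access is Windows only")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            values, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return parse_pending(values)


if __name__ == "__main__":
    # Show the value pairs Killbox would queue for the file from this thread.
    print(pending_rename_entries([r"C:\WINDOWS\downlo~1\cnshook.dll"]))
    if sys.platform == "win32":
        for src, dst in read_pending():
            print("queued:", src, "->", dst or "(delete)")
```

Run `read_pending` before you allow the reboot: the queue should contain only the files you typed into Killbox. Give the full path, as Howard says, because the name is resolved when the call is made, not searched for at boot.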

 
Thanks again for the fast reply Howard.

I followed it again; I post the new log.

Thanks for the time.

Regards Jenz

Forgot: before a reboot all the ticked things in HJT are gone except the cnshook.dll; after reboot they are back in the log (if I see it right).
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply when it reboots, and post a fresh HJT log.

Regards Howard :)

 
OK, thanks again. I let Avenger do its work and it looks like the cnshook file is deleted;

new logs attached

Regards Jenz
 
That`s excellent news. Your HJT log is now clean.

Have HJT fix these inactive entries.

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll (file missing)

O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O11 - Options group: [!CNS] Chinese keywords

Click the fix checked button and reboot your computer.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
OK, many thanks!!!!

In the HJT log one thing is back after reboot.

Log: O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll (file missing)

And 2 questions:

Helper.dll was first found as a threat in c:/program files/3721

Must I fix these 2? (They reappear too.)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm

Second question: the PC looks slower and keeps on working all the time; is this correct?


Grtz Jens
 
See HERE for info.

This is all part of the Chinese keywords programme.

It`s up to you what you wish to do about this. Personally I`d uninstall it from Add/Remove Programs.

As far as I can tell, apart from the above, your HJT log is clean.

Regards Howard :)
 
That`s good news.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 