TechSpot

Need help with setup.exe/autorun.inf virus - HJT log included

By jenz
Sep 18, 2006
  1. Hello

    First I have to say my English is poor, so I hope you understand me. I have copy-pasted a bit from another thread.



    I have a problem with setup.exe and autorun.inf (probably trojans?), which have infected all my shared folders. I have four networked PCs and 3 of them give a warning with NOD32 at the same time (every few hours): every shared folder makes a setup.exe and an autorun.inf (the setup.exe's get deleted by NOD32). I've disconnected them from the network and the problem came back on 1 PC. I've tried almost every program to get rid of it; I have found a lot, but the problem stays.

    I hope that you understand the problem and can help me.

    I have uploaded the ewido log and the HJT log.

    Hope you can help me. Thanks.

    Grtz Jenz
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your HJT log is clean.

    First, make sure your Protected system files are hidden.

    Do the reverse of This.

    If that doesn't help, try this.

    Go to C:\Documents and Settings\All Users\Documents and delete setup.exe and autorun.inf if present.

    Regards Howard :wave: :wave:

    This thread is for the use of jenz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
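    The symptom described above (a paired setup.exe and autorun.inf appearing in every shared folder) is the classic AutoRun propagation pattern: the .inf tells Windows which file to execute when the share or drive is opened. The script below is an added example, not code from the thread or from any tool mentioned in it. It walks a directory tree, parses each autorun.inf for the keys that cause execution (open=, shellexecute=, shell\<verb>\command=), reports which referenced executables actually sit beside the .inf, and optionally moves that pair into a quarantine folder. The folder layout that build_sample() creates is constructed for the demo; the quarantine step (moving and renaming to .bin rather than deleting) is this example's choice, not the advice given in the post.

```python
"""Find autorun.inf files under a share and report what each would launch.

Added example, not from the TechSpot thread. It models the pattern described
in the posts above: a worm drops autorun.inf beside setup.exe in every shared
folder so that the dropper runs when the share or drive is opened. The folder
layout that build_sample() creates is constructed for this demo.
"""
import configparser
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# [autorun] keys whose value is executed by AutoRun/AutoPlay or from the
# drive's context menu.
EXEC_KEYS = ("open", "shellexecute")
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4


@dataclass
class Finding:
    inf_path: str
    targets: list = field(default_factory=list)  # executables the .inf would run
    present: list = field(default_factory=list)  # those that exist beside it
    hidden: bool = False  # .inf has hidden/system attributes (Windows only)


def parse_autorun(inf_path):
    """Return the distinct executables an autorun.inf would launch.

    Covers open=, shellexecute= and shell\\<verb>\\command=. Droppers write
    sloppy INI syntax, so parsing is lax: duplicate and bare keys are
    tolerated and key names are case-insensitive.
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
    except configparser.Error:
        return []  # malformed file, e.g. no [section] header at all
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):
        is_exec = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        parts = (value or "").strip().strip('"').split()
        if is_exec and parts and parts[0] not in targets:
            targets.append(parts[0])  # first token; the rest are arguments
    return targets


def scan_tree(root):
    """Walk root; for every autorun.inf note which referenced executables
    actually sit beside it (that pairing is the infection indicator)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            inf = os.path.join(dirpath, name)
            f = Finding(inf_path=inf, targets=parse_autorun(inf))
            attrs = getattr(os.stat(inf), "st_file_attributes", 0)
            f.hidden = bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
            for exe in f.targets:
                if os.path.isfile(os.path.join(dirpath, exe.replace("\\", os.sep))):
                    f.present.append(exe)
            findings.append(f)
    return findings


def quarantine(finding, dest_dir):
    """Move the .inf and its present payloads into a fresh subfolder of
    dest_dir, renaming executables to .bin so nothing launches them by
    accident. The thread's advice is to delete; moving keeps a sample."""
    os.makedirs(dest_dir, exist_ok=True)
    sub = tempfile.mkdtemp(prefix="q_", dir=dest_dir)
    src_dir = os.path.dirname(finding.inf_path)
    moved = []
    for exe in finding.present:
        src = os.path.join(src_dir, exe.replace("\\", os.sep))
        dst = os.path.join(sub, os.path.basename(src) + ".bin")
        shutil.move(src, dst)
        moved.append(dst)
    dst = os.path.join(sub, "autorun.inf.txt")
    shutil.move(finding.inf_path, dst)
    moved.append(dst)
    return moved


def build_sample():
    """Constructed layout: one share with a live dropper pair, one with a
    harmless autorun.inf that only sets an icon and label."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    share = os.path.join(root, "Shared Docs")
    os.makedirs(share)
    with open(os.path.join(share, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=setup.exe\nshell\\open\\Command=setup.exe\n"
                 "shellexecute=setup.exe /quiet\nicon=setup.exe,0\n")
    with open(os.path.join(share, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not a real PE
    clean = os.path.join(root, "Backup CD")
    os.makedirs(clean)
    with open(os.path.join(clean, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=disc.ico\nlabel=Backup 2006\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample()):
        status = "LIVE" if f.present else "inert"
        print(f"{status:5} {f.inf_path} -> {f.targets} present={f.present} hidden={f.hidden}")
```

    The hidden flag is only populated on Windows (st_file_attributes); elsewhere it stays False. Finding and removing the pair cleans a share but does not stop re-infection; the preventive control on the Windows side is turning AutoRun off for network and removable drives via the NoDriveTypeAutoRun policy, which this script does not touch.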
     
  3. jenz

    jenz TS Rookie Topic Starter

    First, thanks for the quick answer; I've done it.

    But I've made a big mistake (I think): when I disconnected the PCs I only disconnected 3 PCs (because I thought the 4th one would disconnect automatically this way).

    The fourth PC is the PC I have logged (the virus looks active on this one); just before I made the log I turned on my firewall (this was off when I got the messages from NOD32).

    I put new firmware in my router and have a problem with FTP; 3 PCs had no firewall because I turned them off, and these are the 3 with the problem.

    With 1 PC (another than the logged one) I tried to go back online and the message was there again.

    I've turned all firewalls on, and now is the problem gone?

    Is it possible the virus did not come from my network but from "the net"?

    Sorry again for the bad English (I hope you understand me) and that I have not told you about the firewall (which was enabled just before the log).

    Regards Jenz
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's entirely possible you got the infection from the net. Never connect to the net without your firewall being active.

    Post a fresh HJT log as an attachment from each pc.

    Regards Howard :)

     
  5. jenz

    jenz TS Rookie Topic Starter

    Thanks again for the quick answer.

    4 HJT logs uploaded.

    Regards Jenz
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Pc1 is infected with a variety of nasties.

    Disconnect it from the network, then go HERE and follow all the instructions exactly.

    Do not reconnect it to the network until I advise you it's clean.

    Post fresh HJT and Ewido logs, only after doing the above.

    Regards Howard :)
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    PCs 2/3/4 are all clean. You can continue to use these PCs networked. Don't reconnect PC1 to the network until it's clean.

    Regards Howard :)
     
  8. jenz

    jenz TS Rookie Topic Starter

    Done; I only slept 3 hours, but it is done ;-)

    Ewido had a problem removing Adware.Cnsmin; I've tried 3 times but no go.

    Here are the logs; this is the first Ewido log.

    Regards Jenz
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each (if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)

    O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/nl/nl/importer/MypixUploader.cab

    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.extrafilm.nl/import/ImageUploader3.cab

    O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\downlo~1\cnshook.dll

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  10. jenz

    jenz TS Rookie Topic Starter

    OK, did this too.

    A folder called 3721 in Program Files keeps turning up after I delete it, after Ewido finds it.

    Here is the new log.

    Grtz Jenz

    Forgot: I can't find the file cnshook.dll.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each (if there).

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll

    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

    O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

    O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

    O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

    O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\downlo~1\cnshook.dll or whatever the full path is.

    Once your system has rebooted, turn System Restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  12. jenz

    jenz TS Rookie Topic Starter

    Thanks again for the fast reply, Howard.

    I followed it again; I'll post the new log.

    Thanks for the time.

    Regards Jenz

    Forgot: before a reboot all the ticked things in HJT are gone except the cnshook.dll; after reboot they are back in the log (if I see it right).
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply when it reboots, and post a fresh HJT log.

    Regards Howard :)

     
  14. jenz

    jenz TS Rookie Topic Starter

    OK, thanks again. I let Avenger do its work and it looks like the cnshook file is deleted.

    New logs attached.

    Regards Jenz
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's excellent news. Your HJT log is now clean.

    Have HJT fix these inactive entries.

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll (file missing)

    O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

    O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)

    O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

    O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

    O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

    O11 - Options group: [!CNS] Chinese keywords

    Click the fix checked button and reboot your computer.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

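    The HJT fix lists in posts 9, 11 and 15 above mix two kinds of entry: live registrations (a BHO DLL present on disk, a Run key loading helper.dll through rundll32.exe, IE proxied through 127.0.0.1:8080) and orphaned registrations marked "(file missing)" or "(no file)". jenz reports that fixed entries come back after a reboot, and post 17 ties them to the still-installed Chinese keywords program. The following is an added example, not part of the thread or of HijackThis, that parses HJT lines, separates live from orphaned entries using severity rules of my own, and diffs two of the posted lists to show which entries persisted. The two sample log excerpts are copied from posts 11 and 15; the severity labels and the notion of an "orphan" are this example's assumptions.

```python
"""Triage HijackThis (HJT) log entries and diff two logs for entries that came back.

Added example, not from the TechSpot thread or from HijackThis itself. The
sample excerpts are the fix lists posted above (posts 11 and 15); the severity
rules and the 'orphan' notion are this example's own.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s*-\s*(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(file missing)", "(no file)")  # HJT's own suffixes
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(127\.0\.0\.1|localhost)(:\d+)?", re.I)
RANK = {"high": 0, "review": 1, "low": 2}


@dataclass(frozen=True)
class Entry:
    section: str   # R0, R1, O2, O4, O9, ...
    body: str      # everything after "Rn - " / "On - "
    clsid: str     # "" when the line carries no GUID
    orphan: bool   # registration whose target file is missing
    severity: str  # "high", "review" or "low"
    reason: str


def parse_entry(line):
    """Classify one HJT log line; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    g = CLSID_RE.search(body)
    clsid = g.group(0).upper() if g else ""
    orphan = body.rstrip().endswith(ORPHAN_MARKERS)
    if orphan:
        sev, why = "low", "points at a missing file; fixing it is cleanup, but note if it returns"
    elif sec == "R1" and LOCAL_PROXY_RE.search(body):
        sev, why = "high", "IE proxied through a local listener: a resident process intercepts browser traffic"
    elif sec == "O4" and "rundll32" in body.lower():
        sev, why = "high", "autostart loads a DLL via rundll32.exe: persistence for a non-Microsoft component"
    elif sec in ("O2", "O4", "O18"):
        sev, why = "high", "active code registration (BHO, autostart or protocol handler)"
    elif sec == "O16":
        sev, why = "review", "ActiveX control fetched from the web; confirm the publisher before keeping it"
    elif sec in ("R0", "R1") and "http" in body.lower():
        sev, why = "review", "IE start/search page redirected; check the domain"
    else:
        sev, why = "review", "no rule matched; inspect manually"
    return Entry(sec, body, clsid, orphan, sev, why)


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(text):
    """Entries ordered most urgent first, then by section."""
    return sorted(parse_log(text), key=lambda e: (RANK[e.severity], e.section))


def entry_key(e):
    """Identity of an entry across logs: GUID when present, else the body with
    the orphan marker stripped (a file deleted between logs shows as missing)."""
    if e.clsid:
        return (e.section, e.clsid)
    body = e.body
    for mk in ORPHAN_MARKERS:
        body = body.replace(mk, "")
    return (e.section, " ".join(body.split()))


def reappearing(before_text, after_text):
    """Entries from the earlier log that are still (or again) in the later one."""
    after = {entry_key(e) for e in parse_log(after_text)}
    return sorted({entry_key(e) for e in parse_log(before_text)} & after)


# Sample lines copied from the posts above (post 11 and post 15).
LOG_POST_11 = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
"""
LOG_POST_15 = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll (file missing)
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O11 - Options group: [!CNS] Chinese keywords
"""

if __name__ == "__main__":
    for e in triage(LOG_POST_11):
        print(f"{e.severity:6} {e.section:3} {e.clsid or '-':40} {e.reason}")
    print("persisted across fixes:", reappearing(LOG_POST_11, LOG_POST_15))
```

    The diff is the useful part for a thread like this one: an orphaned O2 or O9 entry that survives a fix and a reboot is not being re-created by a file that HJT can see, so the next step is the owner of those registrations (here the program in C:\Program Files\3721) rather than another round of ticking boxes.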
     
  16. jenz

    jenz TS Rookie Topic Starter

    OK, many thanks!!!!

    In the HJT log one thing is back after reboot:

    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\cnshook.dll (file missing)

    And 2 questions:

    Helper.dll was first found as a threat in C:\Program Files\3721.

    Must I fix these 2? (They reappear too.)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm

    Second question: the PC seems slower and keeps on working all the time; is this correct?


    Grtz Jens
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    See HERE for info.

    This is all part of the Chinese keywords programme.

    It's up to you what you wish to do about this. Personally I'd uninstall it from Add/Remove Programs.

    As far as I can tell, apart from the above, your HJT log is clean.

    Regards Howard :)
     
  18. jenz

    jenz TS Rookie Topic Starter

    Hi Howard

    It is all gone

    Thanks a lot!!!!!!!

    Regards Jenz
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s good news.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  20. jenz_reboot

    jenz_reboot TS Rookie

    Thanks

    Thanks for this discussion! j.
     
Topic Status:
Not open for further replies.
