Hard drive autoplay virus?

Status
Not open for further replies.

Vandersen

My hard drives have an autoplay feature that runs when I double-click.

I have Windows XP 32-bit.

This appears to be a symptom of the Godzilla virus; however, I have not found any traces of ms32dll anywhere on my drives. I didn't find the "hacked by godzilla" title on IE either.

However I did find an "autorun.inf" and a "DiskAutoRun.exe" file on both my drives.
I deleted them, and restarted, but some program puts them back when I restart.

The program is called "Octo", and the process is "Snet.exe" 2 copies of the program run at the same time when I log in to my account.

I could not find Snet.exe or Octo anywhere on my computer.
When I start in safe mode, the disks no longer have the autoplay feature.

Help me get rid of this pest.
I am scanning with McAfee right now, but so far nothing has been found.
 
Is this your boot drive(s) or removable drive?
I have never found an autorun file on a boot drive, but have seen them on removable media.

You don't have another OS on the system, do you?


FW
 
There is a "DiskAutoRun.exe" and an "autorun.inf" file in both my local disk drives: Local Disk C and the E partition. They are my boot drives indeed.

Yes I have 2 Operating systems.

First OS is Win XP 32 installed on one hard drive.
Second OS is Windows Vista Ultimate 64 on another hard drive.

However, the hard drive containing the OTHER operating system is disabled in each operating system.
I only occasionally enable the other drive for file transferring. Other than that, the 2 OSes aren't supposed to be able to communicate.
 
My hard drives have an autoplay feature that runs when I double-click.
There is a "DiskAutoRun.exe" and an "autorun.inf" file in both my local disk drives: Local Disk C and the E partition. They are my boot drives indeed.
So you are saying when you go to My Computer
And open (Double click) on your C drive or E Partition, it then opens?
What opens? Just the drive (which is normal) or does something (a program) start running?

Looks as though you just need to delete: "DiskAutoRun.exe" and "autorun.inf"
Then download Startup Control Panel: http://www.mlin.net/StartupCPL.shtml
And see what you can disable (untick, uncheck, or de-select) from starting with Windows.

As a guide, I have 1 thing starting with Windows, and that's my antivirus software.
Generally most users have about ~20 things, all slowing down Windows.
Disable anything not wanted to start with Windows, then restart.
 
OK, here's what happens when I boot up:

1. Slow login, I press ctrl-alt-del.
2. I find 2 applications running, they are both called "Octo"
3. I right click and select "go to process"
4. Both "Octo" applications are linked to 2 identical processes, both called "Snet.exe"
5. After 30 seconds both applications read "not responding".
6. I terminate both of the applications' "Snet.exe" processes and then open My Computer.
7. I right-click on "Local Disk C".
8. First option displayed is "autoplay" I select it.
9. Nothing happens.
10. I open Task Manager again and I find the application "Octo" is back, but the process is called "DiskAutoRun.exe" this time.
11. The application appears to do nothing. It just sits there running and not doing anything.
The same thing happens if I double-click.

I will get some pictures uploaded if that will help.

Oh yeah, and I found hidden DiskAutoRun.exe and autorun.inf files on both my partitions,

but when I delete them, there is still an autoplay option on my local disk, except it gives me an error saying it cannot find "DiskAutoRun.exe" when I click.

So to answer your question: no, the disk does not open when I double-click; a program called "Octo" starts running.
 
Download and Run >> OTM by Old Timer
Copy the lines below (highlight all > Right Click > Copy)
:Files
C:\WINDOWS\Snet.exe
C:\WINDOWS\system32\SNet.dll
C:\DiskAutoRun.exe
C:\Autorun.inf
E:\DiskAutoRun.exe
E:\Autorun.inf

:Reg
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Snet"=-

:Commands
[resethosts]
[emptytemp]
[purity]

In OTM under Instructions for Items to be Moved window (under the yellow bar) Right Click > Paste.
Click the red Moveit! button.
Close OTM

Restart

------------------

Then follow this guide if you want to find and remove any further Malwares: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
It didn't work; it's still there, alive and kicking.

Here are the results:



All processes killed
========== FILES ==========
File/Folder C:\WINDOWS\Snet.exe not found.
File/Folder C:\WINDOWS\system32\SNet.dll not found.
C:\DiskAutoRun.exe moved successfully.
C:\Autorun.inf moved successfully.
E:\DiskAutoRun.exe moved successfully.
E:\Autorun.inf moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Snet not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 641738 bytes
->Temporary Internet Files folder emptied: 33408 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4373522 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 110025 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.95 mb


OTM by OldTimer - Version 3.1.1.0 log created on 11112009_184238

Files moved on Reboot...

Registry entries deleted on Reboot...


The only change is that the virus takes longer to start up in the beginning when I log in.
 
I took a guess at the location of Snet.exe (and Snet.dll).
Obviously I didn't get it right (you could just do a search, find the location and put that in OTM).

But here's another idea ;)
Download HijackThis from here: https://www.techspot.com/downloads/317-hijackthis.html
Run a scan and logfile.
Then Attach (using the Attach button, which is located in the New Reply toolbar) the HJT log (then submit the message, but you'll need to type something in the message too).
 
Yeah, OK, here it is.

Actually, after I used OTM I found SNet.exe; it was where you thought it was.
It was strange because I thought I had looked there before. I deleted it and restarted, but the virus was the same as usual and the snet.exe file is nowhere to be seen. But it is still in Processes.
 
OMG, THANK YOU! The HijackThis log told me where it was: it's in C:\Documents and Settings\Administrator(or whatever user name)\Application Data\Snet.exe

I found and deleted the little ****-er; everything is back to normal now.
Thanks for all the help.
 
Startup HJT Scan only

Place a check (tick) in the following boxes:
O1 - Hosts: ÿþ127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Snet] C:\Documents and Settings\Administrator\Application Data\Snet.exe
O4 - HKCU\..\Policies\Explorer\Run: [Snet] C:\Documents and Settings\Administrator\Application Data\Snet.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

These ones I don't know if you want or not (starting with Windows):
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: *.oracleads.com
My personal opinion is, if you are unsure, also tick them.


Then close all/any Internet browsers and select FIX.
Close HJT.
Then restart.

Then download Norton Removal Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
And run it.
By the way, you went from Norton to McAfee? (Like jumping out of the frying pan into the fire, IMO; I hate both of them.)
I use free Avira (and find it much, much better ;) which it is).

Restart

You are also running P2P software.
I suggest you go through this guide as I earlier stated: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Remove P2P, horrible software.
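As an added illustration of the two things this thread turns on (an autorun.inf sitting on a fixed disk, and a Run entry hidden under Policies\Explorer\Run rather than the usual Run key), here is a small Python triage script. It is not from the thread or from OTM/HijackThis; the autorun.inf contents and the O4 lines it reads are constructed to match the symptoms described above.

```python
"""Triage helpers for the symptoms in this thread. Added example; inputs are constructed."""
import re
from configparser import ConfigParser

# Constructed autorun.inf in the shape that makes Explorer offer an "autoplay"
# verb on a fixed disk; the real file from the thread was never posted.
AUTORUN_INF = """[autorun]
open=DiskAutoRun.exe
shell\\autoplay\\command=DiskAutoRun.exe
shell=autoplay
"""

# Constructed HijackThis O4 lines modelled on the log posted in the thread.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Snet] C:\Documents and Settings\Administrator\Application Data\Snet.exe",
    r"O4 - HKCU\..\Policies\Explorer\Run: [Snet] C:\Documents and Settings\Administrator\Application Data\Snet.exe",
]

def autorun_targets(text):
    """Return what an autorun.inf would launch: the 'open' value and every
    shell\\<verb>\\command value (the verbs Explorer adds to the drive's
    context menu, like the 'autoplay' entry the poster saw)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # autorun.inf keys are case-insensitive
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    targets = {}
    for key, val in cp.items("autorun"):
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = val.strip()
    return targets

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_WRITABLE = ("application data", "local settings", "\\temp\\", "documents and settings")

def suspicious_o4(lines):
    """Flag O4 entries that live under Policies\\Explorer\\Run (a key most
    people never look at) or that launch something from a user-writable path."""
    hits = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        key, cmd = m.group("key"), m.group("cmd").lower()
        reasons = []
        if "policies\\explorer\\run" in key.lower():
            reasons.append("policies-run-key")
        if any(p in cmd for p in USER_WRITABLE):
            reasons.append("user-writable-path")
        if reasons:
            hits.append((m.group("name"), key, reasons))
    return hits
```

Run `suspicious_o4(HJT_LINES)` against a real HJT log's O4 lines and only the two Snet entries are reported, which is exactly the pair that resolved this thread.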
 