Hard drive autoplay virus?

By Vandersen · 10 replies
Nov 11, 2009
  1. My hard drives have an autoplay feature, that runs when i double click.

    I have windows xp 32bit

    this appears to be a symptom of the godzilla virus however i have not found any traces of ms32dll anywhere on my drives. I didn't find the "hacked by godzilla" title on IE either.

    However I did find an "autorun.inf" and a "DiskAutoRun.exe" file on both my drives.
    I deleted them, and restarted, but some program puts them back when I restart.

    The program is called "Octo", and the process is "Snet.exe" 2 copies of the program run at the same time when I log in to my account.

    I could not find Snet.exe or Octo anwhere on my computer.
    When I start in safe mode, the disks no longer have the autoplay feature.

    help me get rid of this pest.
    I am scanning with mcaffee right now but so far nothing has been found.
  2. fw2004

    fw2004 TS Booster Posts: 152

    Is this your boot drive(s) or removable drive?
    I have never found an autorun file on a boot drive, but have seen them on removable media.

    You don't have another OS on the system, do you?

  3. Vandersen

    Vandersen TS Rookie Topic Starter

    There is a "DiskAutoRun.exe" and an "autorun.inf" file in both my local disk drives. local disk C and the E partition. they are my boot drives indeed.

    Yes I have 2 Operating systems.

    First os is Win xp 32 installed on one hard drive.
    Second OS is windows vista ultimate 64 on another hard drive.

    However, the hard drive containing the OTHER operating system is disabled in each operating system.
    I only occasionally enable the other drive for file transferring. Other than that, the 2 OSes aren't supposed to be able to communicate.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    So you are saying when you go to My Computer
    And open (Double click) on your C drive or E Partition, it then opens?
    What opens? Just the drive (which is normal) or does something (a program) start running?

    Looks as though you just need to delete: "DiskAutoRun.exe" and "autorun.inf"
    Then download Startup Control Panel: http://www.mlin.net/StartupCPL.shtml
    And see what you can disable (untick; or uncheck; or de-select) from starting with Windows

    As a guide I have 1 thing starting with Windows and that's my Antivirus software
    Generally most Users have about ~20 things, all slowing down Windows
    Disable anything not wanted to start with Windows, then Restart
  5. Vandersen

    Vandersen TS Rookie Topic Starter

    ok heres what happens when I boot up:

    1. Slow login, I press ctrl-alt-del.
    2. I find 2 applications running, they are both called "Octo"
    3. I right click and select "go to process"
    4. Both "Octo" applications are linked to 2 identical processes, both called "Snet.exe"
    5. after 30 seconds both applications read "not responding"
    6. I terminate both of the applications "Snet.exe" processes and then open my computer.
    7. I right click on "local disk C".
    8. First option displayed is "autoplay" I select it.
    9. Nothing happens.
    10. I open task manager again and I find the application "Octo" is back, but the process is called "DiskAutoRun.exe" this time.
    11. The application appears to do nothing. It just sits there running and not doing anything.
    same thing happens if I double click.

    I will get some pictures uploaded if that will help.

    Oh yeah and I found hidden DiskAutoRun.exe and autorun.inf files on both my partitions

    but when I delete them, there is still an autoplay option on my local disk, except it gives me an error saying it cannot find "DiskAutoRun.exe" when i click

    so to answer your question, no, the disk does not open when i double click, a program called "Octo" starts running.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Download and Run >> OTM by Old Timer
    Copy the lines below (highlight all > Right Click > Copy)
    In OTM under Instructions for Items to be Moved window (under the yellow bar) Right Click > Paste.
    Click the red Moveit! button.
    Close OTM



    Then follow this guide if you want to find and remove any further Malwares: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
  7. Vandersen

    Vandersen TS Rookie Topic Starter

    It didn't work, its still there, alive and kicking.

    here are the results:

    All processes killed
    ========== FILES ==========
    File/Folder C:\WINDOWS\Snet.exe not found.
    File/Folder C:\WINDOWS\system32\SNet.dll not found.
    C:\DiskAutoRun.exe moved successfully.
    C:\Autorun.inf moved successfully.
    E:\DiskAutoRun.exe moved successfully.
    E:\Autorun.inf moved successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Snet not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully


    User: Administrator
    ->Temp folder emptied: 641738 bytes
    ->Temporary Internet Files folder emptied: 33408 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 4373522 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 110025 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 4.95 mb

    OTM by OldTimer - Version log created on 11112009_184238

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    only change is that the virus takes longer to start up in the beginning when I log in.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I took a guess at the location of Snet.exe (and Snet.dll)
    Obviously I didn't get it right (you could just do a search, find the location and put that in OTM

    But here's another idea ;)
    Download HijackThis from here: https://www.techspot.com/downloads/317-hijackthis.html
    Run a scan and logfile
    Then Attach (using the Attach button >> [​IMG] Which is located in the New Reply Toolbar) Attach the HJT log (then submit the message - but you'll need to type something in the message too)
  9. Vandersen

    Vandersen TS Rookie Topic Starter

    yeah k here it is.

    Actually after I used OTM i found SNet.exe it was where u thought it was.
    It was strange cuz I thought I had looked there before. I deleted it and restarted but the virus was the same as usual and the snet.exe file is nowhere to be seen. but It is still in processes.
  10. Vandersen

    Vandersen TS Rookie Topic Starter

    OMG THANK YOU the HJthis log told me where it was its in C:\Documents and Settings\Administrator(or whatever user name)\Application Data\Snet.exe

    I found and deleted the little ****-er everything is back to normal now.
    thanks for all the help.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Startup HJT Scan only

    Place a check (tick) the following boxes:
    These ones I don't know if you want or not (starting with Windows):
    My personal opinion, is if you are unsure, also tick them

    Then close all/any Internet browsers and select FIX
    Close HJT
    Then Restart

    Then download Norton Removal Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
    And run it
    By the way you went from Norton to McAfee ? (like jumping out of the frying pan into the fire (IMO) I hate both of them
    I use free Avira (and find it much much better ;) Of which it is)


    You are also running P2P software
    I suggest you go through this guide as I earlier stated: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
    Removing P2P horrible software
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...