Saxenhauser
Cadet
Joined: Jan 03, 2008 Posts: 8
Posted: Sun Feb 17, 2008 5:15 am Post subject: autorun.inf, x.com, u.bat awda2.exe?
I have malicious software that spreads to every external memory. My PC got infected from a USB memory stick.
It consists of 2 files: autorun.inf (525 bytes) and x.com (102.211 bytes). These files are HRS (hidden, read-only, system) and cannot be deleted, edited or renamed, and the attributes cannot be altered.
The content of autorun.inf is like this:
;
[AutoRun]
;
open=x.com
;
shell\open\Command=x.com
;
shell\open\Default=1
;
shell\explore\Command=x.com
;
Behind the semicolons there is some code, but I will not publish it here because I fear it contains sensitive information.
On some memory sticks there is also u.bat and awda2.exe.
What does it do? How can I get rid of it?
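Added example (not part of the original posts): a small Python parser that lists what the autorun.inf quoted above would launch, skipping the semicolon comment lines. The filler after the semicolons in SAMPLE is constructed, since the poster withheld the real text, and the function names are this example's own.

```python
import re

# [AutoRun] keys whose value is a command line: open, shellexecute, shell\<verb>\command
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# First program named in a command value, if it has a directly executable extension
TARGET = re.compile(r'^"?([^"]+?\.(?:com|exe|bat|cmd|scr|pif|vbs))\b', re.I)

# Constructed sample: same keys as the listing in the post; the text after the
# semicolons is filler, because the poster did not publish the real content.
SAMPLE = r"""
;filler-1
[AutoRun]
;filler-2
open=x.com
;filler-3
shell\open\Command=x.com
;filler-4
shell\open\Default=1
;filler-5
shell\explore\Command=x.com
;filler-6
"""

def parse_autorun(text):
    """Return (commands, comment_line_count) for the [AutoRun] section."""
    commands, comments, in_autorun = [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):        # comment: ignored by Windows, may hide padding
            comments += 1
        elif line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if COMMAND_KEY.match(key):
                commands.append((key.lower(), value))
    return commands, comments

def suspicious_targets(commands):
    """Sorted, de-duplicated executable names the AutoRun commands would launch."""
    found = (TARGET.match(value) for _key, value in commands)
    return sorted({m.group(1).lower() for m in found if m})

if __name__ == "__main__":
    cmds, comments = parse_autorun(SAMPLE)
    print(cmds, comments, suspicious_targets(cmds))
```

The `shell\open\Default=1` line is not a command and is skipped; only the three entries that name x.com are reported.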
Saxenhauser
Cadet
Joined: Jan 03, 2008 Posts: 8
Posted: Sun Feb 17, 2008 5:20 am Post subject: more info
The file x.com contains this line:
KERNEL32.DLL LoadLibraryA ExitProcess GetProcAddress
tetak
MIRT Team Lead Premium Member
 Joined: Jan 19, 2007 Posts: 5879
Saxenhauser
Cadet
Joined: Jan 03, 2008 Posts: 8
Posted: Sun Feb 17, 2008 5:55 pm Post subject: ZIP is not possible
I cannot zip them because WinZIP does not "see" or recognize the 2 files because they are HRS. I can only see them in the DOS shell with dir/a. There is no attribute change possible, either in the DOS shell or with Windows XP. I guess this malware does key logging.
tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5879
Posted: Sun Feb 17, 2008 8:08 pm Post subject:
Try opening My Computer, click on Tools -> Folder Options -> View -> Show hidden files and folders -> Ok.
You may now be able to see the files.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Saxenhauser
Cadet
Joined: Jan 03, 2008 Posts: 8
Posted: Wed Mar 12, 2008 9:44 pm Post subject:
Thanks for the help!
Microsoft Defender is downloaded, installed and running, and it reported 1 problem to the MS-center.
Quote: Try opening My Computer, click on Tools -> Folder Options -> View -> Show hidden files and folders -> Ok.
There is no way to change the attribute setting. I cannot add the 2 files to .zip. WINZIP does not detect these HSR files. Only NeroBurningRom shows them. If they are deleted with NeroBurningRom, about 20s later they reappear. Last time I had this kind of malware I had to edit the registry while in Windows safe mode.
Do you know how to edit the registry to get rid of this malware?
I posted my HJT-log there:
autorun.inf, x.com. Infected by USB memory stick.
tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5879
Posted: Wed Mar 12, 2008 9:56 pm Post subject:
A 1st responder or security expert will reply in your other post with instructions that should help you.