PDA

View Full Version : Win32.Autorun.tmp



ZomgGuitarz1234
2010-07-25, 02:26
This thing just wont die! I mean I tried removing it with spybot and malware bytes but it keeps coming back :sad:

Its also is attacking my drivers. I know this because it ruined my sound driver, and internet driver (I was lucky because I keep a copy of my driver installer devicer on my flashdrives incase of crap like this) and its bring its little friend this fake anti-virus program called 'antivirus doctor'

I'd like to post that one log you guys always ask for BUT IT SCREWS WITH MY DOWNLOADS! Basically what it does is, the download cancels the first time, so then I try to download it again and it downloads like part of the file so it doesn't work.

idk how long I got before it decides to screw with my startup stuff, so I can't even turn my computer on (happened before to me, spookily similar scenario)

Updated malware bytes and it picked up a ****ton of virus' i didn't see before

Heres the log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 3944

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2010 11:44:11 AM
mbam-log-2010-04-01 (11-44-11).txt

Scan type: Quick scan
Objects scanned: 103850
Time elapsed: 12 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

--

Alright I've found the file which is
C:\Documents and Settings\<name>\Application data\ogix.exe

And the registry value which is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan

HOWEVER
I can't delete both because THEY KEEP COMMING BACK (I only can see ogix.exe through Malware Bytes, if I look in the folder itself with hidden folders enabled, I can't see it)

Blade81
2010-07-29, 10:50
Hi,

Please read BEFORE you POST (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) topic. Post back dds.txt & attach.txt of DDS run.

Blade81
2010-08-04, 09:43
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.