Chess.exe, autorun.inf virus/spyware
I've got a virus hopping all around my domain. I'm still not sure where it's hiding, but any removable devices or mapped betwork shares will be infected by a chess.exe file and an autorun.inf file in their root directoies if they come in contact with an infected pc. After this, two files appear in %windir%\system32: aj32.dll, and kcc1.dll. Running avg in safe mode by the command line will seemingly remove the infections. However, on reboot, when the profile is loading, the dcom dialog box pops up, and the message "aj32.dll could not be found. Upon a nother reboot, this message goes away, but any new profile created will display this message. After the profile is completely loaded, task manager and regedit will be disabled, and any install fails out since it cant access the reg. This eventually spreads to all users, including the local administrator profile. superantispyware's repair function will restore all rights, but any flash drive or network share will eventually become reinfected. I've tried scanning with avg, malwarebytes, superantispyware, combodix, and trend micro...none of the seem to clear the cause of this infection. Has anyone seen anything this.
Last Comment
ASKER
Treid that already, it just keeps regenerating
ASKER
And yes, I know it's worm...I'm leaning towards w32.ogid or w32.oror-B
ASKER
autorun.inf and chess.exe are on the removable and shared drives, the files that are controlling the infection are somewhere on the local drive.
Hi there,
Did you disable system restore for all the PCs? Else, the AV will regenerate itself most of the time... Try disable system restore for now... When everything is stable, then turn it back on...
Hope it helps...
Did you disable system restore for all the PCs? Else, the AV will regenerate itself most of the time... Try disable system restore for now... When everything is stable, then turn it back on...
Hope it helps...
Please attach the Combofix log so we can make a script for any bad files that weren't removed during CF first run.
ASKER
Combofix log attached. Thanks in advance to anyone who can shed some light on this issue.
I've also found the loader point in the reg. However, even if I delete it, it regenerates on reboot.
[HKEY_LOCAL_MACHINE\SOFTWA
@="DCOM service"
"Locale"="EN"
"StubPath"="rundll32 kcc1.dll,InitO"
"IsInstalled"=dword:000000
"Version"="4,3,6,3"
combofix-log.txt
I've also found the loader point in the reg. However, even if I delete it, it regenerates on reboot.
[HKEY_LOCAL_MACHINE\SOFTWA
@="DCOM service"
"Locale"="EN"
"StubPath"="rundll32 kcc1.dll,InitO"
"IsInstalled"=dword:000000
"Version"="4,3,6,3"
combofix-log.txt
First disable system restore as stated above. Then boot in safe mode with networking and download this tool, extract to C:\ drive so you have a C:\rogueremoval tool, then follow all the steps in the help file. It will clean your problem for sure.
http://www.elitekiller.com/files/rogueremoval.zip
Cheers
http://www.elitekiller.com/files/rogueremoval.zip
Cheers
ASKER
zip file is corrupted
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Thanks!
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:
ComboFix /u
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:
ComboFix /u
Microsoft Legacy OS
The Microsoft Legacy Operating System topic includes legacy versions of Microsoft operating systems prior to Windows 2000: All versions of MS-DOS and other versions developed for specific manufacturers and Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions, and Windows Mobile.
55K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Surely its a worm virus.
Boot in safe-mode.
Delete autorun.inf, chess.exe.
Go to regedit, then aj32.dll string, delete it.
Great is our GOD.
:)
rionroc