Avatar of hindsight
hindsightFlag for United States of America asked on

Chess.exe, autorun.inf virus/spyware

I've got a virus hopping all around my domain.  I'm still not sure where it's hiding, but any removable devices or mapped betwork shares will be infected by a chess.exe file and an autorun.inf file in their root directoies if they come in contact with an infected pc.  After this, two files appear in %windir%\system32: aj32.dll, and kcc1.dll.  Running avg in safe mode by the command line will seemingly remove the infections.  However, on reboot, when the profile is loading, the dcom dialog box pops up, and the message "aj32.dll could not be found.  Upon a nother reboot, this message goes away, but any new profile created will display this message.  After the profile is completely loaded, task manager and regedit will be disabled, and any install fails out since it cant access the reg.  This eventually spreads to all users, including the local administrator profile.  superantispyware's repair function will restore all rights, but any flash drive or network share will eventually become reinfected.  I've tried scanning with avg, malwarebytes, superantispyware, combodix, and trend micro...none of the seem to clear the cause of this infection.  Has anyone seen anything this.
Anti-Virus AppsAnti-SpywareMicrosoft Legacy OS

Avatar of undefined
Last Comment

8/22/2022 - Mon


Surely its a worm virus.

Boot in safe-mode.
Delete autorun.inf, chess.exe.
Go to regedit, then aj32.dll string, delete it.

Great is our GOD.

Treid that already, it just keeps regenerating

And yes, I know it's worm...I'm leaning towards w32.ogid or w32.oror-B
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

autorun.inf and chess.exe are on the removable and shared drives, the files that are controlling the infection are somewhere on the local drive.

Hi there,
Did you disable system restore for all the PCs? Else, the AV will regenerate itself most of the time... Try disable system restore for now... When everything is stable, then turn it back on...
Hope it helps...

Please attach the Combofix log so we can make a script for any bad files that weren't removed during CF first run.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Combofix log attached.  Thanks in advance to anyone who can shed some light on this issue.

I've also found the loader point in the reg.  However, even if I delete it, it regenerates on reboot.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}]
@="DCOM service"
"StubPath"="rundll32 kcc1.dll,InitO"

First disable system restore as stated above. Then boot in safe mode with networking and download this tool, extract to C:\ drive so you have a C:\rogueremoval tool, then follow all the steps in the help file. It will clean your problem for sure.



zip file is corrupted
Your help has saved me hundreds of hours of internet surfing.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u