NSAnti and AutoRun.Y Problems

My sister's laptop (Windows XP Home Edition SP2) got infected with some worms and things of that sort.

The first AVG alert came in as the following.



However, AVG couldn't really move the infected files and solve the problem.

Trying to access the infected files came to no avail, because I was not able to view hidden files and folders!

Also, at the same time, the Windows file system was corrupted in such a way that none of the drives (including removable drives and the camera) could be opened for browsing except by opening Windows Explorer first. It looked like the following.



So I checked this forum, which offers a lot of help.

I ran the SDFix tool and it helped to remove the autorun.inf from the C drive. However, it was not able to do that for the other drives (you have to run it from each drive), and as for removable drives, SDFix was not able to remove anything from them.

It is a good tool but not perfect; for instance, it is not able to remove hidden files such as the following (extract from the report).

Files with Hidden Attributes:

Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 8 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 19 Jan 2008 96,768 ..SHR --- "C:\WINDOWS\system32\kavo0.dll"
Thu 17 Jan 2008 96,768 ..SHR --- "C:\WINDOWS\system32\kavo1.dll"
Thu 28 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 28 Dec 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Sat 30 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1F4.tmp"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT185.tmp"
Thu 28 Dec 2006 4,348 A..H. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv1key.bak"
Thu 28 Dec 2006 401 A..H. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 28 Dec 2006 312 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv2key.bak"
Tue 20 Mar 2007 581,632 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\My meal\9th mArCh 2007\SIV1E.tmp"
Tue 20 Mar 2007 626,688 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\My meal\9th mArCh 2007\SIV1F.tmp"
Tue 20 Mar 2007 581,632 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\NZ\9th mArCh 2007\SIV1E.tmp"
Tue 20 Mar 2007 626,688 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\NZ\9th mArCh 2007\SIV1F.tmp"
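As an added example, not part of the original post and not SDFix's own logic, the following Python script parses a "Files with Hidden Attributes" block in exactly the format above and flags the entries a responder would look at first: executables under the Windows directory that carry both the System and Hidden attributes. The sample input is the extract quoted above; the triage rule is a generic heuristic of my own, and the meaning assigned to the attribute letters (A, S, H, R) is an assumption based on the usual DOS attribute names.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample: the "Files with Hidden Attributes" extract quoted above,
# used here as test input.
SAMPLE_REPORT = r'''
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 8 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 19 Jan 2008 96,768 ..SHR --- "C:\WINDOWS\system32\kavo0.dll"
Thu 17 Jan 2008 96,768 ..SHR --- "C:\WINDOWS\system32\kavo1.dll"
Thu 28 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 28 Dec 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Sat 30 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1F4.tmp"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT185.tmp"
Thu 28 Dec 2006 4,348 A..H. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv1key.bak"
Thu 28 Dec 2006 401 A..H. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 28 Dec 2006 312 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Music\License Backup\drmv2key.bak"
Tue 20 Mar 2007 581,632 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\My meal\9th mArCh 2007\SIV1E.tmp"
Tue 20 Mar 2007 626,688 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\My meal\9th mArCh 2007\SIV1F.tmp"
Tue 20 Mar 2007 581,632 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\NZ\9th mArCh 2007\SIV1E.tmp"
Tue 20 Mar 2007 626,688 A.SH. --- "C:\Documents and Settings\Teoh Yi Chin\My Documents\My Pictures\NZ\9th mArCh 2007\SIV1F.tmp"
'''

# One report line: weekday, day, month, year, size (with thousands separators),
# a five-character attribute column (letters or dots), "---", quoted path.
LINE_RE = re.compile(
    r'^(?P<dow>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attr>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)

# Extensions that are worth a second look when found System+Hidden under %SystemRoot%.
EXEC_EXT = ('.exe', '.dll', '.sys', '.com', '.scr', '.pif')


@dataclass(frozen=True)
class HiddenFile:
    date: str               # e.g. "2008-Jan-19"
    size: int               # bytes
    attrs: FrozenSet[str]   # letters present in the attribute column (assumed A/S/H/R)
    path: str


def parse_report(text: str) -> List[HiddenFile]:
    """Parse SDFix-style hidden-file lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(HiddenFile(
            date=f"{m['year']}-{m['mon']}-{int(m['day']):02d}",
            size=int(m['size'].replace(',', '')),
            attrs=frozenset(c for c in m['attr'] if c != '.'),
            path=m['path'],
        ))
    return entries


def is_suspicious(entry: HiddenFile) -> bool:
    """Executable under the Windows directory that is both System and Hidden.

    Legitimate Windows binaries are not normally shipped with S+H set, so this
    is a triage heuristic (an assumption of this example), not a verdict.
    """
    p = entry.path.lower()
    return (
        p.startswith('c:\\windows\\')
        and {'S', 'H'} <= entry.attrs
        and p.endswith(EXEC_EXT)
    )


def triage(text: str) -> List[str]:
    """Return the paths to examine first, in report order."""
    return [e.path for e in parse_report(text) if is_suspicious(e)]


if __name__ == '__main__':
    for e in parse_report(SAMPLE_REPORT):
        flag = '!!' if is_suspicious(e) else '  '
        print(f"{flag} {e.date} {e.size:>10,} {''.join(sorted(e.attrs)):<4} {e.path}")
```

Run against the extract, only the two DLLs in system32 are flagged; the Outlook Express binary, the DRM backups and the temporary files all fail one of the three conditions, which is the point of combining location, attributes and extension rather than trusting any one of them.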


So, what does this mean? --> Still not good enough.

Anyway, I decided to back up all data to a removable drive and had the laptop reformatted. However, as soon as I was ready for a brand new installation of Windows XP, I found that the removable drive was infected as well.

Thus, this time I switched to Spyware Doctor, provided by Google Pack. It is a good tool, except that since it is free, it doesn't provide real-time detection or a shield. (I still think that AVG has the best shield for a free product.) The problem with not having real-time protection is that you have to schedule manual scans from time to time, and this may not be attractive because, if you have a large hard disk, a scan can take a long time.

The same goes for Norton Security Scan (from Google Pack), which doesn't offer real-time detection, and it is impossible to scan a specific location (which is a hell of a thing!).

Only now did I understand why Norton and Spyware Doctor consented to offer free tools under Google Pack. Nevertheless, I give Spyware Doctor a thumbs up, because it scans pretty quickly and is capable of fixing the problems, except for the autorun.inf problem. And the full version of Spyware Doctor costs only RM 120+ per annum.

And to solve the problem of autorun.inf, check out this video.
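Since the video is no longer available here, the following is an added example of my own (not from the post, and not the method shown in the video) of how to inspect an autorun.inf from a suspect drive without double-clicking the drive. It parses the [autorun] section, lists every line that would make the shell execute something, and reports whether the drive's default open/explore verbs have been redirected, which is a common cause of a drive that will not open normally from My Computer. The sample files are constructed, and the payload name in them is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample autorun.inf of the kind dropped in the root of each drive;
# the payload file name is a placeholder, not taken from the post.
SAMPLE_AUTORUN = r'''[AutoRun]
open=RECYCLER\placeholder_payload.exe
shell\open\Command=RECYCLER\placeholder_payload.exe
shell\explore\Command=RECYCLER\placeholder_payload.exe
shellexecute=RECYCLER\placeholder_payload.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
'''

# A benign autorun.inf (also constructed) that only sets a drive icon and label.
BENIGN_AUTORUN = '''[autorun]
icon=setup.exe,0
label=Camera Card
'''

AUTO_LAUNCH_KEYS = ('open', 'shellexecute')                # executed on insertion / AutoPlay
SHELL_VERB_RE = re.compile(r'^shell\\([^\\]+)\\command$')  # executed when that verb is chosen


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section (keys lower-cased)."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'autorun' and '=' in line:
            key, _, value = line.partition('=')
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(text: str) -> List[str]:
    """Every command the file asks the shell to execute, as 'key=value' strings."""
    return [
        f"{k}={v}" for k, v in parse_autorun(text).items()
        if k in AUTO_LAUNCH_KEYS or SHELL_VERB_RE.match(k)
    ]


def hijacks_open_verb(text: str) -> bool:
    """True when the drive's default 'open' or 'explore' verb is redirected."""
    verbs = set()
    for key in parse_autorun(text):
        m = SHELL_VERB_RE.match(key)
        if m:
            verbs.add(m.group(1).lower())
    return bool(verbs & {'open', 'explore'})


if __name__ == '__main__':
    for name, content in (('sample', SAMPLE_AUTORUN), ('benign', BENIGN_AUTORUN)):
        print(f"== {name} ==")
        for cmd in launch_commands(content):
            print("  launches:", cmd)
        print("  open/explore verb hijacked:", hijacks_open_verb(content))
```

A file that only sets icon= and label= produces no launch lines and is harmless; anything with open=, shellexecute= or a shell\<verb>\command= line should be treated as a dropper until the referenced file has been examined. Disabling AutoRun through the Explorer policy value NoDriveTypeAutoRun stops the automatic lines from running on insertion, but the safe way to look inside a suspect drive is still to read and delete the autorun.inf first rather than double-click the drive icon.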

And finally, based on the analysis given by SDFix, I traced the source of the problem to a worm called W32.Gammima.AG.

And I believe that it all got started from emails infected with this worm.

Conclusion: use Spyware Doctor from Google Pack, and if you like it, upgrade to the full version. Otherwise, I still recommend reformatting your computer, because such troubleshooting consumes more time than usual. It is not worth it.

And also, please contribute to blogs and forums to help others resolve their problems quickly.

And finally, the worm doesn't infect Windows Vista.
