BV:AutoRun-E [Wrm]...need help or at least some ideas!

I use Windows XP Service Pack 3 and it's fully updated. I currently have avast version 4.8 Professional, build Sept 2009 (4.8.1368), with definitions file version 100315-3, compilation date 15/03/2010.

My problem is strange: during a screensaver scan I get reports of the following:
Process 1056, memory block 0x060D0000, block size 262144
BV:AutoRun-E [Wrm]
Virus/Worm

I have run boot scans and full system scans and they find nothing, but each time the screensaver scan runs, within a few minutes it finds this again. Often the process#### is different but it still has the same BV:AutoRun-E [Wrm] Virus/Worm found. The screensaver scan warning suggests a boot scan but does not offer quarantine options or deletion options?

I have used Malwarebytes and SUPERAntiSpyware, with full system scans in both normal and safe mode. I have also used Dr.Web CureIt, Trojan Remover and UnHackMe. Although they have found some minor irregularities, nothing serious was found.
This has been going on for a few weeks now. It does not seem to be causing any real harm, but I am concerned that it's being found and worry that I may be passing it to others?

If anyone has any ideas I would be anxious to hear them.

Thanks in advance

Bruce D.

One more try… :wink:

Hitman Pro 3 - Second Opinion Malware Scanner
http://www.surfright.nl/en/hitmanpro

did it work…?

Maybe because you have Windows Defender or MSE "or other residents". If you have one of those, please tell us. Anyway, if the boot time scan doesn't catch anything you are infected free in high percentage

Well, I tried Second Opinion and it has identified two suspicious files,
30.tdelmemp and Kcoesca.dll. However, it didn’t remove them, only identified them as suspicious.
I will have to investigate those files further before removing them. Will do that tomorrow and report back (it's bed time now:))

I do have Windows Defender. As for MSE or other residents, I am not sure what MSE is? And “infected free in high percentage”: I’m sorry, I don’t understand the meaning?

(it's bed time now:))
what...bed time.....must be something wrong with your clock...... ;D
"infected free in high percentage"
I think he means that he is almost sure that you are not infected

MSE = Microsoft Security Essentials

Hi Guys.
Results of action taken so far.
After quarantining the two files Second Opinion found to be suspicious (Kcoesca.dll and 30.tdelmemp) I rescanned the system using S.O. and it then found the following:
SEP5.tmp & TMP00000011d3AFEC508C21744D. S.O. then set these files to be deleted on reboot.
After rebooting, S.O. found no further threats. I followed this with a boot scan using avast. It also showed no infections. However,
allowing the computer to idle and screensaver scanning to begin again resulted again in a virus warning.

File Name: Process 1176, memory block 0x06190000, block size 262144
Malware Name: BV:AutoRun-E [Wrm]
Malware Type: Virus/Worm
VPS version: 100316-1, 16/03/2010

The only suggestion offered at this stage is to schedule a boot scan!
It does not tell me where the file was found or offer to quarantine or delete it!
This is really beginning to frustrate me.

Thanks Again
Bruce

Follow this guide from Essexboy and post the logs HERE
http://forum.avast.com/index.php?topic=53253.0

If the log is big, see the bottom left corner: additional options > attach

Ok will follow the guide and post back logs soon:)

Results of malwarebytes scan
Malwarebytes’ Anti-Malware 1.44
Database version: 3875
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/03/2010 9:29:53 PM
mbam-log-2010-03-17 (21-29-53).txt

Scan type: Quick Scan
Objects scanned: 128853
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfiles

attached

and OTL “extras” log file

Hi, there is one suspicious file I would like to check out

But first …

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - G:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - L:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:47 | 000,000,000 | R--D | M] - M:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:47 | 000,000,000 | R--D | M] - N:\autorun.inf -- [ NTFS ]
[2010/03/11 11:29:46 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2008/12/21 02:04:15 | 000,000,087 | ---- | M] () -- C:\a.ini
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Jotti File Submission:

* Please go to Jotti’s malware scan
* Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
* C:\WINDOWS\System32\System32.sys
* Click on the submit button
* Please post the results in your next reply.
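
Added example, not part of the original post and not OTL's own code: a small Python parser for the O32 AutoRun lines quoted in the fix script above, showing how to tell from the attribute column whether each autorun.inf entry is a directory or a regular file. It assumes the four attribute flags are Read-only, Hidden, System, Directory in that order; the X: line is a constructed contrast case.

```python
import re

# The five zero-byte lines are copied from the fix script in the post above;
# the X: line is constructed for contrast (a 120-byte hidden system file).
OTL_LINES = r"""
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - G:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,000 | R--D | M] - L:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:47 | 000,000,000 | R--D | M] - M:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:47 | 000,000,000 | R--D | M] - N:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/11 11:29:46 | 000,000,120 | RHS- | M] - X:\autorun.inf -- [ FAT32 ]
"""

O32 = re.compile(
    r"^O32 - AutoRun File - \[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| [MC]\] - (?P<path>[A-Za-z]:\\\S+) -- \[ (?P<fs>\w+) \]$"
)

def parse_o32(text):
    """Return one dict per O32 AutoRun line; any other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = O32.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]  # assumption: Read-only, Hidden, System, Directory
        entries.append({
            "drive": m["path"][0].upper(),
            "size": int(m["size"].replace(",", "")),
            "read_only": attrs[0] == "R",
            "hidden": attrs[1] == "H",
            "is_dir": attrs[3] == "D",
        })
    return entries

def classify(entry):
    """A directory named autorun.inf has no [autorun] section for Windows to
    read; a regular file can have one, so its contents need inspecting."""
    if entry["is_dir"]:
        return "directory"
    return "file-inspect" if entry["size"] > 0 else "empty-file"

def summarize(text):
    """Map drive letter -> classification for every O32 AutoRun entry."""
    return {e["drive"]: classify(e) for e in parse_o32(text)}

if __name__ == "__main__":
    for drive, kind in sorted(summarize(OTL_LINES).items()):
        print(f"{drive}: {kind}")
```
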

Hi results of Jotti are as follows:-
Filename: System32.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 18 Mar 2010 05:57:55 (CET) Permalink

Additional info
File size: 14 bytes
Filetype: ASCII text, with CRLF line terminators
MD5: 58d904a2fa970bc23b636c47cb60e649
SHA1: 480556e9f81dbeec70c59cd54a21303bcf232d33

Results of OTL after running the Run Fix scan as requested, followed by a quick scan,
attached.

Once again Thank You

That looks better now - what problems are you having?

My problem is strange: during a screensaver scan I get reports of the following:
Process 1056, memory block 0x060D0000, block size 262144
BV:AutoRun-E [Wrm]
Virus/Worm

I have run boot scans and full system scans and they find nothing, but each time the screensaver scan runs, within a few minutes it finds this again. Often the process#### is different but it still has the same BV:AutoRun-E [Wrm] Virus/Worm found. The screensaver scan warning suggests a boot scan but does not offer quarantine options or deletion options?

I have attached a screenshot of the warning.
The problem still continues: the screensaver scan still finds the problem but the process## changes.

OK, let's see if there is something I am missing

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OK, I have used ComboFix before, and as it didn’t ask this time to install the Recovery Console I assume I have it already.
Attached is the log from the scan just completed.

Thank You
Bruce.

So far none of the scans have shown any malware components that would account for that - I will have a look around to see what I can find out

The problem still happens each time I run the screensaver avast scanner… Just a thought: could it possibly be a damaged memory chip? Although it appears OK.