My PC Infected by an AutoIT script

  • 28 February 2015
  • 14 replies
  • 161 views

I used KIS before and I moved to WSA (I removed KIS from the system and installed WSA Complete) because of its lightness on resources, but after a few days, now my two computers got infected.

Known symptoms:
It creates shortcuts when a USB drive is inserted and creates a folder for itself on the drive.
Also I noticed that there is an autoit3.exe process in the Task Manager. When I looked at its (autoit3.exe) location, I found that it is c:\Google
I am attaching a few screenshots here.

Please guide me.
Images

https://dl.dropboxusercontent.com/u/30615903/Images/cap1.jpg
https://dl.dropboxusercontent.com/u/30615903/Images/cap2.jpg
 
**. I scanned those folders and files with Webroot but no infection was found.
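A defender-side triage script for the USB symptom described above (shortcuts dropped on the drive plus an autoit3.exe process), added here as an example and not part of the original post: it parses the launch fields of each top-level .lnk on a drive root and flags any whose path or arguments reference autoit3.exe. The `build_lnk` helper fabricates a minimal sample shortcut so the demo runs offline; that the real shortcuts launch the interpreter is an assumption, not something the post states.

```python
import os
import struct

# Shell Link (.lnk) LinkFlags bits from MS-SHLLINK 2.1.1.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON))

def parse_lnk(data):
    """Return the StringData fields of a .lnk: the path and arguments it launches."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # ShellLinkHeader is a fixed 76 bytes
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (u32 size counts itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1     # CountCharacters is in characters, not bytes
    fields = {}
    for key, flag in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def looks_like_autoit_launcher(fields):
    # Assumption: the dropped shortcuts start the interpreter seen in Task Manager.
    return "autoit3" in " ".join(fields.values()).lower()

def triage_removable_root(root):
    """(name, parsed fields, suspicious?) for every top-level .lnk on a drive root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path) and name.lower().endswith(".lnk"):
            with open(path, "rb") as fh:
                fields = parse_lnk(fh.read())
            findings.append((name, fields, looks_like_autoit_launcher(fields)))
    return findings

def build_lnk(relative_path, arguments):
    """Constructed minimal .lnk (header + Unicode StringData) so the demo runs offline."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 76)      # HeaderSize
    struct.pack_into("<I", header, 20, HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body
```

Point `triage_removable_root` at the root of the inserted drive (for example `E:\`); any entry flagged `True` is a shortcut that would start the interpreter and is worth quarantining before the drive is used elsewhere.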
 
 

14 replies

Userlevel 7
Badge +52
Hello and welcome to the Webroot Community Forums!
 
The best thing to do is to open a Support Ticket and ask Webroot Support to take a look and remove this for you. There is no charge for this if you are a WSA license holder with a current subscription.
Virus Removal Options
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Virus-Removal-Options/ta-p/54074
So let's say I removed this somehow (I can easily format the whole PC), but there is a chance of an attack again, right? I want to solve that. OK, I will try to contact support. Is there a chat line?
Tried to contact support by the given URL;
it says to enter my email, so I insert it and it says
We have already had contact with: xxxxxxxx@gmail.com

Please enter your password below if you wish to continue with your previous conversation. Your password will have been previously emailed to you.

When I insert the password and press Continue, it does nothing.
So still no help.
Userlevel 7
Badge +52
@ wrote:
OK, I will try to contact support. Is there a chat line?
http://www.webroot.com/us/en/support/contact
Still unable to contact support! 😞
Userlevel 7
Badge +62
Hello and Welcome to the Webroot Community,

May I intervene here and just ask whether you saved that email from support with the password, and whether you disabled cookies in your browser? Just making sure we don't overlook the obvious. ;)

Also, I don't believe support by phone is available on the weekends?

Regards,
Userlevel 7
Badge +52
 
https://www.webrootanywhere.com/servicewelcome.asp
 


 

I am using Firefox with cookies enabled. What do you mean by save? I contacted Webroot support a very long time ago, I think in 2012. If you are asking about saving that support email, please note that this is a new PC 🙂.
OK, got it, thank you! The last time I contacted support was Nov 7, 2013, not 2012 :D

Now I can post a support ticket!
I am just curious, may I wait until contacted by support, or may I run an on-demand scanner like MBAM?
Userlevel 7
Badge +62
Hi,
 
Support will take a little longer because of the weekend, but they should be able to contact you through email by Monday or so. Don't quote me, but they usually are pretty fast.
 
It's up to you if you want to use MBAM. What do you think @ ?
 
EDIT: It's usually best not to mess around until Webroot checks your logs and what not.
 
 
 
Regards,
Userlevel 7
Badge +52
@ wrote:
 
 
It's up to you if you want to use MBAM. What do you think @ ?
 
EDIT: It's usually best not to mess around until Webroot checks your logs and what not.
 
 
 
Regards,
I think you can use MBAM Free
&
You can also try to scan in safe mode
 
Can you run a deep scan in Safe Mode with Networking? The instructions on how to do so are shown below.
 
1. Start your computer in Safe Mode with Networking. For instructions on starting in Safe Mode with Networking, see:
http://www5.nohold.net/Webroot/Loginr.aspx?pid=12&login=1&app=vw&solutionid=68
2. Open Webroot SecureAnywhere from the tray, start menu or desktop icon.
3. Click on the cog icon next to 'PC Security'. http://www.webroot.com/En_US/SecureAnywhere/PC/WSA?_PC_Help.htm#C2_Scanning/CH2e_Defining_Custom_Sca...
4. Open the 'Scan & Shields' tab.
5. Click the 'Custom Scan' button.
6. The default scan option is 'Deep'. Click Scan.
I am running MBAM now... let's see...
Userlevel 7
Badge +52
Using Control Active Processes, advanced users can adjust the threat-detection settings for all programs and processes running on your computer. It also includes a function for terminating any untrusted processes, which might be necessary if a regular scan did not remove all traces of a malware program.
http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10b_ControllingProcesses.htm
 
@ Yes, I just did that to control the spreading, and I am installing ICS to control the future behaviour.
It is FUD for MBAM and Avast too.
