Computer Security & Viruses/Question about Win32.autoit.


Question
QUESTION: My computer is infected by win32.autoit.
Can you please tell me all about it (like will it send my information to others?) and how to remove it.
And I will be directed to strange websites when I am browsing the internet. Is it because of trojans?

ANSWER: Hi Keiko,

Each anti-virus has different names for the same threat. Using Internet Explorer, go to:

http://security.symantec.com/sscv6/WelcomePage.asp

Click "Continue to Symantec Security Check". In the next window, click No when asked if you want to close this window; that will bring you to a window where you should click Virus Detection.

Write down exactly anything it finds, then go to: http://www.symantec.com/search/ and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually. Make sure that you follow the instructions for removal, step by step, especially the part regarding disabling System Restore.

I would also suggest downloading Malwarebytes Anti-Malware 1.35 from:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

What you are explaining could be due to a virus and/or spyware.

Hope this helps!
Lorry

---------- FOLLOW-UP ----------

QUESTION: Hello,

But please tell me about Win32.autoit.
Will it reveal my information to others?

Answer
Hi Keiko,

If you ran the scan from Symantec that I mentioned, it would give you the information you are looking for plus how to remove it.

This worm creates copies of itself on local disks and write-accessible removable disks. It is a Windows PE EXE file. It is packed using UPX. The size of infected files may vary from 220KB to 275KB.

Installation

When launching, the worm copies its executable file to the Windows system and root directories:

%WinDir%\RVHOST.exe
%System%\RVHOST.exe

In order to ensure that the worm is launched automatically when the system is rebooted, the worm adds a link to its executable file to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "%System%\RVHOST.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe RVHOST.exe"

Propagation

The worm copies its executable file to the root of all write-accessible removable disks under the following name:

New Folder.exe

The worm also recursively copies its executable file to all folders on removable disks. The copies of the worm will have the same name as the folder they have been copied to with an “.exe” extension.

Payload

The worm creates the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 1
DisableTaskMgr = 1

By doing so, it prevents the registry editing tool and Task Manager from being launched.

The worm also terminates processes relating to some antivirus and firewall solutions.

From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=143342

Hope this helps!
Lorry
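
The registry changes listed in the answer above can be checked offline against the text of a `reg export` dump. The following is an added example, not part of the original answer or of the quoted Viruslist entry; the sample export is constructed, the function and constant names are illustrative, and it assumes the export has already been decoded to text and that the stock Winlogon Shell value is `explorer.exe`.

```python
import re

RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

# Constructed sample of `reg export` text, already decoded to str (not real data).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\RVHOST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
'''

def parse_reg(text):
    """Parse .reg text into {key (lowercase): {value name (lowercase): data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            data = m.group(2)
            # dword values become ints; strings lose quotes and .reg backslash escaping
            current[m.group(1).lower()] = (int(data[6:], 16) if data.startswith("dword:")
                                           else data.strip('"').replace("\\\\", "\\"))
    return keys

def audit_registry(text):
    """Return findings for the autostart and policy changes listed in the write-up."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN, {}).items():
        if isinstance(data, str) and data.lower().endswith("rvhost.exe"):
            hits.append(f"Run value '{name}' -> {data}")
    shell = keys.get(WINLOGON, {}).get("shell")
    # Assumption: an unmodified system has Shell set to just "explorer.exe"
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        hits.append(f"Winlogon Shell is '{shell}'")
    for value in ("disableregistrytools", "disabletaskmgr"):
        if keys.get(POLICY, {}).get(value) == 1:
            hits.append(f"Policy {value} = 1")
    return hits

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REG):
        print(finding)
```
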

Lorry

Expertise

I can answer most questions regarding viruses/Trojans and help to remove them.

Experience

This happens to be of interest to me as it boggles my mind that people have nothing better to do than to write a virus. Wish these people, the ones who write viruses, would put the knowledge to good use instead. My job as a local tech involves removing viruses and/or spyware.

©2012 About.com, a part of The New York Times Company. All rights reserved.