Getting AutoCAD message with unknown script showing while opening any drawings

All,

Could you anyone help me to sort my problems, whenever I am open to any drawings, which getting autocad message with unknown script showing, In the drawing folder there was one LSP file creating automatically, the name was the lsp file was "acaddoc" screen shot attached for your reference, anyone have any experienced this before, I am working in a network shared drive, this is happened before yesterday,

It would be great if someone would give the solution to sort-out this issue,

Many thanks

Shan

I'm afraid that seems that you got an AutoCAD virus; but please don't worry, it can be fixed quite easily. Just check on the Forum on this mater and follow the instructions. Since you are talking of a shared folder will have to apply the treatment an each and every workstation that accessed drawings from that location. You may however ignore the stations with AutoCAD LT, if any, since this version isn't able to run/propagate the virus.

Sorry for delay; please check this previous discusion.

I'm afraid that seems that you got an AutoCAD virus; but please don't worry, it can be fixed quite easily. Just check on the Forum on this mater and follow the instructions. Since you are talking of a shared folder will have to apply the treatment an each and every workstation that accessed drawings from that location. You may however ignore the stations with AutoCAD LT, if any, since this version isn't able to run/propagate the virus.

Thanks Msasu for your quick reply, I have go through the link given by you in your second post, I had download the zip file from one of member are advised to do in that thread, KW, I am followed what they are instated, but still my problem is persist, could you give any alternative solution on this regard,

Many thanks,

Shaan

Here is some background information on the nature and behaviour of the ACADDOC.lsp file, so that you and anyone else who happens to read this thread can be aware when confronted with such files in the future.

The Dangers of the ACADDOC.lsp

When opening a drawing, AutoCAD will search the Working Directory (that is, the directory in which the active drawing resides), and all Support Paths (those listed in the Files tab of the Options dialog) for a file with the filename ACADDOC.lsp.

When such a file is found, AutoCAD will cease searching and will proceed to load the ACADDOC.lsp file into the active drawing namespace.

The act of loading a LISP file simply means that the contents of the file are read and any LISP expressions found therein are evaluated by the LISP interpreter.

In this way, most users will utilise the ACADDOC.lsp to automatically load custom programs when a drawing is opened, so that such programs are available during the drawing session. This is a more reliable and migratable method than using the Startup Suite for the same purpose.

However, with the knowledge that AutoCAD will search the Working Directory before any other path, it becomes very simple to include malicious code within an ACADDOC.lsp file sent with a drawing, so that, when the drawing is opened by an unsuspecting user, the ACADDOC.lsp file will be automatically loaded and the malicious code will be evaluated.

Such code could perform any number of operations: AutoLISP can very easily modify the registry, deleting or writing new registry keys; delete files from the system (bypassing the recycle bin), or writing new files to the system.

Most commonly included within this malicious code is the simple operation for the ACADDOC.lsp to copy itself to various (often hidden) locations on the user's system, complete with all malicious code, so that the file can continue to wreak havoc even after the user has deleted the original file.

Similar Autoloading Files

The ACADDOC.lsp is not the only file that is automatically sought and loaded into the drawing.

When the AutoCAD application is opened, a number of files are automatically loaded and others are reloaded again when every drawing is opened thereafter.

Most of these files are part of the application itself and hence should not be modified, others however are reserved for user customisation and can be modified and created if they don't already exist.

Below is the loading order of the various files that are automatically loaded into AutoCAD, with a brief description about each item:

• acad.rx
  
  

• acad
  20##
  .lsp
  
  

• acad.lsp
  
  

• acad20##doc.lsp
  
  

• acaddoc.lsp
  
  

• acad.dvb
  
  

• Main CUI/CUIX and related files
  
  
  

• Enterprise CUI/CUIX and related files
  
  
  

• acetmain.mnl
  
  

• Express Tools LISP & MNL files
  
  

• Startup Suite programs
  
  

• (S::STARTUP)
  
  

• acad.exe command line switch /b
  
  

Removing AutoCAD 'Viruses'

AutoCAD 'viruses' mostly occur in the form of a hijacking of the ACADDOC.lsp file, causing this file to change users' settings, potentially corrupting the users' system and causing irrevocable damage, and most commonly multiplying this file to spread across the users' file system.

However, should the CAD environment be successfully reset, this file can only continue to cause harm if it can be found by AutoCAD and loaded into a drawing, resulting in the malicious code being evaluated and file replication to occur once again.

Hence, the solution to removing the 'virus' is to simply remove all instances of the malicious ACADDOC.lsp file from the system so that it can no longer replicate itself or alter the system in any way.

To check whether all instances of this file have been removed, simply type at the AutoCAD command line:

(findfile "ACADDOC.lsp")

If the above returns a valid filepath, navigate to the filepath and remove the file, then re-type the above expression to test for the existence of any other ACADDOC.lsp files.

This process could also be automated using a LISP program:

(defun c:delacaddoc ( / file )
   (while (setq file (findfile "ACADDOC.lsp"))
       (if (vl-file-delete file)
           (princ (strcat "\nDeleted file: " file))
           (princ (strcat "\nUnable to delete file: " file))
       )
   )
   (princ)
)

The above program will delete all ACADDOC.lsp files found in either the current Working Directory or all AutoCAD Support Paths.

However, be aware that due to the autoloading nature of the acad.lsp, acad20##.lsp & acad20##doc.lsp, these files also have the potential to contain malicious code and should be monitored.

Other AutoCAD 'Viruses'

AutoCAD 'viruses' can use files other than those noted above to infect users' systems.

A well-known AutoCAD 'virus' is permeated via a file named: acad.vlx

The naming of such file intentionally misleads users into thinking that this file is part of the program files for the application and hence should not be deleted, however, this file can cause considerable damage to a users' system if not removed.

For more information about the acad.vlx virus, and how to remove it, see here.

Got to give it to Lee Mac One of the finest provider of information

Cheers

It is great pleasure to have a great mentor like Lee, pBe.

I've learned a lot again. Thanks to Lee.

Thank you very much Lee mac, It has worked very well, I do not have any words to describe, how you helped me, I was searching this since yesterday and posted another forum, but they can't give the proper answer to my problems, you hit my nail, Thank you very much lee mac, I am new in this forum, I hope you may extent in your kindness in future as well,

Thanks again Lee mac

Regards,

Shaan

Got to give it to Lee Mac One of the finest provider of information

 

Cheers

It is great pleasure to have a great mentor like Lee, pBe.

I've learned a lot again. Thanks to Lee.

Thanks guys, your kind gratitude means a lot and makes the time that I put in all the more worthwhile

Thank you very much Lee mac, It has worked very well, I do not have any words to describe, how you helped me, I was searching this since yesterday and posted another forum, but they can't give the proper answer to my problems, you hit my nail, Thank you very much lee mac, I am new in this forum, I hope you may extent in your kindness in future as well,

 

Thanks again Lee mac

 

Regards,

Shaan

You're very welcome Shaan - this particular topic surrounding the ACADDOC.lsp hadn't been discussed conclusively in any thread as far as I have witnessed, and so I figured that it was a good opportunity to put together some information on the topic for you and those who happen to visit this thread experiencing the same issues in future.

I'm delighted to have solved your problem.

All the best,

Lee

Typically comprehensive and stellar post, would we, as students of history, expect anything less from Lee?

When I read it last night I found it most informative and immediately added a couple of tags to the thread

to help folks who might need it down the road find it. I could only add two tags, but wanted to add VIRUS too, but had

reached my add tag limit with the first two.

I think that this would be a good candidate for the TIPS & TRICKS forum, as it has such an important message to

the autocad community as a whole, those who are having, and those who might one day experience this problem.

Thanks Lee!

Many thanks Dadgad - I have also just added two extra tags to the thread: 'autocad', 'virus' to help others find it. I am also considering adding the contents of my above post to the Tutorials section of my site, so that the information can be found and accessed easily.

Cheers,

Lee

At Lee's suggestion here, I read through this thread, and thought I'd share that my office recently experienced an Acad.fas / AcadDoc.fas / BakDwg.fas virus.

My initial thought as well (once the servers, and computers were cleaned up), was to write a LISP function to 'kill' this virus, but how to ensure that my function is loaded first (before those within the project directories), and my limited testing showed that simply registering a .NET assembly does the trick.

Sample command line output at startup:

Loading AEC Base...
Loading AEC Base Extended...
Loading AEC Base UI...
Loading AEC Project Base...
Loading AEC Base GUI...
Loading AEC Schedule Data...
Loading AEC Project UI...
Loading AEC Utilities...

Customization file loaded successfully. Customization Group: DONTYOUWANTTOKNOW
Customization file loaded successfully. Customization Group: CIVIL
Customization file loaded successfully. Customization Group: ACAD
Customization file loaded successfully. Customization Group: TOOLBASEDRIBBON
Customization file loaded successfully. Customization Group: TASKBASEDRIBBON
Customization file loaded successfully. Customization Group: AUTODESKSEEK
Customization file loaded successfully. Customization Group: AUTOCADRASTERDESIGN
Customization file loaded successfully. Customization Group: EXPRESS
Customization file loaded successfully. Customization Group: AUTOTURN
Loading AECC Base...

Initializing....
There are no valid MS Jet providers installed......Done.
Loading AECC Land...
Loading AECC Subentity Selection...

Loading Modeler DLLs.
Loading AECC Pipe Part...
Loading AECC QTO......
Loading AECC Pipe Network...
Loading AECC Roadway...
Loading AECC Survey...
Loading AEC Schedule...
Loading AECC Plan Production...
Loading AEC Architectural Base...
Loading AEC Structural Base...
Loading AEC Area Base...
Loading AEC Dimensions Base...
Loading AecCivilBase...
Loading AECC Building Site...
Loading AECC Point Cloud...
Regenerating model.
Loading AECC Hydrology...
Loading AECC Base UI...
Loading AECC Event Viewer...
Loading AECC Land UI...
Loading AECC QTO UI...
Loading AECC Pipe Network UI...
Loading AECC Roadway UI...
Loading AECC Survey UI...
Loading AECC Plan Production UI...
Loading AECC Publish UI...
Loading AECC AeccUiHydrology...
Loading AECC Mapcheck...
Loading AECC Mapcheck UI...
Loading AECC Building Site UI...
Loading AECC Point Cloud UI...
Loading AECC Management UI...
Loading AECC Model UI...

[color=red]** Bow ties are cool **[/color]

... Acad.lsp loaded.
AutoCAD menu utilities loaded.
Regenerating model.

... AcadDoc.lsp loaded.
AutoCAD menu utilities loaded.

... CUIx *.mnl files loaded

Command: _RIBBON

Command: COMMANDLINE

Pseudo code used to test this theory:

using Autodesk.AutoCAD.Runtime;
using System;

[assembly: ExtensionApplication(typeof(TheDoctorSays.BowTiesAreCool))]

namespace TheDoctorSays
{
   public class BowTiesAreCool : IExtensionApplication
   {
       void IExtensionApplication.Initialize()
       {
           Autodesk.AutoCAD.ApplicationServices.Application.
               DocumentManager.MdiActiveDocument.Editor.WriteMessage(
               "\n** Bow ties are cool ** "
               );
       }

       void IExtensionApplication.Terminate()
       {
       }
   }
}

Sample .REG file to register an autoloading .NET assembly:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Autodesk\AutoCAD\[color=red]<YourVersion>[/color]\Applications\[color=red]<YourKey>[/color]]

"DESCRIPTION"=[color=red]"Your description"[/color]

"LOADCTRLS"=dword:00000002

"LOADER"="[color=red]<DriveLetter>[/color]\\[color=red]<YourFilePath>[/color]\\[color=red]<YourAssemblyName[/color]>.dll"

"MANAGED"=dword:00000001

... More on LOADCTRLS.

HTH