USB virus autorun.inf


  • This topic is locked
5 replies to this topic

#1 insideout33

Posted 07 June 2010 - 05:28 PM

I've recently been infected with an "autorun.inf" virus, brought it from my school with a USB stick, not sure if it was the only one that I brought, but that thing wasn't detected by AVG, so my guesses were that it already infected my computer, as different windows in IE started opening from time to time, a few suspicious processes in task manager, computer slowed down.

I decided to use Combofix. All the software I used before found nothing. Now my computer is smooth again, even faster than before, thanks to that great tool!
But the problem remains in my USB.

How do I prevent my computer from being infected when I plug the USB in again? Any tips on how to clean it from all the "bad things" without doing a format? I've read that CF disables autorun, but is it a fix? Or is the virus still executed no matter what? Wouldn't want to mess up my system again, especially when AVG can't do anything against it, that's one heck of a virus. If anyone happens to know how to deal with it, I would appreciate the help.



#2 boopme


Posted 07 June 2010 - 07:26 PM

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Then download and scan your flash drive with "ClamWin Portable Antivirus".


Formatting a Flash Drive
How to Fix Errors and Format USB Flash Drives
Format a USB Drive (scroll down)

Note: If you are having trouble formatting your USB drive, hold down the Shift key when inserting the drive into your computer until Windows detects it. This should keep autorun.inf from executing automatically, which may interfere, especially if it's related to a malware infection. Normally the autorun.inf commands are harmless but when this file has been modified (infected) it can cause problems. Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.


Let me quote our Quietman7 on this item:

Flash_Disinfector.exe creates a hidden folder named autorun.inf in each partition and every external drive connected which helps protect all drives from future infection.

Flash (usb, pen, thumb, jump) drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

"Autorun" is the feature built into Windows that automatically runs a program specified by an "autorun.inf" file whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.

  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
If needed, see "Disable Autorun/AutoPlay in XP with Tweak UI" for instructions with screenshots.

Note 1: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Note 2: Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, usb/flash drive or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can also be accessed via the program you normally use it with such as music CDs accessed via Media Player, blank CDs via burning software, image handling software provided with the camera, etc. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.


Edited by boopme, 07 June 2010 - 07:32 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
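The autorun.inf mechanism described in post #2, seen from the scanning side, as an added example that is not part of the original posts or of Flash_Disinfector: a Python script that reads a drive root without executing anything, tells an autorun.inf file apart from a placeholder folder of the same name, and lists the commands the file would launch. The sample content and the `recycler\svc.exe` path are constructed for illustration.

```python
import os

# [autorun] keys that name a program for Windows to start.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_entries(text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other sections and junk padding lines
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command changes what double-click and the context menu run
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def inspect_drive_root(root):
    """Classify the autorun.inf entry of a drive root without running anything."""
    names = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not names:
        return ("absent", [])
    path = os.path.join(root, names[0])
    if os.path.isdir(path):
        return ("folder", [])             # placeholder folder, nothing to parse
    with open(path, encoding="latin-1") as fh:   # latin-1 accepts any byte value
        entries = launch_entries(fh.read())
    return ("launches" if entries else "no-launch", entries)

# Constructed sample content (not taken from a real infection).
SAMPLE = """;xJ3kq0
[AutoRun]
junk line without equals
OPEN=recycler\\svc.exe
shell\\open\\Command = recycler\\svc.exe
icon=folder.ico
"""

if __name__ == "__main__":
    print(launch_entries(SAMPLE))
    print(inspect_drive_root("."))
```

A `shell\open\command` entry is the kind that matters for Note 1 above, since it is tied to opening the drive rather than to inserting it.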

#3 insideout33


Posted 16 June 2010 - 02:05 PM

OK, I think my USB is clean, but now I'm starting to think that my computer still has malware after running ComboFix... It's been a week or so.

The main thing is I am using Internet Explorer 8 and it just hogs up all my memory; the more websites I go through, the more PF is used. Also, when I have a few tabs opened my CPU is like ~60% or more all the time (sometimes it's jumping from low to high), and page file usage even reaches max at some times, which makes the computer unusable. Then after I close all the windows everything returns to normal.
My comp is quite old, 2,2ghz 512ram, but I don't think an internet browser would consume that much...

It's been a week since I used CF and I once got that "Internet Explorer cannot open the page" thing; some pages opened, some didn't (google.com, mail.google.com didn't), though it could have been my router, not sure.

Lastly I checked my internet status. The session was on for 2 days and there were more sent packages than received (I didn't upload anything, nor did I run any applications that would need a lot to upload). So basically it's always more sent packages than received.
I'm saying this because I always had sent packages 2x times or more lower than received ones, so that's odd for me.

Could it be malware or viruses that are doing this?

Thanks for helping me.

Edited by insideout33, 16 June 2010 - 02:09 PM.


#4 boopme


Posted 16 June 2010 - 02:30 PM

Now we'll need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
Include the ComboFix log.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#5 insideout33


Posted 17 June 2010 - 01:16 PM

Posted the logs in this topic http://www.bleepingcomputer.com/forums/t/325178/infections-from-usb-stick/

#6 boopme


Posted 17 June 2010 - 02:33 PM

Thank you !!

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.