
Hard drive affected with autorun.inf virus


5 replies to this topic

#1 ChrissyToph

  • Members
  • 26 posts

Posted 09 May 2016 - 04:06 AM

Hi there,

 

It appears my hard drive has been affected by the autorun.inf virus. I've read up about this online and the file has some of the typical tell-tale signs - being blocked by my antivirus from running, the file size is 215kb instead of being 0, etc. Weirdly, I've also found that an SGPortable shortcut pops up next to it as well which I've not been able to find any information on via Google.

 

I've tried to follow some solutions I've Googled to tackle this but even though I'm admin on the computer it tells me access is denied when I try to delete it via a command prompt. It will delete if I just manually click on it and delete it to the recycling bin but this doesn't get rid of it permanently as it just comes back. 

 

It would be much appreciated if someone could assist me through this and also suggest how I ensure my computer hasn't been affected either.

 

Many thanks,

Chrissy





#2 garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 09 May 2016 - 02:10 PM

ChrissyToph:

Welcome to the Bleeping Computer Am I Infected? - What Do I Do? Forum. My name is Phil, and I would like to address you by your first name, if that is alright with you, since we will be working together.

I am sorry to hear of the issues you are having with your computer.  I suggest that we run a few preliminary scans to determine how seriously your computer might be compromised.



Step 1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

* Click this link to open ESET OnlineScan.
* Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
* When prompted, allow the Add-On/ActiveX to install.
* In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
* Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):

  • Remove found threats
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

* Then click the Start button and ESET will download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List Found Threats (only if anything is found).
* Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
* Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!



Step 2: Download and install Malwarebytes Anti-Malware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.2.*.****.exe and follow the prompts to install the program ( * = program version numbers may vary - always get the latest version).
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your next reply.

 

 

I would like you to paste the logs from both scans into your next reply. I will examine those and determine what our next step should be. If there is evidence of serious infection, you might have to open a new thread in the Virus, Trojan, Spyware and Malware Removal Logs Forum, but let's not get ahead of ourselves yet.

If I haven't responded to your reply in 24 hours, please send me a personal message.

Have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#3 ChrissyToph
  • Topic Starter

  • Members
  • 26 posts

Posted 10 May 2016 - 02:58 AM

Hello Phil, thanks for taking this on!

 

So before I saw your post, I was running scans (I ran one for the computer and one specific to the hard drive) using Malwarebytes which didn't return any suspicious content. I then used the ESET Online Scan (I hope it doesn't matter too much if I've kinda done it the other way round but if it does I'm happy to run the Malwarebytes scan again) which also didn't find anything. Strangely, I've noticed that the troubling 'autorun.inf' and 'SGPortable' files don't pop up now on my home computer but when I plugged it into a work computer (not deliberately, I thought the problem had perhaps gone), it pops up again (see attached print screen). Am I thinking too much and the files are actually genuine/not malicious... ? My only concern was the first time it popped up my Avira antivirus blocked it (on the home computer) and it's showing some of the apparent tell-tale signs like autoplay not actually working and the file size being 215kb...

 

Anyway, here are the logs from Malwarebytes (none applicable on ESET):

 

Scan 1 = Computer
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 09/05/2016
Scan Time: 18:20
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.09.04
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Win
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299282
Time Elapsed: 31 min, 29 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
Scan 2 = hard drive
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 09/05/2016
Scan Time: 18:58
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.09.04
Rootkit Database: v2016.05.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Win
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 335271
Time Elapsed: 1 hr, 40 min, 23 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Print screen of autorun.inf and SGPortable shortcut
 
Autorun.jpg
 
 
Many thanks,
Chrissy

Edited by ChrissyToph, 10 May 2016 - 03:02 AM.


#4 garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 10 May 2016 - 12:07 PM

Chrissy:
 
Thank you for the MBAM logs.  I don't think you have any reason to be concerned.  If you want to double-check that autorun.inf file, upload it to VirusTotal, here.  The file is 215 bytes, not kilobytes, which is a normal file size for a legitimate autorun.inf file.  Those files can be opened with Notepad, so you could have a look and see what it is doing.  It is most likely a remnant from an installer package and it is safe to delete.  Autorun capability can be configured from the Control Panel.  I have mine turned off, to prevent anything executing that I don't want executing.
 
The SGPortable file is just a shortcut link.  You can delete that as well, or move it to the Desktop if you want it to show, which you might if you are using the Sophos SafeGuard product or deal with files encrypted with Sophos Safeguard.  See this link for more information.
 
I think that you are good to go.  A word of advice.  Be careful what you believe when Googling files.  Many sites are trying to sell snake oil and they will indicate that pretty much every file known to Windows is a threat or a potential threat.  If there is a sales pitch on the site, find another site.  One of the key components of Bleeping Computer Study Hall training is teaching trainees how to assess the reliability and accuracy of the information on the web when working with logs that may contain malware.
 
Have a great day, Chrissy.
 
Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
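The checks Phil describes in the post above (confirm the file is a few hundred bytes, read it as plain text, hash it for a VirusTotal lookup, and make sure AutoRun is switched off) can be done from one PowerShell script. This is an added example, not code from the thread or from any product mentioned in it; the drive letter E: and the script name Inspect-Autorun.ps1 are placeholders, it assumes PowerShell 4 or later (Get-FileHash), and the NoDriveTypeAutoRun policy value it reads is Microsoft's documented setting for disabling AutoRun, with 0xFF meaning all drive types.

```powershell
# Inspect-Autorun.ps1 (assumed name, added example): report on <drive>\autorun.inf
# and on the machine's AutoRun policy. Usage:  .\Inspect-Autorun.ps1 -Drive 'E:'
param([string]$Drive = 'E:')   # E: is a placeholder; pass the removable drive's letter

$path = Join-Path $Drive 'autorun.inf'

if (-not (Test-Path -LiteralPath $path)) {
    Write-Host "No autorun.inf on $Drive"
} else {
    # -Force lists the file even if an installer left it hidden/system.
    $item = Get-Item -LiteralPath $path -Force
    Write-Host ("Size: {0} bytes  Attributes: {1}" -f $item.Length, $item.Attributes)

    # autorun.inf is plain INI text; a legitimate one is tiny and has an [autorun] section.
    $text = Get-Content -LiteralPath $path -Raw
    Write-Host '--- contents ---'
    Write-Host $text

    # Pull out the keys that make a drive do something on insertion, so the reader
    # sees at a glance whether the file only sets an icon/label or launches a program.
    $keys = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*(open|shellexecute|shell\\.*\\command|icon|label)\s*=\s*(.+)$') {
            $keys[$matches[1].ToLower()] = $matches[2].Trim()
        }
    }
    if ($keys.Count -eq 0) {
        Write-Host 'No open/shellexecute/icon/label keys found.'
    } else {
        foreach ($k in $keys.Keys) { Write-Host ("  {0} = {1}" -f $k, $keys[$k]) }
    }

    # SHA-256 lets you search VirusTotal for the file without uploading it.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash  (search this on virustotal.com)"
}

# AutoRun policy check. NoDriveTypeAutoRun is a bitmask of drive types with AutoRun
# disabled; 0xFF covers every type. The value may live under HKLM or HKCU.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) {
        Write-Host "$key : NoDriveTypeAutoRun not set"
    } elseif ($value -eq 0xFF) {
        Write-Host "$key : AutoRun disabled for all drive types (0xFF)"
    } else {
        Write-Host ("{0} : NoDriveTypeAutoRun = 0x{1:X} (AutoRun still allowed for some drive types)" -f $key, $value)
    }
}
# To disable AutoRun everywhere (run as administrator), set the HKLM value to 0xFF:
#   Set-ItemProperty -Path $policyKeys[0] -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
```

The script only reads the file and the registry; the Set-ItemProperty line at the end is left as a comment so nothing changes on the machine until you choose to apply it. A file whose [autorun] section contains only icon= and label= lines is the "installer remnant" case Phil describes; an open= or shellexecute= line pointing at an executable on the drive is what the hash lookup and the scans are there to rule out.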


#5 ChrissyToph
  • Topic Starter

  • Members
  • 26 posts

Posted 11 May 2016 - 02:51 AM

Hi Phil, Thank you for the information and explaining everything, it's really reassured me. Thanks also for the advice, it's very useful and I'll definitely keep it in mind. When I get home I'll make sure to double-check using VirusTotal but from what you've said I'm confident that the file is fine, I think I just got a bit concerned when it popped up again after I had deleted it. Thanks again for everything and have a brilliant week ahead. All the best, Chrissy

#6 garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,895 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 11 May 2016 - 06:22 AM

Chrissy:

 

Thank you for your post.  I am glad that your issues are resolved.

 

Thank you for choosing Bleeping Computer to help you with your issues.  It has been my pleasure to be of assistance.

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall




