Asked by Bravo 7555:
autorun.inf spreading on network..HELP!!

Hey guys,

It seems that somehow my network is infected with the autorun.inf trojan. When I open it in notepad it reads:

[autorun]
open=RECYCLER\recycld.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\recycld.exe
shell\open\default=1

I have tried running my TrendMicro against it and it states unable to clean, only able to quarantine... What I am also noticing is that some of those workstations are being infected with this also, which I assume is as a result of the above:

Mal OtorunD
TROJ AMBLER.SMZ

which is being located in their C:\Windows\CSC folder...

ANY AND ALL HELP PLEASE!!!!!!!!
ASKER CERTIFIED SOLUTION by notacomputergeek (solution body available to members only):
One other thing, turn on viewing hidden files and search for autorun.inf and recycld.exe on the computer and network drives to see where the autorun.inf file resides.

Here's another thread to look at from a Kaspersky forum:
http://forum.kaspersky.com/lofiversion/index.php/t106727.html
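The search notacomputergeek recommends (hidden files on, look for autorun.inf and recycld.exe across local and network drives) can be scripted so it also tells you what each autorun.inf would launch. The following Python scanner is an added example, not code from the thread or from any of the tools it mentions: it walks a directory tree for the two file names, parses the [autorun] section, lists every key Explorer would execute (open, shellexecute, shell\*\command), and flags the indicators visible in the sample above (payload hidden in a RECYCLER folder, stock folder icon SHELL32.dll,4, "open folder" action text). The demo builds a constructed drive layout in a temporary directory; point scan_tree() at a real drive root or UNC share instead.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample: the autorun.inf quoted in the question above.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\recycld.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\recycld.exe
shell\\open\\default=1
"""

# File names the thread tells you to search for (matched case-insensitively).
TARGET_NAMES = {"autorun.inf", "recycld.exe"}
# Matches shell\open\command, shell\explore\command, etc.
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into a lowercase key -> value map."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launched_programs(text: str) -> List[Tuple[str, str]]:
    """(key, command) for every entry Explorer would execute on open/double-click."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in ("open", "shellexecute") or COMMAND_KEY_RE.match(k)]


def suspicious_reasons(text: str) -> List[str]:
    """Indicators that this autorun.inf is a worm dropper rather than a vendor CD."""
    values = parse_autorun(text)
    reasons = []
    for key, cmd in launched_programs(text):
        low = cmd.lower()
        if any(m in low for m in ("recycler", "$recycle.bin", "recycled",
                                  "system volume information")):
            reasons.append(f"{key} runs a program hidden in a recycle-bin folder: {cmd}")
    # Folder icon (SHELL32.dll,4) plus 'open folder' text: the drive is made to look
    # like a plain folder so a double-click runs the payload instead of opening it.
    if "shell32.dll,4" in values.get("icon", "").lower():
        reasons.append("icon is the stock folder icon (SHELL32.dll,4)")
    if "open folder" in values.get("action", "").lower():
        reasons.append("action text mimics Explorer's 'open folder' prompt")
    return reasons


def scan_tree(root: str) -> List[str]:
    """Walk a drive or share and return paths of autorun.inf / recycld.exe files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGET_NAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def demo() -> Dict[str, object]:
    """Build a constructed drive layout in a temp dir and scan it (offline demo)."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    os.makedirs(os.path.join(base, "RECYCLER"))
    os.makedirs(os.path.join(base, "Docs"))
    with open(os.path.join(base, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN_INF)
    with open(os.path.join(base, "RECYCLER", "recycld.exe"), "wb") as f:
        f.write(b"placeholder bytes, not a real binary")
    with open(os.path.join(base, "Docs", "notes.txt"), "w") as f:
        f.write("benign\n")
    hits = scan_tree(base)
    rel = [os.path.relpath(p, base).replace(os.sep, "\\") for p in hits]
    return {"found": rel, "reasons": suspicious_reasons(SAMPLE_AUTORUN_INF)}


if __name__ == "__main__":
    result = demo()
    for path in result["found"]:
        print("found:", path)
    for reason in result["reasons"]:
        print("indicator:", reason)
```

Run it over every mapped drive and the shares the infected workstations use; an autorun.inf whose open= and shell\open\command= both point into RECYCLER is the file to quarantine, and the paths it names tell you which executable TrendMicro should also be looking for.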
Bravo 7555 (asker):
notacomputergeek:

I really am horrible at writing bat files. Can you give me a better idea of how to write the necessary script to disable autorun on users' PCs?
Use notepad, copy and paste the line above and save it as autorun.bat.
Use notepad, copy and paste the 3 reg lines and save it as autorun.reg.

Make sure you change the line in the autorun.bat file to match the file location where autorun.reg is stored. You may want to try this on a local machine first before deploying it as a GPO.

Also you can just create the autorun.reg file, then right-click and merge it onto whichever computer you're on. I've used this approach on XP/Vista/Server 2003.
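The .reg and .bat lines referred to above are in the members-only part of the thread, so here is an added example of the same procedure, written by the editor rather than taken from the thread: it generates an autorun.reg that sets the Explorer policy value NoDriveTypeAutoRun (0xFF disables AutoRun for every drive type) under both HKLM and HKCU, writes an autorun.bat that merges it silently with regedit /s using the real path of the .reg file (the step the answer warns you to adjust), and decodes a NoDriveTypeAutoRun bitmask so you can see which drive types a given value actually blocks. The key and value names are the standard Explorer policy names; the temporary directory used by demo() is just for the offline run.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Drive-type bits of the NoDriveTypeAutoRun policy value. A set bit disables
# AutoRun for that drive type; 0xFF disables it for every type. The XP default
# of 0x91 only covers unknown, network and reserved types, which is why USB
# sticks and mapped shares still run autorun.inf on an unconfigured machine.
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (local hard disks)",
    0x10: "network (mapped shares)",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved / unspecified",
}

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
USER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def blocked_drive_types(mask: int) -> List[str]:
    """Decode a NoDriveTypeAutoRun value into the drive types it blocks."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def autorun_reg_text(mask: int = 0xFF) -> str:
    """Contents of a .reg file setting NoDriveTypeAutoRun for machine and current user."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in (POLICY_KEY, USER_POLICY_KEY):
        lines += [f"[{key}]", f'"{VALUE_NAME}"=dword:{mask:08x}', ""]
    return "\r\n".join(lines)


def autorun_bat_text(reg_path: str) -> str:
    """Batch wrapper that merges the .reg silently; usable as a GPO startup script."""
    return f'@echo off\r\nregedit /s "{reg_path}"\r\n'


def parse_reg_dwords(reg_text: str, value_name: str) -> Dict[str, int]:
    """Read back dword values called value_name from .reg text, keyed by registry key."""
    result: Dict[str, int] = {}
    current = None
    wanted = f'"{value_name.lower()}"=dword:'
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.lower().startswith(wanted):
            result[current] = int(line.split("dword:")[1], 16)
    return result


def write_deploy_files(directory: str, mask: int = 0xFF) -> Tuple[str, str]:
    """Write autorun.reg and an autorun.bat that points at that exact .reg path."""
    reg_path = os.path.join(directory, "autorun.reg")
    bat_path = os.path.join(directory, "autorun.bat")
    with open(reg_path, "w", newline="") as f:
        f.write(autorun_reg_text(mask))
    with open(bat_path, "w", newline="") as f:
        f.write(autorun_bat_text(reg_path))
    return reg_path, bat_path


def demo() -> Dict[str, object]:
    """Write both files to a temp dir and verify them by parsing what was written."""
    directory = tempfile.mkdtemp(prefix="autorun_policy_")
    reg_path, bat_path = write_deploy_files(directory)
    with open(reg_path, newline="") as f:
        values = parse_reg_dwords(f.read(), VALUE_NAME)
    with open(bat_path) as f:
        bat = f.read()
    return {
        "values": values,
        "bat_points_to_reg": reg_path in bat,
        "xp_default_blocks": blocked_drive_types(0x91),
    }


if __name__ == "__main__":
    out = demo()
    for key, mask in out["values"].items():
        print(key, "->", hex(mask), blocked_drive_types(mask))
    print("XP default 0x91 blocks only:", out["xp_default_blocks"])
```

Test the merged value on one machine first, as the answer says; on XP and Server 2003 the policy is only honoured completely once the AutoRun update described in Microsoft KB967715 is installed, so check patch level before relying on it alone.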
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Also run ComboFix as already suggested and show us the log to make sure it's clean.
This is a complex threat; one tool will not remove it. However, following the same advice as per the link below should solve it:
http://forum.kaspersky.com/lofiversion/index.php/t106727.html
download avz http://www.z-oleg.com/avz.exe
from File->Custom Scripts
paste the script below and run it:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelCLSID('{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}');
QuarantineFile('E:\autorun.inf','');
QuarantineFile('ipv6sc.dll','');
QuarantineFile('C:\WINDOWS\system32\ipv6sc.dll','');
DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
DelBHO('{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}');
DelBHO('{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}');
DelBHO('{7E853D72-626A-48EC-A868-BA8D5E23E045}');
DelBHO('{5CC2F638-99FF-45d2-97C7-E30E83CF04D2}');
DeleteFile('ipv6sc.dll');
DeleteFile('C:\WINDOWS\system32\ipv6sc.dll');
DeleteFile('E:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
