autorun.inf spreading on network..HELP!!

Hey guys,

It seems that somehow my network is infected with the autorun.inf trojan. When I open it in notepad it reads:

[autorun]
open=RECYCLER\recycld.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\recycld.exe
shell\open\default=1

I have tried running my TrendMicro against it and it states unable to clean, only able to quarantine... What I am also noticing is that some of those workstations are being infected with this also, which I assume is a result of the above:

Mal OtorunD
TROJ AMBLER.SMZ

which is being located in their C:\Windows\CSC folder...

ANY AND ALL HELP PLEASE!!!!!!!!
sbodnar Asked:
notacomputergeek Commented:
What I use to stop the spread of a virus using autorun files, is to turn autorun off. The user's CDs and DVDs won't automatically run when they put it in the drive, but it's a small price to pay for a network infection. Usually these things will get copied to network shares and then anyone accessing the share gets infected.

I create a bat file that includes something like:
regedit /s "\\server\disable autorun\autorun.reg"

This bat file is run as a computer group policy when the user logs on.

The reg file includes:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Try running malwarebytes: http://www.malwarebytes.org/mbam.php
Then combofix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
notacomputergeek Commented:
One other thing, turn on viewing hidden files and search for autorun.inf and recycld.exe on the computer and network drives to see where the autorun.inf file resides.

Here's another thread to look at from a Kaspersky forum:
http://forum.kaspersky.com/lofiversion/index.php/t106727.html
sbodnar (Author) Commented:
notacomputergeek:

I really am horrible at writing bat files. Can you give me a better idea of how to write the necessary script to disable autorun on users' PCs?
notacomputergeek Commented:
Use notepad, copy and paste the line above and save it as autorun.bat.
Use notepad, copy paste the 3 reg lines and save it as autorun.reg.

Make sure you change the line in the autorun.bat file to match the file location where autorun.reg is stored. You may want to try this on a local machine first before deploying it as a GPO.

Also, you can just create the autorun.reg file, then right-click and merge it on whichever computer you're on. I've used this approach on XP/Vista/Server 2003.
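The same IniFileMapping block the two replies above deploy with autorun.bat and autorun.reg, written as a single PowerShell logon script that also verifies the setting and reports any autorun.inf launching something from a RECYCLER folder (the pattern in the question). This is an added example, not code from the thread; it assumes PowerShell 5 or later and an elevated session, and the extra NoDriveTypeAutoRun policy value is a known Windows setting that the thread itself does not mention.

```powershell
# Added example: block autorun.inf processing the way the autorun.reg above
# does, verify it, and report suspicious autorun.inf files. Run elevated.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-AutorunInf {
    # Same key and default value as the answer's autorun.reg: Windows is told
    # to read autorun.inf settings from a registry location that does not exist.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value '@SYS:DoesNotExist'
    # Extra hardening (not in the thread): disable AutoRun for all drive types.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunInfBlocked {
    # $true only when the mapping is in place, so a logon script can log
    # machines where the GPO did not apply.
    (Test-Path $key) -and
    ((Get-ItemProperty -Path $key).'(default)' -eq '@SYS:DoesNotExist')
}

function Find-SuspiciousAutorun {
    # Walk every mapped drive (local and network), hidden files included, and
    # flag autorun.inf files whose open= or shell command points into RECYCLER.
    # Report only; quarantine with the AV tools discussed in the thread.
    param([int]$Depth = 1)
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        Get-ChildItem -Path $d.Root -Filter 'autorun.inf' -File -Force -Recurse `
                      -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $txt = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($txt -match '(?im)^\s*(open|shell\\open\\command)\s*=\s*RECYCLER\\') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Hidden = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                }
            }
        }
    }
}

Disable-AutorunInf
"Autorun.inf blocked: $(Test-AutorunInfBlocked)"
Find-SuspiciousAutorun | Format-Table -AutoSize
```

Test it on one workstation first, as the reply suggests, before assigning it as a startup or logon script through Group Policy.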
rpggamergirl Commented:
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Also run ComboFix as already suggested and show us the log to make sure it's clean.
Mohamed Osama (Senior IT Consultant) Commented:
This is a complex threat; one tool will not remove it. However, following the same advice as in the link below should solve it:
http://forum.kaspersky.com/lofiversion/index.php/t106727.html
Download AVZ: http://www.z-oleg.com/avz.exe
From File -> Custom Scripts,
paste the script below and run it.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelCLSID('{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}');
QuarantineFile('E:\autorun.inf','');
QuarantineFile('ipv6sc.dll','');
QuarantineFile('C:\WINDOWS\system32\ipv6sc.dll','');
DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
DelBHO('{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}');
DelBHO('{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}');
DelBHO('{7E853D72-626A-48EC-A868-BA8D5E23E045}');
DelBHO('{5CC2F638-99FF-45d2-97C7-E30E83CF04D2}');
DeleteFile('ipv6sc.dll');
DeleteFile('C:\WINDOWS\system32\ipv6sc.dll');
DeleteFile('E:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
