Unknown Autorun.inf infection (Desktop.dll type)

Discussion in 'Malware Help (A Specialist Will Reply)' started by hanzo2001, Dec 2, 2008.

  1. hanzo2001

    hanzo2001 Private E-2

    Hello to any who read this, my first post and thread. I'm sorry if the problem I have has already been taken care of, but I'm tired of searching through the web and doing numerous steps, just to find out the infection I have still spreads to USBs.

    I have run into other autorun.inf buggers in the past and I have been able to remove them but this one has me baffled. I'm not precisely sure when it started but I'm almost certain the vector was a USB memory stick.

    About the files autorun.inf and desktop.dll
    -autorun.inf has the following text:
    open=
    shell\open=Explore
    shell\open\Command=rundll32.exe .\desktop.dll,InstallM
    shell\open\Default=1

    -desktop.dll is described as follows:
    File Version: 5.0.3805.0
    Description: Java Virtual Mashine
    Copyright: Copyright (C) Microsoft Corp. 1997-2000

    I personally tweaked my Windows XP SP3 Home Edition to increase performance, as well as removed any software which I seldom or never use. I run ProcessExplorer, Autoruns and CCleaner regularly, as well as other tools I have found on this incredible forum. I edit the registry without falter and I search the web but I still haven't the foggiest as to why this problem persists. My noDriveTypeAutorun settings in the registry are set to absolutely-no-autorun whatsoever on any drive (hex: ff). I redumped the mountpoints2 entry by erasing all memory of all drives by searching the entire registry, which means all my USBs have to be reinstalled (the removal was not just in HKCU but some other places as well).

    I have completed the malware guide in this forum and have the logs and I will attach them.

    PS: I do have an antiwpa.dll because I had a problem with my PC and I don't want to call the Windows hotline every time I do something to my PC just to reactivate the friggin' thing.
     

    Attached Files:
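    As an added illustration (my own code, not part of hanzo2001's post or any forum tool), a small Python audit of the autorun.inf quoted above: it parses the key=value lines and flags the traits that mark this file as a loader rather than a vendor menu, namely a launch command routed through rundll32, a DLL pulled from the drive itself, and a verb made the default action while relabelled "Explore". The sample text is the one quoted in the post; the SUSPICIOUS_LAUNCHERS list is my own heuristic.

```python
import re
from typing import Dict, List

# Sample input: the autorun.inf text quoted in the post (constructed string).
SAMPLE_AUTORUN = """open=
shell\\open=Explore
shell\\open\\Command=rundll32.exe .\\desktop.dll,InstallM
shell\\open\\Default=1
"""

# Heuristic list (my assumption): loaders a vendor's autorun.inf rarely needs.
SUSPICIOUS_LAUNCHERS = ("rundll32", "regsvr32", "cmd", "wscript", "cscript")

def parse_autorun(text: str) -> Dict[str, str]:
    """Parse key=value lines into a dict with lower-cased keys.
    Section headers such as [autorun] are skipped (the quoted file has none)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text: str) -> List[str]:
    """Return findings describing why this autorun.inf looks like a loader."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        # Keys that launch something: open=, shellexecute=, shell\<verb>\command=
        if not value or not (key in ("open", "shellexecute") or key.endswith("\\command")):
            continue
        first = re.split(r"[\s,]+", value)[0].lower()
        exe = first.replace("/", "\\").rsplit("\\", 1)[-1]
        exe = exe[:-4] if exe.endswith(".exe") else exe
        if exe in SUSPICIOUS_LAUNCHERS:
            findings.append(f"{key} runs through loader {exe}: {value}")
        if re.search(r"\.dll\b", value, re.IGNORECASE):
            findings.append(f"{key} loads a DLL shipped on the drive: {value}")
    # shell\<verb>\Default=1 makes that verb run on double-click; the label
    # under shell\<verb>= is what Explorer shows, here disguised as "Explore".
    for key, value in entries.items():
        if key.endswith("\\default") and value == "1":
            verb = key.rsplit("\\", 2)[-2]
            label = entries.get(f"shell\\{verb}", "")
            findings.append(f"verb '{verb}' is the default action, labelled '{label}'")
    return findings
```

    Running audit_autorun(SAMPLE_AUTORUN) yields three findings for the quoted file and none for a plain vendor autorun.inf that only sets icon=, label= and open=setup.exe.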

  2. hanzo2001

    hanzo2001 Private E-2

    PS: I forgot to add that I changed the IniFileMappings in the registry so that autorun.inf files cannot be processed and are identified as old files with no handlers. I don't know if that made any sense but it's 6 AM and I haven't slept.
     

    Attached Files:

  3. hanzo2001

    hanzo2001 Private E-2

    PS: just trying to add my MGlogs.zip file and, before I forget, I tweaked the IniFileMapping entry in the registry so it treats autorun.inf files as pre-WinNT and forces them to a non-existent handler. I hope that made sense.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running this PC without protection?

    Did you put the below into your hosts file?
    Code:
    O1 - Hosts: 207.83.205.237 www.bancomer.com.mx
    O1 - Hosts: 207.83.205.237 www.bancomer.com
    O1 - Hosts: 207.83.205.237 bancomer.com
    O1 - Hosts: 207.83.205.237 bancomer.com.mx
    O1 - Hosts: 192.193.206.100 banamex.com
    O1 - Hosts: 192.193.206.100 www.banamex.com
    O1 - Hosts: 192.193.206.100 banamex.com.mx
    O1 - Hosts: 192.193.206.100 bancanetempresarial.banamex.com.mx
    O1 - Hosts: 192.193.206.100 boveda.banamex.com
    O1 - Hosts: 192.193.206.100 www.banamex.com.mx
    O1 - Hosts: 192.193.206.100 www.bancanetempresarial.banamex.com.mx
    O1 - Hosts: 192.193.206.100 www.boveda.banamex.com
    O1 - Hosts: 201.149.185.162 www.e-galicia.com
    O1 - Hosts: 201.149.185.162 e-galicia.com
    O1 - Hosts: 200.76.36.117 www.bb.com.mx
    O1 - Hosts: 200.76.36.117 bb.com.mx
    O1 - Hosts: 168.165.2.39 scotiabank.com.mx
    O1 - Hosts: 168.165.2.39 scotiabankinverlat.com
    O1 - Hosts: 168.165.2.39 scotiabankinverlat.com.mx
    O1 - Hosts: 168.165.2.39 www.scotiabank.com
    O1 - Hosts: 168.165.2.39 www.scotiabank.com.mx
    O1 - Hosts: 168.165.2.39 www.scotiabankinverlat.com
    O1 - Hosts: 168.165.2.39 www.scotiabankinverlat.com.mx
    
    Uninstall the below old versions of software:
    Java(TM) 6 Update 7

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
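    An added check (my own code, not from chaslang's procedure or from HijackThis) that finds what those O1 lines represent: hosts entries sending public hostnames to a routable address, grouped by the address they share. The sample hosts text is constructed from the stock localhost lines plus a few of the entries quoted above.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the stock localhost lines plus some of the quoted entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
207.83.205.237 www.bancomer.com.mx
207.83.205.237 bancomer.com
192.193.206.100 banamex.com
192.193.206.100 www.banamex.com   # one address, several bank hostnames
192.193.206.100 bancanetempresarial.banamex.com.mx
168.165.2.39 scotiabank.com.mx
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; leave it out rather than guess
        for host in parts[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs

def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Map each routable address to the hostnames the file redirects to it.
    Loopback, unspecified (0.0.0.0 ad-blocking), private and link-local targets
    are the normal cases; anything else sends the browser to a machine the user
    did not choose, which is how a banking site gets impersonated."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip_str, host in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local:
            continue
        by_ip[ip_str].append(host)
    return dict(by_ip)

def hosts_report(text: str) -> List[str]:
    """One line per suspicious address, the address with most hostnames first."""
    hits = audit_hosts(text)
    return [f"{ip} <- {', '.join(hosts)}"
            for ip, hosts in sorted(hits.items(), key=lambda kv: -len(kv[1]))]
```

    On a real machine, read C:\Windows\System32\drivers\etc\hosts into the text argument; a developer override pointing at a public address is the one legitimate case, and you would know if you had added it.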
     
  5. hanzo2001

    hanzo2001 Private E-2

    What are those hosts doing in my PC?????
    They are all from Mexico also. Pretty strange...
    I don't run with any antivirus for the moment. I was using the latest AVG until I noticed the autorun spreading; I uninstalled it after some recommendations but only after I detected that the Autorun was spreading exclusively to my USBs and not through my registry or my local hard drives.

    About JRE6 Upd 7, I don't know why but the latest OpenOffice installer carries it bundled. Can I safely remove it and still use OpenO? I'll uninstall it and see and post back.

    Thanks, I'll have it done in a jiffy...

    PS: I was so tired I didn't realize I had already attached my MGlogs.zip. Sorry for dumb bumping. And I have the original .inf and .dll files in a zip can with names changed, do you suppose I should send it to AVG or some other lab?
     
  6. hanzo2001

    hanzo2001 Private E-2

    I'm sending the new ComboFixLog and MGLog

    Lots of weird tools you guys use. I wish one day I could understand what they really do ^^


    HOOOOOOORRAAAAAAAAAAYYYYYY!!!!!!!!!
    No more spreading!!!!!!!!

    Thanks a lot. You guys are magnificent!!!!



    PS: is it normal that my sound card admin panel is disabled now? I can't access it, although it will probably boot up normally next time ^^
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    No it is not normal if you always had it. It also does not appear to be related to anything in our procedures since nothing was removed except malware. Perhaps you need to reinstall some software.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  8. hanzo2001

    hanzo2001 Private E-2

    OK, I'll do some cleaning up then.

    As follow up, my OOffice works fine without the bundled old java update and my Soundcard "drivers and stuff" did restart correctly and are working fine.

    Again, you guys are magnificent

    This was hanzo2001, signing out ^^
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
