Unable to delete autorun.inf and .vbs malware from my usb


  1. Posts : 3
    windows 7 ultimate x64
       #1



    Hi
    I am trying to delete the autorun.inf and .vbs file from my USB, but I am unable to delete it.
    Whenever I transfer any file to the USB, it is converted into a shortcut file. Whenever I delete the .lnk files, they are generated again. I have referred to this forum post, in which it is suggested to use rkill, but it is not useful to me. It says no malware is present.
    I also used the attrib command as follows:
    H:\>attrib
    SH H:\qjmavtlxpm..vbs
    H H:\AUTORUN.INF

    H:\>attrib -s -r -h *.* /s /d /l
    Access denied - H:\AUTORUN.INf

    H:\>attrib -h -r -s /s /d H:/*.*
    Access denied - H:\AUTORUN.INF

    H:\>del qjmavtlxpm..vbs
    Could Not Find H:\qjmavtlxpm..vbs

    But still, as you can see in the commands, I am unable to delete it.
    I also ran my system in safe mode and tried this, but I am still unable to delete it. In safe mode, when I delete the .vbs file, it is generated again.
    I am attaching that .vbs file. I am trying to edit it in safe mode, but it doesn't work.
    Please help.
    Last edited by z3r010; 11 Jan 2017 at 06:38. Reason: [removed file as it was flagging as a VBS/Jenxcus.AH worm]


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    rajjs,

    Please do the following...


    To stop the Autorun feature, download and run the following:
    Microsoft Fix It 50471:
    http://support.microsoft.com/kb/967715


    Scroll down to: How to disable or enable all Autorun features in Windows 7 and other operating systems
    Click Run in the File Download dialog box, and follow the steps of the wizard.

    Note: There is an option to enable Autorun automatically. You can do so later, if you wish.

    Reboot the system after applying the Microsoft FixIt.


    Please click on the Windows 7 Start button and then on Control Panel
    In Control Panel, select: Folder Options
    Click on the View tab in the Folder Options window.

    In the Advanced settings: area, locate the Hidden files and folders category.

    Check: Show hidden files, folders, and drives
    Uncheck: Hide protected operating system files (Recommended)
    Click Apply and OK at the bottom of the Folder Options window.



    Next, download UsbFix:
    http://www.infospyware.com/utiles/usbfix/
    It is a Spanish language website, but the program is in English.
    To download, press the button that says: Descargar (It means: Download)
    Also save to the Desktop.

    Next, right-click the downloaded USBFix file and select: Run as Administrator
    Connect the problem USB drive.

    Press: Research

    When done, the program closes on its own, and a report appears.
    (The report file is also found at C:\UsbFix.txt)

    Please post the UsbFix.txt (Research Mode) report in your reply.


    Once again, run USBFix as Administrator, but, this time, press: Listing

    Also post the UsbFix.txt (Listing Mode) report in your reply.

    Note 1: If USBFix does not run in normal Windows, please run in Safe Mode:
    Restart your computer.
    When the computer starts, tap the F8 key on the keyboard repeatedly until presented with the Advanced Boot Options menu
    Using the arrow keys, select: Safe Mode
    Press the Enter key on your keyboard to boot into the selected mode.

    Note 2: If your AntiVirus program detects USB as malware, either let the AV program allow USBFix to run, or, temporarily disable your AntiVirus program:
    Info - How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

    When done with USBFix, re-enable your AV!



    Last, please download the Farbar Recovery Scan Tool
    Download: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
    Select the version that applies to your system.
    Save it to your Desktop.

    Double-click the downloaded file to run it.

    When the tool opens click Yes to the disclaimer.

    Press the Scan button.

    The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

    Please provide the FRST.txt in your reply.


    The first time the tool is run, it also makes another log: Addition.txt

    Also post the Addition.txt in your reply.
    Last edited by cottonball; 04 Oct 2013 at 17:03.


  3. Posts : 3
    windows 7 ultimate x64
    Thread Starter
       #3

    I am attaching your required file. After unchecking Hide protected operating system files (Recommended),
    my antivirus detected the .vbs file, but the autorun file is still there and I can't delete it. It's access denied, and I also can't take its ownership. When I right-click the file there is no Security tab option. Please give a solution for that autorun.inf.
    Last edited by rajjs; 05 Oct 2013 at 09:49.


  4. Posts : 2,468
    Windows 7 Ultimate x64
       #4

    Look at Task Manager to see if there is something unusual, or even if this autorun.inf is running there. You may be able to kill the process that blocks the file from being deleted.
    Generally, if the USB doesn't have important information, I would simply reformat it to get rid of everything.


  5. Posts : 3
    windows 7 ultimate x64
    Thread Starter
       #5

    Thank you for your suggestion Alejandro85, it works.


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    rajjs,

    Thanks for the reports.

    The USB drive needs attention, as well as your computer. Have no clue where you are at with this issue, however, in your case, there is more to do after killing a process and deleting a file.

    Let's start with FRST...

    Please open Notepad (Start > All Programs > Accessories > Notepad)
    Copy the entire contents of the code box below
    Save it to the Desktop, and name it: fixlist.txt

    Code:
    start
    HKLM\...\Run: [qjmavtlxpm] - wscript.exe //B "C:\Users\RAJ\AppData\Local\Temp\qjmavtlxpm..vbs" 
    HKLM-x32\...\Runonce: [] -  [x]
    HKCU\...\Run: [] - [x]
    HKCU\...\Run: [qjmavtlxpm] - wscript.exe //B "C:\Users\RAJ\AppData\Local\Temp\qjmavtlxpm..vbs" 
    Toolbar: HKLM-x32 -  No Name - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} -  No File
    Toolbar: HKCU -  No Name - {8567A644-E36C-470C-86CF-9C5B4F37DB81} -  No File
    Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction 
    C:\ProgramData\win_mpwd_sys.dat
    end
    Once again, double-click FRST to run it.
    When the tool opens click Yes to disclaimer.
    Press the Fix button.
    When done, FRST produces Fixlog.txt on the Desktop.

    Please provide the Fixlog.txt in your reply.


    Now, connect the USB drive and press the Windows key and the R key at the same time for the Run prompt to appear.
    In the Run prompt, type the following in the Open area, and press Enter: cmd

    When the Command Prompt opens, copy/paste (with the mouse) the following, and press: Enter
    Code:
    attrib -h -s -r -a /s /d X:\*.*
    (Change the drive letter X to the letter corresponding to the problem USB removable drive.)


    Regardless of what action you have taken so far, make sure the USB drive is connected, and please run USBFix once again to see if the USB drive is really clean.
    Press: Research
    When done, the program closes on its own, and a report appears.
    The report file is also found at C:\UsbFix.txt
    Please post the UsbFix.txt (Research Mode) report in your reply.

    Note: As before, if your AntiVirus program detects USB as malware, either let the AV program allow USBFix to run, or, temporarily disable your AntiVirus program.


    Please run Malwarebytes Anti-Malware:
    http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

    Save to the Desktop
    Double-click the downloaded MBAM file to run it.


    When the installation begins, follow the prompts in the setup process.
    DO NOT make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
    >Update Malwarebytes’ Anti-Malware
    >Launch Malwarebytes’ Anti-Malware

    Uncheck:
    >Enable free trial of Malwarebytes Anti-Malware PRO
    Click on the Finish button.


    If an update is found, the program automatically updates itself.

    At the program console, on the Scanner tab, select: Perform Full Scan

    When the Select the Drives to scan prompt appears, make sure the USB drive is also selected.

    Next, click on: Scan


    When the Malwarebytes scan is completed, click on: Show Results
    When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

    When removal is completed, a report opens in Notepad.

    Please copy/paste the entire contents of the MBAM report in your reply.


    Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.



    Also, download RogueKiller:
    http://tigzy.geekstogo.com/roguekiller.php

    Select the version that applies to the system.
    Save to the Desktop.


    After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator
    At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

    Press: SCAN

    When done, a report opens on the Desktop: RKreport.txt
    Please provide the RKreport.txt (Mode: Scan) in your reply.
      My Computer
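
An added example (not part of the thread and not FRST's own code): a small Python triage of Run-key lines in the shape shown in the fixlist above, flagging the traits that mark the worm's autostart entries, namely a script host launching a script from a user-writable directory. The line format, the trait names and the `ExampleUpdater` and Toolbar sample lines are assumptions constructed for the illustration.

```python
import re

# Assumed line shape, taken from the Run entries in the fixlist quoted above:
#   HIVE\...\Run: [ValueName] - command line
RUN_LINE = re.compile(
    r'^(?P<hive>HK\w+(?:-x32)?)\\\.\.\.\\(?P<key>Run(?:once)?): '
    r'\[(?P<name>[^\]]*)\] - (?P<cmd>.*)$', re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

def parse_run_line(line):
    """Return hive/key/name/cmd/target for a Run-key line, else None."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["cmd"] = entry["cmd"].strip()
    quoted = re.search(r'"([^"]+)"', entry["cmd"])
    entry["target"] = quoted.group(1) if quoted else ""
    return entry

def reasons(entry):
    """List the traits that make an autostart entry worth a closer look."""
    cmd, target = entry["cmd"].lower(), entry["target"].lower()
    found = []
    if not entry["name"]:
        found.append("empty-value-name")
    if cmd.startswith(SCRIPT_HOSTS) or any("\\" + h in cmd for h in SCRIPT_HOSTS):
        found.append("script-host")
    if "//b" in cmd.split():  # //B = batch mode: no error dialogs or prompts
        found.append("batch-mode-no-prompts")
    if target.endswith(SCRIPT_EXTS) and any(d in target for d in USER_WRITABLE):
        found.append("script-in-user-writable-dir")
    return found

def triage(lines):
    """Return (hive, key, name, reasons) for every flagged Run entry."""
    hits = []
    for line in lines:
        entry = parse_run_line(line)
        if entry and reasons(entry):
            hits.append((entry["hive"], entry["key"], entry["name"], reasons(entry)))
    return hits

SAMPLE = [  # first two lines are from the thread; the last two are constructed
    r'HKLM\...\Run: [qjmavtlxpm] - wscript.exe //B "C:\Users\RAJ\AppData\Local\Temp\qjmavtlxpm..vbs" ',
    r'HKCU\...\Run: [] - [x]',
    r'HKLM\...\Run: [ExampleUpdater] - "C:\Program Files\Example\updater.exe" /background',
    r'Toolbar: HKCU -  No Name - {00000000-0000-0000-0000-000000000000} -  No File',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```
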


 
