Jump to content

Autorun.inf installing malwares

Recommended Posts

Ever since I plugged in an Flash Drive (H:/) I have all my folder items in it being disappeared and shortcuts being appearing instead.
I have installed MC Shield and here is the report:


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v / DB: 2016.2.21.1 / Windows 8.1 <<<

7/5/2016 6:20:38 PM > Drive H: - scan started (no label ~14934 MB, FAT32 flash drive )...


---> Executing generic S&D routine... Searching for files hidden by malware...

---> Items to process: 2

---> H:\dri.txt > unhidden.

---> H:\autorun.inf.vir > unhidden.


---> Note: paranoid mode is enabled.

>>> H:\autorun.inf.vir - Malware > Deleted. (16.07.05. 18.20 autorun.inf.vir.4757; MD5: 82fe5c18db34e2d6e544d4d63751d4f6)

>>> H:\dri.lnk - Malware > Deleted. (16.07.05. 18.20 dri.lnk.453056; MD5: ceb3ea6178c1e22f85deddba137f3e94)

>>> H:\autorun.lnk - Malware > Deleted. (16.07.05. 18.20 autorun.lnk.357427; MD5: 8dd8a40f84b0c8d36cc419703f4a4d31)

>>> H:\gh.js - Malware > Deleted. (16.07.05. 18.20 gh.js.470745; MD5: 428a897a2d7926a6908d7129bb4b52d2)

=> Malicious files   : 4/4 deleted.
=> Hidden files      : 2/2 unhidden.


::::: Scan duration: 1sec ::::::::::::::::::


I have also installed PANDA USBVaccine but to no avail. I tried formatting the Flash Drive but it keeps coming back.



Link to post
Share on other sites

Ok it seems I have found a solution.  At least i think i inactivated the malware.

Since "gh.js" keeps showing up in MCShield.  I knew this was the one causing all the pain. There was initially  no way to delete it. I tried Safe Mode too. I was getting Denied Access issues.
So each time what MCShield did was to rename it. And that would make the flash drive usable.
If I plugged in again, same thing would happen. This time it was making MOVIE.EXE and other few EXEs which MCShield deleted right away.  As before the Flash Drive would be healed.
So I thought  I would use FRST to get a better insight.  And lo... There it (gh.vs) was  in AppData>Roaming and AppData>Roaming>Microsoft.
But the folders were set to show Hidden Files and yet strangely this file was hidden.
So I typed in the location in notepad and opened it.
It was all Java script and being a layman I had no clue what it said. The best thing to do was erase few lines from the start and see what happens.
So i did that and saved it (in notepad).
Restarted my system,  inserted Flash Drives and I can say no more shortcuts appear and MCShield says its all fine. Great.
But the thing is, something is still calling out to "gh.js" to load each time Windows starts as it's still shown in FRST.
At least there is no teeth left.

I have attached the file in .txt format. I scanned the .js file both with Malwarebytes Anti-Malware and Spybot Search and Destroy and they gave it green. I wonder why.
Hope this would help someone out there. Thanks for the tools without which i would be left in the dark.



Link to post
Share on other sites


Hello Hellbraker9 & welcome aboard.
Thanks for your patience and thanks for your latest information.  Please keep on simply attaching logs/reports as we go along.

Firstly, you can press and hold the ALT-key when inserting that flash drive so that all autorun off of it is suppressed.

Thanks for the information on that script file.  It is some sort of obscure script.  It was burrowed in as a task in windows.

I am sending a custom Fix script which is going to be used by the FRST tool. They will both work together as a pair.
on Desktop in the mb folder  ( same folder as FRST64)

Please close all open work documents ( if any) before running this;  it will do a reboot at the end.

Please RIGHT-click the FIXLIST and select SAVE AS   and save it directly ( as is) in the same general location as where you have FRST64

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.


If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt in your reply.




Edited by AdvancedSetup
Link to post
Share on other sites

Thanks for the report.  That is a good run.  How is the situation today ?  Lets do a new scan next chance you get.

Start the program by doing a RIGHT-click on the Taskbar icon for Malwarebytes and select *Open Malwarebytes Anti-Malware*.
on the Dashboard, click the Update ( blue link ).
click the *Scan Now >>* ( link)  button.

Click on the first column Threat scan*

A Threat Scan will begin.
When the scan is complete, Make sure to Review the results.   Look over the list please.

if there have been detections, if there have been detections, look over the list and insure all lines have  check-marks so that they can be removed

click **Remove selected** to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

Click on the *History* tab > *Application Logs*.
Double click on the scan log which shows the Date and time of the last SCAN performed. Please make sure the word SCAN is shown and also that you grab the very latest Date. the most recent Scan run.
You can double click the line to get it on screen. Then use the menu at bottom of the window.

Click the EXPORT button at the bottom left.
Click *TEXT file*

Be very aware as to what folder and what NAME you give this report.  You have to make a note so you can send it.

Then attach that file with your next reply.


Link to post
Share on other sites

I would like you to do one more scan; this one from ESET security.  This is for a second opinion.

To be certain all traces of malware & viruses are gone, I'd suggest you run this  scan to help look for a virus or possible P U P or rogue that may be lurking. This scan can easily take upwards of an hour, so be run the scan when you don't need to use the computer for a while.
{ If you need help on this, then see this page http://www.eset.com/us/online-scanner/help/

You may use the stand-alone-eset installer.
Use this link to get and SAVE esetsmartinstaller_enu.exe _the ESET Smart Installer. Save it to your desktop.

"(this link)":http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

You need to first SAVE the file to your system.  Save to the Downloads folder or the DESKTOP  ( for ease of use).

2.Double click on the esetsmartinstaller  icon on your desktop.

4.Check "YES, I accept the Terms of Use."
5.Click the *Start* button.

and proceed just as outlined before.   Reply ( click ) YES when prompted to allow the run by Windows U A C ( user account control).
Have patience while it downloads antivirus database definitions.

Click on *Enable detection of potentially unwanted applications*
Click on the blue line *Adanced Settings*
Choose the following settings in scan settings:

Select (check) Enable detection of potentially unwanted applications.

in advanced settings:
clear ( leave un-checked) Remove found threats

Select ( check-mark) Scan for potentially unsafe applications

Click on Start. The virus signature database will begin to download. This may take some time.
When completed the Online Scan will begin automatically.
Note: This scan might take a long time! Please be patient.
When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
Now click on Finish

A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

Note: Do not forget to re-enable your antivirus application after running the above scan!

I will advise you more after I have had a chance to review that log file.

You will find a log-file for the results of the ESET scan that is named LOG.txt
It will be located under the Program Files structure of Windows in one of the folders listed below.  The report file is named *LOG.txt*
The folder constaining that report is this for 64-bit Windows.
C:\Program Files (x86)\ESET\ESET Online Scanner   

Thanks for the Scan report.  That is a good result, obviously.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.