iroc9555

Me too, autorun.inf


Hello,

I just checked with the latest update.

Malwarebytes' Anti-Malware 1.41

Database version: 3284

Windows 5.1.2600 Service Pack 3

12/2/2009 10:32:25 PM

mbam-log-2009-12-02 (22-32-12).txt

Scan type: Quick Scan

Objects scanned: 118116

Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\autorun.inf (Malware.Trace) -> No action taken. [3857535134304666778866837015538366687013010652585237425106616686858083867915747971]


This may be a trace from a long ago removed infection, either way it is safe to remove and I can't verify any legit reason for it to be there.

This may be a trace from a long ago removed infection, either way it is safe to remove and I can't verify any legit reason for it to be there.

A couple of people here http://www.malwarebytes.org/forums/index.php?showtopic=32463 seem to have found some kind of association with hp printers (which I also have). This thing wasn't picked up on my computer until yesterday's scan and I haven't had a malware infection for almost a year (and even that may have been a false positive - I didn't know about the existence of this forum at the time). Neither Malwarebytes, Avast Antivirus, Windows Defender or Comodo Defence plus seem to be picking up anything else untoward going on, so I seem to be otherwise clear. It's very peculiar.

This may be a trace from a long ago removed infection, either way it is safe to remove and I can't verify any legit reason for it to be there.

Hi nosirrah.

Thank you for answering my post. I just reinstalled my OS back in October, and to my knowledge, I have not been infected since, or in the past year or so for that matter. I have scanned my sys. with Spy Sweeper, SAS, and Avast. I also sent the file to Virus Total, and from 49 scans only McAfee detected it as a Generic ! atr.b. Like DCross my file is just about my HP printer, most of it, and like DCross the autorun.inf file was detected after data base v.3280 was updated and not the day before. I am still reading the context to see if I find something that does not belong.

Thank you again.


Hello,

I too have a HP printer and the file appears to be associated with the install.

I ran a quick scan with version 1.42 and get the same results.

I went ahead and had MB take care of the file and rebooted. The next scan was clear and my printer appears to be working fine. I will keep this in quarantine until this is confirmed a false positive or not.

Should I send you the file to examine?

Thank you.

(my system has been clean up until the above mentioned DB also)

Malwarebytes' Anti-Malware 1.42

Database version: 3289

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/3/2009 4:05:50 PM

mbam-log-2009-12-03 (16-05-34).txt

Scan type: Quick Scan

Objects scanned: 118190

Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\autorun.inf (Malware.Trace) -> No action taken.

Hello,

I too have a HP printer and the file appears to be associated with the install.

I ran a quick scan with version 1.42 and get the same results.

I went ahead and had MB take care of the file and rebooted. The next scan was clear and my printer appears to be working fine. I will keep this in quarantine until this is confirmed a false positive or not.

Should I send you the file to examine?

Thank you.

Hi rriso.

Installed new 1.42 data base v. 3291 did not find autorun.inf in my sys. Did quick and full scan and came out clean. I thought you wanted to know.

I pulled it while looking into claims that HP may be adding this file.

Thank you nosirrah, much appreciated.


Thank you iroc9555 and nosirrah for the replies.

The quick action/responses from this forum is the primary reason I recommend this product.

Thank you iroc9555 and nosirrah for the replies.

The quick action/responses from this forum is the primary reason I recommend this product.

Rriso be advised, nosirrah is just researching into the fact that the file might be used for and by HP. It is not cleared yet.

Other members in these Forums are asking the same question about autorun.inf.

http://www.malwarebytes.org/forums/index.php?showtopic=32463

Waiting for a yes, maybe, no. :)


Hello,

Below is a small part of the autorun.ini file in question.

I am not that knowledgeable with computers, but to me this appears (?) to be a standard install procedure.

The file is 475 KB. It appears to repeat itself in different languages, hence the larger size.

Hope this does not muddy the waters; I was just trying to shed some light on this issue.

Thank you.

[autorun]

open=setup.exe

icon=setup.exe,0

[Version]

CDGuid={F5936267-D467-4e7b-8940-A7D9F0398EF3}

SoftwareGuid=

InfrastructureDatabaseList=hphmdl15.dat

LanguagesInthisCD=ENU,FRA,ITA,DEU,ELL,ESN,PTB,NLD,RUS,NOB,DAN,CHS,CHT,JPN,KOR,CSY,DAN,FIN,HUN,NOB,PLK,SVE,TRK,ARA,HEB

DefaultLanguageInThisRelease=ENU

DIVISION=HPH

ICE_REV=15

FIRST_IO_REVISION=18

LAST_IO_REVISION=18

VCD_FILEVER=0

Manufacturer=HP

RegistryManufacturer=Hewlett-Packard

ProductSeries=Deskjet Printer Series

Pre-Install=%ProgramFilesx86%%Manufacturer%

SilentInstall=No

InvalidPathCharacters=#$&,%

ConnectivityPlugin=%sourcepath%setup\hpzdui%ICE_SUFFIX%.exe

PreloadICEEngineToGUIDFolder=%sourcepath%hpzprl01.dat

PreloadRecoveryMechanism=%sourcepath%hpzprl02.dat

PreloadRestingPad=%sourcepath%hpzprl03.dat

UI_03=No

UI_20=Yes

UI_21=No

UI_25=No

UI_30=Yes

UI_50=No

UI_80=No,NoDeviceConnected,SWReinstall,NoDeviceDiscovery

UI_250=No

UI_260=Yes

UI_40=Yes

UI_60=Yes

UI_70=Yes

UI_110=Yes

UI_100=Yes

RegistryRebootLocation=DigitalImaging\Install

qualifier=%OS%

DriverLanguages=ENU,FRA,ITA,DEU,ELL,ESN,PTB,NLD,RUS,NOB,DAN,CHS,CHT,JPN,KOR,CSY,DAN,FIN,HUN,NOB,PLK,SVE,TRK,ARA,HEB

ProductFinishEvent=somestring

UsingDeviceDiscovery=Yes

DeviceDiscoveryBucket=DeviceManagement_PSE


It is an installer and is safe. That is not what is in question though. The fact that it CANNOT normally run from that folder because C:\WINDOWS\SYSTEM32 is not a ROOT folder. So the file though safe is useless there as well. It is highly unlikely that any Malware would even try such a dumb method of attempting to infect you, but it is possible thus I think it should be part of our detection and it should be removed. If however you wish to leave it there then that's okay too as it is harmless currently.
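
An added triage example, not part of the original thread or of Malwarebytes: it applies the point made in the post above, that autorun.inf is only honoured in the root of a drive, to a given file path and lists what the [autorun] section would start. The function names and verdict labels are hypothetical, and the sample text is a constructed subset of the excerpt quoted earlier.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample: a few lines from the excerpt quoted in the thread.
SAMPLE = """[autorun]
open=setup.exe
icon=setup.exe,0
[Version]
Manufacturer=HP
Pre-Install=%ProgramFilesx86%%Manufacturer%
InvalidPathCharacters=#$&,%
"""

def launch_entries(text):
    """Return the [autorun] keys that name a program to start."""
    cp = configparser.ConfigParser(
        strict=False,            # the thread notes the file repeats itself
        interpolation=None,      # values contain literal % signs
        allow_no_value=True,
        delimiters=("=",),
    )
    cp.read_string(text)
    found = {}
    for section in cp.sections():
        if section.lower() != "autorun":   # match [AutoRun], [AUTORUN], ...
            continue
        for key, value in cp.items(section):   # keys arrive lower-cased
            if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                found[key] = value
    return found

def triage_autorun(path, text):
    """Classify an autorun.inf by where it sits and what it would launch."""
    p = PureWindowsPath(path)
    # Per the thread: the file is only honoured in the root of a drive.
    at_root = p.is_absolute() and p.parent == PureWindowsPath(p.anchor)
    entries = launch_entries(text)
    if not at_root:
        verdict = "inert"        # not read by AutoRun from this folder
    elif entries:
        verdict = "active"       # AutoRun could start the listed program
    else:
        verdict = "no-launch"    # at a root, but nothing to start
    return {"at_drive_root": at_root, "launch": entries, "verdict": verdict}

if __name__ == "__main__":
    print(triage_autorun(r"C:\WINDOWS\system32\autorun.inf", SAMPLE))
```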


Thank you AdvancedSetup for the explanation.

I misunderstood what the question on this file was. Upon re-reading the other threads and this one, I understand more fully what the issues are.

I have removed this file from my two systems.

Thanks again.


Many thanks AdvancedSetup for your explanation here and on the other thread. My only query now is that when autorun.inf is removed from system32 and quarantined it requires restart after which an MBAM entry arrives in the startup list and also in HijackThis in the 04 section as:

04- HKLM\..\Run [Malwarebytes Anti-Malware (reboot)] "C\Program Files\Malwarebytes' Anti-Malware\mbam.exe\ runcleanupscript

and stays there - do you know why?


It shouldn't do that with version 1.42 of Malwarebytes' as that was one of the issues corrected between 1.41 and the latest version. If you are having that issue then please follow the instructions in #7 of the FAQ located here to see if that corrects it.

it's a hiccup from HP's programming probably

Thank you for your explanation in this thread and the other posted by Imbart. It is well known that HP printer


Autorun.inf files in these locations as said should in most cases pose no threat. To be safe though you can rename them to .txt or some other extension or delete the file if you like.

Autorun.inf files in these locations as said should in most cases pose no threat. To be safe though you can rename them to .txt or some other extension or delete the file if you like.

Thank you, much appreciated.
