
Malware.Trace Removal



My Malwarebytes Quick Scan turned up "Malware.Trace" in "C:\windows\system32\autorun.inf" during the heuristics part of the scan. I removed it on reboot as directed and it is now in "Quarantine". Since doing that I checked in "system32" and I don't appear to have an "autorun.inf" file there - is the actual malware that file, or is the file infected and only part should be removed? Has MBAM removed the whole file? I ran Quick Scan again and Malware.Trace was not picked up again. However my HijackThis program shows an additional entry:

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanscript

Does that keep coming up now or can I remove it? I'm a bit green about all this.


I'm wondering the same thing this morning, as MBAM seems to find it whether the file has anything in it or not.

Knowing that it's the Autorun file for Windows, I renamed it Autorun.txt, and then re-saved it as Autorun1.txt. Then I edited the original file and removed all the text found within the file. Then I renamed it back to Autorun.inf.

I re-scanned and it still found Autorun.inf to be Malware. Now I don't trust the results....


Knowing that it's the Autorun file for Windows

There is no autorun.inf file for Windows

The INF part of the file is the issue, as this can be used by malware to autorun any program.

MS has even helped users remove these autorun.inf files themselves HERE

Since you changed the INF to TXT, it does not pose a threat any longer.


It is entirely atypical to have an autorun.inf file at folder C/windows/system32. Kimsland makes good references.

@Imbart & Underdawg,

If you suspect malware is still present and you need guided help, then, please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post, make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.


Thanks for all the interest. I thought this was the wrong forum so I posted again on the Malwarebytes HijackThis forum, as suggested in one of the posts above, before I saw any replies. However some answers seem to be here now. I have looked further into this.

A full Norton scan brings up nothing on autorun.inf, and neither does a scan by Norton or by Malwarebytes of autorun.inf on its own. I restored autorun.inf from quarantine and put it in "ignore" because Googling gave me the impression that it was a required system file, and I "system restored" my computer back a few days. This got rid of the HijackThis and startup list Malwarebytes "runcleanupscript" entries.

I looked at my autorun.inf file properties, which showed that it was created 15/5/2007, modified 15/5/2007 and accessed 3/12/2009. So it's been there two and a half years without Malwarebytes taking any notice, and suddenly today the heuristic bit of the scan picked it out. The main scan before the heuristic did not. I also opened autorun.inf with Notepad and a lot of it seems connected with my all-in-one HP printer, although a lot was also gobbledegook. Quarantining it takes it out altogether, but I think it may recreate on boot, which is why the "runcleanupscript" bit runs at boot up. Before I saw some of the answers here I was treating it as a false positive. Is this a required system file or not - does anyone know?


I don't know if it's a required file or not. But I noticed it seemed to be connected to the HP printer as well. (Something about these darn USB printers bugs me... must be the fact that you have to hold your mouth right, stand on one foot, and mutter incantations to get them to work right...) :)


Found yet two more people with same problem:

http://www.malwarebytes.org/forums/index.php?showtopic=32404

Can MBAM look into this please. It is very sudden and could be a false positive, as it seems only the MBAM heuristic scan picks it up since the most recent update (to the free MBAM in my case).

Add me to the list, only picked up after my latest update. At the same time my HP printer went haywire.


Just an update. We've got two threads running on this, as you probably know - the other is in the link in tudor's post immediately above this. The latest from the other thread is that nosirrah of MBAM has "pulled" this item as a suspicious object while the claim that the file is an HP installation is looked into, so at the moment a scan will not pick it up. I am no expert, but I have read through the text in my autorun.inf file and most of it refers to my HP printer and ancillary programs such as HP Solutions and HP photo programs. If anything is buried in there it seems to me HP put it there - but I say again I am no expert, just my opinion until I hear different.

Just one more question to MBAM - when I initially quarantined this file (now restored and in my ignore list) and was directed to restart to do this, why thereafter did MBAM's registry entry concerning the "runcleanupscript" appear permanently in my startup list, as I explained in the very first posting in this thread? I hope nosirrah of MBAM is reading this thread too and I thank him for his assistance so far.


Hi imbart.

I have not quarantined mine either. I will be waiting for nosirrah's answer though. I ran the file through VirusTotal, and McAfee was the only one out of 48 other security programs that detected autorun.inf, as Generic!atr.b. I have also run Spy Sweeper, SUPERAntiSpyware, Avast, and HijackThis without finding anything suspicious in my PC, then I ran the KIS, BitDefender, and ESET NOD online scanners and none of them detected anything at all.

Like you I have not been infected in a couple of years and my OS was just reinstalled back in October from an original clean image. I had just scanned (quick) my system with MBAM a couple of days earlier without finding anything, and in those two days I did not download, install, or go to any suspicious web page. Furthermore my firewall and HIPS programs did not alert me to anything new running in my PC. So I am kind of confused. Well, like another fellow Dell member advised me, mind you, he also advised me to wait for an answer from these forums.

The following all point to a false positive:

- A malware "trace" (traces alone, by definition, cannot harm you).

- Presence since 2007, previously undetected

- Detection by heuristics, as previously noted by ky

- No system problems, and detection by a routine scan only

- File cleared by VirusTotal (except for McAfee)

Anyway I am waiting for a definitive answer from the experts.

BTW I have other autorun.inf files in my system:

C:\Program Files\Dell\Chipset Software Installer 1 KB

C:\Program Files\HP\Digital Imaging\{B09BCBF6-87EE-4403-A336-3A9510856535} 494 KB

C:\Program Files\HP\Temp\{ SAME CLID AS ABOVE } 494 KB

DISK1 1 KB

Let


  • Root Admin

Q: Is C:\WINDOWS\SYSTEM32\Autorun.inf a False Positive?

A: In my opinion, no it's not.

  • An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows Operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a volume. As Windows has a case-insensitive view of filenames, the autorun.inf file can be stored as AutoRun.inf or Autorun.INF or any other case combination.
  • AutoRun and the companion feature, AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
  • When a user inserts a disc into a CD-ROM drive on an AutoRun-compatible computer, the system immediately checks to see if the disc has a personal computer file system. If it does, the system searches for a file named Autorun.inf. This file specifies a setup application that will be run, along with a variety of optional settings. The startup application typically installs, uninstalls, configures, and perhaps runs the application.
  • The device must have AutoRun-compatible drivers. To be AutoRun-compatible, a driver must notify the system that a disk has been inserted.
  • The root directory of the inserted media must contain an Autorun.inf file
  • The device must not have AutoRun disabled through the registry
  • The foreground application has not suppressed AutoRun
  • Floppy disk, CompactFlash, USB, CD/DVD, network drives that are mapped to a drive letter, Microsoft Management Console (MMC), ALL allow the use of AutoRun

Based on the information above, and the fact that I've also searched numerous desktops and print servers that have dozens of printers installed and none of them have Autorun.inf in the location C:\WINDOWS\SYSTEM32, I have to believe that it is a mistake or failure of an installer to clean up that file, or that the author of the installation created the installer improperly and it dumped the file there. If the installation file is needed by the print software then its name is invalid for its purpose and should be renamed to something else.

You can have hidden shares on your system, but none of them point to that location either, and even if they did it would require your own computer or a remote computer to map a drive letter directly to that share point and then double-click or right-click and run it like it runs on a CD/DVD drive, or mount and unmount it. That just is not reasonable or practical, so again it leads me to analyze it as a mistake that it's there in the first place. Could malware use a file with this same name and location - C:\WINDOWS\SYSTEM32\Autorun.inf? Yes it could, but there are far easier methods to infect the system than to try some arcane method of manipulation.

In conclusion, leaving the file there and ignoring it would in most cases be harmless (though as explained above I see no valid reason for HP or anyone else to put that file there); however, considering that there is a very small possibility that a malware-related one could be put there, I would recommend that you do remove that file.

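Kimsland's point that the .inf extension is what makes the file dangerous (renamed to .txt it is inert), and the Root Admin's list of conditions AutoRun needs before it acts on the file (a volume root, AutoRun not disabled in the registry), together describe a triage procedure. The script below is an added example, not code from this thread or from Malwarebytes: it parses an autorun.inf, lists the directives that would launch a program, checks whether the path is a volume root, and decodes a NoDriveTypeAutoRun policy value. The two sample files, the path strings and the default policy value of 0x91 are constructed for the example.

```python
"""Triage an autorun.inf the way the thread above reasons about it: what would
it launch, is it somewhere Windows AutoRun would ever read it, and does the
NoDriveTypeAutoRun policy even allow AutoRun for the drive type involved?

Added example; not code from the forum thread or from Malwarebytes.
The sample file contents below are constructed for illustration.
"""
import ntpath
import re

# [autorun] directives that launch (or offer to launch) a program when AutoRun
# or AutoPlay processes the file.  shell\<verb>\command entries replace the
# Explorer context-menu verbs for the drive, a favourite of removable-media worms.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
# NoDriveTypeAutoRun (also honoured under HKCU).  A set bit disables AutoRun for
# that GetDriveType() class; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED"),
]


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Tolerant of ';' comments, blank lines and junk lines without '=' (the
    thread mentions files that are mostly 'gobbledegook')."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections):
    """Directives in [autorun] that would run or offer to run a program."""
    autorun = sections.get("autorun", {})
    return {k: v for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)}


def is_volume_root(path):
    """True only for <drive>:\\autorun.inf or \\\\server\\share\\autorun.inf.
    AutoRun never looks anywhere else, which is why C:\\WINDOWS\\SYSTEM32 is an
    odd place to find one."""
    head, tail = ntpath.split(path)
    if tail.lower() != "autorun.inf":
        return False
    drive, rest = ntpath.splitdrive(head)
    return bool(drive) and rest in ("", "\\")


def disabled_drive_types(no_drive_type_autorun):
    """Decode a NoDriveTypeAutoRun DWORD into the drive types it disables."""
    return [name for bit, name in DRIVE_TYPE_BITS if no_drive_type_autorun & bit]


def triage(path, text, no_drive_type_autorun=0x91):
    """Summarise what this file could do and whether Windows would act on it.
    The default policy value is an assumption for the example; read the real
    DWORD from the registry on the machine you are triaging."""
    launch = launch_directives(parse_autorun_inf(text))
    in_root = is_volume_root(path)
    disabled = disabled_drive_types(no_drive_type_autorun)
    if launch and in_root:
        verdict = "actionable if AutoRun is enabled for this drive type"
    elif launch:
        verdict = "launch directives present, but outside a volume root AutoRun will not read it"
    else:
        verdict = "no launch directives (icon/label only)"
    return {"launch": launch, "in_volume_root": in_root,
            "autorun_disabled_for": disabled, "verdict": verdict}


# Constructed sample resembling what a printer installer's setup disc carries.
INSTALLER_STYLE_INF = """[autorun]
open=Setup\\setup.exe
icon=Setup\\setup.exe,0
label=Printer Software
"""

# Constructed sample in the style of removable-media worms: every way of
# opening the drive from Explorer runs the payload instead.
WORM_STYLE_INF = """[AutoRun]
; junk lines and comments are ignored by the parser
open=hidden\\payload.exe
shell\\open\\Command=hidden\\payload.exe
shell\\explore\\Command=hidden\\payload.exe
shellexecute=hidden\\payload.exe
UseAutoPlay=0
"""

if __name__ == "__main__":
    for sample_path, sample_text in ((r"E:\autorun.inf", WORM_STYLE_INF),
                                     (r"C:\WINDOWS\SYSTEM32\autorun.inf", INSTALLER_STYLE_INF)):
        print(sample_path, triage(sample_path, sample_text))
```

To use it on a real file, call `triage(path, open(path, errors="replace").read(), value)` with `value` being the NoDriveTypeAutoRun DWORD read from the registry (reg query or Get-ItemProperty). A file outside a volume root, like the one in C:\WINDOWS\SYSTEM32, reports that AutoRun would not read it there, which is the Root Admin's point; a root-level file whose open= or shell\...\command= entries point at an executable on the same media is the pattern worth quarantining.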

Thanks for looking into this. I've deleted the file and will keep an eye out for any suspicious activity going on on my PC (though none of the other security programs I use are picking anything else up). I quarantined the file without thinking to first look at the properties so I've no idea how long it's been there, but it sounds like it's been present on at least one person's computer for a very long time without incident, so hopefully it's just a relatively harmless anomaly. If it is indicative of some kind of mishap having occurred during the installation of the drivers for my printer it might explain why I've had so many problems with the printer in question.


@ imbart - DCross - iroc9555 - et al -

You are chasing your own tail - The posting has been answered above and in the other areas you mentioned -

They refer to here and then here refers to there - No sense to follow it -

You should not post this further unless you wish to have your system checked in the HiJack This Section of the forum -


Apologies - I was trying to collate the various answers as many pertinent to this thread are on the other thread and might have been missed.


I installed a second HP scanner a year ago, and quite recently I started experiencing the annoyance of an endless loop of attempted installations of the HP photo management program.

Manifestly the root of my problem is the autorun script. I suppose it was just run on installation since the date of last modification is over a year ago, or does the autorun not update the access date?

I will rename the file and see if it cures my problem.

