**Suspicious noteped.exe and AutoRun.inf files**

Just a week ago, 2 files popped out from nowhere on my local disk drives.
I found a noteped.exe file (the file's icon resembles a pixelated Notepad icon) and an AutoRun.inf file (I don't know what this is for, but it seems to be linked with noteped.exe).

Both of these files, once deleted, somehow re-copies themselves on one of my local drives.
ie. If I delete them on C:/, they transfer to D:/ or E:/ and vice-versa.

I ran a couple of AS programs (SAS Free and HijackThis were not able to identify them as malware). Only A-squared detected that Noteped.exe is actually a variant of Backdoor.Win32.Hupigon! I deleted them w/ A-squared, but they still re-copy themselves.

Anyone know how to permanently delete these files? How it came to my system? And how do you prevent them to reoccur once removed?

BTW I use Avast Home, Sygate Firewall, Winpatrol, SnoopFree, SAS Free, A-squared, SpywareBlaster and Firefox

 

Perform scan with removal option here:

www.eset.com/onlinescan

If this doesn't help , post for help in AumHa forums

 

it can name it's self many things
calc.exe
cmd.exe
mmc.exe
mspaint.exe
mstsc.exe
notepad.exe
osk.exe
sndrec.exe
sndvol32.exe
svchost.exe
winchat.exe
you can try and disable sys restore and do your scan with Dr.Web cureit or kaspersky removal tool in safe mode that should remove it from your sys than after you are satisfied it's safe turn sys restore back on.

 

Delete autorun.inf and noteped.exe in all your harddrives (c:\, d:\, e:\). The files may be hidden, so you may need to enable showing hidden files and folders when doing this.

Click Start>Run... type in regedit
Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and delete the folders in that tree.

This infection most likely came from a removable drive/USB/Floppy disc, so be careful with any you recently used. They may host the malicious files and automatically infect you when you insert them.
To prevent this from happening in the future, disable Autoruns from your computer or hold the "Shift" key when inserting removable drives into your computer. (Disableing Autoruns is the easiest option). Then if you find a hidden autorun.inf and notepad.exe in any removable drives, delete them.

 

Try a scan with any good AV like Antivir free.

 

I hate to go down this road, but sounds like you are saying Avast! is not a good AV? As someone who likes to keep up with what's going on and what to recommend, I am curious now.

 

I did not say that Avast is not good but Antivir,s detection is far more superior so I suggested it. Very simple. I don,t want to start any such discussion infact.

He sure has a malware on his system that bypassed Avast so he needs to try another scanner to get rid of it.

 

I'm afraid that the microsoft default of "Do Not Show Hidden Files & Folders" & "Hide Extentions of Known File Types" blinds many users from detecting certain stealth infections (this is one) and a shame it almost always takes a serious malware hit before users learn/discover to "UnHide" these settings in Folder Options/View in XP.


dawgg is spot on of course because this looks like a removable drive/USB/Floppy disc entry type infection.

 

HyperFlow
I was able to find most of the applications you stated, like mstsc.exe and cmd.exe. It seems to be an integral part of Windows. For what purpose they are for, I do not know.




Frankly, I'm surprised that SAS Free and Avast were not able to detect these malware, considering that these products are top-tier anti-malware programs.

IMO they should do something to improve their programs' heuristics ASAP..

 

Have you done what I instructed in Post 4?
You know the drill... no AV is 100% effective and if any AV misses a sample, it shouldn't be surprising.

Yes, those filenames HyperFlow stated are part of Windows, but it depends on what directory they are in.. Do not go and delete all of them (because removal of them is likely to not be required)

 

Yes, I have deleted all autorun.inf and noteped.exe files on my hard disks.
The MountPoints2 registry item is non-existent on my system.

 

Please note that holding down the Shift key will prevent the executable file from running, but will not prevent Windows from reading the .inf file and writing to the Registry, whereupon when the user clicks on the drive in My Computer to search for those files, same executable will be launched automatically. This indeed is a case of remote code execution. See:

http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html


----
rich

 

For your infected flash, if that is the case, you can use this prog:
FlashDisinfector by subs
I had an unknown driver infection That liked to attach to everything. After my computer was cleaned this tool was recommended for my infected USB drive.
If all of the AV stuff doesn't catch it then you may need to go in the direction of Combofix, Smitfraudfix, Deckards System Scanner, etc.,forum assistance. Excellent helpers from all of the Wilders Peeps.

 

Searching___
The FDM community says that it is a malicious program. Sorry, but it would be better safe than sorry, so I won't download it.

 

Good news:
I have finally found the culprit:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\noteped.exe


Bad news:
Right after deleting it using command prompt, it immediately recopies itself unto the hard drive. It definitely is a backdoor threat, as detected by A-squared. The only problem left now is how do you remove such a file.

BTW I was only able to delete the file after 'unlocking' the process using Unlocker. But afterwards, it keeps regenerating.

 

Flash Disinfector is recommended by Malware Experts @ GeeksToGo. Click on link and read post#4. Use the search feature at that site to locate forums with FD. Read for yourself.
You must be using a download manager, maybe free one that classifies FD as malware.
Virus progs detect Smitfraudfix as malware, but is similar techniques used for good, see.
Also, Their is nothing wrong with researching before committing to a choice.

 

It's been 10 days already! Does anyone know how to completely remove this malware out of my PC

I've tried Antivir, Comodo AV, even NOD32, but they weren't able to completely remove the noteped file.
This is getting really annoying

 

nomarjr3,

Since you use SAS and it didn't catch the malware, you might consider submitting a support ticket to SAS. Nick has advised several other SAS free users here at Wilders to do so to clean up infections SAS either initially didn't detect or fully clean up.

Quoting Nick from another thread:

If SUPERAntiSpyware Free Edition doesn't fully remove it, submit a support request here and we will run our custom diagnostic on your system and update our definitions to remove the threat completely:
http://www.superantispyware.com/support.html

 

Sorry for bumping but I encountered the same problem some time last year. The culprit as far as I have found out is when autorun is enabled on the computer which then autoplays an inserted removable drive which may or may not be infected (I cannot confirm if noteped.exe is really a malware since no scanners have detected it at the time although from what I can deduce noteped.exe and autorun.inf seems to be a simple batchfile).

Symtoms of the infection? were:
a) instead of having an Open default command when right clicking on a partition/ harddrive, it would show AutoPlay or something to that effect.

b) WebClient service description shows jumbled letters/symbols although I have turned off this service prior to infection

What I did to get rid of the two files were to turn off autoplay system wide via gpedit.msc, reboot then delete the files from my two partitions. That promptly solved them from recurring although WebClient service still was left unfixed. Had a reformat planned anyways so I simply just did it earlier than was planned. Never turned on Autoplay eversince