**Suspicious noteped.exe and AutoRun.inf files**

Discussion in 'malware problems & news' started by nomarjr3, May 5, 2008.

Thread Status:
Not open for further replies.
  1. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Just a week ago, 2 files popped out from nowhere on my local disk drives.
    I found a noteped.exe file (the file's icon resembles a pixelated Notepad icon) and an AutoRun.inf file (I don't know what this is for, but it seems to be linked with noteped.exe).

    Both of these files, once deleted, somehow re-copy themselves onto one of my local drives.
    i.e. If I delete them on C:/, they transfer to D:/ or E:/ and vice versa.

    I ran a couple of AS programs (SAS Free and HijackThis were not able to identify them as malware). Only A-squared detected that Noteped.exe is actually a variant of Backdoor.Win32.Hupigon! I deleted them w/ A-squared, but they still re-copy themselves.

    Anyone know how to permanently delete these files? How did it come to my system? And how do you prevent them from reoccurring once removed?

    BTW I use Avast Home, Sygate Firewall, Winpatrol, SnoopFree, SAS Free, A-squared, SpywareBlaster and Firefox
     
  2. ASpace

    ASpace Guest

  3. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    it can name itself many things
    calc.exe
    cmd.exe
    mmc.exe
    mspaint.exe
    mstsc.exe
    notepad.exe
    osk.exe
    sndrec.exe
    sndvol32.exe
    svchost.exe
    winchat.exe
    you can try and disable sys restore and do your scan with Dr.Web CureIt or Kaspersky removal tool in safe mode. That should remove it from your sys; then, after you are satisfied it's safe, turn sys restore back on.
     
  4. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Delete autorun.inf and noteped.exe on all your hard drives (c:\, d:\, e:\). The files may be hidden, so you may need to enable showing hidden files and folders when doing this.

    Click Start>Run... type in regedit
    Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and delete the folders in that tree.

    This infection most likely came from a removable drive/USB/Floppy disc, so be careful with any you recently used. They may host the malicious files and automatically infect you when you insert them.
    To prevent this from happening in the future, disable Autorun on your computer or hold the "Shift" key when inserting removable drives into your computer. (Disabling Autorun is the easiest option.) Then if you find a hidden autorun.inf and notepad.exe on any removable drives, delete them.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Try a scan with any good AV like Antivir free.
     
  6. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    I hate to go down this road, but sounds like you are saying Avast! is not a good AV? As someone who likes to keep up with what's going on and what to recommend, I am curious now.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I did not say that Avast is not good, but Antivir's detection is far superior, so I suggested it. Very simple. I don't want to start any such discussion, in fact. :)

    He surely has malware on his system that bypassed Avast, so he needs to try another scanner to get rid of it.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I'm afraid that the Microsoft defaults of "Do Not Show Hidden Files & Folders" and "Hide Extensions of Known File Types" blind many users from detecting certain stealth infections (this is one), and it's a shame it almost always takes a serious malware hit before users learn/discover to "unhide" these settings in Folder Options/View in XP.

    dawgg is spot on of course, because this looks like a removable drive/USB/Floppy disc entry type infection.
     
  9. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    HyperFlow,
    I was able to find most of the applications you stated, like mstsc.exe and cmd.exe. They seem to be an integral part of Windows. What purpose they serve, I do not know.

    Frankly, I'm surprised that SAS Free and Avast were not able to detect this malware, considering that these products are top-tier anti-malware programs.

    IMO they should do something to improve their programs' heuristics ASAP.
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Have you done what I instructed in Post 4?
    You know the drill... no AV is 100% effective, and if any AV misses a sample, it shouldn't be surprising.

    Yes, those filenames HyperFlow stated are part of Windows, but it depends on what directory they are in. Do not go and delete all of them (because removal of them is likely not to be required).
     
  11. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Yes, I have deleted all autorun.inf and noteped.exe files on my hard disks.
    The MountPoints2 registry item is non-existent on my system.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Please note that holding down the Shift key will prevent the executable file from running, but will not prevent Windows from reading the .inf file and writing to the Registry, whereupon, when the user clicks on the drive in My Computer to search for those files, the same executable will be launched automatically. This indeed is a case of remote code execution. See:

    http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html

    ----
    rich
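As an added example (not code from the thread or from any tool mentioned in it), the following Python script parses an autorun.inf and separates the directives AutoRun acts on at insertion (open=, shellexecute=, the step that holding Shift suppresses, as dawgg describes in post 4) from the shell\verb\command= directives Explorer honours when the user opens the drive, which is the path Rmus describes in post 12. It also reports the hidden attribute of the file (EASTER's point about Explorer's defaults) and lists the files the directives name, so a responder can see which binary on the volume is being launched. The sample autorun.inf embedded in it is constructed for illustration; the script and function names are mine and not from any project.

```python
"""Audit an autorun.inf for the directives that make Windows run a file.

Added example, not code from the thread or from any tool named in it.
The sample autorun.inf below is constructed to resemble the kind of file
dropped next to a binary such as noteped.exe; it is not a real capture.
"""
import os
import re
import stat
from dataclasses import dataclass

# Matches shell\<verb>\command, the directive Explorer honours when the user
# opens the drive from My Computer or picks the verb from its context menu.
_SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")


@dataclass(frozen=True)
class Finding:
    key: str      # directive as written in the file
    value: str    # command line or file the directive points at
    trigger: str  # "insert", "click", "default-verb" or "icon"


def parse_autorun(text):
    """Return the execution-relevant directives from the [autorun] section.

    "insert" directives (open=, shellexecute=) are acted on by AutoRun itself
    when the volume is mounted; holding Shift suppresses that step.
    "click" directives (shell\\<verb>\\command=) are acted on by Explorer
    when the user later opens the drive, which Shift does not prevent.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lkey = key.lower()
        if lkey in ("open", "shellexecute"):
            findings.append(Finding(key, value, "insert"))
        elif _SHELL_CMD.match(lkey):
            findings.append(Finding(key, value, "click"))
        elif lkey == "shell":                     # names the default verb
            findings.append(Finding(key, value, "default-verb"))
        elif lkey == "icon":                      # icon shown for the drive
            findings.append(Finding(key, value, "icon"))
    return findings


def _first_token(value):
    """First program/file name in a command line, handling a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def referenced_files(findings):
    """Lower-cased base names of every file the directives point at."""
    names = set()
    for f in findings:
        if f.trigger == "default-verb":
            continue
        target = _first_token(f.value).split(",")[0]   # icon=file.exe,0 form
        if target:
            names.add(os.path.basename(target.replace("\\", "/")).lower())
    return names


def summarize(findings):
    """Count findings per trigger so a volume can be triaged at a glance."""
    counts = {"insert": 0, "click": 0, "default-verb": 0, "icon": 0}
    for f in findings:
        counts[f.trigger] += 1
    return counts


def scan_volume(root):
    """Look for autorun.inf at a volume root and report what it would launch.

    Also reports the hidden attribute: with Explorer's default "do not show
    hidden files" setting the file is invisible to the user.
    """
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows only
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = parse_autorun(fh.read())
        return {
            "path": path,
            "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            "summary": summarize(findings),
            "files": sorted(referenced_files(findings)),
        }
    return None


# Constructed sample of what such an autorun.inf plausibly contains.
SAMPLE_AUTORUN_INF = r"""; constructed sample, not a real capture
[AutoRun]
open=noteped.exe
shellexecute=noteped.exe
shell\open\Command=noteped.exe
shell\explore\command="noteped.exe" /explore
shell=open
icon=noteped.exe,0
"""

if __name__ == "__main__":
    import sys
    found = parse_autorun(SAMPLE_AUTORUN_INF)
    print("sample:", summarize(found), sorted(referenced_files(found)))
    for drive in sys.argv[1:]:          # e.g. python audit_autorun.py C:\ D:\ E:\
        print(drive, scan_volume(drive))
```

Run it with drive roots as arguments to audit each volume; on a non-Windows host the hidden flag is always reported as False because the attribute is not exposed there. A volume whose report shows any "click" directive is one where the Shift-key trick alone is not enough, which is exactly the caveat in post 12.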
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    For your infected flash drive, if that is the case, you can use this prog:
    FlashDisinfector by subs
    I had an unknown driver infection that liked to attach to everything. After my computer was cleaned, this tool was recommended for my infected USB drive.
    If all of the AV stuff doesn't catch it, then you may need to go in the direction of Combofix, Smitfraudfix, Deckard's System Scanner, etc., forum assistance. Excellent helpers from all of the Wilders peeps.
     
  14. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Searching_ _ _
    The FDM community says that it is a malicious program. Sorry, but it's better to be safe than sorry, so I won't download it.
     
  15. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Good news:
    I have finally found the culprit:
    C:\Program Files\Common Files\Microsoft Shared\MSInfo\noteped.exe

    Bad news:
    Right after deleting it using the command prompt, it immediately recopies itself onto the hard drive. It definitely is a backdoor threat, as detected by A-squared. The only problem left now is how to remove such a file.

    BTW I was only able to delete the file after 'unlocking' the process using Unlocker. But afterwards, it keeps regenerating.

    o_O
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Flash Disinfector is recommended by malware experts @ GeeksToGo. Click on the link and read post #4. Use the search feature at that site to locate forums with FD. Read for yourself.
    You must be using a download manager, maybe a free one, that classifies FD as malware.
    Virus progs detect Smitfraudfix as malware, but it's similar techniques used for good, see.
    Also, there is nothing wrong with researching before committing to a choice.
     
  17. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    It's been 10 days already! Does anyone know how to completely remove this malware from my PC? o_O

    I've tried Antivir, Comodo AV, even NOD32, but they weren't able to completely remove the noteped file.
    This is getting really annoying :mad: :mad:
     
  18. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    nomarjr3,

    Since you use SAS and it didn't catch the malware, you might consider submitting a support ticket to SAS. Nick has advised several other SAS free users here at Wilders to do so to clean up infections SAS either initially didn't detect or fully clean up.

    Quoting Nick from another thread:

    If SUPERAntiSpyware Free Edition doesn't fully remove it, submit a support request here and we will run our custom diagnostic on your system and update our definitions to remove the threat completely:
    http://www.superantispyware.com/support.html
     
  19. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Sorry for bumping, but I encountered the same problem some time last year. The culprit, as far as I have found out, is when autorun is enabled on the computer, which then autoplays an inserted removable drive that may or may not be infected (I cannot confirm if noteped.exe is really malware, since no scanners detected it at the time, although from what I can deduce noteped.exe and autorun.inf seem to be a simple batch file).

    Symptoms of the infection(?) were:
    a) instead of having an Open default command when right-clicking on a partition/hard drive, it would show AutoPlay or something to that effect.

    b) the WebClient service description shows jumbled letters/symbols, although I had turned off this service prior to infection

    What I did to get rid of the two files was to turn off autoplay system-wide via gpedit.msc, reboot, then delete the files from my two partitions. That promptly stopped them from recurring, although the WebClient service was still left unfixed. I had a reformat planned anyway, so I simply did it earlier than planned. Never turned on Autoplay ever since :D
     