
autorun.inf on infected flash drive (fat32)


alphaomega


my dad got his flash drive infected with something. he cleaned off the infection with avg/superantispyware. but left behind was an autorun.inf file. the system will not let me delete it, rename it, move it, read it, nothing. is there an easy fix? I told him to just format the drive and start fresh anew. searching google for what he said he was infected with (duazuu.exe) pulls up only 1 link. ideas?

thanks in advance...


> the system will not let me delete it, rename it, move it, read it, nothing.

Um... have you plugged it into a penguin box?

I've used the Hp format tool on a 4GB stick that I managed to break trying to put too much on it. :P I couldn't move, erase, delete anything on it. The stick is now usable.

http://file.walagata.com/w/perk/Assorted/SP27608.exe

I've uploaded it to my paid storage. It is about 2MB.


@urmas, he does not have a linux live cd... and I'm several hundred miles away... plus he is not comfortable using linux. so no luck there.

@striker, LOL :P

@zlim, thanks, but I do not think he will need that tool... but who knows... his machines are a mess at this point from what he is telling me. several trojans (including dns-changer).

as for the autorun.inf file that he can not delete off the flash drive... I told him to just format it clean. he said he could do that. and I told him if he was going to keep any files to be sure and check them.

thanks

I'm just curious to know... is formatting the drive the only way to delete this one file? I've never encountered a file that could not be deleted. I've come across a few that you have to jump through hoops to delete... but I've never come across one quite like this on a fat32 drive (one that I cannot do anything with).


Hello,

The FAT and FAT32 file systems do not support the types of security descriptors used with more recent file systems like NTFS to assign (or revoke) permissions from files, so, off the top of my head, here are a couple of possible reasons for this problem:

  1. The AUTORUN.INF file is flagged with Hidden, System and/or Read-Only file attributes.
  2. The AUTORUN.INF file is being held open by another program or process.

In the case of the former, the solution is to open a Command Prompt (filename: CMD.EXE), and issue an "ATTRIB -R -S -H X:\AUTORUN.INF" command, where X is the drive letter assigned to the USB flash drive, to remove the attribute from the file. After the attributes have been removed, it should be possible to delete the AUTORUN.INF file in a normal manner.

In the case of the file being held open, the most likely culprit is that the AutoRun-borne worm actually infected the computer from the USB flash drive, and is preventing access to it. If this is the case, I would recommend contacting the technical support department for the anti-malware software which is currently installed on the computer, and have them work on removing this piece of malware which sneaked past their software.

Regards,

Aryeh Goretsky

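As an added illustration of the attribute flags discussed in the post above (not part of the original thread or any poster's code): on FAT32 the Read-Only, Hidden and System flags are bits in one attribute byte of the file's 32-byte directory entry, and those are the bits "ATTRIB -R -S -H" clears. The sample entry, its file size and its cluster number are constructed for the example.

```python
import struct

# FAT attribute bits stored in byte 11 of every 32-byte directory entry.
ATTR_BITS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
ATTR_LFN = 0x0F                   # this exact combination marks a long-name slot
ATTRIB_RSH = 0x01 | 0x02 | 0x04   # bits cleared by "ATTRIB -R -S -H"


def parse_dir_entry(raw: bytes) -> dict:
    """Decode one 32-byte FAT short (8.3) directory entry."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    if name[0] == 0x00:
        return {"state": "end-of-directory"}
    if name[0] == 0xE5:
        return {"state": "deleted"}
    if attr & 0x3F == ATTR_LFN:
        return {"state": "long-name-slot"}
    hi, = struct.unpack_from("<H", raw, 20)        # first cluster, high word
    lo, size = struct.unpack_from("<HI", raw, 26)  # low word, file size
    base = name.decode("ascii", "replace").rstrip()
    suffix = ext.decode("ascii", "replace").rstrip()
    return {
        "state": "in-use",
        "name": base + ("." + suffix if suffix else ""),
        "attr": attr,
        "flags": [n for bit, n in ATTR_BITS.items() if attr & bit],
        "is_directory": bool(attr & 0x10),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def clear_rsh(raw: bytes) -> bytes:
    """Return the entry as it would look after ATTRIB -R -S -H."""
    patched = bytearray(raw)
    patched[11] &= ~ATTRIB_RSH & 0xFF
    return bytes(patched)


# Constructed sample: AUTORUN.INF, 57 bytes, cluster 5, attrs R+H+S+A (0x27).
SAMPLE = (b"AUTORUN INF" + bytes([0x27]) + bytes(8)
          + struct.pack("<H", 0) + bytes(4) + struct.pack("<HI", 5, 57))

if __name__ == "__main__":
    for entry in (SAMPLE, clear_rsh(SAMPLE)):
        print(parse_dir_entry(entry))
```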


I already tried the attrib thing but the autorun.inf file did not lose the read only attribute. But I was able to access the files that the bug had hidden. And I'm not sure if the file was being held open by the OS. It's possible since he has the autorun stuff turned on.

We did manage to get malwarebytes' anti-malware to clean out the trojan dns-changer. Now he just needs to figure out how to administer the router and make sure the trojan did not get in and change his dns settings there.

Thanks for all the help...

Cheers

FWIW If your dad's USB stick is a SanDisk brand it may have U3 installed on it and if so the USB stick, in addition to the writable drive, has a CD drive on it which has an autorun.inf on it. In that the CD drive is a read only drive the autorun.inf could not possibly have been infected by something. And the file can't be deleted or changed and the drive can't be formatted.

hth

Thanks for the information. I was not aware of U3. I don't think it's a sandisk with U3 though since it shows up in disk management only once as a fat32 drive and not twice as mentioned in the U3 wiki.

Cheers

If the autorun.inf is a malware file, and he has plugged it in to his PC, it has probably already done its dirty work and infected the PC. I once found the same thing on a flash drive after plugging it in to a Windows PC, then noticed it subsequently when it was plugged in to a Linux system. It was simple to delete from the Linux system but would have infected any Win PC. A command prompt flashed up for a fraction of a second when plugged in to a Win PC and the system was infected. Several virus scanners didn't detect it but it was loaded on to any future flash drives or cameras that were plugged in. This was on a shared computer in a Saigon hotel.

Yep... he got all his home machines infected and his machine at work. He thinks he initially got infected when he used the usb flash drive in a computer at the local library.

He did manage to get things cleaned up (fingers crossed) by using a couple of anti-malware tools: superantispyware and malwarebytes anti malware. Neither cleaned everything. Each found bugs that the other did not.

Cheers