Autorun.inf on C drive

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
I'm cursed.

This PC from hell has an Autorun.inf file in the root of C drive.

It's 8 freaking gigabytes in size.

And I absolutely, positively, cannot delete it. I've tried:
  • Deleting it - it says it's in use
  • Changing the attributes (it's system and hidden) - they refuse to change.
  • Booting in safe mode - no difference
  • Running ComboFix - it tried and failed
  • Booting from a Linux CD, mounting the drive and deleting the file. As soon as I reboot in Windows, it's back, all f*cking 8371632 KB of it, and with a new timestamp every time.

I ran the MS Tech Tool Handle.exe, it said the owner was PID 4 - that's System.

I'm thinking that it's not exactly normal to have a hidden 8GB file owned by System, of a type that happens to be a known malware vector.

H E L P ! ! ! :cry:
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
I think it's Linux LiveCD time. IIRC, there is also a tool that will move files on reboot, but that would be less reliable I suspect.
 

time
As I said, I ran Handle and it said System (PID 4).

I just ran Process Explorer and it's confirming it:

Process: System
PID: 4
File: C:\autorun.inf
References: 3
Handles: 1

When I try to close the handle, I get "Error opening process: The handle is invalid."
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
When I try to close the handle, I get "Error opening process: The handle is invalid."

Process Explorer should give you the chain of programs that is involved in creating the file. If you search for the file handle you should find a nested set of executables. "System" is essentially a user account, not a process, so there's something else involved.
 

time
For what it's worth, NOD32 thinks it's "INF/autorun.SZ".

I can even boot from another Windows drive and delete it, for all the good that it does me.

So far, I can't work out how to disable Autorun for sure in Windows 7 - according to Microsoft, it's already a done deal. Perhaps it is, but I'd still like to know what's creating it.

Merc, if you look in Task Manager, you'll see a process called System, that is owned by the user SYSTEM.

C:\autorun.inf is listed directly under System in Process Explorer, there are no child levels in between. What did you mean?
 

time
The Security tab of the file's context menu:

"The requested security information is either unavailable or can't be displayed."

I can't take ownership because it's in use. This is completely nuts.
 

Mercutio
OK, OK. The way things should look is this:

There is a System process, which I had forgotten about. It basically does one thing, which is kick off user sessions. Most stuff that runs at system authorization should be spawned by wininit.exe. I was expecting to find out that you had a dummy service or something causing your problem. Now I suspect something more rootkit-y.
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
More help:

Symantec Detects IOSTREAM.exe as w32.imaut.

W32.Imaut / W32.Imaut.A is a worm that spreads via Yahoo! Instant Messenger and Microsoft Windows Live Messenger. The worm may attempt to download remote files on the compromised computer and disable Windows Task Manager and Registry tools.



Here you have an AutoRun.inf issue and probably a Threat for sure.

Try the following:

1) Open the Autorun.inf in Notepad. It will show you the name of the file that is infecting the machine.

2) Right click on the bar and zip it. Open the zipped file and check if you see anything inside.

3) Make sure you disable Autorun on all the drives with the help of GPO.

http://support.microsoft.com/kb/967715

OR FOLLOW the Articles below

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x

http://www.symantec.com/business/support/index?page=content&id=TECH104909



How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file
http://www.symantec.com/business/support/index?page=content&id=TECH98330

to resolve the issue.



4) Follow the Article to collect and submit all the suspicious files to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/con...suspicious-files-and-submit-same-symantec-sec
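An added example to go with steps 1 and 3 above (it is not code from the thread or from Symantec): a PowerShell script that pulls the launch directives out of an autorun.inf without executing anything, refuses to parse a file far too big to be a real autorun.inf, and reports whether the KB967715 policy value (NoDriveTypeAutoRun = 0xFF) is set. The default path C:\autorun.inf is an assumption; pass -InfPath for a removable drive.

```powershell
# Added example, not code from the thread. Triage an autorun.inf the way step 1
# suggests (see which file it would launch) and check the KB967715 policy from
# step 3. The default path is an assumption; pass -InfPath for another drive.
param([string]$InfPath = 'C:\autorun.inf')

function Get-AutorunDirectives {
    param([string]$Path)
    # Tolerant [autorun] section parser: malicious files often pad the section
    # with junk lines or oddly cased section names, so only key=value lines
    # inside [autorun] are collected and the key is normalised to lower case.
    $inSection = $false
    $directives = @{}
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^([^=\s]+)\s*=\s*(.*)$') {
            $directives[$matches[1].ToLowerInvariant()] = $matches[2].Trim()
        }
    }
    return $directives
}

function Test-AutorunPolicy {
    # KB967715: NoDriveTypeAutoRun = 0xFF (REG_DWORD) under these keys disables
    # AutoRun for every drive type; the HKLM value takes precedence over HKCU.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Key                = $k
            NoDriveTypeAutoRun = if ($null -ne $v) { '0x{0:X2}' -f $v } else { '(not set)' }
            AllDrivesDisabled  = ($v -eq 0xFF)
        }
    }
}

# -Force is required because autorun.inf is normally Hidden + System.
$file = Get-Item -LiteralPath $InfPath -Force -ErrorAction Stop
[pscustomobject]@{
    Path       = $file.FullName
    SizeKB     = [math]::Round($file.Length / 1KB)
    Attributes = $file.Attributes
    LastWrite  = $file.LastWriteTime
} | Format-List

if ($file.Length -gt 1MB) {
    # A legitimate autorun.inf is a few lines of text; anything this big is not one.
    "Not parsing: $($file.Length) bytes is far too large for an autorun.inf (normally well under 1 KB)"
} else {
    try {
        $d = Get-AutorunDirectives -Path $file.FullName
        # These directives name what the shell would run or display from the drive.
        foreach ($k in 'open', 'shellexecute', 'icon', 'action', 'label') {
            if ($d.ContainsKey($k)) { '{0,-20} {1}' -f $k, $d[$k] }
        }
        # shell\<verb>\command entries add context-menu verbs that also launch a file.
        $d.Keys | Where-Object { $_ -like 'shell\*\command' } | ForEach-Object { '{0,-20} {1}' -f $_, $d[$_] }
    } catch {
        # A real autorun.inf is never held open; a sharing violation here means
        # another component has it locked exclusively, which is the thread's symptom.
        "Could not read $($file.FullName): $($_.Exception.Message)"
    }
}

Test-AutorunPolicy | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM policy key is readable. The directive values are only printed, never resolved or executed; if a value points at an executable on the drive, that is the file to hash and submit per step 4.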
 

time
Thanks for all the suggestions so far.

I booted from a different copy of Windows and deleted the file. I then
used this brilliant hack to prevent the file from being recreated.

When I restarted, Windows complained about the page file and created a temporary one (pagefile.sys). The size (you guessed it) is 8371632 kB ...

Does this mean that Windows is corrupt or infected? I'm wondering about the former because this is the same PC on which I've been wrestling with partition copies.
 

LiamC

Storage Is My Life
Joined
Feb 7, 2002
Messages
2,016
Location
Canberra
Nuke the disk. Write zeros to it, recreate partitions, reinstall OS of choice.

//the following is a hypothetical conversation between yourself and whoever owns the system...

"But I've got files on the disk that I absolutely need and haven't backed up" <sob, cry>

"Consider this a life lesson young padawan".

Seriously, the whole installation is suspect.

Sorry I can't provide anything helpful. This thread will be interesting though.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
Nuke the disk. Write zeros to it, recreate partitions, reinstall OS of choice.

//the following is a hypothetical conversation between yourself and whoever owns the system...

"But I've got files on the disk that I absolutely need and haven't backed up" <sob, cry>

"Consider this a life lesson young padawan".

Seriously, the whole installation is suspect.

Sorry I can't provide anything helpful. This thread will be interesting though.

That depends on who the user is. If there are data files and the client pays, then they should be retrieved if possible. The OS is probably hosed.
 

ddrueding
I'd agree that pulling data and blowing it away is the prudent move at this point, though trying to figure it out can be fun if you have the time.
 

Bozo
Have you tried system restore? Maybe you can get back far enough to get rid of what ever it is.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
So something is recreating the file. And when you hack it so the file cannot be created, the system complains about the pagefile. Is it possible to change the name of the file that is used for the pagefile? Sorry I don't have more specific help. Did you try running ComboFix in safe mode?
 

time
I rebooted and got the page file message again, so I removed the 'undeletable' placeholder from the brilliant hack I linked, rebooted, and the autorun.inf was back.

Checked the swap file settings, and they were as expected: NO swap file (SSD and 8GB RAM). Clicked on the Set button anyway, and the autorun.inf file disappeared.

Windows 7 bug?
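An added example prompted by the finding above (not code from the thread): before treating a hidden, System-owned, exclusively locked file as malware, compare it with what Windows believes its page file is. The script reads the Memory Management registry values and WMI, tests the suspect file for the three properties a page file always has (Hidden+System attributes, an exclusive kernel lock, and a size close to installed RAM), and prints the configured versus actually opened page files so a mismatch like the one in this thread is visible. The suspect path and the 5% size tolerance are assumptions; Get-CimInstance needs PowerShell 3 or later (use Get-WmiObject on an older Windows 7 build).

```powershell
# Added example, not code from the thread. Before treating a hidden, System-owned,
# exclusively locked file as malware, compare it with what Windows believes its
# page file is. The suspect path and the 5% size tolerance are assumptions.
param([string]$SuspectPath = 'C:\autorun.inf')

function Get-PageFileState {
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $reg = Get-ItemProperty -Path $mm
    [pscustomobject]@{
        # Configured page files (applied at next boot); "?:\pagefile.sys" means system managed.
        PagingFiles       = @($reg.PagingFiles)
        # Page files the kernel actually opened at this boot, written as \??\C:\pagefile.sys.
        ExistingPageFiles = @($reg.ExistingPageFiles)
        # Same view through WMI; empty when "No paging file" is selected in System Properties.
        PageFileUsage     = @(Get-CimInstance -ClassName Win32_PageFileUsage | Select-Object Name, AllocatedBaseSize)
        TotalPhysicalMB   = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    }
}

function Test-SuspectFile {
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $state = Get-PageFileState
    $sizeMB = [math]::Round($f.Length / 1MB)

    # Attribute check: a page file is always Hidden + System.
    $hiddenSystem = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                    (($f.Attributes -band [IO.FileAttributes]::System) -ne 0)

    # Lock check: the kernel (PID 4) holds the page file open with no sharing,
    # so even a read-only open that permits sharing fails.
    $locked = $false
    try { [IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite').Close() } catch { $locked = $true }

    # Size check: Windows 7 sizes a system-managed page file from installed RAM,
    # so a file within a few percent of RAM size (8371632 KB on an 8 GB box in
    # this thread) fits that profile.
    $nearRam = [math]::Abs($sizeMB - $state.TotalPhysicalMB) -le ($state.TotalPhysicalMB * 0.05)

    [pscustomobject]@{
        Path                  = $f.FullName
        SizeMB                = $sizeMB
        TotalPhysicalMB       = $state.TotalPhysicalMB
        HiddenSystem          = $hiddenSystem
        ExclusivelyLocked     = $locked
        SizeNearRam           = $nearRam
        ConfiguredPagingFiles = ($state.PagingFiles -join '; ')
        KernelPageFiles       = ($state.ExistingPageFiles -join '; ')
        WmiPageFileUsage      = ($state.PageFileUsage | ForEach-Object { "$($_.Name) ($($_.AllocatedBaseSize) MB)" }) -join '; '
        LooksLikePageFile     = ($hiddenSystem -and $locked -and $nearRam)
    }
}

Test-SuspectFile -Path $SuspectPath | Format-List
```

If LooksLikePageFile is true while ConfiguredPagingFiles and KernelPageFiles disagree (or name a different file), the on-disk state and the configuration have drifted apart, and re-applying the page file settings (the Set button in System Properties) is the first thing to try, before ComboFix or a reinstall. A file that is locked but is not near RAM size and has no page file entry anywhere deserves the malware treatment the thread describes.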
 

time
That is neat. I'll have to give it a try.

That is indeed neat, and very fast. I always liked Avira, but Avast was a lot less hassle to live with. Thanks for that, Stereodude.

NOD32 scanned the boot drive with 50GB used (including runtime packers) in 1.5 hours. This is a 3.1GHz Sandy Bridge 4-core i5 coupled with an SSD. :(

Without runtime packers, Avira managed it in about 10 minutes.

Of course, a resident Avira installation will likely use more background resources than a NOD32 installation, and opening up runtime packers ensured that NOD32 had to scan a staggering 2 million objects! Even so, it's an eye opener.

Nothing found, by the way. I certainly didn't imagine it, so I'm sticking to my Windows bug theory.
 

time
OMG! I don't know where that came from. :oops:


Howell: my attitude is that if you have 8GB RAM and still need a swapfile, you need more RAM. What possible advantage can there be from allowing Windows to take up 7% of the precious SSD space with an empty file?
 

Mercutio
Essentially because it's an assumption Microsoft makes about how Windows will operate on a computer. I'm kind of pissed about it. I can run Linux without any swap space if I want, but Windows really expects it to be there. Every time I try to turn the pagefile off I wind up having something or other crash or not work right.
 