Autorun.inf on C drive

[time]

I'm cursed.

This PC from hell has an Autorun.inf file in the root of C drive.

It's 8 freaking gigabytes in size.

And I absolutely, positively, cannot delete it. I've tried:

• Deleting it - it says it's in use
• Changing the attributes (it's system and hidden) - they refuse to change.
• Booting in safe mode - no difference
• Running ComboFix - it tried and failed
• Booting from a Linux CD, mounting the drive and deleting the file. As soon as I reboot in Windows, it's back, all f*cking 8371632 KB of it, and with a new timestamp every time.

I ran the MS Tech Tool Handle.exe, it said the owner was PID 4 - that's System.

I'm thinking that it's not exactly normal to have a hidden 8GB file owned by System, of a type that happens to be a known malware vector.

H E L P ! ! !

 

[ddrueding]

I think it's Linux LiveCD time. IIRC, there is also a tool that will move files on reboot, but that would be less reliable I suspect.

 

[time]

Um, isn't that on my list of things that I tried? :scratch:

 

[Mercutio]

What does process explorer have to say about that file? What is creating the open file handle?

 

[ddrueding]

So it is. I guess my brain just didn't wrap around the thought of an 8GB file re-creating itself.

 

[time]

As I said, I ran Handle and it said System (PID 4).

I just ran Process Explorer and it's confirming it:

Process: System
PID: 4
File: C:\autorun.inf
References: 3
Handles: 1

When I try to close the handle, I get "Error opening process: The handle is invalid."

 

[Handruin]

Any chance it may be a virus?

 

[Mercutio]

When I try to close the handle, I get "Error opening process: The handle is invalid."

Process Explorer should give you the chain of programs that is involved in creating the file. If you search for the file handle you should find a nested set of executables. "System" is essentially a user account, not a process, so there's something else involved.

 

[time]

Any chance it may be a virus?

Every chance:

http://www.f-secure.com/weblog/archives/00001575.html

The critical difference with what I have is that the damn file is invincible. I'm going to try disabling Autorun and see what happens, but this looks terrifyingly sophisticated.

 

[Stereodude]

How about booting from a Linux LiveCD / LiveUSB and nuking the file? :scratch:

 

[sdbardwick]

How about booting from a Linux LiveCD / LiveUSB and nuking the file? :scratch:

See post #1, #2, #3

 

[time]

For what it's worth, NOD32 thinks it's "INF/autorun.SZ".

I can even boot from another Windows drive and delete it, for all the good that it does me.

So far, I can't work out how to disable Autorun for sure in Windows 7 - according to Microsoft, it's already a done deal. Perhaps it is, but I'd still like to know what's creating it.

Merc, if you look in Task Manager, you'll see a process called System, that is owned by the user SYSTEM.

C:\autorun.inf is listed directly under System in Process Explorer, there are no child levels in between. What did you mean?

 

[time]

The Security tab of the file's context menu:

"The requested security information is either unavailable or can't be displayed."

I can't take ownership because it's in use. This is completely nuts.

 

[Mercutio]

OK, OK. The way things should look is this:

There is a System process, which I had forgotten about. It basically does one thing, which is kick off user sessions. Most stuff that runs at system authorization should be spawned by wininit.exe. I was expecting to find out that you had a dummy service or something causing your problem. Now I suspect something more rootkit-y.

 

[Bozo]

Maybe this will help.

 

[Bozo]

More help

 

[Bozo]

More help:

ymantec Detects IOSTREAM.exe as w32.imaut.

W32.Imaut / W32.Imaut.A is a worm that spreads via Yahoo! Instant Messenger and Microsoft Windows Live Messenger. The worm may attempt to download remote files on the compromised computer and disable Windows Task Manager and Registry tools.



Here you have a AutoRun.inf issue and probably a Threat for sure.

Try the following,

1) Open the Autorun.inf in the Notepad. it will show you the name of the file which is infecting the machine.

2) Right click on the bar and zip it. Open the zipped file and check if you see anything inside.

3) Make sure you Disable the Autorun from all the drives with the help of GPO

http://support.microsoft.com/kb/967715

OR FOLLOW the Articles below

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x

http://www.symantec.com/business/support/index?page=content&id=TECH104909



How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file
http://www.symantec.com/business/support/index?page=content&id=TECH98330

to resolve the issue.



4) Follow the Article to collect and submit all the suspicious files to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/con...suspicious-files-and-submit-same-symantec-sec

 

[time]

Thanks for all the suggestions so far.

I booted from a different copy of Windows and deleted the file. I then
used this brilliant hack to prevent the file from being recreated.

When I restarted, Windows complained about the page file and created a temporary one (pagefile.sys). The size (you guessed it) is 8371632 kB ...

Does this mean that Windows is corrupt or infected? I'm wondering about the former because this is the same PC on which I've been wrestling with partition copies.

 

[LiamC]

Nuke the disk. Write zeros to it, recreate partitions, reinstall OS of choice.

//the following is a hypothetical conversation between yourself and whoever owns the system...

"But I've got files on the disk that I absolutely need and haven't backed up" <sob, cry>

"Consider this a life lesson young padawan".

Seriously, the whole installation is suspect.

Sorry I can't provide anything helpful. This thread will be interesting though.

 

[LunarMist]

Nuke the disk. Write zeros to it, recreate partitions, reinstall OS of choice.

//the following is a hypothetical conversation between yourself and whoever owns the system...

"But I've got files on the disk that I absolutely need and haven't backed up" <sob, cry>

"Consider this a life lesson young padawan".

Seriously, the whole installation is suspect.

Sorry I can't provide anything helpful. This thread will be interesting though.

That depends on who the user is. If there are data files and the client pays, then they should be retrieved if possible. The OS is probably hosed.

 

[ddrueding]

I'd agree that pulling data and blowing it away is the prudent move at this point, though trying to figure it out can be fun if you have the time.

 

[Bozo]

Have you tried system restore? Maybe you can get back far enough to get rid of what ever it is.

 

[Stereodude]

Download, burn, reboot, and scan.

 

[ddrueding]

Download, burn, reboot, and scan.

That is neat. I'll have to give it a try.

 

[Howell]

So something is recreating the file. And when you hack it so the file can not be created the system complains about pagefile. It is possible to change the name of the file that is used for pagefile? Sorry I don't have more specific help. Did you try running combofix in safemode?

 

[time]

I rebooted and got the page file message again, so I removed the 'undeletable' placeholder from the brilliant hack I linked, rebooted, and the autorun.inf was back.

Checked the swap file settings, and they were as expected: NO swap file (SSD and 8GB RAM). Clicked on the Set button anyway, and the autorun.inf file disappeared.

Windows 7 bug?

 

[mubs]

The correlation between 8GB RAM and the 8GB inf file is suspicious, is it not?

 

[Howell]

If it's a bug its one of those nasty Oz death bugs. At least the problem is gone.

 

[Howell]

Even with the new additional keywords google doesnt know anything about it.

 

[time]

That is neat. I'll have to give it a try.

That is indeed neat, and very fast. I always liked Alvira, but Avast was a lot less hassle to live with. Thanks for that, Stereodude.

NOD32 scanned the boot drive with 50GB used (including runtime packers) in 1.5 hours. This is a 3.1GHz Sandy Bridge 4-core i5 coupled with an SSD.

Without runtime packers, Alvira managed it in about 10 minutes.

Of course, a resident Alvira installation will likely use more background resources than a NOD32 installation, and opening up runtime packers ensured that NOD32 had to scan a staggering 2 million objects! Even so, it's an eye opener.

Nothing found, by the way. I certainly didn't imagine it, so I'm sticking to my Windows bug theory.

 

[Howell]

So why are you not running a page file? Microsoft recommends you do.

http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx

 

[Stereodude]

Alvira? Are you turning into LM?

 

[LunarMist]

I remember Elvira, but that was about 30 years ago.

 

[time]

OMG! I don't know where that came from.


Howell: my attitude is that if you have 8GB RAM and still need a swapfile, you need more RAM. What possible advantage can there be from allowing Windows to take up 7% of the precious SSD space with an empty file?

 

[Mercutio]

Essentially because it's an assumption Microsoft makes about how Windows will operate on a computer. I'm kind of pissed about it. I can run Linux without any swap space if I want, but Windows really expects it to be there. Every time I try to turn the pagefile off I wind up having something or other crash or not work right.