View Full Version : Usb autorun.inf file problem!!!

24-12-2007, 08:26 PM
Hi to all, I have a Dell dimmension 8300 running on Windows XP sp2, ok here is the problem. I own a Maxtor 100 GB external hd and a PNY 4GB usb drive. Now, I downloaded a program that works as a menu for them like the U3 for sandisk, called Portableapps. Everything was working ok and the autorun.inf file was doing what it was supposed to do until...

I plugged the HD on my girlfriend laptop (a Dell inspiron 600m also running Windows Xp SP2) and then when I plugged it in on my PC the autorun menu wouldnt display the program icon just a run program option, when I do that the menu doesnt show up but the window with the files in does. Now, the PNY drive was working perfect but I had to use it after the hd started doing the problem and now the PNY has it too.

I tried to make a new autorun.inf file and put it in on the pny or the hd but I noticed that it asks me if I want to replace the old autorun file which is 154KB in size. When I replace it with the 170KB one I want it to use, it automatically dissapears and it returns back to the old 154KB autorun file.

I also noticed that after this, Winrar doesnt work correctly and since some time now the U3 has not worked for my girlfriends laptop either. Anyone know what is the problem here and if it can be fixed?

Thanks in advance!

Speedy Gonzales
24-12-2007, 08:41 PM
Sounds like one of these removable drive viruses / worms.

Some of these install autorun.inf files.

Thats how they spread (thru removable drives).

Do you mean the Lpinstaller.exe file from Sandisk, thats what installs the menu for U3 drives.

Have u scanned the G/F's system and this hdd for viruses recently??

WHAT did the 154k autorun.inf file have in it??

I would get this (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FxRajump.exe)

From here (http://www.symantec.com/security_response/writeup.jsp?docid=2006-101916-4325-99)

And do a scan

Info on what the worm does here (http://www.symantec.com/security_response/writeup.jsp?docid=2006-062310-0921-99)

24-12-2007, 08:50 PM
Thanks for the reply, interesting this is that I did a system restore and winrar started working again and another usb drive I have worked too, ill try that and see if it works.

Speedy Gonzales
24-12-2007, 08:56 PM
It may not find anything now. Depending on how far back the restore point went.

24-12-2007, 09:03 PM
Yeah I noticed but I think it is on the HD or the pny stick so if I replug them now then the pc will get infected wont it?. Also I assume ill have to plug them anyway so they can get cleanned right?

Speedy Gonzales
24-12-2007, 09:10 PM
The worm if the system has one maybe on the pc you plugged this hdd into.

BUT, you're right, if u plug something into it now, it can transfer this worm if its a worm to the removable drive.

Scan the computer itself first.

BUt if something is on the computer and u scan it now (and before you plug a removable drive into it), whatever AV program may find it, and delete it.

Has this computer got an AV program on it?

Is this Lpinstaller file the file you downloaded?

If it is or was, open the menu (go into my computer, dbl click on the cd icon for the U3), go to its properties, and tick install loader. I had to do this with my U3 drive, because like you I just formatted it but the menu (and the desktop icon for it), wouldnt appear, until I installed the loader for it.

24-12-2007, 09:20 PM
Ok, after I did the restore I plugged in the PNY, formated it and reinstalled the portable menu, it doesnt have the file you say cuz its like U3 but it doesnt load a CD or anything like it, just the menu.

Now well, the pny worked great, I plugged and replugged it a few times and it was ok, but the HD is another story, now the winrar is not working anymore, so I gues it is infected, should I run the prog you gave me with the hd plugged?

Yes I have Avast anti virus instaled.

Speedy Gonzales
24-12-2007, 09:28 PM
A U3 flash drive (well some of them, if its like the one I've got).

After you format it and install the Lpinstaller file (from the Sandisk site).

After you plug it in, if u open my computer, you'll see 2 icons.

One will say removable disk with a letter, the other will say U3 system.

The U3 system icon / partition is treated as a cd in Windows XP.

And if you copy boot files to it (to make it bootable). If u boot from it (change the disk in the BIOS to it), you'll see 2 different boot partitions on it. One is the cd.

24-12-2007, 09:37 PM
Ok, the PNY drive is not U3 cuz its not sandisk, but that one is ok, the problem is in the Maxtor external Hard Drive, now show I run the remover you gave me to fix the pc, wich is infected again and run it with the HD plugged in so it can clean my hd too or should I clean the HD another way?

Speedy Gonzales
24-12-2007, 09:44 PM
I would run that tool on both.

If its on the computer youre plugging this thing into, and it finds something and removes it. You shouldnt have to do it again, after u plug the hdd in.

Altho that depends where this autorun.inf file came from in the first place

U3 doesnt have to be Sandisk, there are other companies who make U3 flash drives as well.

24-12-2007, 09:47 PM
I know that my friend, what im trying to say is that this menu program has an interface like the U3 one but is not U3 nor related to it, but the PNY drive worked fine, the one working wrong is the HD, this happened after I plugged it in my girlfriends laptop wich I assume is infected.

But I will run the prog you gave me, with the HD plugged to see if it works, thanks for it :)

Speedy Gonzales
24-12-2007, 09:55 PM
No prob, that maybe the only reason, why that autorun.inf changed.

25-12-2007, 04:03 AM
Ok, I run the tool you gave me with the HD plugged but it found nothing on the computer, maybe cuz the problem is inside the HD and not the computer. How do I make this tool to scan only the HD or is it not possible, also will I have to erase my hd in order to fix this?

On another note and in oder to not make another thread, Im having a strange problem with a Gateway MX6216, since some time ago, I noticed that on random occasions when I turn it on it will display no backlight at all but after a rebot it starts fine, and also after it has booted and the desktop screen has come up the laptop goes to a black screen like for 2 seconds and then returns to normal, is it a virus or worm? thanks!

25-12-2007, 04:29 AM
Ok, I scan the computer with the fxrajump.exe tool after I plugged in the HD and winrar stoped working, so I assumed it would be infected but the tool found nothing, Is there a way that I can scan only the Maxtor HD cuz I believe the problem is inside it not on the pc, it has to be since after a system restore, everything comes back to normal, winrar works again untill I plug the HD in again...

Speedy Gonzales
25-12-2007, 07:58 AM
Well, the hdd will have to be connected somehow, either with USB or connected to an IDE cable inside the case.

If its an IDE hdd.

25-12-2007, 02:54 PM
right click on the offending autorun.inf choose "open with" select notepad

copy and paste the the text here one of us will be able to see if its one of those pesky inf virus's. I deal with these,sometimes on a daily basis.

Tell me, check running tasks do you have a task called "kill" that may appear as a excell spreed sheet, thats the most common one in my experance

25-12-2007, 06:47 PM
Ok I scanned the HD with avast it found this: win32:Neptunia-BR [trj] and win32:Agent-ONH [trj]. I deleted them cuz avast said I could delete them, but the damn thing is still doing it, thou I didnt scan the pc, maybe it got infected again, this time from PC to HD.

Anything on those trojans my friends?

25-12-2007, 07:15 PM
right click on the offending autorun.inf choose "open with" select notepad

copy and paste the the text here one of us will be able to see if its one of those pesky inf virus's. I deal with these,sometimes on a daily basis.

Tell me, check running tasks do you have a task called "kill" that may appear as a excell spreed sheet, thats the most common one in my experance

Problem with that my friend is that search only comes with 1 autorun.inf file and is not the one with the 154 KB size, the one it has is only 1KB and it says only to run setup.exe.

Avast said that the trojans were on F:\System Volume Information\_restore and some numbers but when I try to search there it says that path is not accesible and acces is denied.

Speedy Gonzales
25-12-2007, 08:13 PM
System Volume Information is the folder, for system restore.

You'll have to disable system restore.

And hopefully it'll remove these trojans

You wont be able to get into this folder, until u boot into safe mode, and add yourself to it.

After disabling system restore.

25-12-2007, 08:28 PM
Ok disable system restore of the PC? How can I do this, and also if I format the HD and then restore my pc to an earlier time, will it fix the prob?

Speedy Gonzales
25-12-2007, 09:00 PM
Right mouse / properties, on my computer on the desktop if its there.

System restore tab. Tick the option

If you want to reformat, the system may have a partition on it to restore it.

You'll have to reinstall all of the updates after.

Or you'll need the XP cd, or whatever cd to reinstall Windows.

Then you'll have to reinstall the updates after.

25-12-2007, 09:53 PM
Ive got some ideas, but rather than confuse the issue Ill let speedy continue.
You're in good hands with Speedy, but if he runs out of ideas Ill tag in and try mine.

26-12-2007, 09:33 AM
Ok, this is what the damnn infiected autorun.inf file has:


Any ideas?

Speedy Gonzales
26-12-2007, 09:43 AM
I would disable system restore first.

Then reboot, then see if its still there.

If you havent disabled SR yet.

26-12-2007, 10:35 AM
Ok, I dissable system restore and reboot but it is turned back on when I reboot. Also, what is AMVO.EXE ??

Speedy Gonzales
26-12-2007, 10:41 AM
Get ccleaner if you havent got it yet. It might be running on startup.

Then go to tools / startup. Highlight and delete the amvo.exe entry.

That amvo.exe looks like it belongs to a trojan (http://www.prevx.com/filenames/1360796256778365074-X1/AMVO.EXE.html)

I would also get trojan remover in my sig, install it, update it, then click on scan. See if that picks whatever up and removes it.

Or post a hijackthis log.

Leave system restore disabled for now.

Speedy Gonzales
26-12-2007, 10:59 AM
If there's an entry in add/remove programs called trojan.covert.sys-exe uninstall it too.

If Trojan.Covert-Sys-Exec is running press ctrl-atl-del and kill its process.

26-12-2007, 09:09 PM
Ok, well looks like I fixed the problem, many thanks to you guys who helped me!

Speedy Gonzales
26-12-2007, 09:13 PM
Good to hear !