Winxml.exe

Posted: Mon Dec 28, 2009 3:32 pm
by FireFox
Hi everyone

Got a little annoyance on a PC a friend brought me that I need to try and fix. Actually it was two PCs, but I nuked the one's OS and just reinstalled it, as I did the install of that PC way back and felt it was just easier to back up the extra content and reinstall everything clean. The second PC unfortunately isn't that easy - didn't do the install myself and will need to go digging deep to back up everything and go download the bloody PC's drivers as well, as I have no motherboard driver disk of course :x .

Anyways!

The problem is that when I insert a blank flash drive into the PC it will create two files on it (have to disable hiding hidden files and system files to see them). The two files are an autorun.inf file and a winampxml file with a recycle bin icon, and when I did a scan with the antivirus program I spotted the file inside the winampxml "folder", winxml.exe, but it doesn't show up in the browser nor does the antivirus program detect anything :roll:. Oh, and the explorer window just pops up by itself when you insert the flash drive, going straight to the flash drive (even with autoplay disabled via group policy).

Anyone else have experience with this? I know this is some type of virus/malware, but how do I get rid of it without wiping the OS (though I find that the easy way out most of the time :P, but there is a lot of stuff on the PC that the kid whose PC it is will be ticked off about if I delete it and can't or didn't back it up)?

So if there is an easy way to remove this bloody crap I'd consider it, but if it will be the same amount of hassle as reinstalling the OS I'll just opt to reinstall the OS then :roll: - Will teach the kid too not to let other people mess on his stuff, because I know this came from another guy's PC who visited him. Nice Xmas pressy, hey :evil:

Oh, I've googled it a bit but couldn't get a quick-fix type of solution myself. The only direct similar result was a site in Spanish; other than that I mostly get hits on forum sites that require you to run some apps, post the log files and then the guys help you from there to remove the crap from your PC, but if that's the case a format sounds "easier". I'm lazy and impatient :wink:

So I thought I'd get a second opinion or alternative advice before I launch another nuke assault :lol:

Posted: Mon Dec 28, 2009 4:25 pm
by Spidey
They both sound normal to me.

I have never been able to stop auto play for a removable drive.

Posted: Mon Dec 28, 2009 4:39 pm
by FireFox
How to disable the autoplay for all removable media http://www.howtogeek.com/howto/windows/ ... sb-drives/

The thing is the flash drive is totally empty after I format them, and once I put them in the PC they are created and start the explorer window all by itself, whereas when I do it in my PC no files are created and nothing opens (that is what it's supposed to do... nothing :wink: )

Posted: Mon Dec 28, 2009 8:52 pm
by AlphaDoG
FireFox wrote:
The thing is the flash drive is totally empty after I format them, and once I put them in the PC they are created and start the explorer window all by itself, whereas when I do it in my PC no files are created and nothing opens (that is what it's supposed to do... nothing :wink: )
Ok, that makes NO sense.

Posted: Mon Dec 28, 2009 9:20 pm
by Spidey
Oh, it makes perfect sense, it just means the two machines are handling the inserted media differently, unfortunately one machine is not doing what he wants.

BTW, thanks for the tip on disabling auto run on removable drives. I’ll have to give it a try, when I next do backup.

Posted: Mon Dec 28, 2009 9:41 pm
by fliptw
Autoplay by itself doesn't write files to the media.

Can you write-protect your flash drive?

I say nasty malware.

Posted: Mon Dec 28, 2009 10:40 pm
by Krom
Yeah, from the sounds of it the machine has a virus/worm that spreads over USB flash drives. You have to get rid of that virus before the files showing up on the flash drive will stop happening.

You need to do a complete virus scan, and try attacking it with different scanners, there are a number of free ones online. Check the first post of the free software thread and start installing and running a complete scan from every anti-virus/spyware/malware program listed (except for combofix). Install ---> update ---> scan ---> uninstall ---> download next program ---> rinse & repeat. Running as much of it as possible from safe mode (with networking) would also be a good idea.

Also, posting up a HijackThis log would be helpful.

Posted: Mon Dec 28, 2009 10:57 pm
by TechPro
fliptw wrote:
Autoplay by itself doesn't write files to the media.

Can you write-protect your flash drive?

I say nasty malware.
Yes, it is indeed "bugged" ... He should clean up the system, starting with running Malwarebytes' Anti-Malware. It may not get this one, but it's a fine start. You see, there's a new bug out there and it does what he described, and perhaps he's got it. Symantec (and all the other anti-virus makers) didn't have anything that would get it until just within the last two weeks. I know because the University where I work fought it for three days while working with Symantec's tech support until Symantec managed to make a definition that cures it. I don't know what they decided to name the bugger, but its activity is writing autorun files and making hidden/system folders on the root drive and also on the USB drives.

Good luck with it.
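The autorun.inf that the first post and TechPro's reply describe is what makes Windows launch the hidden executable. The following is an added example, not code from this thread: a small Python parser that reads an autorun.inf from a removable drive and lists every directive that would run a program (open=, shellexecute=, shell\...\command=), which a benign drive never needs. The sample autorun.inf inside it is constructed to resemble what FireFox described; the folder and file names are taken from the thread and are not confirmed indicators.

```python
"""Parse an autorun.inf from a removable drive and list the directives that
would launch a program when the drive is inserted or opened in Explorer.
Added example for this thread, not forum code; SAMPLE below is constructed."""
import configparser
import re

LAUNCH_KEYS = {"open", "shellexecute"}               # run on insert / AutoPlay
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # run on double-click / menu


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}, {} if unusable."""
    # Only '=' is a delimiter: ':' would split Windows paths such as C:\...
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # no [section] header, garbage, etc.
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(name)}
    return {}


def target_of(value):
    """First token of a command line, i.e. the program it launches."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def launch_directives(text):
    """[(key, program)] for each directive that runs something; [] for a file
    that only sets an icon or label, which is all a benign drive ever has."""
    return [(key, target_of(value))
            for key, value in parse_autorun(text).items()
            if key in LAUNCH_KEYS or SHELL_CMD.match(key)]


SAMPLE = """[autorun]
; constructed sample modelled on the thread's description
open=winampxml\\winxml.exe
shell\\open\\command=winampxml\\winxml.exe
shell\\explore\\command=winampxml\\winxml.exe
icon=%SystemRoot%\\system32\\shell32.dll,32
label=Removable Disk
"""

if __name__ == "__main__":
    for key, prog in launch_directives(SAMPLE):
        print(f"{key} launches {prog}")
```

Run against a drive's root (with hidden and system files shown, as the first post notes) the same call tells you in one line whether the autorun.inf is an icon/label file or an attempt to start something; the hidden-attribute check on the referenced folder is a separate step this example does not do.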

Posted: Tue Dec 29, 2009 1:57 am
by FireFox
fliptw wrote:
Autoplay by itself doesn't write files to the media.

Can you write-protect your flash drive?

I say nasty malware.
Exactly! And nope, the drives can't be write-protected.

@Krom I'll quickly try and give them apps a whirl.

PS: By posting up a HijackThis log, do you mean I should post it up here?

[UPDATE]

Well, I did a scan with Malwarebytes and it actually ended up finding some crap on the PC. Told it to remove everything. Some files had to be deleted via a boot schedule, and I ran it again. It picked up 2 or so files in a recycle/restore folder that are considered bad and asked me what to do with them; promptly told it to delete them. Rebooted again. Rescanned and the result was clean. Inserted the flash drive and nothing happens... open up explorer manually, go to the flash drive and the content is empty.

A side note as well: this thing also comes with a browser hijack! The PC wasn't hooked to my internet, but once it was connected and before I ran the scan it would randomly open a web page. Had this happen on the other PC I nuked, but it was a different site; I was informed it would cycle these.

Had the PC hooked up now for about an hour, scanning it, rebooting it, checking what the flash drive does after reboots, and it seems to act normal now and I haven't had the page jack again. I'll keep monitoring it for a day or so because I don't want to count my chickens before they hatch, but it looks like the bugger got nailed 8)