
Autorun.inf and Recycler folder on root of network drives



#1 NRV

Posted 28 September 2011 - 09:23 AM

Hello,

I am running Windows 2003 DC with shared network drives. We have had computers with the "svchost.exe" virus of some sort. Now I am finding that it created autorun.inf files and a Recycler folder in the root of every shared network drive. The files are marked as hidden and system files. I scanned the files with Endpoint but it did not find them. It doesn't look like the servers are infected, but when I deleted them they showed back up the next day. I'm assuming that infected computers are copying the file to the drives. One of my options was to copy a blank file named autorun.inf and a blank folder called "Recycler" and not allow anyone to read or write to the files. Would that keep it from being copied again? I work for a corporation with 30 servers and 2000+ computers, so checking each computer is not an easy task at this point. Thanks for your help. I attached the contents of the autorun.inf file.

[autorun]
;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
icon=shell32.dll,4
shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
label=PENDRIVE
action=Open folder to view files
shell\Open=Open
shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
shell\Open\Default=1
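A check an administrator in this situation would want to run against every share root, written here as an added example (not code from the poster or from this thread). It parses an autorun.inf, reports which keys would launch an executable and whether that executable sits in a SID-named RECYCLER subfolder, then looks at the share root itself for a hidden+system autorun.inf and for executables under RECYCLER\S-1-5-21-*. The embedded sample is the poster's autorun.inf; the share root paths are assumed to be passed on the command line, and the SID pattern is the general S-1-5-21-* form rather than only the SID from the post.

```python
"""Check share roots for the dropped autorun.inf + RECYCLER pattern from the
thread. Added example, not code from the original post. Assumes share roots
(e.g. UNC paths or mapped drives) are given on the command line."""
import os
import re
import stat
import sys

# The poster's autorun.inf, embedded as sample input for the parser.
SAMPLE_AUTORUN = r"""[autorun]
;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
icon=shell32.dll,4
shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
label=PENDRIVE
action=Open folder to view files
shell\Open=Open
shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\svchost.exe
shell\Open\Default=1
"""

# autorun.inf keys that make Explorer launch something when the drive is opened
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# An .exe inside a SID-named RECYCLER subfolder (general S-1-5-21-* pattern)
RECYCLER_EXE = re.compile(r"recycler\\s-1-5-21-[\d-]+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_autorun(text):
    """Parse autorun.inf into ({section: {key: value}}, [comment lines]).
    Section names and keys are lower-cased; ';' comments are kept so that a
    commented-out 'open=' line can still be reported."""
    sections, comments, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:].strip())
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections, comments


def assess_autorun(text):
    """Return a list of findings explaining why an autorun.inf looks malicious."""
    sections, comments = parse_autorun(text)
    entries = sections.get("autorun", {})
    findings = []
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if value is None:
            continue
        if RECYCLER_EXE.search(value):
            findings.append(f"{key} runs an executable from a RECYCLER SID folder: {value}")
        elif value.lower().endswith(".exe"):
            findings.append(f"{key} runs an executable: {value}")
    for comment in comments:
        if RECYCLER_EXE.search(comment):
            findings.append(f"commented-out launch line still points at: {comment}")
    # shell32.dll,4 is the stock folder icon; paired with an "Open folder"
    # action, the drive looks like an ordinary folder in Explorer.
    if entries.get("icon", "").lower().startswith("shell32.dll") and "action" in entries:
        findings.append("presents itself as an ordinary folder (shell32 icon + custom action)")
    return findings


def is_hidden_system(path):
    """True when a file has both HIDDEN and SYSTEM attributes (Windows only;
    st_file_attributes is absent elsewhere, so report False there)."""
    try:
        attrs = os.stat(path).st_file_attributes
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN and attrs & stat.FILE_ATTRIBUTE_SYSTEM)


def scan_share_root(root):
    """Findings for one share root: autorun.inf contents/attributes and any
    .exe inside RECYCLER\\S-1-5-21-* (a recycle bin holds no such file)."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="latin-1", errors="replace") as fh:
            findings += [f"{inf}: {msg}" for msg in assess_autorun(fh.read())]
        if is_hidden_system(inf):
            findings.append(f"{inf}: marked hidden+system")
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for sub in os.listdir(recycler):
            subdir = os.path.join(recycler, sub)
            if os.path.isdir(subdir) and sub.upper().startswith("S-1-5-21-"):
                for name in os.listdir(subdir):
                    if name.lower().endswith(".exe"):
                        findings.append(f"{os.path.join(subdir, name)}: exe in RECYCLER SID folder")
    return findings


if __name__ == "__main__":
    # With no paths, show what the parser reports for the poster's file.
    for root in sys.argv[1:] or [None]:
        msgs = scan_share_root(root) if root else assess_autorun(SAMPLE_AUTORUN)
        print("\n".join(msgs) or f"{root}: nothing found")
```

Run it as `python scan_shares.py \\server\share1 \\server\share2 ...` from a machine that can reach the shares; anything it reports on a share root that reappears after deletion identifies which share to watch with file auditing to find the writing client. The `parse_autorun` function handles the general autorun.inf layout, not just the sample, so it can be pointed at any autorun.inf found on removable media as well.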

#2 Elise

Posted 28 September 2011 - 11:04 AM

On a network of this size you really have only one option: put down the network, reimage all terminals, clean all shared drives (or preferably, restore a clean backup) and only if each and every external drive and terminal is clean, connect everything back.

Furthermore, if this is a business/institution computer, are you the domain administrator? If you are not, have you informed your domain administrator, (business manager, Systems Analyst, or Information Technology (IT) Specialist)?
I ask for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

The solution you propose will help somewhat, but only as a prevention method, not as a cure.

Edited by elise025, 28 September 2011 - 11:19 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 Elise

Posted 09 October 2011 - 03:49 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise
