unable to remove autorun.inf (probably infected) from flashdrive

adityavpratap · 10-14-2009, 08:55 AM

Hi,

I have a pendrive that contains a file autorun.inf with the following contents -

Quote:

[AutoRun]
;ntqcyasgw WKekPc
;
sHEll\opEN\Default=1
;
opEn= iyvda.exe
sHELl\oPEN\cOmmaND= iyvda.exe
;ggHCpmEXOmiVNpouKrDHgbrrQky rjCmChrCRuRFUqKtyOmypPslPhaVLkxwBU
sHell\explOrE\COMmaND = iyvda.exe
;
shelL\AUtoplaY\CoMmand= iyvda.exe

clamscan says that this file is infected. So I tried to use the --remove option of clamscan. It complained about the file system being read-only. Then I tried to delete the file manually as root. Still the same message

Quote:

rm: cannot remove `/media/74DE-7E42/autorun.inf': Read-only file system

I tried googling but all solutions I found were Windows-specific.

Any idea how I can remove the file?

P. S. There is no file named iyvda.exe in the pendrive.

Woodsman · 10-14-2009, 09:11 AM

Perhaps you are using a Sandisk Cruzer USB device? Or, more specifically, a USB device using U3 technology? Perhaps then you might want to read a recent discussion about that problem:

Fooling The System That A Read-Only Device Is Read-Write

adityavpratap · 10-14-2009, 09:18 AM

Yes it is a Sandisk pendrive. I'll read up the link you have posted.

willysr · 10-17-2009, 11:36 PM

have you tried to run chmod 777 autorun.inf and then deleting it?

slackd · 10-18-2009, 12:09 AM

i saw this autorun virus many times in pen drives..
i fixed it from windows by going to command prompt

type:

Code:

attrib -s -r -h autorun.inf

then delete the file from the pendrive..its a superhidden file in windows.

edit: i have a cruzer micro myself, never faced this problem myself, however i dont use the worthless U3 system that i comes with.

adityavpratap · 10-18-2009, 02:01 AM

OK, the chmod 777 bit did it. Thanks willysr.

Slackd, I didn't want to enter windows, lest the virus did some harm. But thanks any way. I don't know much about the U3 system. I'll read up on it. :-)

I read somewhere on the net that if I create a autorun.inf folder in the pendrive, it will prevent any future attempts by malicious programs to create a autorun.inf file and hence they will not be able to autorun themselves. Has any one tried it actually?

jedi_sith_fears · 10-18-2009, 03:16 AM

Usually when you face this kind of problem, check once if the Flash Drive is in NTFS, and mounted in read-only mode. If its read-write, then you will be easily able to delete the files.