This is my first post, but I am house trained and can generally communicate in a coherent manner.
I searched the forum to find information on this but I couldn't find anything.
What I want to figure out is how to create an autorun.inf for my USB drive which will start a batch file I created. The batch file removes the autorun.inf and the (Random Name).dll that the virus on the computer I have to use likes to drop onto any USB drive inserted in it.
The reason I have to do this is that the Norton AV on the computer does not seem to think anything is amiss and it is a locked down computer on a domain of which I am not an admin. I have brought this issue to the attention of the head IT guy and his response is "They're all like that, there's nothing I can do." He doesn't have the ability to change the AV suite to something that actually works (AVG) and there are hundreds of machines scattered all over the country... So.
I wrote the following batch and placed it in a folder CALLED 'data' on the root of the USB drive. I run it after the USB drive is inserted and infected before I pull it out:
    @echo off
    rem Delete every DLL on the drive root, whatever mix of attributes it has
    del /f /a:h ..\*.dll
    del /f /a:s ..\*.dll
    del /f /a:r ..\*.dll
    del /f /a:a ..\*.dll
    del /f /a:sh ..\*.dll
    del /f /a:rsh ..\*.dll
    rem Same for the autorun.inf the virus dropped
    del /f /a:h ..\autorun.inf
    del /f /a:s ..\autorun.inf
    del /f /a:r ..\autorun.inf
    del /f /a:a ..\autorun.inf
    del /f /a:sh ..\autorun.inf
    del /f /a:rsh ..\autorun.inf
    rem Restore my own autorun.inf from the backup kept in \data
    xcopy /h /r /y ..\data\autorun.inf ..\autorun.inf
This is some ugly code, I know. What it does is delete any DLL file on the root of the thumb drive, whether Read Only, System or Hidden. Since I have no reason to have a DLL file in the root of my USB drive, and the virus is loaded onto the drive as a DLL, this is a good thing.
The second thing it does is copy my autorun.inf out of the folder 'data' where I keep a backup and write it to the root so my custom icon and label show when I insert the drive into a computer.
The only hangup with the batch file is that the DOS window asks whether "autorun.inf" is a file or a directory during the operation, and I have to type 'F' to complete the run.
So, what I would like is some help with:
1) The autorun.inf: I can't seem to come up with the syntax to get it to run the batch file. Does anyone know?
2) The batch file: Is there a switch or different syntax to get it to know that autorun.inf is a file and save me from having to type 'F'?
3) Is there a way to delay the execution of the batch to allow the virus time to do its thing and 'check the block' before the batch fixes it?
Any help or guidance is gratefully accepted.
Kyle

Welcome to the forum.
Are you trying to move a virus from a flash drive to another PC?

Thank you for the welcome.
Actually, I'm trying to keep it away from my computer. I have to use an infected box and the batch file above deletes the virus files from my USB drive. Then I pull out the drive and go on my way knowing that I am not a vector for the infection.
I just need some help cleaning up the code and automating the process. I figured somebody here would be able to assist.

The only way you will ever clean the virus is with an antivirus program or with information on the virus itself and exactly what it does (what files it creates and what registry entries it modifies).
So, is there a virus on your PC or on another PC?

The virus is on the computers I use at work. My box is clean and I am diligent about keeping it so.
The virus on the work boxes simply dumps an autorun.inf and a (random name).dll on the root of the USB drive. So I delete the autorun and all dlls on the root before I pull the USB drive out. That keeps me from transmitting the virus to other computers, like mine. That is what that batch file does for me so I don't have to do it manually.
The USB drive is a transport medium; it can only be a carrier. Only an OS can be infected. If the transmission files are deleted they can't be launched, and that is that. Since I know that there should be no DLLs on my USB drive's root and I wrote my own autorun.inf file, I can IDENTIFY the vector and delete it.
Since I cannot tear into the work boxes and the IT folks have surrendered, I am taking steps to protect my box. I just need a little coding help, and I think this may be useful to others who are stuck in the same situation.

I like what you are on to, and it could indeed be a huge help to others. There is already a free tool very similar to what you are trying to do, by a brilliant malware fighter named sUBs, called Flash Disinfector.
That said, we aren't a bunch of coders here; we mainly focus on malware removal.
You might want to sign up at Wilders Security Forum. The Wilders forums are frequented by users who take a great interest in exactly what you are doing and I would think they would have some good advice.
Good luck!

Evilfantasy, I appreciate your post.
When I went looking for something to help me with this I couldn't find anything. Probably I was using the wrong search terms. I figure that all I really need is someone who has more recent experience with DOS commands; Windows 3.1 was heady stuff a long time ago, but it was a long time ago...
I will check out the two places you suggested.
If anyone here thinks of something that will help, please post it.

Try this.
Create a batch file with the following code:

    attrib
    pause

Now save it to your flash drive.
Plug it into the infected computer so your flash drive gets infected. Run the batch file from the flash drive and look for any files with the S and H attributes. If you see any files with those attributes, post their filenames here. This way we may be able to find out what the virus actually is.
Know your enemy before you try to defend against it.

Carbon,
Here is the skinny on the viruses I am dealing with:
Upon insertion of a USB drive the following are dropped on the root of the USB drive: (Random Name).dll and autorun.inf.
They are always the same except for the name of the .dll.
My last one was called “svcpacj.dll”, which has the attributes h s r. The autorun.inf, which also has the attributes h s r, is:

    [autorun]
    open=
    shell\open=Explore
    shell\open\Command=rundll32.exe .\\svcpacj.dll,InstallM
    shell\open\Default=1
I have the dll saved as a txt if you’d like to see the code.
I tried DriveSentry on another USB drive and it failed to start automatically. When I tried to start it manually I got a message that I did not have admin privileges on the machine. So I just deleted the files manually since I did not have that drive set up with my batch file.
I brought the DLL back in a subfolder on my USB drive to my box, and AVG identified it as Trojan horse Downloader.Generic7.NAI. That name does not come up in a Google search.
Really, the name and nature of the pest is less important to me than that I can kill it. I’d just like to make the killing less obtrusive.

Save as autorun.inf:

    [autorun]
    icon=drive.ico
    open=DLL_del.bat
    action=Click OK to run DLL_del.bat
    shell\open\command=DLL_del.bat

Save as DLL_del.bat:

    @echo off
    rem %~d0 is the drive letter (e.g. E:) of the drive this batch file lives on
    set drive=%~d0
    rem Strip hidden/system/read-only/archive so del can remove the files
    attrib -h -s -r -a "%drive%\*.dll"
    del /f "%drive%\*.dll"
    attrib -h -s -r -a "%drive%\autorun.inf"
    del /f "%drive%\autorun.inf"
    rem Copy the backup from \data; a bare "%drive%\data\autorun.inf" line here
    rem would open the file in Notepad instead of copying it
    xcopy /y "%drive%\data\autorun.inf" %drive%\

That is as far as I got, but it does not want to copy the real autorun; it opens it in Notepad.
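As an added example for this thread (not code from any of the posters), here is the same triage logic in Python rather than batch: a parser that reads an autorun.inf the way the thread reads the one quoted above and flags every key that launches code from the drive (including the shell\open=Explore relabelling trick), a byte-for-byte check against the owner's pristine copy, and a dry-run planner that lists the root-level files the posters' batch files would delete: every *.dll at the root, and an autorun.inf that is not the owner's own. The two autorun.inf samples, the DLL name and the temporary "drive root" are constructed here, modelled on what the thread quotes; nothing is deleted.

```python
"""Added example for this thread (not any poster's code): triage an
autorun.inf and plan the root cleanup the posted batch files perform.
Rules from the thread: the owner's autorun.inf sets only an icon/label,
so any launching key is foreign, and no DLL belongs at the drive root."""
import configparser
import os
import re
import tempfile

# Constructed sample, modelled on the autorun.inf quoted in the thread.
MALICIOUS_INF = r"""[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\svcpacj.dll,InstallM
shell\open\Default=1
"""

# Constructed sample of an owner-written autorun.inf: icon and label only.
BENIGN_INF = r"""[autorun]
icon=drive.ico
label=KYLE_USB
"""

# Keys that make XP-era AutoRun execute something; any shell\<verb>\command too.
LAUNCH_KEYS = {"open", "shellexecute"}
# Signed Windows binaries commonly abused to load a dropped payload.
LAUNCHER_RE = re.compile(
    r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    # interpolation=None so a '%' in a value is not treated as substitution.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing launches code."""
    findings = []
    for key, value in parse_autorun(text).items():
        is_launch = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and value.strip():
            findings.append(f"{key} launches: {value}")
            if LAUNCHER_RE.search(value):
                findings.append(f"{key} uses a Windows launcher binary")
            if ".dll" in value.lower():
                findings.append(f"{key} loads a DLL from the drive")
        # shell\<verb>=Explore gives the hijacked verb the name of a built-in
        # action, so the victim sees a normal-looking context-menu entry.
        if (key.startswith("shell\\") and key.count("\\") == 1
                and value.strip().lower() in {"explore", "open", "autoplay"}):
            findings.append(f"{key} masquerades as the built-in '{value}' verb")
    return findings


def matches_known_good(candidate, known_good):
    """Exact match against the owner's pristine copy, ignoring CRLF vs LF."""
    norm = lambda t: t.replace("\r\n", "\n")
    return norm(candidate) == norm(known_good)


def plan_cleanup(root, known_good_inf):
    """Dry run of the batch logic: list (never delete) every *.dll at the
    root plus an autorun.inf that is not the owner's own copy."""
    doomed = []
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name.endswith(".dll"):
            doomed.append(entry.name)
        elif name == "autorun.inf":
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                if not matches_known_good(fh.read(), known_good_inf):
                    doomed.append(entry.name)
    return sorted(doomed)


def demo_plan():
    """Build a constructed 'infected drive root' in a temp dir and plan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "autorun.inf"), "w") as fh:
            fh.write(BENIGN_INF)                 # owner's backup copy
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(MALICIOUS_INF)              # dropped by the worm
        with open(os.path.join(root, "svcpacj.dll"), "wb") as fh:
            fh.write(b"MZ placeholder")          # constructed stand-in payload
        return plan_cleanup(root, BENIGN_INF)


if __name__ == "__main__":
    for line in triage_autorun(MALICIOUS_INF):
        print("!", line)
    print("would delete:", demo_plan())
```

The planner deliberately does not touch the icon file or the data folder: the point the thread makes is that you can only safely delete what you can positively identify as foreign, which here means "any DLL at the root" and "an autorun.inf that differs from my own".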