I’ll give you the moral at the very beginning: do not share removable drives. Just don’t. Even when it’s necessary.
A friend asked me if they could come over and send a job application by email, saying that they had their CV on a disk. I want to look like a nice guy, so I said yes. As soon as I attached the flash disk, avast (my el cheapo antivirus programme) went haywire, flashing dire warnings about an AUTORUN.INF infection…
Oh NO, I thought, because I’ve heard all about the worm that appeared sometime towards the end of last year, and has cost millions, and Microsoft has even offered a reward to anyone who can give information leading to the apprehension of the perps. I had been counting myself lucky all along, because I didn’t necessarily trust my free antivirus programme (it’s wonderful, but it’s FREE, for crying out loud), and I do a lot of downloading, browsing a lot of graphics sites. However, I did my best with security: I always use a limited Windows profile for everything, rather than an administrator one, and I have Windows firewall up, as well as antivirus. I also generally don’t attach foreign flash disks.
Well, after all the warnings, I immediately disconnected the disk, and did a system scan, which showed nothing. I breathed a sigh of relief, and went on for a few days. In fact, it was only when I connected my camera to transfer some pictures I’d taken that, you guessed it, AUTORUN.INF showed up again. This time apparently on my camera…
Apparently I HAD infected my machine, and now my camera was also infected. What was worse, this thing not only couldn’t be removed by faithful avast, it seemed to be spreading, because now a new infection showed up in my picture transfer folder. I disconnected my camera, and went online for help.
What transpired was at least 24 hours of battle. I found information initially at Trend Micro, where I downloaded a little script, but that didn’t work, not completely. So I went back and found
http://bleuken.i.ph/blogs/bleuken/2007/06/29/viruses-that-uses-autoruninf/
which told me a bit more about AUTORUN.INF, and possible ways to contain the infection, both on my machine, and infected removable drives. I went to work at the command prompt (making me nostalgic for pre-Windows days), and after maybe five tries (bear in mind that I am not a programmer), I thought I finally had it right. I also checked (as I could) my system files, to see if anything had changed, especially on the day of the original infection, and felt sure that nothing had. (Silly). I just wasn’t sure though, and with reason, because when I went back into my limited profile and attached my camera, autorun came again and there the infection was. So the next day I went online again, and found more information at
Ask Metafilter (XP Filter: I set up a non admin account for safer computing -- Am I safe enough now?) (sorry, lost the link, you’ll have to google it)
which was sound advice about disabling autorun, the thing that starts up a flash disk or CD when you put it into your machine. Perfect- except, like I say, I run things as a limited user, which meant that I had to go to
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
(very good site!) to get information (specifically, a script to edit my registry) that allowed me to disable autorun for the machine, rather than just the user. I had tried to edit the registry as a limited user, and failed (whether because of the infection, or because a limited user cannot, I do not know… Still). Anyway, the second attempt to disable autorun worked. I also uninstalled the SONY software (hmm) that I had installed when I bought my camera, to transfer pictures to the computer. Advice: transfer your pictures the long way. Seriously. The pain is not worth it. After that, my computer even began to smile at me…
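An added example, not from this post or from the sites linked above: a small Python checker that reads an autorun.inf the way Windows does and reports which entries would make it launch something from the drive. It is the kind of look-before-you-trust check a shared stick deserves even with autorun disabled; the sample autorun.inf is constructed for the example.

```python
from typing import Dict, List

# Constructed sample, not copied from the post: the layout a drive-spreading
# worm leaves behind, pointing every launch hook at one dropped executable.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\sys32.exe
shellexecute=RECYCLER\\sys32.exe
shell\\open\\command=RECYCLER\\sys32.exe
shell\\explore\\command=RECYCLER\\sys32.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Tolerant parser for the [autorun] section. Real files are often padded
    with junk lines and odd casing, so this ignores anything it cannot read."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives: Dict[str, str]) -> List[str]:
    """Values Windows may run: open= and shellexecute= on insertion (when
    autorun is enabled), shell\\<verb>\\command= via Explorer's context menu."""
    return [v for k, v in directives.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(text: str) -> dict:
    """Flag an autorun.inf that points a launch hook at an executable.
    A camera or CD typically sets only label= and icon=, which is harmless."""
    directives = parse_autorun_inf(text)
    targets = launch_targets(directives)
    findings = [f"launches executable: {t}" for t in targets
                if t.strip('"').lower().split()[0].endswith(EXEC_EXTENSIONS)]
    return {"directives": directives, "targets": targets,
            "findings": findings, "suspicious": bool(findings)}
```

To check a real drive, read `autorun.inf` from its root (it is usually hidden and marked system, so list with `attrib` or `dir /a`) and pass the contents to `assess`.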
Still not quite satisfied, I went online again, and this time found HijackThis (at Trend Micro), which I then ran to see what was going on… And guess what: apparently, something called sys32.exe was being autorun from my restore folder. Like a good Windows user, I had turned on system restore for all drives… And now when I checked, I found something that looked a lot like a recycle bin sitting in there, except it had been created on the day I got the original infection… AND I could not find any other restore points. Why would my computer create a restore point right then, I wondered? Where were the other restore points, the ones before that? And why was this thing being autorun from such a weird place? I looked up sys32.exe, and found some dodgy sites, but a Google search seemed to confirm that this was suspicious software, so I went with my gut, turned off system restore, deleted the folder, and turned on system restore again, and created a restore point. I then used HijackThis (quaking as I did so) to delete the registry key that caused this programme to run (because I still couldn’t edit the registry), and then deleted all the other keys that seemed to have to do with sys32. I did a search, and found a sys32 .PF file, which I also deleted, hoping all the way that I wasn’t damaging my system. What reassured me a bit was that when I ran regedit as administrator, I couldn’t find the keys to do with sys32, so I assumed they weren’t essential, and had in fact been created by my limited profile. I also checked, and found the same folder in restore of my camera memory stick, so I deleted that as well.
I am sort of calm now, but I will be very vigilant, watching for any other weird things. I am also very aware that I am only a normal Windows user, rather than a tech buff, so I hope I haven’t made a mess of things… And also that I got all of it. So now I know three things:
- No more sharing of removable drives.
- Antivirus may not pick up an infection, especially if it masquerades as a system file.
- There are some evil people out there.