Ok, I've done numerous Google searches, and kinda learned it was a virus and malware and such, but I'm not sure what it does in terms of to a flash drive. One of my teachers had a virus like that and when I inserted my drive into her computer, I think I caught it from her. On my computer, I couldn't autorun my PortableApps.com Platform 2.0 Beta 4 because Sophos said 'autorun.inf' and 'winlog.exe' were viruses.
I never had a virus before, so I don't know what the extent of the virus does... whether it just stays hidden in the root directory or if it goes through all the directories.
All I deleted was those two files, and a friend who also used his drive (I'm assuming) has a virus on it. I'm gonna delete his virus today (at least those two files), and I'm not sure if that's all I've got to do.
Thanks!
Those files may, or may not, have been infected.
Autorun.inf is how removable drives automatically run files when inserted into a Windows system. Whether it runs a known good file like PortableApps or some malware, one should check before running it.
Winlog.exe is used to set parental controls to protect PCs but is also a common file name for virus writers. Whether your file was infected or not is undecided.
It would seem that your AV program flagged the files based on their names rather than what they actually do. Such actions are known as false positives and ALL AVs are capable of issuing them.
BTW This link may help: http://www.what-is-exe.com/filenames/winlog-exe.html
Ed
It's most likely a virus. Viruses like these are common at schools (including mine) because they go unnoticed, and people still don't realize that the autorun feature is a potential entry point for infection.
It would help if you checked what the detection name was when your virus scan picked it up. That way, you could look it up online and see if it's known to run as "winlog.exe".
SWAG
That was one of the articles I read. I also read this article and a few others.
I told my teacher to remove the program but she is skeptical.
But you know what really caught my attention: when it creates the autorun.inf file (which overwrote the PA platform-made one), it uses the folder icon from Shell32.dll, the same icon that accompanies the option to "Open folder to view files." Then, the autorun.inf file launches winlog.exe.
That's REALLY weird.
And what's worse is when you click that option, it doesn't open the drive.
And you go to My Computer and try to open the drive from there, but it doesn't open.
Weird.
However, when that window first pops up, and you scroll down, you'll see a second folder, with the same option, except that it says in the subtext "with windows explorer" instead of "With the program on the device".
Weird.
And worse yet, Symantec doesn't pick it up. That's the reason the teachers don't believe me.
And the whole school is doomed...
OK, first off, try uploading it to virustotal.com which will scan it with thirtysomething virus scanners, and tell you what each of them thinks. Assuming that it does in fact set loads of them off, try showing that report to the teachers?
To explain the autorun behaviour, what it is doing is adding a program to the autoplay list that pops up in recent versions of Windows that tries to look like the system option of "open the drive in explorer" to fool users into clicking on it. It does this by emulating the text and the icon, as you are seeing.
If you click on it there, or if you click on the drive icon to open it from an explorer pane, then it will actually run the autorun item, the virus, and infect the computer that you are on, most likely copying itself onto the hard drive, installing itself to run at startup, and generally being nasty.
Personally, I've never had good experiences with Symantec Antivirus, it has been known for woeful detection rates in the past, and it is a real pain to deinstall from PCs when it comes preinstalled (not as bad as McAfee has been, but...)
That's a virus. I've seen the same behavior here.
Just download ClamWin Portable. It worked for me.
SWAG
I have to agree with those who say it's likely a virus in the case at hand. I had a similar thing happen when I used my USB drive at a friend's house. When I plugged it back in at home, my AV warned me.
I wasn't sure if it was correct, so I looked up the autorun.inf in the backup I keep of my USB drive. *Something* had changed the autorun.inf to run winlog.exe and had put that file in the root of my USB drive. Before the change, my autorun.inf file had been as follows:
open=StartPortableApps.exe
icon=StartPortableApps.exe
action=Start PortableApps.com
label=Portable Apps
If that's not virus-like activity, I don't know what is.
Anyway, I restored the autorun.inf from the backup and it worked fine again. I also cleaned up my friend's computer.
----------
=^..^=
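Added example (not part of any post in this thread): a small Python check that compares a drive's autorun.inf with a known-good backup and flags the disguise described above, where the action text and a shell32.dll icon imitate the built-in folder option. The `[autorun]` section header, the suspect sample and the function names are assumptions constructed for illustration.

```python
import configparser

# Constructed sample modelled on the behaviour described in the thread
# (not a captured file): look-alike action text, shell32.dll icon, winlog.exe.
SUSPECT = """[autorun]
open=winlog.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Known-good file as posted above; the [autorun] header is assumed.
BASELINE = """[autorun]
open=StartPortableApps.exe
icon=StartPortableApps.exe
action=Start PortableApps.com
label=Portable Apps
"""

LAUNCH_KEYS = ("open", "shellexecute")
SPOOF_PHRASES = ("open folder", "view files")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # no section header or otherwise unparsable
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return {}


def findings(text, baseline=None):
    """List reasons this autorun.inf deserves a closer look."""
    entries = parse_autorun(text)
    known = parse_autorun(baseline) if baseline else {}
    out = []
    for key, value in entries.items():
        launches = key in LAUNCH_KEYS or key.startswith("shell\\")
        if launches and known.get(key) != value:
            out.append(f"launches program not in backup: {key}={value}")
    if any(p in entries.get("action", "").lower() for p in SPOOF_PHRASES):
        out.append("action text imitates the built-in folder option")
    if "shell32.dll" in entries.get("icon", "").lower():
        out.append("icon borrowed from shell32.dll")
    return out
```

Read the file as text from the drive and pass it to `findings()`; nothing on the drive is executed by the check.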
I found out where the virus is hiding after it's copied to the drive: %APPDATA%\Microsoft.
And my true intention was to get enough people saying that it was a virus (I was hoping John would say that, because, you know, he's John) and I was going to print this out and give this to the tech person.
Thanks!
PS: I was using my laptop to get rid of everyone's virus (4 for 4 as of now) and I infected myself...
I wrote a batch file to delete it:
I think winlog is the only thing that goes onto the computer, so that's the only thing it deletes.
I guess whoever has the virus can use that to delete it!