Hi All,
I have a file that’s creating problems with mapped network drives. The file name is windll.exe. Does anyone know if this is a legitimate Windows file, or is it something else?
What’s happening - on some of our network shares, two files are being created:
- autorun.ini
- Recycler\ RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
The autorun.ini file contains the text below, and as you can see it points to the RECYCLER folder.
[autorun]
;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
icon=shell32.dll,4
shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
label=PENDRIVE
action=Open folder to view files
shell\Open=Open
shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
shell\Open\Default=1
I have been able to track down which workstations are creating the two files by looking at the security permissions on the autorun.ini file and then doing a search on the workstation’s C: drive. Generally the windll.exe file will be found in a folder of its own name, in either “C:\windows\windll.exe\windll.exe” or “C:\Documents and Settings\USERNAME\Application Data\windll.exe”, and it has also been found in Prefetch.
The end result is that users’ drive icons change to folders.
Symantec product info:
SEPM Version 11.0.6100.645 with latest definition file.
Actions taken so far:
Updated client AV and ran a full system scan.
Tried to delete / rename the windll.exe file, but it recreates itself both on the client workstations and on the network shares.
Any ideas?
Thanks in advance.
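Added example, not from the original post or any Symantec tool: a small Python checker that parses an autorun.ini like the one quoted above and flags the entries Explorer would act on when their target is an executable under a RECYCLER or SID-named folder, plus a check for the "folder of its own name" pattern seen on the workstations. The sample text is a constructed copy of the file from the post.

```python
import re

# Constructed sample: the autorun.ini quoted in the post (raw string keeps the backslashes).
SAMPLE_AUTORUN = r"""[autorun]
;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
icon=shell32.dll,4
shellexecute=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
label=PENDRIVE
action=Open folder to view files
shell\Open=Open
shell\Open\command=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\windll.exe
shell\Open\Default=1
"""

EXEC_KEYS = ("open", "shellexecute")                      # keys that launch a program directly
EXEC_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs)$", re.I)
SID_RE = re.compile(r"S-1-5-21(-\d+){3,4}", re.I)         # a user/domain SID used as a folder name

def parse_autorun(text):
    """Return (key, value, commented) for every key=value line. Lines disabled
    with ';' are kept and marked so a commented-out 'open=' is still visible."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith(";")
        if commented:
            line = line[1:].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().lower(), value.strip(), commented))
    return entries

def suspicious_entries(text):
    """Flag launch keys (open, shellexecute, shell\<verb>\command) whose target
    is an executable, lives under RECYCLER, or sits in a SID-named folder."""
    findings = []
    for key, value, commented in parse_autorun(text):
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        reasons = []
        if EXEC_RE.search(value):
            reasons.append("executable target")
        if "recycler" in value.lower():
            reasons.append("RECYCLER path")
        if SID_RE.search(value):
            reasons.append("SID-named folder")
        if reasons:
            findings.append({"key": key, "target": value, "commented": commented, "reasons": reasons})
    return findings

def self_named_executable(path):
    """True when a file sits in a folder of its own name, e.g. C:\windows\windll.exe\windll.exe."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
```

Run `suspicious_entries` over each autorun.ini/autorun.inf found on a share and `self_named_executable` over hits from a workstation file search to triage which copies are worth pulling for analysis.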