avast keeps telling me that i have BV:AutoRun-H [wrm] on my usb drive, the file name is autorun.inf
i’ve tried to google a answer but nothing i have tried works and avast cant seem to do anything about it.
anyone have some suggestions?
thanks
Hi!
Try to transfer all data that you need to your HDD & format your flashdrive
Some tools and light reading.
-
USB Virus Scan - http://blog.didierstevens.com/programs/usbvirusscan/
-
“Flash Disinfector” program, see See http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/ - alt download location at http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe - Also see AvastForumVirusGen.txt
-
AutoRun.inf problems, etc. - Download and run Autorun Eater
Hi :
The vast majority of experienced, trained, certified, Volunteer “Malware
Removal Specialists” recommend the FREE “Flash Disinfector” .
reformatting apparently does not work on this autorun virus. i’ve tried a couple flash disinfection programs but they have had no success.
i will try the ones suggested by DavidR and spiritsongs and let you know how that goes.
Does anybody know how to kill/eliminate/terminate/obliterate this bug???
Hi, just found this whilst searching for details on Autorun-H…cos we got it too.
The bug isn’t on the usb - although it may have originated from there, so cleaning and disinfecting the usb will not cure it.
If you have the usb folder open in explorer, each time avast displays the virus alert you can see when the autorun.inf file is being created - and when you choose to move/delete the file, it disappears but leaves the _restore folder as hidden.
It also creates the _Restore folder on the usb
The Autorun.inf file conatins references to a reg key and ‘lusrsh.exe’ (?) which I can find a couple of registry entries to on the c: drive.
Currently I have disabled restore, run avast and superspybot in safe mode, rebooted, and it still shows autorun.inf virus when plugging usb in.
I also managed to use eraser on the usb and disinfected the usb and formatted the usb - no joy - still has autorun.inf virus originating from somewhere on the c:
I also removed all knight.exe references from registry and c: drive.
So far no cure.
Running the tools suggested will also fix the fact that the autorun.inf file is on your hard disk partitions.
EDIT: i take it back. after running flash disinfector for a second time it seems to have stopped. thanks for the help guys,
Sim1 seems to be right about this one
none of the programs stopped it from happening. its coming from my computer somewhere and avast is picking it up as it is moved. we need some suggestions on how to get this off of our hard drives because none of the programs seem to be working.
You’re welcome.
If you are sure that this is recreated (though flash disenfector normally creates a hidden folder called autorun.inf and that should act as a blocker for an autorun.inf file) even if there is no USB flash connected and all partitions on your HDD don’t have an autorun.inf file. Then there could be other elements to this undetected or hidden on your system either restoring it or downloading it again, what is your firewall ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).
- SUPERantispyware On-Demand only in free version.
- MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Am just about to start second long haul on getting rid of it.
Just searched the registry manually and found reference to the lusrsh.exe at:
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lusrsh.exe
Just got Hijack this and gonna start a separate post with the results, if someone has knowledge…thanks
This lusrsh.exe is a cloaked malware see http://www.prevx.com/filenames/X1278018875349727488-X1/CROWN5Bn5D2EEXE.html.
There would also be an associated registry entry for:
c:\restore\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and report the findings here in the topic.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
There is compatibility between Avast and SuperAntiSpyware??
I take it that you mean incompatibility between avast and superantispyware the answer is ‘no’ or we wouldn’t recommend it, see my Reply # 9 above.
Autorun virus… hmmmm… Try what i did. I created autorun.inf on my desktop with the following.
[autorun]
open=c:
Or whatever the drive path =
Copied it into my main logical drive folder.
It fixed the redirect prob with the reg keys also.
Have fun.
is there any solution for this dilemna? please share…