INF:AutoRun-AW [Wrm] in Autorun.inf on SD-card detected after connecting via USB

Hi,

Just got the message that the worm was found when I plugged in the card, which was last used when I had another virus program on my computer. The card only contains pictures, which suggests that it may be a false positive. Other than that, my system was completely set up just a few weeks ago (with avast running from the beginning, no detection found up to now).
Is it a known false positive, or should I rather restore the system with my backup?

Thanks for your help!

Why should it be a FP?

Have you tested the detected file at virustotal.com?

Well, it wouldn’t be the first FP detected by a virus program.
Avast reported the file was moved to the container. Is there a way to test it at virustotal.com? Can’t find the folder in explorer…

No… it is not… but pic files can also contain malware.

If avast moved it to the chest… open avast > chest

Ok, I found the chest folder at: C:\ProgramData\Avast Software\Avast\chest
There is an index.xml file and a file “00000001”. Do I just need to check both files at virustotal?

Is there any chance that my system is infected, since I had the auto-play function deactivated in Win7?

If you actually open the avast Chest you will see the file placed there; from outside the chest you won’t be able to see what the file name is, and the contents of the chest are also encrypted. To access the chest, use the avastUI, Maintenance, Virus Chest.

First, there is every likelihood that your SD card was infected when used in the other infected computer; normally there wouldn’t be an autorun.inf file on the SD card. This is how the virus gets from one computer to another: by infecting SD/USB sticks.

The autorun.inf tries to run (and execute the payload) when you plug in the SD card; avast has essentially stopped this happening, so it is more likely that the system hasn’t been infected. Plus there is the fact that you have deactivated autorun; it wouldn’t, however, stop avast looking/scanning for such exploit attempts.
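As an added illustration that is not part of the original thread: a small Python checker that parses an autorun.inf and lists only the entries that would launch a program, which is what separates a harmless label/icon file from the kind described in the reply above. The function names and the sample file contents are constructed for this example.

```python
import os
import re

# Keys in the [autorun] section that name a program or command to start.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")

def parse_autorun(text):
    """Return {section: [(key, value), ...]} for the text of an autorun.inf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def launch_directives(text):
    """List the (key, value) pairs in [autorun] that would start a program."""
    entries = parse_autorun(text).get("autorun", [])
    return [(k, v) for k, v in entries if EXEC_KEYS.match(k)]

def check_volume(root):
    """Inspect <root>/autorun.inf; None means the volume has no such file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    # The file may be saved as UTF-16 with a byte-order mark; handle both.
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return launch_directives(data.decode(enc, errors="replace"))

# Constructed sample contents (placeholder paths, not taken from the thread).
SAMPLE_SUSPICIOUS = """\
[AutoRun]
; constructed sample
open=tools\\placeholder.exe
shell\\explore\\Command = tools\\placeholder.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_BENIGN = "[autorun]\nlabel=Holiday photos\nicon=camera.ico\n"

if __name__ == "__main__":
    print(launch_directives(SAMPLE_SUSPICIOUS), launch_directives(SAMPLE_BENIGN))
```

A card that holds only pictures should return `None` from `check_volume`; any non-empty list means the file points at something to execute and the named target is worth scanning too.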

Thanks David for your comprehensive reply!
Would you advise me to restore the system from a 2-week-old backup if you were me - just to be as safe as possible?

You’re welcome.

I don’t believe that is required, certainly not yet. If you can do as suggested and open the virus chest and right click on the file in there, and select properties; that will tell you its name and original location, etc. If that is the autorun.inf file then you could well have dodged a bullet.

So let us have the information on the file and we can proceed further.

It wouldn’t hurt to do an avast scan on your system; a Quick or Full System scan on default settings should be fine, and report any findings.

You could also run a secondary scan with another tool:
If you haven’t already got this software (freeware), download, install, update and run it (it should produce a log file) and post the contents of the log.
MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

It actually is the autorun file:

http://www.abload.de/img/unbenannt2bm5t.jpg

Since I walked the path of mbam and log posts (incl. editing out personal info) before on past incidents, I figured out that even those steps leave a rest of uncertainty despite consuming a lot of time. So I will probably use my backup and configure the changes made during the last 2 weeks anew. Last question: Does this ensure the max. chance of a healthy system, or is it very well possible that the virus has already spread to other (data) partitions? (The Win7 partition is negligible since it’s overwritten by the backup anyway.)

I can’t speak for the state of your backup or what it actually backs up, if this is using system restore or a dedicated backup software (hard disk imaging, etc.).

Since avast has the autorun.inf in the virus chest, it shouldn’t be on your SD card any longer (?), so you could scan your SD card.

You could also use an image of the MBAM results, easy to edit out (cut/pixelate/blur) and post. It is just a confirmatory scan and in most cases this is likely to come up clean.

Personally I wouldn’t like going back to a two week old backup if I didn’t absolutely need to.

I used the Win7 “Backup and Restore” (translated from German) function. The backup contains the complete Win7 partition. Thanks again for your advice, yet I’ll probably stick with my decision to restore everything, because it makes me at least feel more comfortable…
Whether the autorun file was still on the SD card is unclear, since I deep formatted it instantly after the detection.

Well, thank you and best regards

You’re welcome.

The Win7 backup and restore is better than the system restore of old. Yes, it all depends on what ‘you’ are happy with.