Ok I have no clue what is going on but here is the problem…
Whenever I burn something… Nero’s settings are set to make a temp file to store its transfer data for burning stuff to a CD, right? Well…
Whenever the program is done burning… a sudden temporary file appears in the temp folder in my Local Settings folder on my Windows XP Pro account…
It’s so weird… I don’t understand it.
Here is what it says
C:\DOCUME~1\BRICKS~1\LOCALS~1\Temp\NER33A.tmp
INF:AutoRun-gen2 [Wrm]
Virus/Worm
Here is my 4.8 Avast version, it’s the free home version:
101021-1, 10/21/2010
Here’s more from the alert log:
10/24/2010 4:44:37 PM SYSTEM 2012 Sign of “INF:AutoRun-gen2 [Wrm]” has been found in “C:\DOCUME~1\BRICKS~1\LOCALS~1\Temp\NER32D.tmp” file.
10/25/2010 3:31:39 AM SYSTEM 2012 Sign of “INF:AutoRun-gen2 [Wrm]” has been found in “C:\DOCUME~1\BRICKS~1\LOCALS~1\Temp\NER332.tmp” file.
NER is obviously for a Nero temp file… Why is Nero making sudden temp files and making a worm? Has anyone had a problem like this with this?
The version of Nero is 6.6.0.17.Bundled.
It also has Lightscribe…
Can someone please help me find out what is going on? … Is this a false positive? Because it just started doing it after I updated my Avast a few days ago… It didn’t do it before… and I’ve been burning CDs for a while now… why the sudden strange activity?
You are given the option to “vaccinate” your machine, which means to disable autoruns from infecting your machine again (or in this case preventing further damage from the current infection), and you can enable it again (although I wouldn’t). Plus you can “vaccinate” any USB/flash or removable device so that it cannot infect your machine. This type of malware is easily transmittable because many people use USBs and removable devices.
Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). You can do this after posting your MBAM log.
Please let me know if you have any questions. Thank you.
Yes. I do, but if I had some kind of infection Avast would have auto detected it and stopped its scanned execution to begin with… I never disable Avast. But no, I don’t share CDs. The only kind of possible CD sharing that’s even considered close is that I had some data I got from a buddy… Scanned it first with Avast… then moved it to my PC, then opened Nero and added it into the custom build data disc… then it burnt… but it failed on the other drive… I don’t know why… After it said it failed I clicked next to show me the “Burn project again”, that’s when Avast alerted me of a tmp file in the temp folder that was infected with the malware/virus.
But I always use Malwarebytes… this is what I found but
C:\Documents and Settings\Brickstin\x.exe (Trojan.KillAV) → Quarantined and deleted successfully.
Update and run MBAM again (Full Scan). Quarantine (not delete) anything infected. Copy and paste your entire MBAM scan here to the thread; I will need your log for the Certified Malware expert referral as well.
Run the OTL log as I suggested above; attach the log to your next post. I will then have a Certified Malware expert review your log.
It is up to you if you want to install the Panda USB Vaccine. To my knowledge, neither Avast nor any AV will disable autoruns.inf, but Panda USB Vaccine will. You can always reverse the “vaccine” with a click of a button, and this does not conflict with Avast.
Upgrade your Avast 4.8 to 5.0.677 only after we know that you are malware-free; do not do it now as it may complicate matters.
Please let me know if you have any questions. Thank you.
Hello,
can you send us that sample (NER33A.tmp)?
Send it as a zip with a password (write the password in the email body) and Subject: AutoRun-gen2 to virus@avast . com (without spaces) please and let me know here.
Best Regards
Jan Sirmer
EDIT:
It’s really an FP, it will be fixed tomorrow.
According to Avast, the latest update fixed the problem. Can you confirm for me that your problem is now resolved/fixed after you get your Avast update? Thank you.
Sorry guys x.x I was out dealing with crap personally in real life. I had to take care of things before I even had time to get on the internet again and mess with my computers… Anyways… Yes I will check it out with those updates… for Avast… Still I think it had something to do with that image I was messing with from my friend… one of the files I think was infected somehow… and when all the data was cached into my computer when burning it with any kind of burning software including Nero… it ends up detecting a virus in the temp cache area of my user docs & settings area in app data.
I am going to have to find the image again… I don’t know what I did with it. But I did burn the CD after I used a different burning software because I was getting errors like hell when I was trying to like… burn the image to the CD-R itself…
I will get back to you laters… I have to go drop off my GF at work.
OK I will get back to you… I’m like barely catching up on my posts here in this thread x.x I forgot so much about what happened but I just remember the little bit of it.
I was out dealing with stuff but I have to drop off my GF at work so I will be able to get this stuff again later… tonight… I don’t know if you guys get on at night or something.
Because I wouldn’t count that as a false positive just yet… you might want to have waited till I could confirm it was actually a real virus.
I was contacting ITU earlier, and apparently computer students used a program or created something to exploit the copyrights on the Microsoft 07 Office I have from college.
Including my friends from ITU.
It’s Indiana University
So yes… Forget that false positive for right now… I have to do more testing to ensure it was just a hiccup by Avast and not a real virus.
NER33A.tmp is the file that contained it and I am going to do some tests again to find out if I can rip out the files from the TMP file… Anyone know of any tools to help open TMP files?
Maybe I can execute the code outside of it and place that code into a file and then scan that file itself.
So again please, this is highly possible a TRUE virus, not a false positive.
It’s not a matter of if Nero is exporting these temp files and Avast thinks it’s a virus…
I have burned many program copies and data recovery stuff using Nero and it has never given me that avast scan error about finding NER33A.tmp as virus contained…
There really was a virus in there because my friend used AVG and found out the same kind of virus was found in that temp file.
x.exe is an execution tracking program that comes with older versions of Visualware company called IP trace or Visual trace… Look it up on Google… The company got into some trouble because of it… it had a trojan in it… but that’s not the problem I am having. It’s the image… I still haven’t had time to work on that, I just now got back so I am going to go ahead and do that now… Goes and finds the disc
But I need a techy to take a look at this… When I upload the results of the scan I will let you know… What was it again that you needed?..
I have no other viruses but do you want me to upload the TEMP file for identification?
I also want to upload the image files from the program of Microsoft from ITU version.