Urgent - bug - inf:autorun-gen [wrm]

I put also my message here because I probably have more success on the French forum. Sorry for the quality of translation …

By editing my simple autorun.inf file now (after updating Avast v6.0.1000 - 110407-1) I get the message inf:autorun-gen [wrm]

PC Windows XP SP3, Avast Update, Spyware Terminator updates, scans with nothing found …

The problem actually comes from the updated today because yesterday I worked my autorun.inf file without any problem:

[autorun]
open = autorun.exe
icon = autorun.exe, 1

I can not create a new autorun.inf and if I save it, Avast reacts and quarantines

Another example:

[autorun]
ShellExecute = index.htm

Avast quarantine …

My autorun.inf file is on my hard drive, not on a USB stick and I was just trying to edit (with Nodepad++ last version) it and save it (not trying to test it) …

Thank you for your quick suggestions ?

René

Hello rpaul,

Have you used a USB still at any time on this machine? If yes, you most likely got the autorun.inf worm from an infected USB stick.

  1. Please download and install the Panda USB Vaccine for USB devices
    http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/ and it can be run on any drive on your machine for removable devices.

You are given the option to “vaccinate” your machine [click “yes/OK”], which means to disable autoruns from infecting your machine again or in your case from the infection spreading. Plus you can “vaccinate” any USB/flash or removable device so that it cannot infect your machine.

  1. Do not insert any removable media devices into your machine, such as anything that would go into the A:/drive, CD/DVD, USB sticks, sync anything with your machine, etc.

  2. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions of obtaining an MBAM log (make sure you update MBAM first) and the OTS log (save them as ANSI and not Unicode). Post the MBAM log and the OTS log as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

Once your machine is free of the infection, we will need to disinfect your USB sticks. What forms of removable media devices do you use?

Let me know if you have any questions. Thank you.

OK I see what your problem is - whenever you make your own autorun.inf Avast detects and then quarantines it… Is that correct

I can see no safe way around this this, as if you add autorun.inf to the exceptions then that would allow any infection to possibly run rampant… So it really is in your own interest that Avast is removing it

Hi

1- I have not used USB and I have not test any time my autorun.inf
2- OK, I download and I test … follow back
3- OK … follow back

For the moment:

Full check with Avast have no infection (new update today)
Full check with Spyware Terminator have no infection
First check with Malwarebytes’ Anti-Malware found 5 minors infections (rapid search) and I have repair
Second check with Malwarebytes’ Anti-Malware found 0 infections (full search)
I can post log if important ?

I have a USB key, a hard disk, MP3 readers on USB sticks but not used for the moment …

thanks

1- Yes, whenever I make with my autorun.inf, Avast detects and then quarantines it …

2- How I can make exceptions for INF file ? In Avast parameters, exceptions (exclusions in french) ?

thanks

To be honest I would not advise that, as that is one of the prime malware infection points

Hello

An answering forum avast!

Topic: MP3 Autorum.inf Worm!?
http://forum.avast.com/index.php?topic=70798.0

Hum … For me autorun.inf is important. I’m programmer and I make occasionally autoruns for CD-DVD (sites/catalogues with server2go and autorun), just my autoruns, not others …

The free Panda USB Vaccine disable AUTORUN.INF. USB drives that have been vaccinated cannot be reversed except with a format.

Sorry. I have test and useless …

How to format or cleanse your USB / flash drive:

  • Right click from Windows Explorer and do a full format to cleanse your USB flash drive.

However the problem still exists that you need to remove the worm from your machine. Avast is detecting it as Essexboy posted; he is a Certified Malware Removal Expert. Re-read his post and respond to his post please.

Using the Panda USB Vaccine, you are given the options:

  1. To vaccine the machine, which disables autoruns and prevents autorun.inf worm
  2. To vaccinate all USB and removable media (resident protection)
  3. To vaccinate only USB and removable media you want (on-demand protection), but you need to remember which ones are vaccinated and which ones are not.

Please let us know if you have additional questions. Thank you.

I understand the potential risks of the file autorun.inf

Avast from a recent update has responded to MY autorun.inf file that I edited and saved, as a precaution, I guess.

But so far I have not found any software that detects a potential hazard on my machine, style virus, malware, etc. … so why vaccinate?

USB Panda Vaccine disable AUTORUN.INF and USB Drives Have Been vaccinated That Can not Be Reversed With A EXCEPT format. This is not satisfactory for me and some comments of this Panda Vaccine put me in doubt …

What software can detect the worm and repair it but here, I’m not sure this is a warm.

You can try MC shield:http://amf.mycity.rs/programs/mc/mcshield/index.html

@rpaul
Import autorun.inf on the white list and will not touch (for your USB)

Hello,
are you sure that your own autorun look exactly like samples that you posted here?
Because avast don’t block these AutoRun.

Thanks but see post: http://forum.avast.com/index.php?topic=75670.msg627354#msg627354

I have import this … (I have renamed to TXT because not possible to INF)

Yes, sure and others …

Here, log of Malwarebytes’ Anti-Malware with minors infections, now deleted
ref: http://forum.avast.com/fr/index.php?topic=574.0