Support in other languages: 
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Forums KB Blogs Support Shop
Reply
Topic Options
nightoil
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

AUTORUN.INF repeatedly trying to run for no apparent reason

[ Edited ]
Options

‎03-14-2011 07:41 AM - last edited on ‎03-14-2011 07:56 AM by Community Moderator

I got this Thinkpad X201s direct from Lenovo last November.

Since then, my Avira antivirus software has been blocking Q:\AUTORUN.INF several times a day.

Why would Q:\AUTORUN.INF be trying to run from the recovery partition during normal use of the computer?

Is it likely to have been hijacked by malware?

Curiously, Q:\AUTORUN.INF seems to go mad whenever any potential threat to it is running,

i.e. when Windows Defender is running or paticularly when AUTORUN.INF removal software is downloaded.

If I click on it in Windows Explorer, Avira blocks it but it does open as a Notepad document with an "Access is denied" warning and an empty Notepad window behind it.

Repeated Avira system scans and Windows Defender scans find nothing abnormal.

Can anyone help?

Message 1 of 8 (2,472 Views)
 
Reply
Please use plain text.
 
Community Moderator
Community Moderator
buddinggeek
Posts: 2,761
Registered: ‎02-22-2008
Location: Andhra Pradesh, India +GMT 5.30
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-14-2011 07:57 AM

Is Avira only blocking the file or is also giving you an option to remove it? It might be a false alarm.Try using Malwarebytes or Microsoft security essentials ..

Cheers and regards,
• » νιנαソѕαяα∂нι ѕαмανє∂αм ™ « •
3000H,T410,X220T,Y560,X1,Yoga 11
Quntal Quetzal,Win7,Chromium OS,Windows 8 RT
●๋•کáŕádhí'ک díáŕý ツ
Message 2 of 8 (2,463 Views)
 
Reply
Please use plain text.
 
nightoil
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-14-2011 08:57 AM

Dear Vijay

Thanks for your prompt reply.

No, Avira is only blocking it, not offering to remove it.

By false alarm, do you mean that Avira only thinks Q:\AUTORUN.INF is trying to run but isn't

or that it is trying to run and that Avira is blocking it by mistake.

Question remains for me why Q:\AUTORUN.INF should be trying to run at all during normal use.

Can you say whether the Q recovery partition does normally contain an AUTORUN.INF? If not, could I not simply delete Q:\AUTORUN.INF myself.

Meanwhile, I will try Malwarebytes and/or Microsoft security essentials, as you suggest.

Thanks again

nightoil

Message 3 of 8 (2,459 Views)
 
Reply
Please use plain text.
 
Retired Guru
Duck3
Posts: 2,081
Registered: ‎07-13-2009
Location: USA
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-14-2011 10:34 AM

Can you access the Q partition?
Open autorun in notepad if you can and post contents.
(Might be something to do with recovery backups?)
Message 4 of 8 (2,452 Views)
 
Reply
Please use plain text.
 
nightoil
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-14-2011 11:00 AM

Yes, folders/files in Q partition are "hidden" but can be seen by checking "Show hidden files" in Folder Options.

Opening Q:\AUTORUN.INF in Notepad causes Avira to block it

but Notepad does open with an "Access is denied" warning and with the Notepad window empty behind it.

Yes, seems to be to do with recovering the OS in the event of total failure.

But why does Q:\AUTORUN.INF run at all during normal use?

Have downloaded Malwarebytes.

Quick scan of full system and a full scan of the Q partition both yield nothing.

Message 5 of 8 (2,444 Views)
 
Reply
Please use plain text.
 
Retired Guru
Duck3
Posts: 2,081
Registered: ‎07-13-2009
Location: USA
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-16-2011 11:33 AM

Still there?
Try to temporarily disable Avira and see if you can view file.

Personally recommend Avast for free AV myself...
Message 6 of 8 (2,395 Views)
 
Reply
Please use plain text.
 
goretsky
Posts: 1,489
Topics: 17
Kudos: 247
Solutions: 76
Registered: ‎12-01-2007
Location: California, USA

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

[ Edited ]
Options

‎03-16-2011 10:00 PM - edited ‎03-16-2011 10:01 PM

Hello,

 

Perhaps it is a false positive alarm.  Have you tried uploading the AUTORUN.INF file to a site which runs files against multiple anti-malware scanning engines like VirusTotal to see what is reported back?  That should help give you an idea of whether the file is infected. You can also submit it your anti-virus vendor's researchers for examination. 

 

Regards,

 

Aryeh Goretsky

 


I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
X220 (4286-CTO) • W510 (4318-CTO) • X120e (0596-CTO) • T61p (6459-CTO) • T43p (2678-H7U) • T42 (2378-R4U) • T23 (2648-LU7)
de.gif  Deutsche Community es.gif  Comunidad en Español
Message 7 of 8 (2,387 Views)
 
Reply
Please use plain text.
 
nightoil
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Options

‎03-18-2011 10:53 AM

Dear Guru

Thanks for your interest!

I turned off Avira, as you suggested, and clicked on Q:\AUTORUN.INF, which then opened in notepad thus:

[AutoRun]

open=LenovoQDrive.exe

icon=qdrive.ico

i.e. it looks totally innocuous and as it should do.

I've also repeatedly run full system scans by Avira, Windows Defender, Microsoft Security Essentials and Malwarebytes, all of which report clean.

So it would seem that Avira has just been being hyper-cautious, which is fine by me.

I think I'll probably now just make a set of recovery discs, delete Partition Q and free up the space for my own use and leave it at that, unless anyone else thinks otherwise.

Anyway, thanks very much for your (and Aryeh Goretsky's and Vijay Saradhi's) help.

Regards

nightoil

Message 8 of 8 (2,370 Views)
 
Reply
Please use plain text.
 
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.