Support in other languages: 
Showing results for 
Search instead for 
Do you mean 
Reply
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

AUTORUN.INF repeatedly trying to run for no apparent reason

[ Edited ]

I got this Thinkpad X201s direct from Lenovo last November.

Since then, my Avira antivirus software has been blocking Q:\AUTORUN.INF several times a day.

Why would Q:\AUTORUN.INF be trying to run from the recovery partition during normal use of the computer?

Is it likely to have been hijacked by malware?

Curiously, Q:\AUTORUN.INF seems to go mad whenever any potential threat to it is running,

i.e. when Windows Defender is running or paticularly when AUTORUN.INF removal software is downloaded.

If I click on it in Windows Explorer, Avira blocks it but it does open as a Notepad document with an "Access is denied" warning and an empty Notepad window behind it.

Repeated Avira system scans and Windows Defender scans find nothing abnormal.

Can anyone help?

buddinggeek
Posts: 2,852
Topics: 105
Kudos: 140
Blog Posts: 0
Solutions: 118
Registered: ‎02-22-2008
Location: Texas A&M University, Commerce
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Is Avira only blocking the file or is also giving you an option to remove it? It might be a false alarm.Try using Malwarebytes or Microsoft security essentials ..





Cheers and regards,
• » νιנαソѕαяα∂нι ѕαмανє∂αм ™ « •
Think : T410,X220T,Thinkpad Yoga
Idea :3000H,Z500,U410,Yoga 11, Yoga tab 10,Horizon
●๋•کáŕádhí'ک díáŕý ツ


I am a volunteer here. I don't work for Lenovo
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Dear Vijay

Thanks for your prompt reply.

No, Avira is only blocking it, not offering to remove it.

By false alarm, do you mean that Avira only thinks Q:\AUTORUN.INF is trying to run but isn't

or that it is trying to run and that Avira is blocking it by mistake.

Question remains for me why Q:\AUTORUN.INF should be trying to run at all during normal use.

Can you say whether the Q recovery partition does normally contain an AUTORUN.INF? If not, could I not simply delete Q:\AUTORUN.INF myself.

Meanwhile, I will try Malwarebytes and/or Microsoft security essentials, as you suggest.

Thanks again

nightoil

Retired Guru
Duck3
Posts: 2,090
Registered: ‎07-13-2009
Location: USA
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Can you access the Q partition?
Open autorun in notepad if you can and post contents.
(Might be something to do with recovery backups?)
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Yes, folders/files in Q partition are "hidden" but can be seen by checking "Show hidden files" in Folder Options.

Opening Q:\AUTORUN.INF in Notepad causes Avira to block it

but Notepad does open with an "Access is denied" warning and with the Notepad window empty behind it.

Yes, seems to be to do with recovering the OS in the event of total failure.

But why does Q:\AUTORUN.INF run at all during normal use?

Have downloaded Malwarebytes.

Quick scan of full system and a full scan of the Q partition both yield nothing.

Retired Guru
Duck3
Posts: 2,090
Registered: ‎07-13-2009
Location: USA
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Still there?
Try to temporarily disable Avira and see if you can view file.

Personally recommend Avast for free AV myself...
goretsky
Posts: 1,976
Topics: 19
Kudos: 352
Solutions: 138
Registered: ‎12-01-2007
Location: California, USA

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

[ Edited ]

Hello,

 

Perhaps it is a false positive alarm.  Have you tried uploading the AUTORUN.INF file to a site which runs files against multiple anti-malware scanning engines like VirusTotal to see what is reported back?  That should help give you an idea of whether the file is infected. You can also submit it your anti-virus vendor's researchers for examination. 

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
S230u (3347-4HU)X220 (4286-CTO)W510 (4318-CTO)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)T61p (6459-CTO)T43p (2678-H7U)T42 (2378-R4U)T23 (2648-LU7)
de.gif  Deutsche Community es.gif  Comunidad en Español ru.gif Русскоязычное Сообщество
Paper Tape
nightoil
Posts: 10
Registered: ‎11-06-2010
Location: London UK
0

Re: AUTORUN.INF repeatedly trying to run for no apparent reason

Dear Guru

Thanks for your interest!

I turned off Avira, as you suggested, and clicked on Q:\AUTORUN.INF, which then opened in notepad thus:

[AutoRun]

open=LenovoQDrive.exe

icon=qdrive.ico

i.e. it looks totally innocuous and as it should do.

I've also repeatedly run full system scans by Avira, Windows Defender, Microsoft Security Essentials and Malwarebytes, all of which report clean.

So it would seem that Avira has just been being hyper-cautious, which is fine by me.

I think I'll probably now just make a set of recovery discs, delete Partition Q and free up the space for my own use and leave it at that, unless anyone else thinks otherwise.

Anyway, thanks very much for your (and Aryeh Goretsky's and Vijay Saradhi's) help.

Regards

nightoil