03-14-2011 07:41 AM - last edited on 03-14-2011 07:56 AM by buddinggeek
I got this Thinkpad X201s direct from Lenovo last November.
Since then, my Avira antivirus software has been blocking Q:\AUTORUN.INF several times a day.
Why would Q:\AUTORUN.INF be trying to run from the recovery partition during normal use of the computer?
Is it likely to have been hijacked by malware?
Curiously, Q:\AUTORUN.INF seems to go mad whenever any potential threat to it is running,
i.e. when Windows Defender is running or paticularly when AUTORUN.INF removal software is downloaded.
If I click on it in Windows Explorer, Avira blocks it but it does open as a Notepad document with an "Access is denied" warning and an empty Notepad window behind it.
Repeated Avira system scans and Windows Defender scans find nothing abnormal.
Can anyone help?
03-14-2011 07:57 AM
03-14-2011 08:57 AM
Thanks for your prompt reply.
No, Avira is only blocking it, not offering to remove it.
By false alarm, do you mean that Avira only thinks Q:\AUTORUN.INF is trying to run but isn't
or that it is trying to run and that Avira is blocking it by mistake.
Question remains for me why Q:\AUTORUN.INF should be trying to run at all during normal use.
Can you say whether the Q recovery partition does normally contain an AUTORUN.INF? If not, could I not simply delete Q:\AUTORUN.INF myself.
Meanwhile, I will try Malwarebytes and/or Microsoft security essentials, as you suggest.
03-14-2011 11:00 AM
Yes, folders/files in Q partition are "hidden" but can be seen by checking "Show hidden files" in Folder Options.
Opening Q:\AUTORUN.INF in Notepad causes Avira to block it
but Notepad does open with an "Access is denied" warning and with the Notepad window empty behind it.
Yes, seems to be to do with recovering the OS in the event of total failure.
But why does Q:\AUTORUN.INF run at all during normal use?
Have downloaded Malwarebytes.
Quick scan of full system and a full scan of the Q partition both yield nothing.
03-16-2011 10:00 PM - edited 03-16-2011 10:01 PM
Perhaps it is a false positive alarm. Have you tried uploading the AUTORUN.INF file to a site which runs files against multiple anti-malware scanning engines like VirusTotal to see what is reported back? That should help give you an idea of whether the file is infected. You can also submit it your anti-virus vendor's researchers for examination.
03-18-2011 10:53 AM
Thanks for your interest!
I turned off Avira, as you suggested, and clicked on Q:\AUTORUN.INF, which then opened in notepad thus:
i.e. it looks totally innocuous and as it should do.
I've also repeatedly run full system scans by Avira, Windows Defender, Microsoft Security Essentials and Malwarebytes, all of which report clean.
So it would seem that Avira has just been being hyper-cautious, which is fine by me.
I think I'll probably now just make a set of recovery discs, delete Partition Q and free up the space for my own use and leave it at that, unless anyone else thinks otherwise.
Anyway, thanks very much for your (and Aryeh Goretsky's and Vijay Saradhi's) help.