View Full Version : Win32/Autorun.PN.Worm
Australasian
February 6th, 2009, 03:35 AM
My laptop has been infected by Win32/Autorun.PN.Worm through a USB.
NOD32 can't find it or delete it upon a computer scan, any suggestions or advice in removing this virus would be greatly appreciated.
funkydude
February 6th, 2009, 09:19 AM
What makes you think you're infected if nod32 found nothing?
Australasian
February 6th, 2009, 04:46 PM
Every time I insert my USB, NOD32 quarantines the Win32/Autorun.PN.Worm virus, then pop-up windows repetitively display on the desktop and NOD32 quarantines this approximately 5-6 times per minute.
I purchased a new USB hoping it was only the USB infected, not my laptop, but the same thing happened with the new one.
Marcos
February 7th, 2009, 03:13 AM
What's the full path to the file that is detected?
Australasian
February 7th, 2009, 04:57 AM
Thanks for your help, Funkydude & Marcos!!
This is becoming extremely frustrating. NOD32 picks this up as a virus immediately upon my USB being inserted, but won't find it in a computer scan.
Comodo, SuperAntiSpyware, HijackThis and Malwarebytes say my laptop is clean!!
I inserted the same USB into another laptop with a Vista Ultimate OS and no problem but their Antivirus is Kaspersky.
Have I got a virus or is NOD32 showing a false positive ????
I've attached some jpegs below:
Pop-Up
http://img99.imageshack.us/img99/7002/popupxi3.jpg (http://imageshack.us)
By Australasian (http://profile.imageshack.us/user/Australasian)
NOD32 Log File
http://img99.imageshack.us/img99/3936/nod32aob1.jpg (http://imageshack.us)
By Australasian (http://profile.imageshack.us/user/Australasian)
NOD32 Quarantine
http://img99.imageshack.us/img99/9980/nod32bga2.jpg (http://imageshack.us)
By Australasian (http://profile.imageshack.us/user/Australasian)
Zuik
February 7th, 2009, 08:19 AM
By USB I assume you mean a USB thumb drive?
A search on this worm led to this link: http://techiesworld.org/index.php/Windows-Troubleshooting/Autorun.inf-Worm.html
If this is a USB drive, is the write protect on the drive switched on?
The other suggestion is to make sure you turn off autoplay for USB devices (search "disable autorun usb"), typically by using gpedit.msc in the Run window. Then follow the procedure in the link above to find the file on the drive.
And it is not unknown to have false positives. I get them every time I run subversion and it hits a particular database file.
funkydude
February 8th, 2009, 03:25 PM
Your images don't resolve for me, please upload them to the forum when you make the post.
Australasian
February 8th, 2009, 08:46 PM
Hey Zuik,
It is a USB flash drive. Unfortunately, the link http://techiesworld.org/index.php/Windows-Troubleshooting/Autorun.inf-Worm.html did not rectify my problem.
funkydude
February 9th, 2009, 05:41 AM
Could you try scanning the drive in safe mode?
Australasian
February 9th, 2009, 05:07 PM
Now Autofmtp.exe has infected my computer. Again NOD32 didn't pick this up and can't find it in a computer scan.
I have used NOD32 for a long time without any dramas; 2 infections in 1 week is making me question whether this is now a suitable antivirus. These 2 infections entered through known email contacts transferring AutoCAD DWG files or jpegs.
Unfortunately, I'm losing too much time trying to resolve this issue and I've decided to reformat my laptop to factory restore settings.
Thanks kindly for everyone's advice and help!!
Cheers
luisqcosta
February 12th, 2009, 01:28 PM
I have the same problem with my USB flash drives. On one computer, NOD32 pops up the infection window every 8 seconds... The problem is only with Win32/Autorun.PN.Worm. On my laptop, using NOD32, same version, it does not detect any threat.
Why is that? I could disable the threat window in a breeze, but what about other infections? It really gets boring and annoying having the pop-up constantly there.
Any help is precious!
regards,
Luis
Novicex
February 12th, 2009, 02:59 PM
I think you should turn on show hidden files(total commander) and kill it:-\ Give me that worm:shifty:
luisqcosta
February 12th, 2009, 08:24 PM
As funny as it may seem, I always have "show hidden files" on and I never saw that autorun.inf on my USB flash drive, even using other computers with NOD32, Panda, Kaspersky, Avira... you name it.
This is truly an "X-Files" case. Call Spooky Mulder and Scully!!
Luis
EDIT: I used Total Commander, and the autorun.inf did show up!!!
Here are the contents of the file:
[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1
What could be wrong? :(
EDIT 2: I found the RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe and I deleted the folder and autorun.ini.
No matter how many times I deleted them, they always come back in a few seconds. Honestly, where do they come from?
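A defensive check for the autorun.inf quoted in the post above, as an added example that is not part of the original thread: it parses the file and flags keys that would launch a program from a recycle-bin-style folder. The function names and the heuristics (extension list, SID prefix test) are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# autorun.inf contents exactly as posted in the thread
SAMPLE = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1
"""

# Keys that make Windows start a program (assumed heuristic set)
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
RISKY_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
SID_DIR = re.compile(r"^s-1-\d+(-\d+)+$")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def audit(text):
    """List (key, target, reasons) for entries that launch a program."""
    findings = []
    for key, value in parse_autorun(text):
        m = re.match(r'"([^"]+)"|(\S+)', value)  # first token, quoted or not
        if not EXEC_KEYS.match(key) or not m:
            continue
        target = PureWindowsPath(m.group(1) or m.group(2))
        parts = [p.lower() for p in target.parts]
        reasons = []
        if target.suffix.lower() in RISKY_EXT:
            reasons.append("launches an executable or script")
        if "recycler" in parts or "$recycle.bin" in parts:
            reasons.append("target sits inside a recycle-bin folder")
        # Real per-user recycle-bin folders are named after S-1-5-21-... SIDs
        if any(SID_DIR.match(p) and not p.startswith("s-1-5-21-") for p in parts):
            reasons.append("SID-like folder name is not a user SID")
        findings.append((key, str(target), reasons))
    return findings
```

Running `audit(SAMPLE)` reports both the `open` and `shell\open\command` entries with all three reasons; the `icon`, `action` and `shell\open` lines only dress the drive up to look like an ordinary folder.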
Novicex
February 13th, 2009, 04:03 AM
Try to find it from regedit.exe, maybe you will see the path where it's hiding;)
luisqcosta
February 13th, 2009, 08:10 AM
I have been around regedit for about 1 hour :| no luck.
I submitted the files to virustotal.com (the files I was able to pack with Total Commander) and the result is here:
~VT link removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057)~
28/39 (71.79%)
How come this is a known virus to NOD32 and it does not find the source? Obviously I have already made dozens of full system scans and in-depth scans with all the options turned to full efficiency.
regards,
Luis
funkydude
February 13th, 2009, 08:20 AM
Download ESET SysInspector (ESI), create a log, then send it to support("at")eset[dot]com for analysis, they will assist you further. Add in as much information as possible including a link to this thread.
It may be a case that v3 can't clean it and v4 is needed.
luisqcosta
February 13th, 2009, 08:46 AM
Thank you Funkydude :) I will try!
I will let you guys know any updates later.
Luis
billhover
May 2nd, 2009, 10:08 PM
Search for Flash Disinfector, worked for me
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Hope it works for you.
Marcos
May 3rd, 2009, 01:10 AM
Have you considered installing EAV v4? It has detection of threats on removable media significantly improved and I'm positive it would find and block the threat in question perfectly.