Win32/Autorun.PN.Worm

Discussion in 'ESET NOD32 Antivirus' started by Australasian, Feb 6, 2009.

Thread Status:
Not open for further replies.
  1. Australasian

    Australasian Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    9
    My laptop has been infected by Win32/Autorun.PN.Worm through a USB.

    NOD32 can't find it or delete it upon a computer scan, any suggestions or advice in removing this virus would be greatly appreciated.
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    What makes you think you're infected if nod32 found nothing?
     
  3. Australasian

    Australasian Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    9
    Every time I insert my USB, NOD32 quarantines the Win32/Autorun.PN.Worm virus, then pop-up windows repetitively display on the desktop and NOD32 quarantines this approximately 5-6 times per minute.

    I purchased a new USB hoping it was only the USB infected, not my laptop, but the same thing happened with the new one.
     
    Last edited: Feb 6, 2009
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What's the full path to the file that is detected?
     
  5. Australasian

    Australasian Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    9
    Thanks for your help, Funkydude & Marcos!!

    This is becoming extremely frustrating. NOD32 picks this up as a virus immediately upon my USB being inserted, but won't find it in a computer scan.

    Comodo, SuperAntiSpyware, HijackThis and Malwarebytes say my laptop is clean!!

    I inserted the same USB into another laptop with a Vista Ultimate OS and no problem but their Antivirus is Kaspersky.

    Have I got a virus or is NOD32 showing a false positive o_O?

    I've attached some jpegs below:


    Pop-Up
    http://img99.imageshack.us/img99/7002/popupxi3.jpg
    By Australasian

    NOD32 Log File
    http://img99.imageshack.us/img99/3936/nod32aob1.jpg
    By Australasian

    NOD32 Quarantine
    http://img99.imageshack.us/img99/9980/nod32bga2.jpg
    By Australasian
     

    Last edited: Feb 8, 2009
  6. Zuik

    Zuik Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    14
    By USB I assume you mean a USB thumb drive?

    A search on this worm led to this link: http://techiesworld.org/index.php/Windows-Troubleshooting/Autorun.inf-Worm.html

    If this is a USB drive, is the write protect on the drive switched on?

    The other suggestion is to make sure you turn off autoplay for USB devices (search "disable autorun usb"), typically by using gpedit.msc in the run window. Then follow the procedure in the link above to find the file on the drive.

    And it is not unknown to have false positives. I get them every time I run subversion and it hits a particular database file.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Your images don't resolve for me, please upload them to the forum when you make the post.
     
  8. Australasian

    Australasian Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    9
    Last edited: Feb 8, 2009
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Could you try scanning the drive in safe mode?
     
  10. Australasian

    Australasian Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    9
    Now Autofmtp.exe has infected my computer, again NOD32 didn't pick this up and can't find it in a computer scan.

    I have used NOD32 for a long time without any dramas, 2 infections in 1 week is making me question is this now a suitable Antivirus. These 2 infections entered through known email contacts transferring AutoCAD DWG files or jpegs.

    Unfortunately, I'm losing too much time trying to resolve this issue and I've decided to reformat my laptop to factory restore settings.

    Thanks kindly for everyone's advice and help!!

    Cheers
     
    Last edited: Feb 9, 2009
  11. luisqcosta

    luisqcosta Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    4
    I have the same problem with my USB flash drives. In one computer, NOD32 pops the infection window 8 seconds after 8 seconds... The problem is only with Win32/Autorun.PN.Worm. In my laptop, using NOD32, same versions, it does not detect any threat.

    Why is that? I could disable the threat window in a breeze but what about other infections? It really gets boring and annoying having the pop-up constantly there.

    Any help is precious!

    regards,
    Luis
     
  12. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    I think you should turn on show hidden files (Total Commander) and kill it :doubt: Give me that worm :shifty:
     
  13. luisqcosta

    luisqcosta Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    4
    As funny as it may seem, I always have the "show hidden files" on and I never saw that autorun.inf in my USB flash drive, even using other computers with NOD32, Panda, Kaspersky, Avira... you name it.

    This is truly an "X-Files" case. Call Spooky Mulder and Scully!!


    Luis

    EDIT: I used total commander, and the autorun.inf did show up!!!

    here are the contents of the file:


    [autorun]
    open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
    shell\open\default=1


    What could be wrong? :(



    EDIT 2: i found the RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe and i deleted the folder and autorun.ini .

    No matter how many times I deleted them, they always come back in a few seconds. Honestly, where do they come from?
     
    Last edited: Feb 12, 2009
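
Added example, not code from any poster in this thread or from ESET: a small Python audit of the autorun.inf contents quoted in the post above, listing each entry that launches a program and why it deserves a closer look. The function names and reason strings are this example's own, and it assumes that genuine per-user Recycle Bin folders are named after account SIDs beginning S-1-5-21.

```python
import re

# Constructed sample: the autorun.inf contents quoted in the post above.
SAMPLE = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
shell\open\default=1
"""

# Keys whose value is a command line Windows runs from the drive.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
SID_DIR = re.compile(r"S-1-\d+(?:-\d+)+", re.I)
BIN_DIRS = ("RECYCLER", "RECYCLED", "$RECYCLE.BIN")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, tolerating junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(text):
    """List (key, target, reasons) for every entry that launches a program."""
    findings = []
    launches = {k: v for k, v in parse_autorun(text).items() if EXEC_KEY.match(k)}
    for key, value in launches.items():
        reasons = []
        parts = [p.upper() for p in re.split(r"[\\/]", value)]
        if any(p in BIN_DIRS for p in parts):
            reasons.append("target is inside a Recycle Bin folder")
        sid = SID_DIR.search(value)
        # Assumption: real per-user bin folders use account SIDs (S-1-5-21-...).
        if sid and not sid.group().upper().startswith("S-1-5-21-"):
            reasons.append("folder imitates a SID but is not an account SID")
        if re.search(r"\.(exe|com|scr|pif|bat|cmd|vbs)\b", value, re.I):
            reasons.append("target is an executable or script")
        findings.append((key, value, reasons))
    return findings

if __name__ == "__main__":
    for key, target, reasons in audit(SAMPLE):
        print(f"{key} -> {target}: {'; '.join(reasons) or 'review manually'}")
```

Both launch entries in the quoted file (`open` and `shell\open\command`) are reported with all three reasons; the `icon`, `action` and `shell\open` label entries are ignored because they do not start a program.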
  14. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    Try to find it from regedit.exe, maybe you will see the path where it's hiding ;)
     
  15. luisqcosta

    luisqcosta Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    4
    i have been around regedit for about 1 hour :| no luck.

    I submitted the files to virustotal.com (the files I was able to pack with Total Commander) and the result is here:

    ~VT link removed per Policy~

    28/39 (71.79%)



    How come this is a known virus to NOD32 and it does not find the source? Obviously I have already made dozens of full system scans and in-depth scans with all the options turned to full efficiency.

    regards,

    Luis
     
    Last edited by a moderator: Feb 13, 2009
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Download ESET SysInspector (ESI), create a log, then send it to support("at")eset[dot]com for analysis, they will assist you further. Add in as much information as possible including a link to this thread.

    It may be a case that v3 can't clean it and v4 is needed.
     
  17. luisqcosta

    luisqcosta Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    4
    Thank you Funkydude :) i will try!


    I will let you guys know any updates later.


    Luis
     
  18. billhover

    billhover Registered Member

    Joined:
    May 2, 2009
    Posts:
    1
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you considered installing EAV v4? It has detection of threats on removable media significantly improved and I'm positive it would find and block the threat in question perfectly.
     