December 2nd, 2009 12:00

Another F/P by MBAM? Autorun.inf?

Hi guys.

I just scanned my PC, XP Pro_86 Spk 3, with MBAM database V. 3281, and it detected C:\WINDOWS\System32\autorun.inf 494 KB (file has not been modified since 2007) as a "Malware.Trace".

I ran it through Virus Total, and only McAfee detected it as a Generic!atr.b

Only one person in MBAM Forums has reported this result, but he has not had an answer yet.

 http://www.malwarebytes.org/forums/index.php?showtopic=32381

What do you think? I do not see any strange behaviour in my PC. Could it be another F/P, or did I get infected? I do not know how. I have not downloaded anything in the past 3 or 4 days and I am very selective about what pages I visit.

 

3 Apprentice

 • 

15.3K Posts

December 2nd, 2009 13:00

Hernan,

I tried scanning, and that file was not found on my system.    Since your system is not exhibiting any strange behavior, I would tend to believe it might be a F/P.   I suggest you NOT quarantine anything (yet), and wait for a reply in the thread you cited above.

By the way, did you notice whether the "threat" was detected during the "basic" scanning process, or if it was only found toward the end, in the "extra plus heuristics scanning"?   [You can re-run the scan now, to see].   If during the heuristics scanning, that increases the likelihood that it was a F/P.

3 Apprentice

 • 

15.3K Posts

December 2nd, 2009 14:00

I went to run the scan on another PC, but by the time I did, the MBAM database had already been updated to 3282.   You can try updating to see if this version finds the file again.

On this second PC, I have an autorun.inf file, but it is located in

C:\Program Files\Synaptics\SynTP\Media          (my Synaptics TouchPad).

MBAM did NOT detect my file.

"An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows Operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a volume".

In other words, an autorun file is really a toss-up:   Since it can make a volume (e.g., a memory stick) auto-run a program upon insertion, it has the potential to run malware.   But if used "properly", it can also run a desired program (e.g., auto-boot a program from an inserted CD).

Since an inf file is merely a TEXT file, you should be able (assuming you know how to access/use the command prompt) to enter the directory and TYPE out the contents of the file.  In my case, it contained information to execute a SETUP file --- which can be good or bad, depending on what the SETUP will attempt to do.

The fact that neither your file nor mine was located in the root directory should mitigate any potential impact (good or bad) that the file was intended to have.
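
An added example, not part of the original posts: a small Python reader that does by script what the post above suggests doing by hand, listing the entries in an autorun.inf that would start a program and checking whether the file sits in the root directory of a volume. The sample file contents and the E:\ path are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Keys in [autorun] that cause a program to be started by AutoRun/AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")

def is_volume_root(path):
    """True if the file sits directly in the root directory of a volume."""
    p = PureWindowsPath(path)
    return p.anchor != "" and p.parent == PureWindowsPath(p.anchor)

def launch_commands(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all launch something
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def review(path, text):
    """Summarise what to look at when reading the file by hand."""
    return {"path": path, "in_volume_root": is_volume_root(path),
            "launches": launch_commands(text)}

# Constructed sample, in the style of an installer disc's autorun.inf.
SAMPLE = """; constructed example
[AutoRun]
open=setup.exe /s
icon=setup.exe,0
label=Driver Disc
shell\\install\\command=setup.exe
"""

if __name__ == "__main__":
    for where in (r"C:\WINDOWS\System32\autorun.inf", r"E:\autorun.inf"):
        print(review(where, SAMPLE))
```
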


1K Posts

December 2nd, 2009 14:00

Hi ky331.

Sorry it took me a while to answer you. I was running an Avast Scheduled Boot-Time Scan, and found nothing. Autorun.inf is detected at the end, just when the heuristics exam starts. If I choose the System 32 folder to be scanned by MBAM, nothing is found.

Still no answer in MBAM Forums.

I have not been able to use one of the on-line scanners because my DSL broadband is painfully slow today, waiting for it to pick up speed.

Appreciate your help, thank you.

1K Posts

December 2nd, 2009 15:00

I ran scan with v. 3282 and still found the file.

I posted the scan log in MBAM Forums.

I know what autorun.inf does; that is why it looked to me like a F/P, and also it has not been modified since 2007. However, even though I know how to use run > cmd, I do not know the commands to "TYPE out the contents of the file" in order to find out what my autorun.inf is running in my PC. Any help or instructions will be appreciated.

Thank you again. 

3 Apprentice

 • 

15.3K Posts

December 2nd, 2009 16:00

after doing run > cmd

and the command prompt screen appears, you can key-in the single line

TYPE C:\WINDOWS\System32\autorun.inf

and then hit the ENTER key.

1K Posts

December 2nd, 2009 17:00

ky

Just OPEN the file. I got it. It was a language misunderstanding.

Mine handles some drives (HP, CD/DVD) and some software, most things I could recognise.

Still nothing from MBAM.

Thank you again.

2 Intern

 • 

5.8K Posts

December 2nd, 2009 18:00

The following all point to a false positive:

- A malware "trace" (traces alone, by definition, cannot harm you).
- Presence since 2007, previously undetected
- Detection by heuristics, as previously noted by ky
- No system problems, and detection by a routine scan only
- File cleared by VirusTotal (except for McAfee)

I presume you discovered that *.inf files can be opened and read by text editors such as Notepad. Just out of interest, what did the file say?

I ask only because I have disabled autorun for my CD and DVD drives, as a security measure. Even if a "false positive", it might be wise to delete that file.

 

1K Posts

December 3rd, 2009 08:00

Hi Joe.

Thank you for your response. I could not answer you last night because my PC went crazy with Avast's last update. I had to disconnect from the web in order to disable Avast to be able to uninstall Spy Sweeper, which was seen as a trojan, and other small games.

My file is long and it works for my CD/DVD, HP printer, USB ports in monitor, and other programs. I am still reading, looking for something that does not belong.

Still nothing from MBAM Forums. Another member reported the same finding in the same folder.

Thank you Joe.

1K Posts

December 4th, 2009 05:00

Hi guys.

Installed MBAM 1.42 DB v. 3291 and ran scan. Surprise. No autorun.inf file seen as a malware.trace. Tah tah!

Thank you for your input and advice.

3 Apprentice

 • 

15.3K Posts

December 4th, 2009 06:00

I see there are finally a few responses in your MBAM thread...

citing two comments by Nosirrah (Bruce):

1) "This may be a trace from a lo(n)g ago removed infection , either way it is same [I assume he meant 'safe'] to remove and I cant verify any legit reason for it to be there".

Based on this first statement, he is asserting it was NOT a false positive... it's something that shouldn't have been there... which is why MBAM was detecting it.   However, he subsequently learned and wrote:

2) "I pulled it while looking into claims that HP [printers] may be adding this file".

This second statement would have us conclude it may indeed be a F/P.

 

1K Posts

December 4th, 2009 07:00

Yes. Because of his first remark, I did KIS, BitDefender, and ESET on-line scans, and also a scan with HijackThis, besides the SAS, SS, and Avast scans performed earlier. I was looking for something to give me an idea of how and when, if at all, I really got infected without my knowledge, but everything came out clean. Joe gave me some hope that it was a F/P with his last post, and that the file was related to HP printers according to another user in MBAM Forums.

Anyway, I was just about to quarantine the file when I saw Joe's post announcing the new MBAM version, and decided to leave everything like it was and start new today. I installed the new version this morning (my day off). It did not detect the file, so I posted my findings in MBAM Forums for the benefit of the other member who has quarantined his file, and Nosirrah posted his findings.

I already thanked him for his research on the matter and appreciate your interest in my posts.

Thank you.
