Worm.autorun-1838 in Clam & CSA, profile won't boot.
DSMW7


Joined: 25 Jan 2010
Posts: 0
Location: Ohio
I have a client that keeps getting their ntuser.dat and ntuser.tmp files quarantined because it says they have Worm.Autorun-1838 on them, but I have run all of Clam, Malwarebytes, the MS Malicious Software Removal Tool and the MS Live online scan, and I get nothing detected. This happened about a week ago; I cleaned the machine out, turned off restore points, ran all the cleaners and found nothing. Then it showed up again. Putting these files in quarantine causes his profile not to load, and I don't think I have the ability to just notify instead of quarantine, as Clam is built into the Cisco CSA agent. If I restore them he can boot, but on the next full scan he can't load his profile again.

I rebuilt the user's machine (format and full clean install, scanned all data and moved it back); he worked for a week and now it's happening again. Anyone have any ideas on this?

Is this another false positive? How can I fix it? If it were a false positive, wouldn't it be affecting all my users' machines with Clam and CSA? Running rev. 51/10329 from 1/24/2010.

Any help would be great.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Did you run all those AVs against a copy of the "worm" file? If you didn't, the next time you see it, upload the file to Jotti or VirusTotal to see what their AVs say. Look for detections by McAfee, Microsoft, Symantec, Trend Micro, Avast, Bitdefender, NOD32 and Sophos. If four or more of these see an infection, it is probably a real infection and not a false positive.

Worm infections can be persistent. USB drives are a common source for them. If Jotti/VirusTotal see an infection per above, disable automatic USB access and see if that helps. If it stops the worm, that's the source, and it should be cleaned.

Regards,
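The consensus rule in the reply above (four or more of the named vendors agreeing means a probable real infection, ClamAV alone flagging a file means a probable false positive) can be applied mechanically to a multi-engine scan result. The following is an added example, not code from the forum or from ClamWin; the report layout it parses is an assumed shape, and both sample reports are constructed to mirror the thread.

```python
import json

# Engines whose verdicts the advice above weighs most heavily. Names are
# normalised (lower case, no spaces/hyphens) so "Trend Micro" matches "TrendMicro".
MAJOR_ENGINES = {"mcafee", "microsoft", "symantec", "trendmicro",
                 "avast", "bitdefender", "nod32", "sophos"}
MAJOR_THRESHOLD = 4  # "four or more of these" per the post above


def _norm(name):
    return name.lower().replace(" ", "").replace("-", "")


def parse_scan_report(report_json):
    """Return {engine: detection_name} for every engine that flagged the file.

    The input is an assumed layout: a JSON object with a 'scans' map of
    engine -> {'detected': bool, 'result': str|None}. It is not a real service response.
    """
    report = json.loads(report_json)
    return {engine: entry["result"]
            for engine, entry in report["scans"].items()
            if entry.get("detected") and entry.get("result")}


def triage(hits):
    """Apply the consensus rule: enough major-vendor hits -> probable infection;
    ClamAV as the only engine flagging -> probable false positive; else inconclusive."""
    major = sorted(e for e in hits if _norm(e) in MAJOR_ENGINES)
    if not hits:
        verdict = "clean"
    elif len(major) >= MAJOR_THRESHOLD:
        verdict = "likely-infected"
    elif {_norm(e) for e in hits} == {"clamav"}:
        verdict = "likely-false-positive"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "major_hits": major, "total_hits": len(hits)}


# Constructed sample mirroring the thread: only ClamAV flags the profile hive.
FP_REPORT = json.dumps({"scans": {
    "ClamAV": {"detected": True, "result": "Worm.Autorun-1838"},
    "McAfee": {"detected": False, "result": None},
    "Microsoft": {"detected": False, "result": None},
    "Symantec": {"detected": False, "result": None},
    "Sophos": {"detected": False, "result": None}}})

# Constructed sample of a broad consensus detection (detection names are made up).
REAL_REPORT = json.dumps({"scans": {
    "ClamAV": {"detected": True, "result": "Worm.Autorun-1838"},
    "McAfee": {"detected": True, "result": "Worm.Autorun.sample"},
    "Microsoft": {"detected": True, "result": "Worm.Autorun.sample"},
    "Trend Micro": {"detected": True, "result": "Worm.Autorun.sample"},
    "Sophos": {"detected": True, "result": "Worm.Autorun.sample"},
    "Avast": {"detected": False, "result": None}}})
```

Running `triage(parse_scan_report(FP_REPORT))` yields "likely-false-positive", while the second report crosses the four-vendor threshold and yields "likely-infected".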
DSMW7


Joined: 25 Jan 2010
Posts: 0
Location: Ohio
Yes, I ran the scans on the whole system; if/when this pops up again I will upload the files. The user did say they had used their USB drive, and I was suspicious of that. I also ran McAfee 8.7 with the latest updates. I don't normally like to run both on a machine, as it will slow it down, but for now I left it on there to see if McAfee catches anything else.

Thanks for the information.
Worm.autorun-1838 in Clam w/CSA-Jotti and Virus Total Result
DSMW7


Joined: 25 Jan 2010
Posts: 0
Location: Ohio
Followed instructions. The user said that after updates today he rebooted and couldn't log in again. I ran the sites on his supposed file with the issue and they found nothing; the only one that found anything was Clam again, on both sites. I restored the file and rebooted so he could get back to his profile. Any idea how I should proceed with this? Since ClamAV is embedded in the CSA agent, I have little control over the issue other than restoring it all the time. I have printed the results from Jotti and VirusTotal.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you upload the file to Clam, they can fix the false positive. Also, you could exclude the file (or maybe any container file) from ClamWin's detections via the Filters configuration tab until the FP is fixed.

Regards,
DSMW7


Joined: 25 Jan 2010
Posts: 0
Location: Ohio
I don't have access to the actual Clam exemption area; it's built into the CSA, and there is no control over that on the CSA server that I can find either.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
It might be time to call in a CSA expert.

Regards,