Author Topic: INF:Autorun-G [Trj] Trojan Horse?  (Read 101545 times)


63099703

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #60 on: November 27, 2007, 01:28:41 PM »
Please try again.  I just tried to click the link from a different computer and I was connected!  ???  I don't know why the server was down, especially during daytime their time.  I will be on my way to work later and should be able to log in from my work computer probably an hour later.  I will give you an update after I try in the office from a third computer.  Thanks!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #61 on: November 27, 2007, 02:15:15 PM »
btw: i don't know if this really is useful for you, but i think it could be... download TweakUI from here http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx and disable autoruns by unchecking all related items (see the attachment).. the whole autorun mechanism on fixed disks (and USB drives) is a crappy hole in your system imho... you can leave autoruns allowed on cd-drive (or dvd, of course), nowhere else...

63099703

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #62 on: November 27, 2007, 02:43:25 PM »
Now I am in a pure English OS environment and I have no problem connecting to that Taiwanese site.  That site provided three solutions, from easy to difficult.  I used the first one for the no-brainer.  The second one, EFIX, is an .exe file.  The advantage is that it creates a log file to see what has been done during the removal process.  The third one is for pros.  Very similar to the solution provided by Oldman using OTMoveIt.  The developer recommends using the second solution first and then the first one to make sure everything is cured.  I went directly with the first one since I don't trust .exe files.  Thanks!

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #63 on: November 27, 2007, 03:33:41 PM »
hi 63099703,

I ran a removal tool del_kavo.zip from a Taiwanese site at http://www.cses.chc.edu.tw/teach_doc/how_to_clear_kavo.htm. My computer seems back to normal, at least in the last several hours.  I know it will be hard for everyone to read Chinese so I translate and make some key points here:
1. Download del_kavo.zip from the site and unzip. (don't bother with the Chinese characters.  Just look for the zipfile link)
2. There are several batch files.  We only need two of them.
  1) -Kavo--1.bat ("-" stands for Chinese characters.  You may want to rename this file to 1.bat)
  2) -Kavo--2.bat (rename this file to 2.bat)
3. Steps:
  A. Run 1.bat
    Step 1: you will see several lines of Chinese followed by a DOS prompt.  This step is to remove autorun.inf and ntdelete.com.  Press any key once or twice at the DOS prompt to start
    Step 2: This is to create a C:\Autorun.inf folder.  The purpose of this folder is to provide a destination for the virus files in case you get Kavo.exe again.  Press any key at the DOS prompt to start
    Step: A note asks you to reboot.  Press any key at the DOS prompt to exit DOS
    Step: Reboot
  B. Run 2.bat after reboot
    Step 3: This is to repair the Windows "Show Hidden files" functionality.  Press any key to start
    Step 4: This is to kill Kavo.exe.  Wait for around a minute while the tool automatically removes the Troj.  If it takes more than a couple of minutes, you may want to manually remove Kavo.exe from C:\Windows\Prefetch\
    Step: Completed.  Press any key to exit DOS

At this point, you might want to run an Avast Boot-time Scan to make sure there are no other viruses on your computer.

I am not a tech geek so I am not able to understand how the batch files were written.  As mentioned earlier, my computer doesn't seem to have a problem after running the tool.  Hopefully it has removed Kavo completely.  If someone can read Chinese or understand the DOS language, please provide your opinion to verify this is a cure.  Thanks!

if u saw this message, can u provide us wt a new link as the current link is down.

thanking u for taking the trouble to post the remedies.

regards
michaelong


hi 63099703

i've given the link that u provided a shot and it works.   ;D ;D

the virus (autorun.inf) runs on start up n when i check on my C: drive, the autorun file is no longer there.

it also no longer runs from my E: drive but i can access my E:drive.

luckily my E drive is empty n i believe wt a simple quick formatting might make my drive accessible again.

though i ran both kavo 1.bat and 2.bat, when i search C/windows/prefetch, there's still a trace of kavo residing in the directory.

i haven't run the full scan wt the antivirus n antispyware yet.

i'm posting it 1st to let those that were infected wt this virus know that fixes will be available quite soon.

a sincere thx fr me to u 63099703.

i'll be doing my DSS n HJT scan again n will be posting my log file at my thread at this link

http://forum.avast.com/index.php?topic=31721.0

to verify that it's truly cleaned.

 ;D :D ;D
michaelong
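The posts above describe what the batch files do: delete the autorun.inf that launches the dropped .com file, then create a folder named Autorun.inf on the drive root so the worm cannot write its file back. The following is an added example, not code from the thread or from the del_kavo tool: it parses an autorun.inf (the sample content is constructed to match the shape described here), flags every directive that would launch an executable, and implements the placeholder-folder mitigation.

```python
import os
# Constructed autorun.inf in the shape this thread describes: every action
# directive points at a hidden .com file dropped next to it on the drive root.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=ntdelect.com
shell\\open\\Command=ntdelect.com
shell\\explore\\Command=ntdelect.com
shellexecute=ntdelect.com
"""
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
ACTION_KEYS = {"open", "shellexecute"}  # run on insertion / double-click (XP-era defaults)

def parse_autorun(text):
    """Tolerant INI parse: {lower-cased key: value} from the [autorun] section.
    NUL padding, which infected files often carry, is stripped first."""
    entries, in_section = {}, False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def is_action_key(key):
    # shell\<verb>\command directives also launch a program when that verb is chosen
    return key in ACTION_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))

def suspicious_directives(text):
    """[(key, target)] for every directive whose first token is an executable file."""
    hits = []
    for key, value in parse_autorun(text).items():
        parts = value.split()
        target = parts[0].strip('"') if parts else ""
        if is_action_key(key) and target.lower().endswith(EXEC_EXT):
            hits.append((key, target))
    return hits

def root_is_protected(root):
    """The batch file's trick: a *directory* named autorun.inf at the drive root
    stops the worm from writing its own autorun.inf file there."""
    return os.path.isdir(os.path.join(root, "autorun.inf"))

def protect_root(root):
    """Create that placeholder directory (idempotent; raises if a file of that name exists)."""
    os.makedirs(os.path.join(root, "autorun.inf"), exist_ok=True)
    return root_is_protected(root)
```

Point `suspicious_directives` at the contents of a removable drive's autorun.inf to see which directives would fire; a benign disc label or icon file produces no hits.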



63099703

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #64 on: November 27, 2007, 04:21:14 PM »
once both .bat files run, kavo.exe should be removed automatically.  I think that explains why you couldn't find kavo.  I hope the problem is fixed permanently.  Thanks!

ixjerryxi

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #65 on: November 28, 2007, 06:53:58 AM »
worked for me too, but my IE, Windows Media Player and Windows search function are not working anymore.  Does anyone know how I can fix it?

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #66 on: November 28, 2007, 08:41:49 AM »
hi 63099703,

i'm truly grateful for your kavo remover software which effectively removed the kavo file fr my pc.

initially there was a remnant of kavo.dll in my C/windows/prefetch but it was caught by avast a few hours later when it tried to run.

this time avast managed to move it into the chest.

i checked my C/windows/prefetch folder n it's no longer there.

i even scanned wt OTMoveit n DSS but it's no longer to be found.

but there's still a deposit of the autorun file n ntdelect.com in the registry key as well as on my other drive which i manually deleted.

to those wt this autorun.inf virus problem n those wt an additional partition drive, after running the kavo remover, i'm unable to access my other drive which resulted in me formatting it.

so for those of u who have important files or documents on the other drive, do take extra care wt it as u might lose all your docs or files if u can't access your drive later.

once again, 63099703  ;D ;D your contributions are truly appreciated.

all the best to u

regards
michaelong

63099703

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #67 on: November 28, 2007, 07:58:55 PM »
Michaelong,  sorry for your data loss.  The computer I got infected has only one drive so i wasn't aware that the removal tool would cause other drives to malfunction.  The developers only mention that an autorun.inf folder will be created on each drive.  I guess that remover is still imperfect. I saw you are still working with oldman on another posting.  Hopefully you both can get a better resolution.

ixjerryxi, I haven't tried IE, Media Player and others yet.  I will take a look after work.  I use firefox and it functions well after the troj. was removed.

I think we owe oldman a big thanks for his continuous efforts on this problem.  He is the real pro.  Thanks, oldman.  :)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #68 on: November 28, 2007, 09:48:49 PM »
No, not a pro, just a user like everyone, trying to help.

You posted the fix and  cfisco and michaelong agreed to report the results.

The two had slightly different results though.

cfisco ran the .exe, but also did the auto removal first. In that case, he reported that the reg keys seemed to be reset properly and I saw in the Dss log that the mount points had been cleared. The only thing I found was 1 dll and another file. The second was in the temp folder and set to run at startup.

michaelong I think also ran the .exe, but with less successful results. But I'm not sure if some of it was from trying to access the usb before doing the reg fix. So I can't be sure as to how well it worked. Again 1 dll left.

I think if I were to suggest this fix, I'd do the following

Download both the fix.exe and DSS and the manual checklist
Disconnect from the internet, turn off system restore, plug in the usb device, do a DSS to see what files and mountpoints there were, and backup the registry.

Boot to safe mode, run the fix twice, empty the recycle bin and all temp files, do the manual check, fix what was required, reboot to normal windows, check with DSS. Then take it from there.

About how long did it take to run the fix?


michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #69 on: November 28, 2007, 10:15:01 PM »
hi Oldman,

if u were asking how long it takes to run this kavo fix,

well the answer is only a few seconds.

not sure if this is the answer u need to know.

indeed u r a pro Oldman.

we all owe it to u.

i would be very contented wt my result after seeing that the virus no longer runs during start up n i'm able to run yahoo messenger which i couldn't previously.

only wt your advice n guidance did i manage to find out that it only stops the virus from running during start up but there's still a lot of deposits n fixes that need to be done.

cheers to u Oldman for not giving up on me yet.

also to u 63099703 for ur kavo fix which has temporarily fixed the virus.

without it, i'd still be using my pc wt the virus on my main screen.

all the best to both of u.

regards
michaelong



armageddon42388

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #70 on: November 29, 2007, 12:34:22 AM »
Ok, so I created fix.reg by pasting it into notepad, then saving it as fix.reg as type ALL FILES. When I try to merge, it says:

"Are you sure you want to add the information in C:\Documents and Settings\Stephen Lai\Desktop\fix.reg to the registry?"

Which I choose yes to, and then I get an error saying:

"Cannot import C:\Documents and Settings\Stephen Lai\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor"

What am I doing wrong? Thanks again for your patience and help. :)

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #71 on: November 29, 2007, 01:21:13 AM »
"Are you sure you want to add the information in C:\Documents and Settings\Stephen Lai\Desktop\fix.reg to the registry?"

Which I choose yes to, and then I get an error saying:

"Cannot import C:\Documents and Settings\Stephen Lai\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor"

i'm facing this problem too when i try to merge it.

seems like this is the way it works.

hi Oldman,  correct me if i'm wrong wt the procedure.

thanks
michaelong


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #72 on: November 29, 2007, 02:05:41 AM »
Okay guys, are you copying all the text in the text box including regedit4?

Also make sure there is no space at the top.
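The "not a registry script" error in the two posts above is what regedit gives when the header line is missing. The following is an added example, not part of the thread or of oldman's fix.reg: it checks a .reg file for the things regedit requires (a recognised header on line 1, nothing before it) and can prepend the missing header. The sample script is constructed and is the registry equivalent of Maxx_original's TweakUI advice earlier in the thread (NoDriveTypeAutoRun is a documented Explorer policy value; 0xDF is the mask that leaves only CD/DVD autorun enabled).

```python
import codecs
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# Constructed .reg script: the registry equivalent of the TweakUI advice in this thread.
# NoDriveTypeAutoRun is a bit mask of drive types on which AutoRun is *disabled*;
# 0xDF disables it for every type except CD/DVD (bit 0x20 left clear).
GOOD_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\r\n"
    "\"NoDriveTypeAutoRun\"=dword:000000df\r\n"
)
# The same content pasted into Notepad without its header line, as in the thread.
BAD_REG = GOOD_REG.split("\r\n", 2)[2]

def decode_reg(data):
    """Version 5.00 scripts are normally UTF-16LE with a BOM; REGEDIT4 scripts are ANSI."""
    bom = codecs.BOM_UTF16_LE
    if data.startswith(bom):
        return data[len(bom):].decode("utf-16-le")
    return data.decode("latin-1")

def check_reg_script(data):
    """Return (ok, message): what regedit checks before merging a text .reg file."""
    lines = decode_reg(data).splitlines()
    if not lines or lines[0].strip() == "":
        return False, "blank line or whitespace before the header"
    first = lines[0]
    if first.strip() not in HEADERS:
        return False, "line 1 is not a registry script header (REGEDIT4 missing?)"
    if first != first.strip():
        return False, "whitespace around the header line"
    cont = False  # inside a multi-line hex(...) value continued with a trailing backslash
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if cont:
            cont = s.endswith("\\")
            continue
        if not s or s.startswith(";"):
            continue
        if s.startswith("["):
            if not s.endswith("]"):
                return False, f"line {n}: unterminated key name"
        elif s.startswith(('"', "@")):
            cont = s.endswith("\\")
        else:
            return False, f"line {n}: neither a key nor a value line"
    return True, "valid registry script"

def add_header(data, header="REGEDIT4"):
    """Repair a script that was pasted without its header line."""
    return (header + "\r\n\r\n" + decode_reg(data).lstrip()).encode("latin-1")
```

Run `check_reg_script(open("fix.reg", "rb").read())` before merging; if it reports the missing header, write back the bytes from `add_header` and merge again.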

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #73 on: November 29, 2007, 02:14:49 AM »
hi Oldman,

shy to say that i didn't copy the "regedit4". :-[

i think it's also the same wt armageddon42388 since both of us got the same error message.

i only copied the registry keys n pasted them into notepad.

felt bad for not properly adhering to your instructions.

my apology,
michaelong

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #74 on: November 29, 2007, 02:19:52 AM »
No problem, common error.  :D