Author Topic: INF:Autorun-G [Trj] Trojan Horse?  (Read 100966 times)


armageddon42388

  • Guest
INF:Autorun-G [Trj] Trojan Horse?
« on: November 24, 2007, 04:51:38 AM »
Hello everybody.  My avast! On-Access Scanner has recently detected a trojan horse malware identified as INF:Autorun-G [trj]. It says "C:\autorun.inf contains traces of INF:Autorun-G [trj]!" and another popup gives me options for dealing with it (move/rename, delete, move to chest, no action), but when I pick delete or move to chest, I just get the same message again in a few seconds. VPS version says 071123-0, 11/23/2007, if that helps at all. What do I do?  :-[

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #1 on: November 24, 2007, 12:32:34 PM »
Returning infection over and over again?
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #2 on: November 24, 2007, 03:21:35 PM »
Can you post here the contents of your autorun.inf? You can open it e.g. with Notepad, it's an ASCII file...

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #3 on: November 25, 2007, 07:10:56 AM »
[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
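
As an added example (not code from this thread or from avast), the script below parses the autorun.inf posted above and reports which program each AutoPlay or right-click trigger would launch, flagging the Open/Explore verbs that have been redirected to a runnable; the parser, function names and the benign comparison file are assumptions of mine.

```python
"""Triage an autorun.inf: what does each trigger launch, and are Explorer's
own Open/Explore verbs redirected to run it? (Added example, not from thread.)"""
import re

# Constructed sample: the autorun.inf posted in Reply #3, verbatim.
SAMPLE_INF = r"""[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
"""

# Extensions Windows will execute when named in an autorun command.
RUNNABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.I)

def parse_inf(text):
    """Minimal INI parser; names lowercased (Windows ignores case), ';' = comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text):
    """Map each trigger ('open' = AutoPlay, 'shell\\<verb>' = right-click verb) to its command."""
    autorun = parse_inf(text).get("autorun", {})
    targets = {}
    if "open" in autorun:
        targets["open"] = autorun["open"]
    for key, value in autorun.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            targets["shell\\" + m.group(1)] = value
    return targets

def hijacked_verbs(text):
    """Open/Explore normally just show the drive; a runnable here means even right-click > Explore runs it."""
    targets = launch_targets(text)
    return [v for v in ("open", "explore")
            if RUNNABLE.search(targets.get("shell\\" + v, ""))]
```

The same check can be applied to the autorun.inf in the root of every drive, USB sticks included, which is the set of files the later replies say must all be cleaned.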

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #4 on: November 25, 2007, 07:14:34 AM »
I'm facing the same virus and I posted it according to your request; I opened it with Notepad.

Need your help badly to deal with it!

Wish you a nice weekend.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #5 on: November 25, 2007, 08:43:27 AM »
Here, try this.

Download ERUNT from

http://www.larshederer.homepage.t-online.de/erunt/

and back up your registry.

Then go here and follow the manual removal instructions.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.JRC&VSect=Sn

Just do the manual removal part.

armageddon42388

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #6 on: November 25, 2007, 10:39:06 AM »
Ah! It worked! Thanks a lot!  ;D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #7 on: November 25, 2007, 11:16:52 AM »
You are welcome. Stay safe!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #8 on: November 25, 2007, 02:31:58 PM »
If you are able to locate the file ntdelect.com, send it to virus[at]avast[dot]com in a password-protected archive and fill in "for misak - autorun virus" as the subject...

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #9 on: November 25, 2007, 07:38:12 PM »
Hi Oldman, truly grateful for your reply.

I'm still looking for the link that you provided to download ERUNT.

I don't seem to be able to download ERUNT yet because I can't seem to find the download link.

Will update you later if I manage to do it.

Once again, a thousand thanks for the reply.

Regards,
michaelong

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #10 on: November 25, 2007, 07:40:35 PM »
> I'm still looking for the link that you provided to download ERUNT.
> I don't seem to be able to download ERUNT yet because I can't seem to find the download link.

http://www.snapfiles.com/get/erunt.html
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #11 on: November 25, 2007, 07:49:46 PM »
Hi, just use Tech's link or click on the link in my post. When the page opens, scroll down a bit. The download links are server1, server2, server3. The program you want is on the left.

Good luck!  8)

armageddon42388

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #12 on: November 25, 2007, 11:02:44 PM »
Augh, the problem came back again.  :'( My computer seemed fine last night, but then the next day the virus came back. I did the manual removal instructions again, and the problem is once again solved... for now. But during the process, I couldn't do the following step:

Removing Other Malware Entries from the Registry

   1. Still in Registry Editor, in the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>AutoRun>command
   2. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   3. In the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>explore>Command
   4. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   5. In the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>open>Command
   6. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   7. Close Registry Editor.

This is because I couldn't find an "AutoRun" folder under "HKEY_CLASSES_ROOT". This step does sound pretty important though... And I didn't restart in safe mode, if that's important too.

cfisco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #13 on: November 26, 2007, 01:36:21 AM »
I'm getting the same virus on my laptop. I also tried the manual removal, but like armageddon, I wasn't able to find the AutoRun folder, as well as the "ShowSuperHidden" entry and one other entry. I was in safe mode however.

When I restarted, I searched for "ntdelect.com" and found a file named "NTDELECT.COM-13A42558.pf" under C:\WINDOWS\Prefetch. As I was searching, I got the virus alert again, and an error message about a couple of processes (one is that kavo thing) that cannot be in "read" mode, from which I clicked the button to stop the process.

Not sure what to do here...
Any suggestions?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #14 on: November 26, 2007, 01:49:44 AM »
The biggest thing about doing it in safe mode is that very little else is running; it makes removing things easier. System Restore may be the culprit in this case.

What you should do is boot into safe mode, turn off System Restore on all drives, check the keys and reset the ones needed.

Removing the bad inf files from all the drives is equally important. So you will have to find and check them all, including USB devices, deleting the bad ones.

When done, reboot into normal Windows and turn System Restore back on.

Let us know how it goes.