Topic: INF:Autorun-G [Trj] Trojan Horse?


cfisco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #15 on: November 26, 2007, 01:56:42 AM »
When you say to check the keys and reset the ones needed, do you mean follow the instructions from that other site and change any of the listed keys that I can find in my registry? Or change them back to the original values?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #16 on: November 26, 2007, 02:03:37 AM »
Yes, follow the instructions again. Remove everything you find before restarting.

cfisco

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #17 on: November 26, 2007, 02:11:29 AM »
So..........

This time, when I accessed the registry, the only things I could not find were the "folder" folder and the "AutoRun" folder. Problem is, when I change the other values, approximately 3-5 seconds later, they revert to their original settings.

Is that bad?

Offline oldman

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #18 on: November 26, 2007, 02:36:36 AM »
Not good, something is writing to the reg; I couldn't tell you what though.

The same page offers an auto clean option also.

http://www.trendmicro.com/download/dcs.asp

Might be worth a try. Scroll down to the non-trendmicro users' section (2nd one).

cfisco

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #19 on: November 26, 2007, 04:02:37 AM »
I ran the system cleaner, and it didn't seem to have much luck as far as I can tell.

It reported 4 viruses.
1) Possible "Infost1" in C:\WINDOWS\Help\F3C74E3FA248.dll  --> Can not clean
2) RTKT_ONLINEG.LTZ in ~Local Settings\Temp\ppkyb9.dll --> Success Clean
3) TSPY_ONLINEG.NAA in ~Local Settings\Temp\tasol.dll --> Success Clean
4) TSPY_ONLINEG.LTZ in ~Local Settings\Temporary Internet Files\Content.IE5\ZVDRRLKS\ff[1].exe --> Success Clean

Avast is still popping up because those "Autorun.inf" things keep being created.

Edit: As I mentioned before, the autorun.inf files look like they are trying to run, or are somehow related to, this "ntdelect.com" file. I found the file "NTDELECT.COM-13A42558.pf" in C:\WINDOWS\Prefetch, and since I have no idea what a prefetch is, I'm wondering if I should just delete this file.
« Last Edit: November 26, 2007, 04:06:04 AM by cfisco »

cfisco

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #20 on: November 26, 2007, 06:24:09 AM »
I found a solution to what looks like this virus on the TrendMicro website.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNSPM%2EJS&VSect=Sn

One problem I have: the solution says I must use the recovery console on the Windows installation CD, and I don't have the CD with me. Does anyone know of another way I can safely delete these files from the system root? Once those two files are deleted, it shouldn't be a problem to deal with those registry entries.

Thanks for pointing me in the right direction!

Offline oldman

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #21 on: November 26, 2007, 07:27:45 AM »
As long as you don't have an OEM system, the type bundled with HP, Compaq, Dell, etc., any XP CD will work. There isn't a recovery console in the OEMs.
The recovery console is similar to the old DOS that could be run independent of Windows. I really miss DOS sometimes.


I was going to suggest that you each start your own thread and post a DSS log and maybe we can see what is restoring the files.

The only other option would be to make a floppy that is capable of viewing an NTFS file system with basic DOS commands such as del (delete). Similar to this.

http://www.bootdisk.com/ntfs.htm

Keep us informed as to how things are going, others can use the info you are providing.

PS: if no joy and you want to try

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
« Last Edit: November 26, 2007, 07:30:15 AM by oldman »

michaelong

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #22 on: November 26, 2007, 09:31:00 AM »
Augh, the problem came back again.   My computer seemed fine last night, but then the next day the virus came back. I did the manual removal instructions again, and the problem is once again solved... for now. But during the process, I couldn't do the following step:

Removing Other Malware Entries from the Registry

   1. Still in Registry Editor, in the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>AutoRun>command
   2. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   3. In the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>explore>Command
   4. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   5. In the left panel, double-click the following:
      HKEY_CLASSES_ROOT>AutoRun>2>Shell>open>Command
   6. In the right panel, locate and delete the entry:
      (Default) = "C:\ntdelect.com"
   7. Close Registry Editor.

Because I couldn't find an "AutoRun" folder under "HKEY_CLASSES_ROOT". This step does sound pretty important though... And I didn't restart in safe mode, if that's important too.



i'm facing the abv pro too even though i boot into safe mode wt sys restore being disabled.
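The posts above describe an autorun.inf in the drive root that points Explorer's open/explore/AutoRun verbs at ntdelect.com, which is what Avast's INF:Autorun detection keys on. As an added example (not from this thread, Avast or Trend Micro), here is a small triage parser that lists every directive in an autorun.inf that would launch a program; the sample file is constructed to mirror the thread's description, and ntdelect.com is used only as the name the thread reports.

```python
# Directives in [autorun] that launch a program: on insertion (open,
# shellexecute) or when the drive is opened in Explorer (shell\<verb>\command).
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command",
             "shell\\explore\\command", "shell\\autorun\\command"}

def parse_autorun(text):
    """Return {lowercased key: [values]} for the [autorun] section only."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Keep every value: worm-written files often repeat keys.
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries

def executable_target(value):
    """First token of a command line, unquoted: the program that would run."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def triage_autorun(text):
    """List (directive, program) for every directive that would run code.
    'shell=' is reported too: it re-points Explorer's default double-click verb."""
    entries = parse_autorun(text)
    findings = [(key, executable_target(v))
                for key in sorted(EXEC_KEYS & set(entries)) for v in entries[key]]
    findings += [("shell", v.lower()) for v in entries.get("shell", [])]
    return findings

# Constructed sample mirroring the thread's description; not a real capture.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=ntdelect.com
shellexecute=ntdelect.com
shell\\open\\Command=ntdelect.com
shell\\explore\\Command=ntdelect.com
shell\\AutoRun\\command=ntdelect.com
shell=AutoRun
"""
```

Running `triage_autorun` over the autorun.inf on each affected drive tells you which file the worm re-creates the entries for, which is the file worth hunting before the registry keys are cleaned.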

Offline oldman

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #23 on: November 26, 2007, 02:53:05 PM »
@michaelong

If you have a retail version of XP and the XP disk you can try the solution posted by cfisco. As I mentioned to him, something is rewriting as fast as you are removing.

You can follow the advice I gave him. I know it's not much, but the key is finding and removing the file that is doing the writing.

michaelong

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #24 on: November 26, 2007, 06:22:05 PM »
hi Oldman,

once again, a million thks for all ur patience in helping n guiding us here to solve the problem on this virus issue,

currently my laptop were installed wt the xp home fr the acer recovery cd sp1 which i gradually updated into sp2.

right now, i got the retail xp oem home on hand, so i'll be able to do the recovery.

hopefully i won't be doing something wrong while in the process of recovery as to cause the loss of my things.

will brief u with the outcome of the installation after i'm done.

all the best to u n may luck be wt u all the time.

best regards
michaelong


michaelong

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #25 on: November 26, 2007, 07:15:10 PM »
hi Oldman,

sad to say that i'm unable to boot using recovery console as it was using a command which i'm totally raw at it.

truly hope that u can draw some guideline on how to perform the recovery.

many thx to u once again.


michaelong

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #26 on: November 26, 2007, 07:27:22 PM »
hi Oldman, it was also requesting for my admin password which i've totally forgotten after so long.

but when i enter into the safe mode in the earlier session, it doesnt request for my admin password even when i click the admin logon.

when in the recovery section, the console only detect c drive where my windows is.

it cant detect my e drive although there's no windows in it.

this virus is also infecting my e drive too.

 :'( :'( :'( :'(

this virus is driving me crazy.....

michaelong

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #27 on: November 26, 2007, 07:34:40 PM »
hope u can provide some info too on how safe is my comp now.

i'm able to access the internet n access all my mails as well as chatting in skype,icq but unfortunately i'm not able to do so wt yahoo messenger.

will my user id n password being sent to the recipient of this virus inventor?

sorry if my question start to get out of thread.

this is the only comp i owned.


Offline oldman

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #28 on: November 26, 2007, 07:47:58 PM »
Here's a couple of links for setting up and using the recovery console. They can explain it better than I can. Remember, you are not doing a repair installation. You just want the console to run, so you can attempt to delete the files.

http://www.kellys-korner-xp.com/win_xp_rec.htm

http://support.microsoft.com/kb/314058

http://support.microsoft.com/kb/307654

I just saw your post, just as i was submitting this.

Well, without the admin password, you may be out of luck. Read the articles, maybe someone knows a way around the admin password.

If this is what you got then it's probably been busy.

From the trendmicro page:

Quote
This worm steals user account information, such as user names and passwords, related to popular online games. It does this routine by logging keystrokes. It then sends the gathered information to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine.

Offline oldman

Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #29 on: November 26, 2007, 09:08:39 PM »
What would happen if you did an online scan with trendmicro's online scanner and made a note of the infected files' names and paths and what they were infected with? I may have a small program at home that will allow you to make a bootable floppy disk capable of viewing an NTFS partition with some basic DOS commands. You might be able to delete what you have to that way.

Come guys, we're open to suggestions here.  ;)