Today I am being bugged by an avast! warning, telling me that my system was infected by INF:Autorun-C [trj].
It apparently creates a file root:/autorun.inf in each one of my drives.
I proceed to delete the file, but after a minute it reappears and I get a new warning.
Because I have 4 drives, it creates one in each drive, resulting in corresponding warnings/alerts.
I searched and searched the internet for a reference or info, but to no avail.
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure. Take a special look at step 5.
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
If you are still detecting any strange behavior, or you're even sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda (for XP).
Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
Ok, tried 2-3 things, and it seems I got rid of it.
I firstly made sure that System Restore was deactivated (it was).
Secondly, I ran Spybot Search & Destroy from Safe Mode (found some spyware that were not there 3 days ago, when I had scanned).
Thirdly, I ran CleanUp as per advice from Tech above (cleaned 110MB of junk).
Then I did a full system scan with avast! (didn’t find anything).
After that, I rebooted and voila! - the system was clean!
(I re-ran avast! and Spybot just to make sure)
Thanks for all the help, guys, sorry that I didn’t have the chance to obtain the contents of the “autoexec.inf”.
No problem, the reason I asked was it contains commands that can run other malware or functions (the whole point of the autorun.inf, that really isn't the true problem). From that it might have revealed other hidden elements.
Got the same problem on my PC.
I ran SpyBot S&D in safemode, boot scan with avast!, ran spybot in normal boot mode, ran CleanUp!, still getting autorun.inf problems. I forgot to mention that I also disabled system restore.
Here’s the autorun.inf notepad that I was able to get from it:
[AutoRun]
open=ntde1ect.com
;shell\open=Open(&O)
shell\open\Command=ntde1ect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntde1ect.com
Can anyone help me? I’m about to pull my hair out because of this! >:(
Well you can start by following other actions in Tech’s listed suggestions and work through them.
If you haven’t already done so send a copy of ntde1ect.com to avast.
If you are not getting a virus warning that you believe is a new, undetected virus then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Sorry about my English (I speak Spanish). I suffered an attack by this trojan INF:Autorun-C, but avast doesn't destroy it. I'm changing to other antivirus software because avast is really bad; it shows me a message that the virus was eliminated, but it appears again and again… I'm disappointed because I thought there was no antivirus software better than avast, but it is real garbage, because it doesn't remove a damn thing, how bad… Let's see if you make a bit more effort to develop better products, although, thinking about it, that wouldn't suit you, right??? Because if viruses didn't exist, multimillion-dollar companies like this one wouldn't even exist. Sorry for the frankness, but this virus caused me a lot of harm and losses, just for trusting an antivirus that is good for nothing… If you understand Spanish well, I hope you take the trouble to translate this. Did you know that this antivirus is the second most harmful in Latin America??? Damn trojaaaan…
blah… i don’t understand your language, but the related ntde1ect.com file should be detected soon (or is detected already)… misak has made the detection…
The utility you mention comes up as a trojan.reboot.origin using DrWeb link checker, now this may be because of what the tool does, possibly a reboot after the fix I don’t know.
However VirusTotal only shows 1/32 scanners and that is DrWeb so it is likely that it is OK.
Guys, I did notice something wrong with the Autorun file. Notice the 2nd line “open=ntde1ect.com”, then the 4th line “shell\open\Command=ntde1ect.com” and the 7th line “shell\explore\Command=ntde1ect.com”.
According to me there is no such file called as ntde1ect.com. Alright, notice the difference… “ntde1ect.com” and “ntdelect.com” The latter one is the original file, and “ntde1ect.com” is a virus.
It is common for malware to use names that are very close to genuine names. This, when you look at it, makes you think it is legit. It is also likely that it has an attribute of system file to further hide it from view.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.
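An added example, not part of any post in this thread: the Python below parses autorun.inf text like the file quoted above, lists every key that starts a program, and compares each target's file name against a reference list to catch near-miss names. `KNOWN_NAMES`, the function names and the distance threshold are assumptions made for illustration; `SAMPLE` is constructed from the quoted file.

```python
import re

# Constructed sample: the autorun.inf text quoted in the thread, one key per line.
SAMPLE = r"""[AutoRun]
open=ntde1ect.com
;shell\open=Open(&O)
shell\open\Command=ntde1ect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntde1ect.com
"""

# Assumption: a small reference list of genuine Windows file names to compare against.
KNOWN_NAMES = ["ntdetect.com", "ntldr", "explorer.exe"]

# Keys in [autorun] whose value is a program to start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(text):
    """Return (line_no, key, value) for every program-starting key in [autorun]."""
    found, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "autorun" and sep and LAUNCH_KEY.match(key.strip()):
            found.append((no, key.strip(), value.strip()))
    return found

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(value, known=KNOWN_NAMES, max_dist=2):
    """Known names that the target's file name nearly, but not exactly, matches."""
    name = value.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return [k for k in known if 0 < edit_distance(name, k) <= max_dist]

if __name__ == "__main__":
    for no, key, value in launch_targets(SAMPLE):
        print(f"line {no}: {key} -> {value}  resembles: {lookalikes(value)}")
```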