Hi all,
I keep getting a warning from avast about this malware: “INF:Autorun-F [trj]”. I tell avast to delete it, and it keeps popping up, like every minute.
How can I remove this malware once and for all?
Thanks in advance.
Dr.Mohammed Alani
Can you say what the infected file name is and where it was found (e.g. C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (See the About dialog of avast!.)
If it is an autorun.inf file, can you open it in Notepad and post the contents?
Follow this thread: http://forum.avast.com/index.php?topic=31671.0 . You can find help there. I think the problem is quite similar.
Hi,
Thank you so much for showing me the way. The other thread was useful and it worked fine for me, except that the problematic file was not “ntdelect.com”, it was “ntde1ect.com”.
Thanks again for the quick response.
Dr.Mohammed
Are you clean now? Do you need further help?
Thank you, the computer is clean now, although I got re-infected through my flash stick, but I got around it and re-cleaned the stuff.
Thanks again.
Hi again everyone,
It seems I was not so lucky to get rid of the worm completely. My desktop at the college is completely clean, as I have said before, but I have found out that the same worm is on my laptop at home.
I tried to do the exact steps that I did on the other computer, but it did not work properly.
The file name is avpo.exe and it is in the system32 folder inside windows. The file on the root supporting the worm is called ntde1ect.com, and the problem goes as follows:
After cleaning the registry records as shown in the procedure, I have the problem of not being able to access C: or D: from My Computer. It says that the file is not associated with a program to open it!
So I did the rest of the deleting of autorun.inf, ntde1ect.com and avpo.exe through the command prompt by using “dir /a:h”, changing the attributes of the files with “attrib” and then deleting the files that I needed to. The problem is that even after I delete the files and restart, I still cannot view hidden files and the worm is back. There is another file that supports it, I think, and it is in the system32 folder too. This file is called “avpo0.dll”. I could not delete this file from the command prompt as it says “access is denied”, even after I set the attributes to read/write and unhid the file. So I tried to rename and move the file somewhere else, and still when I restart I have all the sh*t back again.
Any suggestions anyone?
Dr.Mohammed
Disable autorun to stop the re-infection until reliable detection of your Autorun variant is added…
Thanks for the advice…
The problem is that whenever I change the registry value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
from “91” to “95” to disable autorun, it goes back to 91 again in a few seconds!
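The post above changes NoDriveTypeAutoRun by hand and watches it revert. The script below is an added example, not code from this thread or from avast: it sets the value for every drive type (0xFF rather than 0x95) in both the user and machine policy keys, decodes what each bit blocks, and then re-reads the value for a minute so a revert like the one described becomes visible instead of being discovered later. It also adds the IniFileMapping entry for Autorun.inf, a separate, widely used way to stop Windows from reading autorun.inf at all; that step goes beyond what the thread discusses. It assumes Windows PowerShell run as Administrator (the HKLM writes need it); the bit meanings follow the DRIVE_* drive type codes.

```powershell
# Added example (not from the thread): disable AutoRun for all drive types and
# detect something resetting the value. Run in an elevated Windows PowerShell.

$paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$name = 'NoDriveTypeAutoRun'
$want = 0xFF   # each set bit disables AutoRun for one drive type; 0xFF disables all

# Bit layout of the mask (DRIVE_* type codes). 0x91 = reserved+network+unknown,
# which leaves removable drives (0x04) enabled; 0x95 adds that bit, 0xFF blocks all.
function Show-AutoRunMask([int]$v) {
    $types = [ordered]@{
        0x01 = 'unknown'; 0x04 = 'removable'; 0x08 = 'fixed'; 0x10 = 'network'
        0x20 = 'cdrom';   0x40 = 'ramdisk';   0x80 = 'reserved'
    }
    $blocked = $types.Keys | Where-Object { $v -band $_ } | ForEach-Object { $types[$_] }
    '0x{0:X2} blocks: {1}' -f $v, ($blocked -join ', ')
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $before = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $before) { "$p was " + (Show-AutoRunMask $before) }
    Set-ItemProperty -Path $p -Name $name -Value $want -Type DWord
    "$p now " + (Show-AutoRunMask ((Get-ItemProperty -Path $p -Name $name).$name))
}

# Belt and braces (beyond the thread): map Autorun.inf to a registry location that
# does not exist, so the shell never honours the file regardless of the policy bits.
$ini = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
if (-not (Test-Path $ini)) { New-Item -Path $ini -Force | Out-Null }
Set-ItemProperty -Path $ini -Name '(Default)' -Value '@SYS:DoesNotExist'

# Re-check for a minute. A value that snaps back means a process is still running
# and rewriting it; registry cleanup will not stick until that process is stopped
# (for example from Safe Mode), which is the situation the post describes.
1..12 | ForEach-Object {
    Start-Sleep -Seconds 5
    foreach ($p in $paths) {
        $now = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
        if ($now -ne $want) {
            Write-Warning ("{0}\{1} is now {2} (expected 0x{3:X2}): something is resetting it" -f $p, $name, $now, $want)
        }
    }
}
```

If the warning fires, note which value it reports: a return to 0x91 inside a few seconds is the behaviour the post describes and points at a live process rather than a typo in the edit.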
If you post a DSS log, I will see if I can write a fix for you if you wish.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you choose to go ahead you will also need this program:
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop. Don’t run this yet, you will need it later.
Hi again,
I have got around it. Before I started doing the steps that you told me, I looked thoroughly for the worm files I told you about and I did not manage to find them. So, the deletion actually worked and the only problem that I had left was the viewing of hidden files and the worm was erased even from the registry.
So, my conclusion for others who have the same problem is to follow the same steps mentioned here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.JRC&VSect=Sn
except for the part “Removing Other Malware Entries from the Registry”: I could not find the entries in the same places as mentioned, so I ran a search through the whole registry looking for the word “ntde1ect.com” instead of “ntdelect.com”.
And after deleting autorun.inf, the files that need to be deleted are these two:
avpo.exe
avpo0.dll
both are in the windows\system32 folder.
Thank you all for the help, guys. One thing I fail to understand is why avast did not give me a warning when I plugged in the infected flash stick?!
I updated avast only two days prior to the incident.
Dr.Mohammed
Glad to see you got it sorted out.
I’d like to add to your list of files to look for:
avpo1.dll, avpo2.dll, avpo3.dll, avpo4.dll… up to avpo9.dll
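The cleanup in the posts above was done by hand with dir /a:h and attrib, and the symptoms (drives that will not open from My Computer, hidden files that stay invisible, a DLL that cannot be deleted) were worked out one at a time. The script below is an added example, not code from this thread, avast or Trend Micro. It audits every drive root for autorun.inf and prints the target it would launch, lists hidden+system files beside it, checks System32 for the file names given in this thread (avpo.exe, avpo0.dll through avpo9.dll) and reports which running process has each DLL loaded (the usual reason for “access is denied” on delete), and restores the Explorer hidden-file settings. It reports rather than deletes; the registry paths for the hidden-file view are standard Explorer settings, and the assumption that a hijacked shell\open\command in autorun.inf is what the drive double-click failure looked like is mine, not the poster's. Run in an elevated Windows PowerShell.

```powershell
# Added example (not from the thread): audit autorun.inf payloads, the worm file
# names listed in the thread, and Explorer's hidden-file view. Elevated PowerShell.

$wormNames = @('avpo.exe', 'avpo0.dll') + (1..9 | ForEach-Object { "avpo$_.dll" })  # from the thread
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. autorun.inf in each drive root. open=, shellexecute= and shell\...\command=
#    name the payload; a shell\open\command entry also replaces what Explorer does
#    when the drive is double-clicked, which is one way a drive "cannot be opened".
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $attr = (Get-Item -LiteralPath $inf -Force).Attributes
    "$inf  [$attr]"
    Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$') {
            "    {0} -> {1}" -f $Matches[1], $Matches[2].Trim()
        }
    }
    # the launched file normally sits next to autorun.inf with Hidden+System set
    Get-ChildItem -LiteralPath $d.Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       ($_.Attributes -band [IO.FileAttributes]::System) } |
        ForEach-Object { "    hidden+system in root: $($_.Name)" }
}

# 2. thread-listed components in System32, and which process holds each one open.
#    A DLL loaded into a running process cannot be deleted; stop that process
#    (or boot to Safe Mode) first, then remove the file.
foreach ($n in $wormNames) {
    $f = Join-Path $sys32 $n
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $holders = Get-Process | Where-Object {
        try { $_.Modules.ModuleName -contains $n } catch { $false }   # protected processes throw
    } | ForEach-Object { "$($_.Name) (PID $($_.Id))" }
    "$f present; loaded by: " + $(if ($holders) { $holders -join ', ' } else { 'nothing' })
}

# 3. Explorer hidden-file view. The per-user values are what the Folder Options
#    dialog writes; CheckedValue under SHOWALL is what the "Show hidden files"
#    radio button reads, and a tampered value makes the choice silently not stick.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # show hidden files
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # show protected OS files
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if (Test-Path $showall) {
    Set-ItemProperty -Path $showall -Name CheckedValue -Value 1 -Type DWord
}
'Done. Restart Explorer (or log off) for the view settings to take effect.'
```

The order matters for the situation in the thread: identify the process holding avpo0.dll and stop it before deleting files or editing the registry, otherwise the running component recreates autorun.inf and ntde1ect.com on every drive it sees, and the next flash stick plugged in carries it back.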