Hello everybody. My avast! On-Access Scanner has recently detected a trojan horse malware identified as INF:Autorun-G [trj]. It says “C:\autorun.inf contains traces of INF:Autorun-G [trj]!” and another popup giving me options of dealing with it (move/rename, delete, move to chest, no action), but when I pick delete or move to chest, I just get the same message again in a few seconds. VPS version says 071123-0, 11/23/2007, if that helps at all. What do I do? :-[
Returning infection over and over again?
I suggest:
- Disable System Restore and reenable it after step 3.
- Clean your temporary files.
- Schedule a boot time scanning with avast with archive scanning turned on.
- Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
- Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
- Immunize your system with SpywareBlaster or Windows Advanced Care.
- Check if you have insecure applications with Secunia Software Inspector.
Can you post here the contents of your autorun.inf? You can open it e.g. with Notepad, it’s an ASCII file…
[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com
I’m facing the same virus and I posted it according to your request; I opened it with Notepad.
Need your help badly to deal with it!
Wish you have a nice weekend.
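To make sense of the autorun.inf posted above: it is an INI-style file, and the suspicious pattern is that every action (the open= key, plus the Command of the open and explore verbs) points at the same executable in the drive root. Below is an added triage script (my own example, not avast’s or Trend Micro’s tooling) that parses such a file and flags exactly that; the sample input is constructed from the thread and the key names follow the autorun.inf format.

```python
"""Triage helper for autorun.inf files (added example, constructed for this thread)."""
import re

# Sample autorun.inf reconstructed from the contents posted in the thread (constructed test input).
SAMPLE = """[AutoRun]
open=ntdelect.com
;shell\\open=Open(&O)
shell\\open\\Command=ntdelect.com
shell\\open\\Default=1
;shell\\explore=Manager(&X)
shell\\explore\\Command=ntdelect.com
"""

EXEC_EXT = re.compile(r"\.(com|exe|bat|cmd|pif|scr|vbs)\b", re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute")  # keys that launch a program directly on insert/double-click

def parse_autorun(text):
    """Return {section: {key: value}} with keys lower-cased; lines starting with ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def triage(text):
    """Return a list of findings describing how the [AutoRun] section would launch code."""
    findings, targets = [], {}
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        launches = key in LAUNCH_KEYS or key.endswith("\\command")
        if launches and EXEC_EXT.search(value):
            findings.append(f"{key} launches executable '{value}'")
            targets.setdefault(value.lower(), []).append(key)
    for target, keys in targets.items():
        if len(keys) > 1:  # one payload wired to several actions is the worm pattern seen here
            findings.append(f"'{target}' is wired to {len(keys)} actions: {', '.join(keys)}")
    if "shell\\open\\default" in autorun and "shell\\open\\command" in autorun:
        findings.append("shell\\open is made the default verb, so double-clicking the drive runs its Command")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

A clean disc or USB stick normally carries only icon= and label= (or a single open= pointing at a setup program), so an empty or one-line result is what you should expect from legitimate media.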
Here try this.
Download ERUNT from
http://www.larshederer.homepage.t-online.de/erunt/
and backup your registry
Then go here and do the manual removal instructions from here.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.JRC&VSect=Sn
Just do the manual removal part.
Ah! It worked! Thanks a lot! ;D
You are welcome. Stay safe!
If you are able to locate the file ntdelect.com, send it to virus[at]avast[dot]com in a password-protected archive and fill in “for misak - autorun virus” as the subject…
Hi Oldman, truly grateful for your reply.
I’m still looking for the link that you provided to download ERUNT.
It seems I am not able to download ERUNT yet because I cannot find the download link.
Will update you later if I manage to do it.
Once again, a thousand thanks for the reply.
regards
michaelong
Hi, just use Tech’s link or click on the link in my post. When the page opens, scroll down a bit. The download links are server1, server2, server3; the program you want is on the left.
Good luck! 8)
Augh, the problem came back again. My computer seemed fine last night, but then the next day the virus came back. I did the manual removal instructions again, and the problem is once again solved… for now. But during the process, I couldn’t do the following step:
Removing Other Malware Entries from the Registry
- Still in Registry Editor, in the left panel, double-click the following: HKEY_CLASSES_ROOT>AutoRun>2>Shell>AutoRun>command
- In the right panel, locate and delete the entry: (Default) = “C:\ntdelect.com”
- In the left panel, double-click the following: HKEY_CLASSES_ROOT>AutoRun>2>Shell>explore>Command
- In the right panel, locate and delete the entry: (Default) = “C:\ntdelect.com”
- In the left panel, double-click the following: HKEY_CLASSES_ROOT>AutoRun>2>Shell>open>Command
- In the right panel, locate and delete the entry: (Default) = “C:\ntdelect.com”
- Close Registry Editor.
Because I couldn’t find an “AutoRun” folder under “HKEY_CLASSES_ROOT”. This step does sound pretty important though… And I didn’t restart in safe mode, if that’s important too.
I’m getting the same virus on my laptop. I also tried the manual removal, but like armageddon, I wasn’t able to find the AutoRun folder, as well as the “ShowSuperHidden” entry and one other entry. I was in safe mode however.
When I restarted, I searched for “ntdelect.com” and found a file named “NTDELECT.COM-13A42558.pf” under C:\WINDOWS\Prefetch. As I was searching, I got the virus alert again, and an error message about a couple of processes (one is that kavo thing) that cannot be in “read” mode, from which I clicked the button to stop the process.
Not sure what to do here…
Any suggestions?
The biggest thing about doing it in safe mode is that very little else is running, which makes removing things easier. System restore may be the culprit in this case.
What you should do is boot into safe mode, turn off system restore on all drives, check the keys and reset the ones needed.
Removing the bad ini files from all the drives is equally important. So you will have to find and check them all, including USB devices, deleting the bad ones.
When done, reboot into normal Windows and turn system restore back on.
Let us know how it goes.
When you say to check the keys and reset the ones needed, do you mean follow the instructions from that other site and change any of the listed keys that I can find in my registry? Or change them back to the original values?
Yes, follow the instructions again. Remove everything you find before restarting.
So…
This time, when I accessed the registry, the only things I could not find were the “folder” folder and the “AutoRun” folder. Problem is, when I change the other values, approximately 3-5 seconds later, they revert to their original settings.
Is that bad?
Not good, something is writing to the registry; I couldn’t tell you what, though.
The same page offers an auto clean option also.
http://www.trendmicro.com/download/dcs.asp
Might be worth a try. Scroll down to the non-Trend Micro users’ section (the 2nd one).
I ran the system cleaner, and it didn’t seem to have much luck as far as I can tell.
It reported 4 viruses.
- Possible “Infost1” in C:\WINDOWS\Help\F3C74E3FA248.dll → Can not clean
- RTKT_ONLINEG.LTZ in ~Local Settings\Temp\ppkyb9.dll → Success Clean
- TSPY_ONLINEG.NAA in ~Local Settings\Temp\tasol.dll → Success Clean
- TSPY_ONLINEG.LTZ in ~Local Settings\Temporary Internet Files\Content.IE5\ZVDRRLKS\ff[1].exe → Success Clean
Avast is still popping up because those “Autorun.inf” things keep being created.
Edit: As I mentioned before, the autorun.inf files look like they are trying to run, or are somehow related to, this “ntdelect.com” file. I found the file “NTDELECT.COM-13A42558.pf” in C:\WINDOWS\Prefetch, and since I have no idea what a prefetch is, I’m wondering if I should just delete this file.