INF:Autorun-G [Trj] Trojan Horse?

Please try again. I just tried to click the link from a different computer and I was connected! ??? I don’t know why the server was down, especially during daytime their time. I will be on my way to work later and should be able to log in from my work computer probably an hour later. I will give you an update after I try in the office from a third computer. Thanks!

btw: i don’t know if this really is useful for you, but i think it could be… download TweakUI from here http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx and disable autoruns via unchecking all related items (see it in attachment)… the whole autorun mechanism on fixed disks (and USB drives) is a crappy hole to your system imho… you can let autoruns allowed on cd-drive (or dvd, of course), nowhere else…
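Added example (not part of the post above): Windows keeps a per-drive-type AutoRun policy in the `NoDriveTypeAutoRun` value under `...\CurrentVersion\Policies\Explorer`, where a set bit disables AutoRun for that drive type. This Python sketch audits a `reg query` result against the "CD/DVD only" setting the post recommends; the sample output and function names are constructed for illustration.

```python
import re

# NoDriveTypeAutoRun bit meanings: a SET bit DISABLES AutoRun for that type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "cdrom",
              0x40: "ramdisk", 0x80: "reserved"}

VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)")

# Constructed sample of `reg query <key> /v NoDriveTypeAutoRun` output.
SAMPLE = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\Explorer\n"
    "    NoDriveTypeAutoRun    REG_DWORD    0x91\n"
)

def parse_mask(reg_query_output):
    """Return the policy DWORD as an int, or None if the value is absent."""
    m = VALUE_RE.search(reg_query_output)
    return int(m.group(1), 16) if m else None

def autorun_enabled(mask):
    """Drive types whose disable bit is clear, i.e. AutoRun still fires."""
    return {name for bit, name in DRIVE_BITS.items() if not mask & bit}

def mask_allowing(allowed):
    """Policy value that disables AutoRun everywhere except `allowed` types."""
    mask = 0
    for bit, name in DRIVE_BITS.items():
        if name not in allowed:
            mask |= bit
    return mask

def audit(reg_query_output, allowed=frozenset({"cdrom"})):
    """Sorted drive types that AutoRun but should not; None if no policy set."""
    mask = parse_mask(reg_query_output)
    if mask is None:
        return None
    return sorted(autorun_enabled(mask) - set(allowed))

if __name__ == "__main__":
    print("still auto-running:", audit(SAMPLE))
    print("hardened value: 0x%02X" % mask_allowing({"cdrom"}))
```
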

Now I am in a pure English OS environment and I have no problem connecting to that Taiwanese site. That site provided three solutions, from easy to difficult. I used the first one for the no-brainer. Second one, EFIX, is an .exe file. The advantage is that it creates a log file to see what has been done during the removing process. The third one is for pro. Very similar to the solution provided by Oldman using OTMoveIt. The developer recommends using second solution first and then the first one to make sure everything is cured. I went directly with the first one since I don’t trust .exe file. Thanks!

hi 63099703

i’ve given the link that u provided a shot by and it works. ;D ;D

the virus (autorun.inf) runs on start up n when i check on my C: drive, the autorun file is no longer there.

it also no longer runs from my E: drive but i can access my E:drive.

luckily my E drive is empty n i believe wt a simple quick formatting might make my drive accessible again.

though i run both kavo .1 bat .2bat, when i search for the C/windows/prefetch, there’s still a trace of kavo residing in the directory.

i haven’t run the full scan wt the antivirus n antispyware yet.

i’m posting it 1st to let those that were infected wt this virus that fixes would be available quite soon.

a sincere thx fr me to u 63099703.

i’ll be doing my DSS n HJT scan again n will be posting my log file at my thread at this link

http://forum.avast.com/index.php?topic=31721.0

to be verify that it’s truly cleaned.

;D :smiley: ;D
michaelong

once both .bat files run, kavo.exe should be removed automatically. I think that explains why you couldn’t find kavo. I hope the problem is fixed permanently. Thanks!

worked for me too, but my IE, Windows Media Player and Windows search function is not working anymore. Does anyone know how I can fix it?

hi 63099703,

i’m truly grateful for your kavo remover software which effectively remove the kavo file fr my pc.

initially there’s a remnant of kavo.dll in my C/windows/prefetch but it was caught by avast few hours later when it try to run.

this time avast managed to move it into chest.

i check on my C/windows/prefetch folder n its longer there.

i even scan wt OTMoveit n DSS but no longer to be found.

but there’s still a deposit of autorun file n ntdelect.com in the registry key as well as my other drive which i manualy delete it.

to those wt this autorun.inf virus problem n those wt additional partition drive, after running the kavo remover,

i’m unable to access my other drive which resulting me in formatting.

so for those of u who got important file or documents in the other drive, do take extra care wt it as u might lost all your

doc or file if u cant access your drive later.

once again, 63099703 ;D ;D your contribution are truly appreciated.

all the best to u

regards
michaelong

Michaelong, sorry for your data loss. The computer I got infected has only one drive so I wasn’t aware that removal tool would cause other drives malfunction. The developers only address that an autorun.inf folder will be created to each drive. I guess that remover is still imperfect. I saw you are still working with oldman on another posting. Hopefully you both can get a better resolution.

ixjerryxi, I haven’t tried IE, Media Player and others yet. I will take a look after work. I use firefox and it functions well after troj. removed.

I think we owe oldman a big thank for his continuous efforts on this problem. He is the real pro. Thanks, oldman. :slight_smile:

No, not a pro, just a user like everyone, trying to help.

You posted the fix and cfisco and michaelong agreed to report the results.

The two had slightly different results though.

cfisco ran the .exe, but also did the auto removal first. In that case, he reported that the reg keys seemed to be reset properly and I saw in the Dss log that the mount points had been cleared. The only thing I found was 1 dll and another file. The second was in the temp folder and set to run at startup.

michaelong I think also ran the .exe, but with less successful results. But I’m not sure if some of it was from trying to access the usb before doing the reg fix. So I can’t be sure as to how well it worked. Again 1 dll left.

I think if I were to suggest this fix, I’d do the following

Download both the fix.exe and DSS and the manual checklist
Disconnect from the internet, turn off system restore, plug in the usb device, do a DSS to see what files and mountpoints where, and backup the registry.

Boot to safe mode, run the fix twice, empty the recycle bin and all temp files, do the manual check, fix what was required, reboot to normal windows, check with DSS. Then take it from there.

About how long did it take to run the fix?

hi Oldman,

if u were asking how long to run this kavo fix,

well the answer is only few seconds.

not sure if this is the answer u need to know.

indeed u r a pro Oldman.

we all owe it to u.

i would be very contented wt my result after seeing that the virus no longer runs during start up n i’m able to runs

yahoo messenger which i cant previously.

only wt your advice n guidance that i manage to found out that it only stops the virus from running during start up

but there’s still a lot of deposit n fixes need to be done.

cheers to u Oldman for not giving up on me yet.

also to u 63099703 for ur kavo fix which has temporary fixed the virus.

without it, i’ll still be using my pc wt virus in my main screen.

all the best to both of u.

regards
michaelong

Ok, so I created fix.reg by pasting it into notepad, then saving it as fix.reg as type ALL FILES. When I try to merge, it says:

“Are you sure you want to add the information in C:\Documents and Settings\Stephen Lai\Desktop\fix.reg to the registry?”

Which I choose yes to, and then I get an error saying:

“Cannot import C:\Documents and Settings\Stephen Lai\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor”

What am I doing wrong? Thanks again for your patience and help. :slight_smile:

“Are you sure you want to add the information in C:\Documents and Settings\Stephen Lai\Desktop\fix.reg to the registry?”

Which I choose yes to, and then I get an error saying:

“Cannot import C:\Documents and Settings\Stephen Lai\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor”

i’m facing this problem too when i try to merge it.

seems like this is the way it works.

hi Oldman, correct me if i’m wrong wt the procedure.

thanks
michaelong

Okay guys, are you copying all the text in the text box including regedit4?

Also make sure there is no space at the top.

hi Oldman,

shy to say that i didnt copy the ‘‘regedit4’’. :-[

i think it also the same wt armageddon42388 since both of us get the same error message.

i only copy the registry keys n paste it into notepad.

felt bad for not properly adhere to your instruction.

my apology,
michaelong

No problem, common error. :smiley:

Unfortunately, I did copy the regedit4 also, and am still getting the error message. This is what I copy and paste into notepad:

Regedit4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kava"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56c187be-8d46-11db-98e9-0018de45e983}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d4c22b4-af82-11db-991e-0018de45e983}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c480a712-bec9-11db-9930-0018de45e983}]

Then I save as fix.reg on desktop, as file type all. :frowning:

hmm…I don’t think it matters, but try all capitals in REGEDIT4

Or replace regedit4 with

Windows Registry Editor Version 5.00

Some computers just won’t allow the editor to run, I’m still looking for the reason.

If neither solution works, let me know. We’ll do it manually since you will be in the reg anyway.

Hahaha, I changed it to capitals, and it worked! ;D I followed all the steps, including the manual removal (still couldn’t find an autorun folder), and it seems to have taken care of the virus… But that’s what I thought last time before it came back. So I will update you guys on how it is later. Thanks again!

Hey you’re welcome. Hope it works for you. Let us know. Thanks for letting me know about the caps, I never thought about it before, I just wrote them. Maybe that’s why I couldn’t get it work sometimes. ???
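Added example (not part of any post in this thread): a small Python pre-flight check for a pasted `.reg` script that catches the three mistakes the posts above ran into, namely a missing header line, a header in the wrong letter case, and blank space above the header, plus typographic quotes picked up from a web page. The function name and sample text are constructed for illustration.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# "[HIVE\sub\key]" or "[-HIVE\sub\key]" (the leading "-" deletes the key).
KEY_RE = re.compile(r"^\[-?([^\\\]]+)(\\[^\]]*)?\]$")

# Constructed sample modelled on the script pasted in the thread.
SAMPLE = ("Regedit4\n\n"
          "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
          "\u201ckava\u201d=-\n")

def lint_reg(text):
    """Return a list of (line_number, problem) for a pasted .reg script."""
    lines = text.lstrip("\ufeff").splitlines()  # ignore a byte-order mark
    if not lines:
        return [(1, "empty file")]
    problems = []
    first = lines[0]
    if first not in HEADERS:
        if not first.strip():
            problems.append((1, "blank line before the header"))
        elif first != first.strip():
            problems.append((1, "whitespace around the header"))
        elif first.upper() in (h.upper() for h in HEADERS):
            problems.append((1, "header has wrong letter case"))
        elif first.startswith("["):
            problems.append((1, "header line missing"))
        else:
            problems.append((1, "unrecognised header"))
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if any(q in s for q in "\u201c\u201d\u2018\u2019"):
            problems.append((n, "typographic quotes"))
        if s.startswith("["):
            m = KEY_RE.match(s)
            if not m or m.group(1).upper() not in HIVES:
                problems.append((n, "malformed key path"))
    return problems

if __name__ == "__main__":
    for lineno, problem in lint_reg(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```
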

I have the same problem with INF:autorun-G. Could someone help me??? I have Avast, but it can’t erase it. It always appears again and again.