adamant autorun.inf and its executable

July 31, 2012 at 07:32:38
Specs: XP, 3.0/512
Cannot delete autorun.inf and its executable permanently in my C:, D: and USB.
combofix: finds and on reboot just hangs for hours
malwarebytes: finds but does not delete on reboot
tdsskiller: no threats
manual delete: executable gets deleted, but autorun.inf cannot be deleted as it is being used. Tried changing attrib etc., still unable to delete, and a few other programs as well.
Finally the combination of the following deletes the 2 files:
avenger.exe with a list of files to delete, although on reboot the report does not show any files deleted,
BUT only for 20 minutes; autorun.inf and an executable with a different name just come back again. Somebody please help me delete the virus that creates the autorun.inf and its executable.

July 31, 2012 at 16:15:15
This might be of interest:

Unfortunately I cannot vouch for it personally, so use at your own risk.

Always pop back and let us know the outcome - thanks

July 31, 2012 at 21:33:39
Yes, I tried Autoeater now. It deleted the autorun.inf, but it comes back again and is detected again by Autoeater, and the cycle continues. Something else (a virus) is creating the autorun.inf again. I need help to detect and remove that virus and then delete the autorun.inf.

August 1, 2012 at 07:00:16
Yes, I think you are right - probably a rootkit.

Download and install Rkill:

Download and install TDSS killer:

Download and install that Autoeater again (if it is not still in situ):

Download and install MalwareBytes:
(untick any unwanted toolbars or other goodies it might offer during install).

Go to Safe Mode (tap F8 while booting and select from list).

Run Rkill and keep it running while you do the following:
Run TDSS killer.
Run Autoeater again.
Run MalwareBytes.

See how you get on.

Always pop back and let us know the outcome - thanks

August 1, 2012 at 08:20:08
Files all ready to run. However, I cannot get into safe mode.
It just reboots; I tried safe mode with and without networking.
Shall I run in normal mode?

OK, I did run in normal mode.
The Rkill finished quickly.
Tdsskiller: No threats
Autoeater: keeps finding autorun.inf and I keep deleting
Malwarebytes: found the executable files and deleted them
However, a new autorun.inf is being created along with randomly named exe and pif files.
Rkill.txt as below:
Rkill 2.0.2 by Lawrence Abrams (Grinler)
Copyright 2008-2012
More Information about Rkill can be found at this link:

Program started at: 08/01/2012 07:19:37 PM in x86 mode.
Windows Version: Windows XP

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* No malware processes found to kill.

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* No issues found.

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/01/2012 07:19:49 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)

Problem still at large.

August 1, 2012 at 15:55:54
Probably a new variant and I'm out of ideas.

Maybe someone else will help but in the meantime you could try the additional two programs given in post #3 on here:

Always pop back and let us know the outcome - thanks

August 1, 2012 at 18:24:39
Just one further (probably far too simple) thought. You said that the dodgy files came back after 20 minutes. Were there any other USB storage devices running during that time? I was wondering if you were getting re-infected from a USB HD Drive or Flash Drive.

Always pop back and let us know the outcome - thanks

August 2, 2012 at 00:29:38
Tried as you recommended in post 5, to no avail.
The USB flash was not plugged in at all.
But I am pretty sure I got infected via the USB.
Can anybody help?

Once it is cleaned with Rkill, Autoeater, MBAM I was clean for a while (overnight) and I browsed using Firefox and was OK.
But when I run any VoIP-related app like Rynga or VoipDiscount, the autorun.inf file is created immediately (picked up by Autoeater running in the background). So I cleaned again and ran Process Monitor before I ran Rynga, and sure enough here is autorun.inf again with a time stamp. So I have the log file of Process Monitor if anybody knows how to decipher it.

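One way to read such a Process Monitor log, as an added example that is not part of the original thread: save the capture as CSV and list the processes that created or wrote an autorun.inf. The sample rows, process names and PIDs are constructed, and the column names assume Process Monitor's default CSV export layout.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV column layout.
# Process names, PIDs and paths are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:41:02.10 PM","rynga.exe","1820","ReadFile","C:\Program Files\Rynga\rynga.dat","SUCCESS","Offset: 0, Length: 4,096"
"7:41:03.20 PM","explorer.exe","1480","CreateFile","C:\autorun.inf","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"7:41:05.30 PM","unknown_writer.exe","2044","CreateFile","C:\autorun.inf","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"7:41:05.31 PM","unknown_writer.exe","2044","WriteFile","C:\autorun.inf","SUCCESS","Offset: 0, Length: 96"
"7:41:05.40 PM","unknown_writer.exe","2044","WriteFile","D:\AUTORUN.INF","SUCCESS","Offset: 0, Length: 96"
"7:41:09.00 PM","cleaner_tool.exe","3012","CreateFile","C:\autorun.inf","SUCCESS","Desired Access: Delete, Disposition: Open, OpenResult: Opened"
'''


def is_autorun(path):
    """True when the last path component is autorun.inf (any case)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "autorun.inf"


def is_write(row):
    """True for events that create the file or put data into it."""
    op, detail = row["Operation"], row.get("Detail") or ""
    if op == "WriteFile":
        return True
    return op == "CreateFile" and (
        "Generic Write" in detail or "OpenResult: Created" in detail
    )


def autorun_writers(csv_text):
    """Count successful autorun.inf write events per (process name, PID)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] == "SUCCESS" and is_autorun(row["Path"]) and is_write(row):
            hits[(row["Process Name"], row["PID"])] += 1
    return hits


def autorun_writers_from_file(path):
    """Same check on a saved export; utf-8-sig drops a leading BOM if present."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return autorun_writers(fh.read())


if __name__ == "__main__":
    for (name, pid), count in autorun_writers(SAMPLE_CSV).most_common():
        print(f"{name} (PID {pid}): {count} write event(s) on autorun.inf")
```

The process this reports is the one to trace back to its image path and startup entry; processes that only open autorun.inf to read or delete it are left out.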

August 29, 2012 at 02:03:57
OK, finally got rid of the autorun.inf. Steps involved as follows:

1. Used Windows-KB890830-V4.10.exe (downloaded from MS) for a full scan. Cannot remember the link.
2. Restored my safe mode (deleted by virus) using a safeboot.reg file.
3. Went into safe mode and deleted all files in System Volume Information (had to change permissions first). There were a bunch of exe files starting with A........exe which apparently were not deleted by any virus scanners. Repeat on other drives.
4. Turned back security on the folder System Volume Information to permission for nobody.
5. Deleted all autorun.inf on all drives.

Clean.. so far so good.

Had to do this on 5 computers: 3 at work, 1 at home and 1 at my cousin's home.
All had the same, as I had a USB travelling between these desktops.

Thanks for the help.

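An added example, not part of the original thread, for the last step when it has to be repeated across several drives and machines: it reads the autorun.inf at each given drive root and lists the programs that file would launch, so the companion executables can be found and removed with it. The sample file content and its random file names are constructed.

```python
import os

# Constructed sample of an autorun.inf as dropped on a drive root.
SAMPLE_INF = r"""[AutoRun]
;junk comment line
open=qxkzvb.exe
shell\open\Command=qxkzvb.exe
shell\explore\command = "jrwtpa.pif" /s
icon=%SystemRoot%\system32\shell32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")


def launch_targets(inf_text):
    """Return the sorted program names an autorun.inf would start."""
    targets, in_section = set(), False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            # Only the [autorun] section carries launch commands.
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if not value or not (key in LAUNCH_KEYS or is_verb):
            continue
        # Keep the program name only; drop quotes and arguments.
        program = value.split('"')[1] if value.startswith('"') else value.split()[0]
        targets.add(program.lower())
    return sorted(targets)


def scan_roots(roots):
    """Map each root that holds an autorun.inf to its launch targets."""
    found = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                found[root] = launch_targets(fh.read())
    return found
```

On a Windows machine, call `scan_roots(["C:\\", "D:\\", "E:\\"])` with the drive letters actually present.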

August 29, 2012 at 05:50:14
Nicely done.

Good to hear that MS Malicious Software found it because I've often wondered about its value. If you are on Auto Windows Updates it should already have been there, and it usually updates once a month.

MS secret, LOL, is that it runs (manual scan) from "C:\WINDOWS\system32\MRT.exe".

Always pop back and let us know the outcome - thanks
