  1. #1


    Mal/AutoInf-A virus how to remove

    We have a virus outbreak on our network. The virus in concern is Mal/AutoInf-A. The virus initially seems to have come via USB memory sticks. Mal/AutoInf-A then spreads to all mapped network drives, it drops "Troj/VB-CSA" and also creates a ctfmon.exe
    Win32/FakeRecycled.A - CA

    I have disabled the autorun on memory sticks and applied the Microsoft patch.
    We have Sophos on the server and all client PCs, and it is fully up to date with daily scheduled scans.
    However, Sophos finds the virus and says it has deleted it on the server, but then 30 seconds later finds the virus again.
    On the client PCs, Sophos reports on the daily scan: "The attempt to delete the infected file H:autorun.inf failed the user does not have the rights to perform the action on the infected file."
    I have placed all the users in the Sophos Power user group.

    It is the first year that we have used Sophos and I think it has been a real let-down, as it should be blocking the virus or cleaning it up, because we never had a virus problem with Symantec before.

    Any advice on how to get rid of this virus would be appreciated.

    Thanks
    Last edited by AM_LHS; 15th May 2009 at 10:44 AM.

  2. #2

    bossman's Avatar
    Isolate the server first and look at cleaning it up totally; then, before you attempt to rejoin it to the network, rebuild all infected workstations.

    Check all the other servers in the domain also.

    If this does not work then totally rebuilding the server + all workstations is the only other option open to you.

    Fully empathise with you on this one.

    Good luck

  3. #3
    enjay's Avatar
    A bit late to say this I know, but why is autorun enabled, and why was the student able to the NastyVirus.exe file which the autorun was calling?

  4. #4


    You might also want to have a read of this and use the registry key below to prevent re-infection.

    Code:
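    Windows Registry Editor Version 5.00
    
    ; Redirect Autorun.inf lookups to a registry key that does not exist, so Windows treats every Autorun.inf as empty
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"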

  5. Thanks to Arthur from:

    OutToLunch (8th October 2009)

  6. #5

    synaesthesia's Avatar
    Plus see the previous threads regarding the Conficker virus for good detail on removal and prevention.

  7. #6

    EduTech's Avatar
    This is probably slightly off topic, but I had this on a few memory sticks and I had it on my 1TB hard drive the other day.

    So, I had a MacBook in my office and I put my hard drive on there and it showed the auto.inf file and exe, so I just deleted them and that got rid of the virus, and my hard drive worked fine on a Windows machine. I'm guessing if you put this on a Linux box as well you would be able to do the same.

    I know it doesn't solve the problem, but it is a nice easy way to get rid of it.

    James.

  8. #7


    Program to Remove Mal/AutoInf-A

    I made a program to get rid of it (the autorun.inf file). You can download it from filefront.
    Version 1.0
    Mal/AutoInf-A VirusRemover.zip Download File (http://files.filefront.com/Mal+AutoInf+A+VirusRemoverzip/;13092507;/fileinfo.html)
    Version 2.0
    Mal/AutoInf-A_VirusRemover.zip Download File (http://files.filefront.com/Mal+AutoInf+A+VirusRemoverzip/;13762227;/fileinfo.html)

    It works by not deleting it, but by REPLACING the autorun file with another. Essentially, it makes an autorun file over the top of the autorun from the virus. Or, you could simply not download the program, and make your own blank autorun.inf, then copy and paste (or move) it to where the infected autorun.inf is. Deleting it didn't work for me either, but this did- on multiple computers at school and on a friend's flash drive.

    Hope this helps.

  9. #8
    p858snake's Avatar
    Quote Originally Posted by TheMorphinator View Post
    Deleting it didn't work for me either, but this did- on multiple computers at school and on a friend's flash drive.
    Did you have Autorun disabled for all devices before plugging any infected media into your system? Otherwise it plays with your system and makes it call the program from the OS so that it gets marked as being in use.
    Last edited by p858snake; 16th May 2009 at 03:59 AM.

  10. #9

    Quote Originally Posted by p858snake View Post
    Did you have Autorun disabled for all devices before plugging any infected media into your system? Otherwise it plays with your system and makes it call the program from the OS so that it gets marked as being in use.
    Autorun was enabled.

  11. #10
    lionsl2005's Avatar
    Quote Originally Posted by TheMorphinator View Post
    I made a program to get rid of it (the autorun.inf file). You can download it from filefront.
    Version 1.0
    Mal/AutoInf-A VirusRemover.zip Download File
    Version 2.0
    Mal/AutoInf-A_VirusRemover.zip Download File

    It works by not deleting it, but by REPLACING the autorun file with another. Essentially, it makes an autorun file over the top of the autorun from the virus. Or, you could simply not download the program, and make your own blank autorun.inf, then copy and paste (or move) it to where the infected autorun.inf is. Deleting it didn't work for me either, but this did- on multiple computers at school and on a friend's flash drive.

    Hope this helps.
    I tried your second software but it didn't let me overwrite, giving an error message saying This file have been used by another program.?? Help

  12. #11


    If it's anything like the virus we had, the best option is to disable autorun entirely first e.g. using the method I posted above and then remove the Autorun.inf and associated .exe either automatically using anti-virus software or manually by deleting the files yourself.
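
Added example (not part of the thread or any poster's code): a Python sketch of the manual step described above, listing which files an autorun.inf would launch so they can be removed together with it once Autorun is disabled. The sample file contents, the RECYCLER/Recycled paths and the function name autorun_targets are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Keys in an [autorun] section whose value is a command Windows would launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_targets(inf_text, drive_root):
    """Return the programs an autorun.inf would launch, resolved against drive_root.

    Tolerant by design: junk lines and other sections are skipped rather than
    raising, because malicious autorun.inf files are often padded with them.
    """
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key) or not value:
            continue
        # Keep only the program: a quoted path, or the text up to the first space.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        program = m.group(1) or m.group(2)
        path = str(PureWindowsPath(drive_root) / program.lstrip("\\/"))
        if path not in targets:                       # same file via several keys
            targets.append(path)
    return targets

# Constructed sample, padded with junk the way such files often are.
SAMPLE = r"""
;x8fjq2 junk comment
[AutoRun]
asdkjh3k2j4h
OPEN=RECYCLER\ctfmon.exe -run
shell\open\Command = "Recycled\info.exe" /s
shellexecute=RECYCLER\ctfmon.exe
icon=%SystemRoot%\system32\shell32.dll,4
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for target in autorun_targets(SAMPLE, "H:\\"):
        print("remove together with autorun.inf:", target)
```
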

  13. #12
    lionsl2005's Avatar
    Quote Originally Posted by Arthur View Post
    If it's anything like the virus we had, the best option is to disable autorun entirely first e.g. using the method I posted above and then remove the Autorun.inf and associated .exe either automatically using anti-virus software or manually by deleting the files yourself.
    This worked for me

  14. #13

    Use Group Policy to disable Autorun network-wide; this will prevent these Autorun viruses from spreading, and then you can nail them. If you have a tricky one, use the program Unlocker to remove locked files if in use.

  15. #14
    leon999uk's Avatar
    Not had much experience configuring Sophos, but our network technician uses it here, and you can force clients running the software to use specific settings using a policy. When they next contact the Sophos server they pick up the settings and apply them. I think you can force the setting to delete the virus upon detection.

    Not sure if this helps...

  16. #15

    With Sophos you have to select ON WRITE in the policy as well; this stops the virus on write, and not after it's dropped on the machine when it's being read.

    The option you're on about is "automatically clean up items that contain virus's/spyware"

    Both of these are not on as default.

  17. Thanks to Scorpio from:

    leon999uk (9th October 2009)
