AUTORUN.INF

Avast keeps popping up with these messages every 5 minutes:

c:\autorun.inf contains sample of ‘bv:autorun-t [wrm]’!
and
d:\autorun.inf contains sample of ‘bv:autorun-t [wrm]’!

I did a full scan with Avast and it said there weren't any threats, so how do I stop these messages from appearing?

Leave your USB drive plugged in and run Autorun Eater or Flash Disinfector, allowing them to clean up all drives. They will create hidden folders named autorun.inf in each partition and on every USB drive plugged in when you run them. These folders protect your drives from future infection. After that, reboot your computer.

The virus isn't from a USB drive though, as I haven't put one in for the last few days and the virus alert only started showing up today.

Those programs will clean the fixed disks c: and d: (hard disks) also.

I also suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with Avast with archive scanning turned on. If Avast does not detect it, you can try Dr.Web CureIt! instead.
  3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! Antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on an analysis site. Or even submit the RunScanner log to an on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Here's the HijackThis log file in the attachment.

Does anyone see what the problem is from the log file?

Gee, you're impatient.

The Sun Java is down-level, but that's not the problem, I don't think.

Go to Add/Remove Programs and un-install all Sun Java installs.

The latest Sun Java is Runtime Environment 1.6.0.14
http://filehippo.com/download_java_runtime

Looks like the system is infected with DNS Changer
O17 - HKLM\System\CCS\Services\Tcpip..{483E6976-B351-4980-B960-E165A697E9D5}: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip..{796DECB5-83D9-40CF-850F-D3358EBE12EB}: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip..{DD0776BD-5582-4A88-A0E6-56CD9FDCF422}: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175
O
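To make explicit what the responder is reading off those O17 lines, here is an added Python example (not from this thread, HijackThis or any of the tools named here) that parses O17 NameServer entries from a HijackThis log and flags any resolver outside an allowlist, then counts how many registry locations each rogue server is planted in. The sample log is constructed from the lines quoted above plus one benign entry, and the RFC 1918 allowlist is an assumption a user would extend with their ISP's resolvers.

```python
import ipaddress
import re

# Constructed sample modelled on the HijackThis O17 lines quoted in this thread:
# two carry the rogue servers shown there, one is a benign home-router entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip..{483E6976-B351-4980-B960-E165A697E9D5}: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Assumption: only RFC 1918 resolvers (a home router) are expected; a real user
# would add their ISP's or a trusted public resolver's addresses here.
DEFAULT_ALLOWED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m.group("key"), [s.strip() for s in m.group("servers").split(",") if s.strip()]

def find_rogue_nameservers(log_text, allowed):
    """Return {registry_key: [server, ...]} for servers outside the allowed networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    rogue = {}
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)  # not a parseable address: treat as suspicious
                continue
            if not any(ip in n for n in nets):
                bad.append(s)
        if bad:
            rogue[key] = bad
    return rogue

def count_by_server(rogue):
    """Count the registry locations each rogue server appears in: the same pair
    repeated across CCS, CS1 and per-interface keys is the pattern the log shows."""
    counts = {}
    for servers in rogue.values():
        for s in servers:
            counts[s] = counts.get(s, 0) + 1
    return counts
```

Feeding a full log to `find_rogue_nameservers` lists every interface and control set still pointing at the rogue pair, which is the list to check again after cleanup and reboot.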

OK, updated the Java.

With that Autorun Eater program I keep getting the message:

error deleting suspicious autorun.inf file from OS(c:)

What should I do about the DNS Changer then?

See my previous response.

Follow the advice given by Tech in 3.

You have a lot of O17 entries registered to Ukraine - very suspicious!

Also, using P2P is a very easy way to get your system infected:
Perils of P2P File Sharing
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305923-perils-p2p-file-sharing.html

What are those Ukraine entries and why are they suspicious?

Here’s what they are:

http://www.bleepingcomputer.com/tutorials/tutorial42.html#O17Diag

Why are they suspicious?

Because they’re in the Ukraine.

http://voices.washingtonpost.com/securityfix/2008/03/ukranian_cybercrime_boss_leads.html

One of these men is a Ukrainian cyber crime boss and the other is a Ukrainian politician.

The only difference I can see is one is on top of the other, but I don't think that matters.

OK, so I've done all the steps in post 3 except Secunia, which doesn't want to work for me.

What should I do now?

Now I keep getting this message whenever I open Internet Explorer or I open a new tab or link. That message is followed by another message saying Java has stopped working.

I'm getting really fed up now >:( >:( >:( >:(

For my curiosity, download RootRepeal and copy/paste the scan results:

http://www.malwarebytes.org/forums/index.php?showtopic=12709

See attachment for the RootRepeal file.

Sorry, that looks like gibberish on my PC. Copy/paste the log in your next post.