BV:AutoRun-E [Wrm] i don't know how to remove it

Hi ppl,
first, sorry for my English.

My computer is infected with BV:AutoRun-E [Wrm]. Avast detects it but doesn’t remove it. It creates an autorun.inf on all my hard disks. Avast shows that it found it every 2 minutes. I don’t know what to do to remove it. I also searched the internet for solutions, but nothing was found that can really help. Please, if someone knows how to remove it, I’ll appreciate it.

Thanks in advance.

BR
Nuno

You also need to clean your USB flash drives or they will try to reinfect, and that is what avast is trying to block.

You could try the freeware “Flash Disinfector” program, at http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

Also see this post, http://forum.avast.com/index.php?topic=34095.msg285331#msg285331.

Hi, many thanks for your answer. But the file “autorun.inf”, the virus itself, exists on all my hard drives. If I remove it from my removable hard disk, it still exists on my other hard drives. But I will try that to see if it works.

BR
Nuno

Read the blue text in the quote above: the tool creates an autorun.inf hidden folder on your hard disk partitions, and a folder has priority over a file with the same name, so that should prevent the autorun.inf from running.

If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

Or boot into safe mode and delete the autorun.inf files on your hard disk partitions.

Thanks David, I’ll try that. Later I’ll post the results here. Let me first back up my important data.

BR
Nuno

After I used the Flash Drive Disinfector, the virus still exists, but only on drive C:. The folder “autorun.inf” was not created on that drive.

It is a hidden folder.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

Did you read the link to the other forum topic in my first reply?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Thanks for trying to help me.

No, I didn’t read it, sorry. I’ll read it now, and try the programs you provided. I’ll post the result later.
Once again, many thanks.

I did all you said, and I did all the things in the forum topic you provided. Nothing worked, the virus is still on my computer. I don’t know what more I can do…

I have edited my last post; I forgot to attach the image showing how to show hidden files and folders.

I also suggested a boot-time scan, did you do that?
I also suggested you run both those programs from safe mode, did you run them from safe mode?
You said you would post the results of the scans?

If you have one of the autorun.inf files, right click on it and select Open With, select Notepad. That file should contain some commands to run files; what are the names and locations of those files, e.g. (C:\windows\system32\infected-file-name.xxx)?

In safe mode, no. I’m backing up my data first, then I will restart and do the boot-time scan, and run the programs in safe mode.
Here are the lines in the “autorun.inf” file:

[autorun]
shellexecute="resycled\boot.com c:"
shell\Open\command="resycled\boot.com c:"
shell=Open

In 30 minutes I will restart and do the tasks above. Once again, thanks.
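Added example (not from the thread, and not code from Flash Disinfector, avast or any other tool named here): a small Python script that parses an autorun.inf like the one Nuno posted, lists the programs it would launch, and demonstrates why the folder trick DavidR described works, namely that a directory named autorun.inf blocks creation of a file with the same name. The sample autorun.inf is the three lines quoted above, embedded as a constructed test input, and a temporary directory stands in for a drive root.

```python
"""Triage helper for autorun.inf worms like the one in this thread.

Added example; it is not code from the thread or from any tool mentioned
in it. SAMPLE_AUTORUN is the content Nuno posted, used as constructed input.
"""
import os
import re
import tempfile

# Constructed sample: the [autorun] lines quoted in the thread.
SAMPLE_AUTORUN = r'''[autorun]
shellexecute="resycled\boot.com c:"
shell\Open\command="resycled\boot.com c:"
shell=Open
'''

# Directives that make Explorer launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... defines a context-menu verb that runs a program.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section as {key: value}, keys lower-cased.

    The format is INI-like; only the [autorun] section matters here. Quotes
    (straight or the curly ones a forum copy/paste produces) are stripped.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"\u201c\u201d')
    return entries


def launched_programs(entries):
    r"""Programs the file would run, taken from open=, shellexecute= and
    shell\<verb>\command=. The first token is the program; the rest are
    arguments (here 'c:', the drive handed to boot.com)."""
    programs = set()
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            tokens = value.split()
            if tokens:
                programs.add(tokens[0].lower())
    return sorted(programs)


def root_status(root):
    """Classify a drive root by what occupies the name autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected"             # the folder trick is in place
    if os.path.isfile(path):
        return "autorun-file-present"  # worth opening in Notepad, as asked above
    return "no-autorun"


def folder_blocks_file(root):
    """Apply the folder defence in `root` and prove it works: once a directory
    named autorun.inf exists, writing a *file* of that name fails, so a worm
    cannot drop its autorun.inf there. Returns True if the write was blocked."""
    marker = os.path.join(root, "autorun.inf")
    os.makedirs(marker, exist_ok=True)
    try:
        with open(marker, "w", encoding="utf-8") as fh:
            fh.write("[autorun]\n")
    except OSError:
        return True   # IsADirectoryError on Linux/macOS, PermissionError on Windows
    return False


def demo_in_tempdir():
    """Walk a throwaway directory through the states a responder would see."""
    with tempfile.TemporaryDirectory() as root:
        before = root_status(root)
        # Simulate the worm dropping its file, then the manual clean-up step.
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        during = root_status(root)
        os.remove(os.path.join(root, "autorun.inf"))
        blocked = folder_blocks_file(root)
        after = root_status(root)
    return before, during, blocked, after


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN)
    print("launch targets:", launched_programs(found))
    print("tempdir walk-through:", demo_in_tempdir())
```

Run it as-is to see the walk-through; to triage a real machine, call root_status() and parse_autorun() on each drive root instead of the temporary directory. The launch target it reports for the posted file is resycled\boot.com, a relative path into a folder on the same drive, which is why the later advice in this thread goes after the resycled folder as well as the autorun.inf file.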

From safe mode -
a) Try renaming autorun.inf to no-run.inf
b) See if you can find resycled folder (hopefully the unhide bit will help) and rename these files to something like killboot.com

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.

Hi I just got the same thing and it took me forever to get rid of it. Seems mine also opened porn every 2 minutes >.< Anyways, I ran system restore (Start>>Programs>>Accessories>>System Tools>>System Restore) and restored my computer to a week before. Then I ran the USB Disinfector and all is well =) Hope this helps!

Here is the log of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:05, on 29-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\LogMeIn\x86\LogMeInSystray.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Programas\Windows Live\Family Safety\fsui.exe
E:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Programas\RocketDock\RocketDock.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Live\Family Safety\fsssvc.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\Programas\LogMeIn\x86\RaMaint.exe
C:\Programas\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programas\LogMeIn\x86\LMIGuardian.exe
C:\Programas\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
D:\Jogos\Need for Speed ProStreet\PB\PnkBstrA.exe
C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\Windows Live\Contacts\wlcomm.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Microsoft Office\Office12\OUTLOOK.EXE
D:\Revista\eMule\emule.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Programas\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Revista\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programas\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programas\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] “C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [GrooveMonitor] “C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [LogMeIn GUI] “C:\Programas\LogMeIn\x86\LogMeInSystray.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “E:\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Programas\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [NBKeyScan] “C:\Programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [fssui] “C:\Programas\Windows Live\Family Safety\fsui.exe” -autorun
O4 - HKLM..\Run: [StartCCC] “C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun
O4 - HKLM..\Run: [Acrobat Assistant 8.0] “E:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe”
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FICHEI~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [QuickTime Task] “C:\Programas\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Programas\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “D:\Revista\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKLM..\Run: [C:\WINDOWS\system32\kdlif.exe] C:\WINDOWS\system32\kdlif.exe
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] D:\Revista\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [MsnMsgr] “C:\Programas\Windows Live\Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [RocketDock] “C:\Programas\RocketDock\RocketDock.exe”
O4 - HKCU..\Run: [MSMSGS] “C:\Programas\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [Nokia.PCSync] “C:\Programas\Nokia\Nokia PC Suite 6\PCSync2.exe” /NoDialog
O4 - HKCU..\Run: [AlcoholAutomount] “C:\Programas\Alcohol Soft\Alcohol 120\axcmd.exe” /automount
O4 - HKCU..\Run: [SUPERAntiSpyware] D:\Revista\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVIÇO LOCAL’)
O4 - HKUS\S-1-5-19..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘SERVIÇO LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Serviço de rede’)
O4 - HKUS\S-1-5-20..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Serviço de rede’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User ‘Default user’)
O4 - Startup: Yahoo! Widgets.lnk = C:\Programas\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programas\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programas\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Files by HiDownload - D:\Revista\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - D:\Revista\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transferir com FDM - file://D:\Revista\Free Download Manager\dllink.htm
O8 - Extra context menu item: Transferir todos com FDM - file://D:\Revista\Free Download Manager\dlall.htm
O8 - Extra context menu item: Transferir vídeo com FDM - file://D:\Revista\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Transferência seleccionada pelo FDM - file://D:\Revista\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\Revista\HiDownload\hidownload.exe (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programas\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip..{1659EA2F-3024-4B7F-A191-42B83163A7A4}: NameServer = 85.255.112.133;85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip..{C84EBBDE-3945-45B5-A9F7-A2FAACFFF2A6}: NameServer = 85.255.112.133;85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip..{1659EA2F-3024-4B7F-A191-42B83163A7A4}: NameServer = 85.255.112.133;85.255.112.196
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programas\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Revista\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programas\Ficheiros comuns\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programas\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - D:\Jogos\Need for Speed ProStreet\PB\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Programas\Ficheiros comuns\SureThing Shared\stllssvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programas\RealVNC\VNC4\WinVNC4.exe


End of file - 18226 bytes

After the restart in safe mode I’ll rename the autorun.inf to no-run.inf as you said.

“See if you can find resycled folder”, did you mean the Recycle Bin folder?

Sorry for the many posts. One was not enough for the HijackThis log.

Hi sh3r3d3r, please do the following. Do you use a router?

Please download the OTMoveIt3 by OldTimer.

- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1659EA2F-3024-4B7F-A191-42B83163A7A4}]
"NameServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C84EBBDE-3945-45B5-A9F7-A2FAACFFF2A6}]
"NameServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1659EA2F-3024-4B7F-A191-42B83163A7A4}]
"NameServer"=-

:Files
C:\resycled

:Commands
[purity]
[emptytemp]

- Return to OTMoveIt3, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

THEN

- NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

- Download FixIEDef.exe by ShadowPuterDude to the Desktop.
  Note: FixIEDef now supports Non-English Language Systems

- Double-click FixIEDef.exe:

  http://www.geekstogo.com/misc/guide_icons/fixiedef_zip.png

- That will open the About FixIEDef screen. Click OK to continue:

  http://www.geekstogo.com/misc/guide_icons/fixiedef/about_fixiedef.png

- Next, press the Scan! button:

  http://www.geekstogo.com/misc/guide_icons/fixiedef/press_scan.png

- FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:

  http://www.geekstogo.com/misc/guide_icons/fixiedef/fixiedef_alert.png

- Wait for the scan to finish. It shouldn’t take very long:

  http://images.malwareteks.com/IEDefender/FixIEDef_FileScan.png

  http://www.geekstogo.com/misc/guide_icons/fixiedef/fixiedef_scanning.png

- WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

- After the !!! All Finished !!! message is displayed, click Exit:

  http://www.geekstogo.com/misc/guide_icons/fixiedef/all_finished.png

- Post the FixIEDef log file, located on the Desktop.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”. It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

See: http://www.beyondlogic.org/consulting/proc...processutil.htm

Mirrors: Alternate official download locations for FixIEDef.exe

http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Securi…pyware/FixIEDef

Thanks for the input.

I’m afraid you have more trust in system restore than I have, whilst this worked in your case, it is far from infallible and can have unexpected results. I trust in my drive imaging software to give me an exact image of my HDD at the time of the image over system restore any day.

@DavidR:

True, my computer can do the same; however, I am lax in actually MAKING backups regularly like I should. :)

When will we learn… :)
I’ve learned… I think… at least monthly a full backup of all partitions of my HDD 8)