hello ^^ I’ve already tried bootscan 3 times…but it still shows up on all 3 drives (which includes my external HD)
it’s rather annoying…I’ve tried deleting it, moving to chest…still won’t go away…
and here’s the logfile…
please help me thank you…
also, is it true it sends log in information to hackers??
EDIT: I downloaded the latest version of HJT … here’s the log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:01 AM, on 1/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Why can’t you remove it, e.g. file is in use, it keeps coming back, etc.? Try to be more detailed.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.
Your copy of HJT is out of date so it would be best to install the latest version (after running the above programs) FileHippo Download - HiJackThis and post the results.
You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?
Suspect:
O4 - HKLM\..\Run: [ ] C:\WINDOWS\MyMP3.vbs
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
HJT ACTIONS
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)
####
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here in the topic.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.
Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
####
The file keeps on coming back…when I tried to bootscan it removed a ton of these in my registries etc…
then when I open my computer again the warning says I have a virus @ (C:\autorun.inf, D:\autorun.inf, F:\autorun.inf) << I have 2 drives and 1 external HD.
Here is what I suggest (at least to start with):
1] Disable system restore
2] Disable autorun
3] Do NOT attach any removable drive (drive, thumbnail, etc)
4] Run a bootscan with avast and have it check ALL files (yes, this can take a while to finish)
5] Run CCleaner
6] Reboot (to make sure all changes have been applied)
7] Search your system for autorun*.* files and delete ALL it finds (make sure showing system/hidden files is enabled)
8] Attach any removable storage device and run a full scan on it. Have Avast clean everything it can.
The Windows XP’s firewall is better than no firewall but, it lulls you into a false sense of protection, it doesn’t provide outbound protection. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
There are many freeware firewalls such as, Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control, configuration area, the slider will only go as far as Medium protection, if you want more you have to buy the Pro version.
I run the 2 spyware software you recommended…did it on safe mode…and I can’t find any log file ~_~ but SuperAntiSpyware detected 3 adware tracking cookie…its gone now~
When I went back from safe mode … Avast virus warning still pops up…uploaded the suspect files to virustotal and got this:
It normally displays the log on completion, run it again and click the Logs tab and select the relevant log.
Tracking cookies are a minor issue and not really a security one, I disable that option in the scanning settings. Don’t allow third party cookies (normally associated with tracking) in your browser and periodically clear out your cookies.
Yes, send the MyMP3.vbs to avast. The other, which isn’t detected by any scanner, I would hold off on sending (the dimsntfy.dll file).
Have you downloaded and run the Flash Disinfector tool I gave the link for ?
1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.
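Added example (not part of the thread and not Flash_Disinfector's own code): a Python check that distinguishes the three states a drive root can be in after the steps above, namely no autorun.inf, a placeholder folder named autorun.inf, or an autorun.inf file, and for a file lists the commands it would launch. The sample file content and the temporary folders standing in for C:, D: and F: are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample of an autorun.inf that launches a script (not taken from the thread).
SAMPLE = ("[AutoRun]\r\n;junk line\r\nopen=wscript.exe MyMP3.vbs\r\n"
          "shell\\open\\Command=wscript.exe MyMP3.vbs\r\nicon=folder.ico\r\n")

def launch_commands(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all name something to execute
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def inspect_root(root):
    """Classify the autorun.inf entry at a drive root as absent, folder or file."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return ("folder", [])   # placeholder folder already holds the name
    if not os.path.isfile(path):
        return ("absent", [])
    with open(path, "r", encoding="latin-1") as fh:   # latin-1 never fails to decode
        return ("file", launch_commands(fh.read()))

def demo():
    """Build three constructed 'drive roots' and classify each one."""
    with tempfile.TemporaryDirectory() as base:
        roots = {name: os.path.join(base, name) for name in ("C", "D", "F")}
        for root in roots.values():
            os.mkdir(root)
        with open(os.path.join(roots["C"], "autorun.inf"), "w", newline="") as fh:
            fh.write(SAMPLE)                                 # file: needs cleaning
        os.mkdir(os.path.join(roots["D"], "autorun.inf"))    # placeholder folder
        return {name: inspect_root(root) for name, root in roots.items()}

if __name__ == "__main__":
    for drive, (state, commands) in demo().items():
        print(drive, state, commands)
```

On a real system, pass the drive roots (for example `C:\`) to `inspect_root` instead of calling `demo()`.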
uwah…the virus is gone!!! ;D sorry… tried the HJT fix thingie again on safe mode…hehehe >_<
will now disinfect my external HD …
thank you thank you again… ;D
ermm… should I still run SUPERAntispyware and Malwarebytes along with AVAST, Spywareblaster (this is the one I use for spyware…) and firewall (will download later)? …
Yes the two on-demand anti-spyware scanners complement avast and if you haven’t noticed, check my signature below my posts ;D.
SpywareBlaster is not an anti-spyware application, it is passive, you can’t run on-demand scans and was a total passenger in this as it isn’t something it is even immunising against.