Hi,
Some time ago my computer was infected with some malware. Now my antivirus detects an autorun.inf file in every drive, even after I delete it, and I have lost the Folder Options tab from my computer. Please guide me, what should I do now?
OK, autorun.inf should be cleared by this:
Please download ComboFix from Here or Here to your Desktop.
Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.
* Please, never rename ComboFix unless instructed.
* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
* Close any open browsers.
* WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  * Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  * If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
* Double-click on combofix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
Hey,
thanks thanks thanks… thanks a ton… man, this actually worked…
Could you post the log, as there may be other elements to remove?
ComboFix 08-04-16.5 - user1 2008-04-17 17:21:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT 5.5:30]
Running from: H:\ComboFix.exe
- Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
2008-04-17 17:13 . 2008-04-17 17:13 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-16 13:39 . 2007-10-06 03:11 d--hs---- C:\ntdetec1
2008-03-29 19:40 . 2008-03-29 20:00 131,072 --a------ C:\ct.mdb
2008-03-29 13:24 . 2007-10-08 14:05 227,587 -rahs---- C:\WINDOWS\system32\scvhosts.exe
2008-03-29 13:24 . 2007-10-08 14:05 227,587 --a------ C:\WINDOWS\scvhosts.exe
2008-03-29 13:24 . 2007-10-08 14:05 227,587 --a------ C:\WINDOWS\hinhem.scr
2008-03-28 16:28 . 2008-03-28 16:30 1,308,730 --a------ C:\WINDOWS\system32\pr.wav
2008-03-27 12:19 . 2008-03-27 12:19 d-------- C:\Documents and Settings\user1\Application Data\CyberLink
2008-03-27 12:17 . 2008-03-27 12:17 d-------- C:\Documents and Settings\user1\Application Data\DivX
2008-03-19 21:59 . 2008-04-17 17:20 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 21:58 . 2008-03-19 22:18 d-------- C:\Program Files\Spyware Doctor
2008-03-19 21:58 . 2008-03-19 21:58 d-------- C:\Program Files\Google
2008-03-19 21:58 . 2008-03-19 21:58 d-------- C:\Documents and Settings\user1\Application Data\PC Tools
2008-03-19 21:58 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-19 21:58 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-19 21:58 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-19 21:58 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 06:52 --------- d-----w C:\Documents and Settings\user1\Application Data\COWON
2008-03-04 12:32 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-03-03 04:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-23 12:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Corel
2008-02-23 12:24 --------- d-----w C:\Program Files\Common Files\Corel
2008-02-23 12:22 --------- d-----w C:\Program Files\Corel
2007-10-08 08:35 227,587 --sha-r C:\WINDOWS\system32\scvhosts.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-19 21:58 171448]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:37 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:37 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-11 09:37 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-11 09:37 16132608 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-07-11 09:37 1826816 C:\WINDOWS\SkyTel.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 06:20 33792]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:20 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"winlogon"= C:\ntdetec1\run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\jdk1.3\bin\java.exe"=
R2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;F:\Oracle\Ora81\BIN\TNSLSNR
R2 OracleWebAssistant0;OracleWebAssistant0;F:\Oracle\Ora81\BIN\OWASTSVR.EXE [1999-01-20 14:10]
S3 OracleOraHome81Agent;OracleOraHome81Agent;F:\Oracle\Ora81\bin\dbsnmp.exe [2007-12-22 15:09]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;F:\Oracle\Ora81\BIN\ONRSD.EXE [1999-02-11 23:16]
S3 OracleOraHome81DataGatherer;OracleOraHome81DataGatherer;F:\Oracle\Ora81\bin\vppdc.exe [2007-12-22 15:09]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
Start Pending2 OracleServiceA;OracleServiceA;f:\oracle\ora81\bin\ORACLE.EXE A
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97cd0191-b94d-11dc-ad57-0019d1f83562}]
\Shell\AutoRun\command - I:\ntdetec1.exe
\Shell\explore\Command - I:\ntdetec1.exe
\Shell\open\Command - I:\ntdetec1.exe
Newly Created Service - CATCHME
.
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 17:21:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="F:\Oracle\Ora81\BIN\TNSLSNR "
.
Completion time: 2008-04-17 17:21:59
ComboFix-quarantined-files.txt 2008-04-17 11:51:56
Pre-Run: 31,842,578,432 bytes free
Post-Run: 31,869,243,392 bytes free
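The parts of a log like the one above that a reviewer keys on are in the "Reg Loading Points" section: an autostart value under Policies\Explorer\Run, Security Center notification flags set to 1, and MountPoints2 shell verbs (AutoRun/open/explore) that launch an executable from a drive. The following Python script is an added example, not part of this thread and not ComboFix's own code. It parses that section from a constructed sample (lines copied from the log above), flags those three indicators, and collects the executable paths they point at so they can be checked and quarantined. The heuristics, field names and sample text are this example's own assumptions.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log (added example)."""
import re

# Constructed sample: a subset of the registry section posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"winlogon"= C:\ntdetec1\run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97cd0191-b94d-11dc-ad57-0019d1f83562}]
\Shell\AutoRun\command - I:\ntdetec1.exe
\Shell\explore\Command - I:\ntdetec1.exe
\Shell\open\Command - I:\ntdetec1.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\...] header
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')           # "name"=value
SHELL_RE = re.compile(r"^(\\Shell\\\S+)\s+-\s+(.*)$")    # \Shell\verb\command - target
EXE_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif)\b", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")

# Security Center values that, when set to 1, silence the "no AV/updates" warnings.
DISABLE_NOTIFY_VALUES = {
    "antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify",
}


def parse_entries(text):
    """Yield (key, name, value) for each value line found under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue  # text before the first header is not a registry entry
        m = VALUE_RE.match(line) or SHELL_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2).strip()


def triage(text):
    """Return a list of (key, name, value, reason) for entries worth a closer look."""
    findings = []
    for key, name, value in parse_entries(text):
        k = key.lower()
        if k.endswith(r"\policies\explorer\run"):
            findings.append((key, name, value,
                             "autostart via Policies\\Explorer\\Run, rarely used by legitimate software"))
        elif (k.endswith(r"\security center")
              and name.lower() in DISABLE_NOTIFY_VALUES
              and value.lower() == "dword:00000001"):
            findings.append((key, name, value, "Security Center warning suppressed"))
        elif "\\mountpoints2\\" in k and name.lower().startswith("\\shell\\") and EXE_RE.search(value):
            findings.append((key, name, value,
                             "drive shell verb (AutoRun/open/explore) launches an executable"))
    return findings


def targets(findings):
    """Collect the distinct file paths referenced by flagged entries."""
    paths = set()
    for _key, _name, value, _reason in findings:
        paths.update(PATH_RE.findall(value))
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for key, name, value, reason in hits:
        print(f"[{reason}]\n  {key}\n  {name} = {value}")
    print("\nFiles to check/quarantine:")
    for path in sorted(targets(hits)):
        print(" ", path)
```

Run against a full saved ComboFix.txt by reading the file into `triage()`; everything outside the registry section is ignored because no `[key]` header precedes it in a way the value regexes match. The MountPoints2 check is the one that explains the original symptom: a per-drive shell verb pointing at an executable is how an infected removable drive re-launches its payload each time the drive is opened, so the entry has to go along with the file.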
Hi:
Your log is showing an extremely outdated Sun Java, a serious security risk.
You should uninstall ALL versions of this program you have; the latest version, which is the ONLY one that should ever be on the computer, is available at www.java.com.