Author Topic: plzzzzzzzzzzzzzzzz help me out  (Read 3972 times)


anoop

  • Guest
plzzzzzzzzzzzzzzzz help me out
« on: February 29, 2008, 07:48:40 AM »
Hi,
Some time ago my computer was infected with some malware. Now my antivirus detects an autorun.inf file in every drive even after I delete it, and I have lost the Folder Options tab from my computer. Please guide me, what should I do now??

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: plzzzzzzzzzzzzzzzz help me out
« Reply #1 on: February 29, 2008, 05:09:07 PM »
OK, Autorun.inf should be cleared by this.

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

anoop

  • Guest
Re: plzzzzzzzzzzzzzzzz help me out
« Reply #2 on: March 01, 2008, 06:03:22 AM »
hey

thanks thanks thanks...thanks a ton ...man this actually worked.. :)

Offline essexboy

Re: plzzzzzzzzzzzzzzzz help me out
« Reply #3 on: March 01, 2008, 01:26:56 PM »
Could you post the log, as there may be other elements to remove?

anoop

  • Guest
Re: plzzzzzzzzzzzzzzzz help me out
« Reply #4 on: June 19, 2008, 07:03:01 AM »
ComboFix 08-04-16.5 - user1 2008-04-17 17:21:08.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.642 [GMT 5.5:30]
Running from: H:\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\x64

.
(((((((((((((((((((((((((   Files Created from 2008-03-17 to 2008-04-17  )))))))))))))))))))))))))))))))
.

2008-04-17 17:13 . 2008-04-17 17:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-16 13:39 . 2007-10-06 03:11   <DIR>   d--hs----   C:\ntdetec1
2008-03-29 19:40 . 2008-03-29 20:00   131,072   --a------   C:\ct.mdb
2008-03-29 13:24 . 2007-10-08 14:05   227,587   -rahs----   C:\WINDOWS\system32\scvhosts.exe
2008-03-29 13:24 . 2007-10-08 14:05   227,587   --a------   C:\WINDOWS\scvhosts.exe
2008-03-29 13:24 . 2007-10-08 14:05   227,587   --a------   C:\WINDOWS\hinhem.scr
2008-03-28 16:28 . 2008-03-28 16:30   1,308,730   --a------   C:\WINDOWS\system32\pr.wav
2008-03-27 12:19 . 2008-03-27 12:19   <DIR>   d--------   C:\Documents and Settings\user1\Application Data\CyberLink
2008-03-27 12:17 . 2008-03-27 12:17   <DIR>   d--------   C:\Documents and Settings\user1\Application Data\DivX
2008-03-19 21:59 . 2008-04-17 17:20   <DIR>   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 21:58 . 2008-03-19 22:18   <DIR>   d--------   C:\Program Files\Spyware Doctor
2008-03-19 21:58 . 2008-03-19 21:58   <DIR>   d--------   C:\Program Files\Google
2008-03-19 21:58 . 2008-03-19 21:58   <DIR>   d--------   C:\Documents and Settings\user1\Application Data\PC Tools
2008-03-19 21:58 . 2007-12-10 14:53   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-19 21:58 . 2007-12-10 14:53   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-19 21:58 . 2008-02-01 12:55   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-19 21:58 . 2007-12-10 14:53   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 06:52   ---------   d-----w   C:\Documents and Settings\user1\Application Data\COWON
2008-03-04 12:32   ---------   d-----w   C:\Documents and Settings\Guest\Application Data\AVG7
2008-03-03 04:58   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-23 12:26   ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\Corel
2008-02-23 12:24   ---------   d-----w   C:\Program Files\Common Files\Corel
2008-02-23 12:22   ---------   d-----w   C:\Program Files\Corel
2007-10-08 08:35   227,587   --sha-r   C:\WINDOWS\system32\scvhosts.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-19 21:58 171448]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:37 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:37 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-11 09:37 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-11 09:37 16132608 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-07-11 09:37 1826816 C:\WINDOWS\SkyTel.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 06:20 33792]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:20 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"winlogon"= C:\ntdetec1\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\jdk1.3\\bin\\java.exe"=

R2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;F:\Oracle\Ora81\BIN\TNSLSNR  []
R2 OracleWebAssistant0;OracleWebAssistant0;F:\Oracle\Ora81\BIN\OWASTSVR.EXE [1999-01-20 14:10]
S3 OracleOraHome81Agent;OracleOraHome81Agent;F:\Oracle\Ora81\bin\dbsnmp.exe [2007-12-22 15:09]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;F:\Oracle\Ora81\BIN\ONRSD.EXE [1999-02-11 23:16]
S3 OracleOraHome81DataGatherer;OracleOraHome81DataGatherer;F:\Oracle\Ora81\bin\vppdc.exe [2007-12-22 15:09]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
Start Pending2 OracleServiceA;OracleServiceA;f:\oracle\ora81\bin\ORACLE.EXE A []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97cd0191-b94d-11dc-ad57-0019d1f83562}]
\Shell\AutoRun\command - I:\ntdetec1.exe
\Shell\explore\Command - I:\ntdetec1.exe
\Shell\open\Command - I:\ntdetec1.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 17:21:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="F:\Oracle\Ora81\BIN\TNSLSNR "
.
Completion time: 2008-04-17 17:21:59
ComboFix-quarantined-files.txt  2008-04-17 11:51:56

Pre-Run: 31,842,578,432 bytes free
Post-Run: 31,869,243,392 bytes free
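The log above carries the three indicators a malware-removal helper looks for first in a ComboFix "Reg Loading Points" section: per-volume `mountpoints2` shell handlers that point AutoRun/open/explore at a program on a drive, a Run entry hidden under `policies\explorer\run`, and Security Center "DisableNotify" values switched on. The script below, an added example written for this thread rather than code from ComboFix or from the forum, parses that section and flags those patterns; the log excerpt it runs on is constructed from the lines posted in Reply #4, and the heuristics are the author's assumptions, not ComboFix's own logic.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the
autorun-worm indicators seen in this thread.  Added example; not part of
ComboFix and not code from the forum.  The heuristics and the log excerpt
below are constructed for illustration."""
import re

# Constructed excerpt modelled on the log posted in Reply #4.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"winlogon"= C:\ntdetec1\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;F:\Oracle\Ora81\BIN\TNSLSNR  []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97cd0191-b94d-11dc-ad57-0019d1f83562}]
\Shell\AutoRun\command - I:\ntdetec1.exe
\Shell\explore\Command - I:\ntdetec1.exe
\Shell\open\Command - I:\ntdetec1.exe
"""


def parse_reg_sections(text):
    """Group non-blank lines under the [KEY] header that precedes them.
    A blank line ends the current section, so service lines and other
    non-registry output between sections are not attributed to a key."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_suspicious(sections):
    """Return (category, key, entry) tuples for the indicator patterns
    visible in the thread's log (assumed heuristics, not ComboFix rules)."""
    findings = []
    for key, entries in sections.items():
        k = key.lower()
        for entry in entries:
            e = entry.lower()
            if "mountpoints2" in k and e.startswith("\\shell\\"):
                # Per-volume shell handlers: AutoRun/open/explore all redirected to a program.
                findings.append(("autorun-handler", key, entry))
            elif "policies\\explorer\\run" in k:
                # Run entries under the Policies key are easy to miss in a manual Run-key review.
                findings.append(("policy-run", key, entry))
            elif "security center" in k and "disablenotify" in e and e.endswith("dword:00000001"):
                # Security Center warnings for AV/updates switched off.
                findings.append(("notify-disabled", key, entry))
    return findings


def flagged_programs(findings):
    """Collect the executables referenced by flagged handler/run entries,
    i.e. the files to quarantine and hash for further review."""
    programs = set()
    for category, _key, entry in findings:
        if category == "autorun-handler":
            programs.add(entry.split(" - ", 1)[1].strip())
        elif category == "policy-run":
            programs.add(entry.split("=", 1)[1].strip())
    return programs


def triage(text):
    """Parse a log and return (findings, programs) in one call."""
    findings = find_suspicious(parse_reg_sections(text))
    return findings, flagged_programs(findings)


if __name__ == "__main__":
    findings, programs = triage(SAMPLE_LOG)
    for category, key, entry in findings:
        print(f"{category:16} {entry}    ({key})")
    print("programs to quarantine and hash:", sorted(programs))
```

Run against the excerpt it reports six findings and two programs, `I:\ntdetec1.exe` and `C:\ntdetec1\run.exe`, which matches what ComboFix itself removed (`C:\ntdetec1` and the `mountpoints2` handlers). The benign `HKCU\...\Run` entry for `ctfmon.exe` is deliberately not flagged, and the Oracle service line between sections is ignored because a blank line closes each registry section before it.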

Spiritsongs

  • Guest
outdated Sun Java
« Reply #5 on: June 19, 2008, 07:15:29 PM »
:) Hi:

Your log is showing an extremely outdated Sun Java, a serious security risk.
You should uninstall ALL versions of this program you have; the latest version,
which is the ONLY one that should ever be on the computer, is available at
www.java.com.