TechSpot

Many problems: autorun.inf/computer date 2 years back/etcetc

By brownstar
Jun 29, 2007
  1. Hey, my computer has recently gone haywire.
    1) Double clicking C/D from My Computer leads to some sort of autoplay and won't actually open anything (but I can open with right click)
    2) My internet has problems connecting at times
    3) My computer date keeps resetting to 2005, the time and day is right, but it resets to 2005.

    I've been trying to fix it, I've run numerous spyware programs, I've tried hijackthis (although I don't know what it did, lol), I've tried to alter the date in the BIOS, which only worked temporarily, I've emptied temp files and have tried to delete autorun.inf, but it just keeps reappearing! Any help would be greatly appreciated.

    I use nod32 for antivirus and agnitum outpost for a firewall. I've run spysweeper and hijackthis analyzer, I've also tried going into windows/temp and windows/prefetch and deleting everything.

    I've attached a hijackthis log!
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    First, I would replace the CMOS battery... $3.25 at Wal-Mart.
    Looks like you are doing everything right... Momok and Howard can probably see a lot of stuff I cannot.
    Are all your Microsoft updates tuned to the latest stuff?
    On some of your actions, re-do them in Safe Mode.
     
  3. brownstar

    brownstar TS Rookie Topic Starter

    Update

    Found a way to delete the autorun.inf through cmd by just doing a -s -r whatchamacallit. Here's the new log though, ah.exe (which was linked to by the autorun that used to exist) is still on both my drives.
     


  4. jobeard

    jobeard TS Ambassador Posts: 9,322   +622

  5. momok

    momok TS Rookie Posts: 2,265

    Hi,

    #You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    ALCMTR
    anhao
    lsass


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    ALCMTR.EXE

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [anhao] C:\WINDOWS\system32\config\svchost.exe
    O23 - Service: lsass - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe (file missing)

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\config\svchost.exe

    Reboot into normal mode and rehide your protected OS files.

    Please continue with the instructions as jobeard provided.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of brownstar only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
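
The path-bearing O4/O23 entries listed in the post above share one trait: a file named after a core Windows binary sitting outside System32. The following is an added example, not part of the thread and not taken from HijackThis itself, that flags such lines in a pasted log. The `triage` function, the watch-list and the benign sample line are assumptions made for illustration.

```python
import ntpath
import re

# Names the thread's entries borrow; the genuine files live only in System32.
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default install path, as in the thread

# First drive-qualified path ending in .exe on the line.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)


def triage(log_text):
    """Return [(entry, [reasons])] for O4/O23 lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(("O4 ", "O23 ")):
            continue  # only Run-key (O4) and service (O23) autostarts
        reasons = []
        match = EXE_PATH.search(line)
        if match:
            path = ntpath.normcase(match.group(0))  # lower-case, backslashes
            name, folder = ntpath.basename(path), ntpath.dirname(path)
            if name in SYSTEM32_ONLY and folder != SYSTEM32:
                reasons.append(f"{name} running from {folder}")
        if "(file missing)" in line:
            reasons.append("autostart points at a file that no longer exists")
        if reasons:
            findings.append((line, reasons))
    return findings


# Two entries quoted from the post, plus one constructed benign line.
SAMPLE = r"""
O4 - HKLM\..\Run: [anhao] C:\WINDOWS\system32\config\svchost.exe
O23 - Service: lsass - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE):
        print(entry)
        for reason in reasons:
            print("   !", reason)
```
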
     
  6. jobeard

    jobeard TS Ambassador Posts: 9,322   +622

    oops; you want to KEEP the LSASS process.
     
  7. brownstar

    brownstar TS Rookie Topic Starter

    OK, so I did a bunch of stuff, some of the steps didn't work, but so far my comp seems to be running a lot better already. Although there is still a file called ah.exe that looks sketchy and is hidden on my harddrive.

    Here are various logs. I really appreciate all the help! Hopefully I'm close to resolving this issue!

    Note: the combofix log thing isn't working, it just says that it's almost done for over an hour, while the system is doing nothing, so I just pasted an older log of it and something else I found on c:\
     
  8. jobeard

    jobeard TS Ambassador Posts: 9,322   +622

    AVG Anti-Spyware report shows clearly NO ACTION TAKEN, but would have done
    some work if properly configured!
     
  9. brownstar

    brownstar TS Rookie Topic Starter

    Hey, I'm pretty sure my AVG is properly configured. I ran it a few times before and it found 1.exe, but that's not in this log. Is there anything I should change? I ran it exactly as it said on that other thread.
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Since the only detected things are cookies, we'll use ccleaner to get rid of them. Please download and run CCleaner via step 9 of the instructions HERE.

    Please fix this entry in HijackThis.

    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.


    Regards,
    Your friendly momok =)

     
  11. brownstar

    brownstar TS Rookie Topic Starter

    Hey, I forgot to mention, I don't think HijackThis etc. checked my second drive (drive D), because it also contains hidden files ah.exe and autorun.inf. Here are the fresh logs after combo, avg, and hijack though.

    AVG didn't find anything...
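
The post above notes that the second drive still held a hidden autorun.inf and ah.exe. The following is an added example, not from the thread or from any tool it mentions, that reads an autorun.inf directly and reports what each launch entry points to and whether that file sits on the same drive root. The function names and the sample file content are constructed; the thread only says the autorun.inf linked to ah.exe.

```python
import os

LAUNCH_KEYS = ("open", "shellexecute")


def autorun_targets(text):
    """Return {key: command} for every [autorun] entry that launches something."""
    targets, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue  # junk lines are skipped instead of aborting the parse
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries change what double-clicking the drive does.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value
    return targets


def check_root(root):
    """Inspect one drive root. Returns None when no autorun.inf is present,
    else [(key, command, target_exists_on_root)]. The file is read directly,
    so Explorer's hidden-file setting does not matter."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="latin-1") as handle:
        targets = autorun_targets(handle.read())
    report = []
    for key, command in targets.items():
        exe = command.split()[0].strip('"') if command else ""
        report.append((key, command, os.path.isfile(os.path.join(root, exe))))
    return report


# Constructed sample content, consistent with the symptoms described in the thread.
SAMPLE = r"""
[AutoRun]
open=ah.exe
shell\open\command=ah.exe
icon=example.ico
"""

if __name__ == "__main__":
    for root in ("C:\\", "D:\\"):  # the two drives mentioned in the thread
        print(root, check_root(root))
```
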
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Unhide your system files and folders and delete this file:
    C:\FOUND.004

    Could you provide the details of the D:\ files? Apparently they do not show up in ComboFix because they have not been active in the past 3 months. I presume your AVG scan was a full scan which included all secondary drives too?


    Regards,
    Your friendly momok =)

     
  13. brownstar

    brownstar TS Rookie Topic Starter

    Hey, thanks for all your help momok, I fiddled around with that combofix-do txt you sent me and just changed files to D:\ah.exe and D:\autorun.inf so here are the quarantine log and a fresh HJT, everything seems fine now, but I guess I can never be sure?
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I must say that was a wee bit dangerous, but I see that you got it right.

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\QooBox and C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  15. brownstar

    brownstar TS Rookie Topic Starter

    lol, sorry about taking that step without advice, but I do appreciate all your help! Thanks so much!
     
  16. momok

    momok TS Rookie Posts: 2,265

    No problems, glad to be of help =)
     
  17. brownstar

    brownstar TS Rookie Topic Starter

    Hey, it's me, back again, suddenly, I got the old 2005 problem out of nowhere. Any suggestions? I've attached my hijackthis log, I'm praying right now that it's just a hiccup.
     
  18. momok

    momok TS Rookie Posts: 2,265

    Hi,

    It appears you got your system infected with the same thing previously. I've tried researching on this process but it turns up only TechSpot and tonnes of Chinese entries (my Chinese has deteriorated so terribly after I stopped taking it 4 years ago). I can't quite make out what the process actually does. Please read the following.

    Very Important: Malware infections can possibly lead to identity theft, loss of funds from bank accounts, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs, otherwise they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
