Virus disabled safe mode, keeps closing tsk manager, msconfig and anything related to anti virus
   
28 posts in this thread.

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-7-2007 1:16 (GMT +1)
Hi, I've searched through the forums and I've only found the solution to stop the virus from closing the task manager. The solution given was to load Windows in safe mode with networking and to install all those free programs (CCleaner, HijackThis)..
 
My problem is, Windows won't load in safe mode.. when I select any of the three options to start in safe mode, the screen displays drivers loading and then it stops there not doing anything and I have to push the reset button to start again..
 
BTW, Windows loads just fine.. I can do the stuff I used to do before, except that I have no antivirus running (because it closes it) and I can't open the task manager, msconfig or regedit.. the virus closes any window that is related to an antivirus (e.g. when I open the folder containing the antivirus program) or even if I install a new one..
 
Help please....
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-7-2007 1:38 (GMT +1)
Hi soulji
 
 
Let's hope you can run HijackThis and post a logfile:
 
1. Get this version of HijackThis from http://danborg.org/spy/hjt/alternativ.exe
 
2. Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double click the 'My Computer' icon on your desktop, then under the category Hard Disk Drives double click Local Disk:, then select File -> New -> Folder and name it HJT.
 
3. Run HijackThis (alternativ.exe).

Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system, and automatically open a Notepad text file containing the HijackThis log when the scan is finished.
Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.
Post the HijackThis log.


Do NOT post your problem in someone elses thread.
Start a new topic so that it may receive proper attention. 
Do not PM me with logfiles. They will be deleted
 
 

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-7-2007 2:34 (GMT +1)
Oh man.. this virus is tough...

It also closes alternativ HJT... although I was able to scan a little, it did not have time to finish.. I was doing it like fifty times but the virus was too fast... also before that, I had to download msvbvm60.dll because it was missing and HJT can't start..

I can't even access this website (because it's related to an antivirus software) to post a reply.. it closes the browser automatically...

BTW, I was able to peek in the task manager and there was lsass.exe, services.exe, winlogon.exe and some other .exe (some are numbers so I can't memorise them) run by my username aside from the ones run by the system... I've been infected by this before (I think it was Brontok or Explorasi) but I was able to clean it with AVG Free, but now I can't even open it... also, I can see two "desktop" named folders that are actually applications (size is 42kb)

Good thing I have a PC (it's my laptop that got infected).

What should I do??? Please help..
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-7-2007 2:49 (GMT +1)
It sounds like a rootkit you've got.
 
Please download the GMER zip:
 
Unzip/extract it to the desktop.
 
Run gmer.exe, select the Rootkit tab and click the "Scan" button.
When the scan has finished, click the Copy button, and post this log.


 
 

Post Edited (Touch) : 1/7/2007 1:50:38 PM GMT

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-7-2007 5:08 (GMT +1)
Hi.
 
Uhmm.. gmer.exe did run and was able to scan, but every time it scans \Device\{576D289D-F42A-4212-97E7-6EB65DB53672} it gets stuck... it's still responding but it's not moving on...
 
BTW, on the Processes tab, I can see the virus running and it's Brontok, about 7 of them...
Process: C:\WINDOWS\system32\n5883\winlogon.exe   Parameters: ~Brontok~Is~The~Best~
         C:\WINDOWS\system32\n5883\services.exe   ~Brontok~Serv~
         C:\WINDOWS\system32\n5883\csrss.exe      ~Brontok~SpreadMail~
         C:\WINDOWS\system32\n5883\lsass.exe      ~Brontok~Network~
         C:\WINDOWS\Ja13386\ib6207.exe            ~Brontok~Back~Log~
         C:\WINDOWS\system32\n5883\b6207.exe      ~Brontok~Back~Log~
         C:\WINDOWS\system32\n5883\lsass.exe      ~Brontok~To~LoadingInfo~
 
And also, there's a Kill Process option in the program... should I select all these viruses and kill the process? And then run a virus scan? Would it harm my laptop if I do this?
 
Thanks for all the help...
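The listing above is the textbook masquerade pattern: copies of winlogon.exe, services.exe, csrss.exe and lsass.exe running from C:\WINDOWS\system32\n5883 instead of system32 itself, side by side with the real ones. As an added example (not part of this thread, and not GMER's own code), the Python below parses a GMER-style process listing and flags two things a responder would check first: core process names running outside their home directory, and names that are running from more than one directory at once. The home-directory table, the assumed line format, and the sample listing (the seven entries posted above plus constructed legitimate entries) are all assumptions of this example.

```python
import ntpath
from collections import defaultdict

# Core Windows processes that malware likes to impersonate by name, mapped to the
# directory where the real binary lives on a default Windows XP install. This table
# is an assumption of the example; paths are compared case-insensitively like NTFS.
CORE_PROCESS_HOME = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample listing: the seven entries posted in this thread plus the
# legitimate copies of the same names (csrss.exe added; the others appear in the
# HijackThis log posted later in the thread).
SAMPLE_LISTING = r"""
Process: C:\WINDOWS\system32\n5883\winlogon.exe  Parameters: ~Brontok~Is~The~Best~
         C:\WINDOWS\system32\n5883\services.exe  ~Brontok~Serv~
         C:\WINDOWS\system32\n5883\csrss.exe     ~Brontok~SpreadMail~
         C:\WINDOWS\system32\n5883\lsass.exe     ~Brontok~Network~
         C:\WINDOWS\Ja13386\ib6207.exe           ~Brontok~Back~Log~
         C:\WINDOWS\system32\n5883\b6207.exe     ~Brontok~Back~Log~
         C:\WINDOWS\system32\n5883\lsass.exe     ~Brontok~To~LoadingInfo~
         C:\WINDOWS\System32\smss.exe
         C:\WINDOWS\system32\csrss.exe
         C:\WINDOWS\system32\winlogon.exe
         C:\WINDOWS\system32\services.exe
         C:\WINDOWS\system32\lsass.exe
         C:\WINDOWS\Explorer.exe
"""


def parse_listing(text):
    """Turn a GMER-style process listing into (image_path, parameters) pairs.

    The first line carries 'Process:' and 'Parameters:' labels; continuation
    lines carry just the path and the parameters. Paths contain no spaces here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("process:"):
            line = line[len("process:"):].strip()
        path, _, rest = line.partition(" ")
        params = rest.strip()
        if params.lower().startswith("parameters:"):
            params = params[len("parameters:"):].strip()
        entries.append((path, params))
    return entries


def find_masquerades(entries):
    """Flag core process names that run from somewhere other than their home directory."""
    findings = []
    for path, params in entries:
        directory, name = ntpath.split(path)
        home = CORE_PROCESS_HOME.get(name.lower())
        if home is not None and directory.lower() != home:
            findings.append({"path": path, "params": params, "expected_dir": home})
    return findings


def find_duplicate_names(entries):
    """Return {name: [directories]} for names running from more than one directory."""
    dirs_by_name = defaultdict(set)
    for path, _ in entries:
        directory, name = ntpath.split(path)
        dirs_by_name[name.lower()].add(directory.lower())
    return {name: sorted(dirs) for name, dirs in dirs_by_name.items() if len(dirs) > 1}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for f in find_masquerades(entries):
        print(f"MASQUERADE {f['path']} (expected in {f['expected_dir']}) params={f['params']!r}")
    for name, dirs in find_duplicate_names(entries).items():
        print(f"DUPLICATE  {name} runs from {len(dirs)} directories: {', '.join(dirs)}")
```

On the sample, the five n5883 copies of core names are reported as masquerades (ib6207.exe and b6207.exe are not core names, so they pass this particular check), and winlogon.exe, services.exe, csrss.exe and lsass.exe are each reported as running from two directories. The duplicate check is deliberately independent of the home-directory table, so it still catches a look-alike dropped somewhere the table does not know about.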
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-7-2007 5:38 (GMT +1)
I'm not sure about these files, as they look like legal files.
It's better you download and run catchme.exe:
Post the log(s) it produces in this thread.


 
 

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-7-2007 6:30 (GMT +1)
I think they're not legal files, because duplicates of these programs are also running at the same time but without the "brontok" in the parameters, and are directly located in the system32 folder and not within another folder like n5883...

Anyway.. here's the log file:

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\delink.log 200 bytes
C:\system.sav\dnetwork.log 224 bytes
C:\system.sav\DNSP1.LOG 16384 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\info.bom 16384 bytes
C:\system.sav\INFO.US 4096 bytes
C:\system.sav\ISLOGCHK.LOG 4096 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\Logs
C:\system.sav\Logs\Cia.ini 77824 bytes
C:\system.sav\Logs\Info.bom 16384 bytes
C:\system.sav\Logs\Install.log 335872 bytes
C:\system.sav\Logs\Preinchk.log 4096 bytes
C:\system.sav\Logs\Sysinfo.log 311296 bytes
C:\system.sav\mszone.log 16384 bytes
C:\system.sav\PREINCHK.log 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 8192 bytes
C:\system.sav\SYSINFO.LOG 311296 bytes
C:\system.sav\util
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\bcr.cmd 232 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\brand.exe 184320 bytes
C:\system.sav\util\BrandIt.Log 12288 bytes
C:\system.sav\util\BRAND_1.FLG 16 bytes
C:\system.sav\util\CHKIMAGE.exe 122880 bytes
C:\system.sav\util\CIA.CDC 65536 bytes
C:\system.sav\util\CIA.INI 77824 bytes
C:\system.sav\util\CLEARTYP.REG 496 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\CMDSWSET.CMD 64 bytes
C:\system.sav\util\cpqci.dll 122880 bytes
C:\system.sav\util\cpqsm.exe 86016 bytes
C:\system.sav\util\cvacompg.exe 118784 bytes
C:\system.sav\util\cvacompg.tmp 168 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\DelDir.exe 36864 bytes
C:\system.sav\util\delmodem.bat 128 bytes
C:\system.sav\util\delmodem.ini 184 bytes
C:\system.sav\util\DelWLAN.reg 320 bytes
C:\system.sav\util\DETECTOS.EXE 98304 bytes
C:\system.sav\util\DETECTOS.INI 408 bytes
C:\system.sav\util\dmiuia.cmd 136 bytes
C:\system.sav\util\DNSP1.LOG 16384 bytes
C:\system.sav\util\DQM_MRK.exe 323584 bytes
C:\system.sav\util\EISDTICON.log 32 bytes
C:\system.sav\util\EISFE.log 32 bytes
C:\system.sav\util\FB_EIS.log 32 bytes
C:\system.sav\util\hpqnt.dll 77824 bytes
C:\system.sav\util\infobomg.exe 172032 bytes
C:\system.sav\util\INSTALL.LOG 335872 bytes
C:\system.sav\util\ISLOGCHK.EXE 110592 bytes
C:\system.sav\util\ISLOGCHK.INI 4096 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\mobproc.flg 136 bytes
C:\system.sav\util\oobe.min 144 bytes
C:\system.sav\util\oobe.wpe 4096 bytes
C:\system.sav\util\osexclude.txt 176 bytes
C:\system.sav\util\PININST.INI 120 bytes
C:\system.sav\util\PININST.LOG 168 bytes
C:\system.sav\util\POSTOOBE.CMD 4096 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 552 bytes
C:\system.sav\util\powerset.log 88 bytes
C:\system.sav\util\PREINCHK.BAT 216 bytes
C:\system.sav\util\PREINFO.INI 152 bytes
C:\system.sav\util\PREINFO2.EXE 102400 bytes
C:\system.sav\util\qlb.log 176 bytes
C:\system.sav\util\random.ini 40 bytes
C:\system.sav\util\REGDEV.EXE 106496 bytes
C:\system.sav\util\REGDEV.INI 560 bytes
C:\system.sav\util\RMDEV.CMD 512 bytes
C:\system.sav\util\RMIRDEV.CMD 112 bytes
C:\system.sav\util\RunCType.REG 392 bytes
C:\system.sav\util\SecEvBk1.old 65536 bytes
C:\system.sav\util\sedinst.log 168 bytes
C:\system.sav\util\SWSETDIR.exe 118784 bytes
C:\system.sav\util\SWSETUP.BTO 424 bytes
C:\system.sav\util\SWSETUP.CMD 136 bytes
C:\system.sav\util\SWSET_B.INI 4096 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\touchpad.log 192 bytes
C:\system.sav\util\uiadump32.exe 32768 bytes
C:\system.sav\util\uiautil.exe 57344 bytes
C:\system.sav\util\WINDVD.LOG 168 bytes
C:\system.sav\util\WMI.BAT 48 bytes
C:\system.sav\WINDVD.LOG 168 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 98
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-7-2007 7:54 (GMT +1)
It looks like you're right :)
 
 
Please download The Avenger by Swandog46 to your Desktop.
 
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:
 
Files to delete:
C:\WINDOWS\system32\n5883\winlogon.exe
C:\WINDOWS\system32\n5883\services.exe
C:\WINDOWS\system32\n5883\csrss.exe
C:\WINDOWS\system32\n5883\lsass.exe
C:\WINDOWS\Ja13386\ib6207.exe
C:\WINDOWS\system32\n5883\b6207.exe
C:\WINDOWS\system32\n5883\lsass.exe
 
Folders to delete:
C:\WINDOWS\system32\n5883
 
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply and tell how things are running now.
 
 


 
 

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-8-2007 7:20 (GMT +1)
Hi! Remember the plan I had to kill the processes with Brontok using gmer.exe? Well, I did that and it did stop those viruses running, so I was able to run task manager again and my antivirus program... I was able to run HJT and scan the PC.. I used AVG Free but it did not find any viruses, so I installed Kaspersky.. and it did find those viruses and was able to delete them.. BUT there's another big big problem!! I can't log in to any of the usernames!! I click one of the names and it says logging in.. but it eventually logs out without displaying any icon or the task bar... it's back on the welcome screen again... I can see the Kaspersky antivirus running on the upper right corner of the screen... help!

This is the HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:26 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\gmer.exe
C:\hjt\alternative.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6307922.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee.com
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee.net
O1 - Hosts: 127.0.0.22 mcafee.org
O1 - Hosts: 127.0.0.22 www.mcafee.org
O1 - Hosts: 127.0.0.22 mcafeesecurity.com
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
O1 - Hosts: 127.0.0.22 mcafeesecurity.net
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
O1 - Hosts: 127.0.0.22 mcafeesecurity.org
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
O1 - Hosts: 127.0.0.22 mcafeeb2b.com
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
O1 - Hosts: 127.0.0.22 mcafeeb2b.net
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
O1 - Hosts: 127.0.0.22 mcafeeb2b.org
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
O1 - Hosts: 127.0.0.22 nai.com
O1 - Hosts: 127.0.0.22 www.nai.com
O1 - Hosts: 127.0.0.22 nai.net
O1 - Hosts: 127.0.0.22 www.nai.net
O1 - Hosts: 127.0.0.22 nai.org
O1 - Hosts: 127.0.0.22 www.nai.org
O1 - Hosts: 127.0.0.22 vil.nai.com
O1 - Hosts: 127.0.0.22 www.vil.nai.com
O1 - Hosts: 127.0.0.22 vil.nai.net
O1 - Hosts: 127.0.0.22 www.vil.nai.net
O1 - Hosts: 127.0.0.22 vil.nai.org
O1 - Hosts: 127.0.0.22 www.vil.nai.org
O1 - Hosts: 127.0.0.22 grisoft.com
O1 - Hosts: 127.0.0.22 www.grisoft.com
O1 - Hosts: 127.0.0.22 grisoft.net
O1 - Hosts: 127.0.0.22 www.grisoft.net
O1 - Hosts: 127.0.0.22 grisoft.org
O1 - Hosts: 127.0.0.22 www.grisoft.org
O1 - Hosts: 127.0.0.22 kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 kaspersky.com
O1 - Hosts: 127.0.0.22 www.kaspersky.com
O1 - Hosts: 127.0.0.22 kaspersky.net
O1 - Hosts: 127.0.0.22 www.kaspersky.net
O1 - Hosts: 127.0.0.22 kaspersky.org
O1 - Hosts: 127.0.0.22 www.kaspersky.org
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 download.mcafee.com
O1 - Hosts: 127.0.0.22 www.download.mcafee.com
O1 - Hosts: 127.0.0.22 download.mcafee.net
O1 - Hosts: 127.0.0.22 www.download.mcafee.net
O1 - Hosts: 127.0.0.22 download.mcafee.org
O1 - Hosts: 127.0.0.22 www.download.mcafee.org
O1 - Hosts: 127.0.0.22 norton.com
O1 - Hosts: 127.0.0.22 www.norton.com
O1 - Hosts: 127.0.0.22 norton.net
O1 - Hosts: 127.0.0.22 www.norton.net
O1 - Hosts: 127.0.0.22 norton.org
O1 - Hosts: 127.0.0.22 www.norton.org
O1 - Hosts: 127.0.0.22 symantec.com
O1 - Hosts: 127.0.0.22 www.symantec.com
O1 - Hosts: 127.0.0.22 symantec.net
O1 - Hosts: 127.0.0.22 www.symantec.net
O1 - Hosts: 127.0.0.22 symantec.org
O1 - Hosts: 127.0.0.22 www.symantec.org
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [A4893r] "C:\WINDOWS\j6307922.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [y1992Jas] "C:\WINDOWS\system32\n5883\sv711243830r.exe"
O4 - Startup: Startup.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




And this is the Avenger log file: I used Avenger but the virus kept running after a restart... I used this before I did HJT..

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kpsgcwsv

*******************

Script file located at: \??\C:\Program Files\iqgonnyd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\n5883\winlogon.exe deleted successfully.
File C:\WINDOWS\system32\n5883\services.exe deleted successfully.
File C:\WINDOWS\system32\n5883\csrss.exe deleted successfully.
File C:\WINDOWS\system32\n5883\lsass.exe deleted successfully.
File C:\WINDOWS\Ja13386\ib6207.exe deleted successfully.
File C:\WINDOWS\system32\n5883\b6207.exe deleted successfully.


File C:\WINDOWS\system32\n5883\lsass.exe not found!
Deletion of file C:\WINDOWS\system32\n5883\lsass.exe failed!

Could not process line:
C:\WINDOWS\system32\n5883\lsass.exe
Status: 0xc0000034

Folder C:\WINDOWS\system32\n5883 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
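Three groups of entries in the HijackThis log posted above explain the symptoms from the start of the thread: the F2 Shell= and UserInit= lines chain extra executables into every interactive logon (which is also why the Avenger deletions alone did not stop it and why logon now fails), the O7 policy turns regedit off, and the O1 block maps security-vendor domains to 127.0.0.22. That last address is worth a second look: it is not 127.0.0.1, so a check that only looks for 127.0.0.1 misses it, but every 127.0.0.0/8 address is loopback. As an added example, not part of this thread and not HijackThis's own code, the Python below triages a HijackThis log for those three classes of entry. The vendor domain list (built from the log above), the expected UserInit value, and the sample log (lines from the log above plus one constructed benign hosts entry and one benign O4 entry) are assumptions of this example.

```python
import ipaddress
import re

# Security-vendor domains that this kind of malware blocks through the hosts file.
# Built from the domains in the log above; an assumption of the example, extend as needed.
VENDOR_DOMAINS = ("mcafee.com", "nai.com", "grisoft.com", "kaspersky.com",
                  "kaspersky-labs.com", "symantec.com", "symantecliveupdate.com",
                  "norton.com")

# Registry policies that take away the tools needed to investigate an infection.
LOCKOUT_POLICIES = {"disableregedit", "disabletaskmgr", "disablecmd"}

# On Windows XP the only legitimate UserInit entry is userinit.exe itself (assumption).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(\w+)=(.*)$")
O7_RE = re.compile(r"^O7 - (.+?),\s*(\w+)=(\S+)")

# Constructed sample: lines taken from the HijackThis log posted above, plus one
# benign non-loopback hosts entry and a benign O4 entry that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6307922.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.kaspersky.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 192.0.2.10 intranet.example.test
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def is_sinkhole(ip_text):
    """True when the address sends a name nowhere useful: any 127/8 address or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_vendor_domain(host):
    """Exact or subdomain match against the vendor list, so 'notmcafee.com' does not match."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)


def triage_hjt(log_text):
    """Return a list of findings, each a dict with a 'category' and supporting fields."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip_text, host = m.groups()
            if is_sinkhole(ip_text):
                findings.append({"category": "hosts", "host": host, "ip": ip_text,
                                 "vendor": is_vendor_domain(host)})
            continue
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "shell" and value.lower() != "explorer.exe":
                # Anything appended after Explorer.exe starts with every interactive logon.
                findings.append({"category": "shell", "value": value})
            elif key == "userinit":
                parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
                extras = [p for p in parts if p.lower() != EXPECTED_USERINIT]
                if extras:
                    findings.append({"category": "userinit", "extras": extras})
            continue
        m = O7_RE.match(line)
        if m:
            key_path, name, value = m.groups()
            if name.lower() in LOCKOUT_POLICIES and value != "0":
                findings.append({"category": "policy", "key": key_path, "name": name})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print(finding)
```

On the sample this yields six findings: the Shell hijack, the extra UserInit executable, three sinkholed vendor domains (the 192.0.2.10 intranet entry is a normal hosts override and is left alone), and the DisableRegedit policy. Because the UserInit and Shell checks compare against the expected value rather than looking for known-bad names, they also catch the same technique with different file names.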
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-8-2007 8:18 (GMT +1)
Before we continue, please tell: can you boot to safe mode now?


 
 

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-8-2007 8:38 (GMT +1)
No.. oh my... does it really take long to boot in safe mode? Do I have to wait?
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-8-2007 8:50 (GMT +1)
Never mind, we'll fix some of the infections manually:


Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click Fix checked:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
<< only if you don't use a proxy server
----------------------------------------
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6307922.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [A4893r] "C:\WINDOWS\j6307922.exe"
O4 - HKCU\..\Run: [y1992Jas] "C:\WINDOWS\system32\n5883\sv711243830r.exe"
O4 - Startup: Startup.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
 
 
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:
 
Files to delete:
C:\WINDOWS\o4307927.exe
C:\WINDOWS\j6307922.exe
C:\WINDOWS\j6307922.exe
C:\WINDOWS\system32\n5883\sv711243830r.exe
 
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log and tell how things are running.
 



 
 

 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
Posted 1-8-2007 9:24 (GMT +1)
Uhmm.. you seem to have forgotten that I cannot log in? So I can't run HJT.. how do I get in? pleaaseeeee.........
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 1-8-2007 9:46 (GMT +1)
No, I have not forgotten it, just curious - how can You post a HijackThis log if You can't run it?

Run the Avenger part.

Reboot and tell me how things are running now.


 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-8-2007 9:52 (GMT +1)
I was able to run it before I became unable to log in. I ran HijackThis, then saved the log file to my USB and posted it from the other PC. Then I ran Kaspersky Anti-Virus and it deleted those viruses, then it automatically restarted (maybe to fully delete some viruses). After that I can't log in anymore, so now I'm stuck at the welcome page with usernames...
 
(edited)
Oh, a window comes up just after I click a username. It says "SAS window: winlogon.exe - Corrupt file. The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility."
This message flashed even before, when I was still running gmer.exe and killed the processes (e.g. "gmer.exe - corrupt file" as the heading, with the same message), but it did not do anything strange: it popped up a couple of times, but gmer was still running. I was even able to restart when I installed Kaspersky, but as I said, this started after I ran a scan on the critical areas...

Post Edited (soulji) : 1/8/2007 8:54:24 AM GMT

 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 1-8-2007 10:00 (GMT +1)
I hate that anti-spam filter.


Sorry, I should have read Your last post more carefully. The infections can have corrupted some system files; that's why You can't log in. I therefore suggest You do a repair without loss of data -


 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-8-2007 11:05 (GMT +1)
Hi. I followed the repair instructions and was able to run the repair until it told me to reboot, so I did. The instructions say NOT to press any key to boot from CD when asked, so I followed that, and then Windows loaded and I'm back at the welcome page, but I still can't log in... The instructions say in no. 6 that setup will continue as if it were doing a clean install, but your applications will remain intact. This did not happen. So what do I do now? Do the repair again?
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 1-8-2007 1:46 (GMT +1)
Unfortunately, I have bad news for You -
 
 
"Some infections are specifically designed to hide the activities of other viruses and worms, and compromise the operating system so that it may not be repaired. If your machine is infected with such an infection, you will very likely not be able to regain complete control of the system. Reinstallation is highly recommended."


 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-8-2007 2:09 (GMT +1)
Ohh... well, do you have any suggestion on how to recover my files? Please...
Would it work if I took the hard drive from my laptop and bought an external case, so that I could just plug it into my PC and recover my files?
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 1-8-2007 2:36 (GMT +1)
To tell the truth - I don't know.


 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-8-2007 2:42 (GMT +1)
Oh man...

Well, thank you for all your help.

It's been a tough battle, but I guess we lost.

At least now I have some things to guard myself against future attacks.

I'll be posting some other issues soon.

Thanks again.
 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-9-2007 8:59 (GMT +1)
Hi Touch.
Great news! I'm back on track again! I managed to run system repair and was able to log in again and destroy all the remaining viruses.
Here's what I did.
Remember that my second-to-last post said I was unable to run the repair successfully and that it did nothing, so I gave up. Well, I searched the internet about the log in/log out problem, and it turns out I'm not the only one having it. They gave some instructions on how to fix it and I followed one of them: it was the one to copy userinit.exe to wsaupdater.exe in the Recovery Console. I did that, but I still wasn't able to log in. It did something good instead, though: I am now able to boot in safe mode (unlike before), and the chkdsk before the Windows logo displays disappeared. I tried logging in in safe mode, but it still didn't work. But then I tried system repair again and it was successful!! Now I can log in again.
The Brontok virus duplicated itself in all of my folders, so about 400 of them were deleted.
I'm not sure if there's something more left, so I ran HijackThis to see if you can see anything bad on my computer.
By the way, during scanning a message popped up telling me that my PC has too many hijacked files and that it's best to delete something (I forgot what).
Here is the latest log:
Logfile of HijackThis v1.99.1
Scan saved at 3:36:31 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\hjt\alternative.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\system32\userinit.exe,
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee.com
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee.net
O1 - Hosts: 127.0.0.22 mcafee.org
O1 - Hosts: 127.0.0.22 www.mcafee.org
O1 - Hosts: 127.0.0.22 mcafeesecurity.com
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
O1 - Hosts: 127.0.0.22 mcafeesecurity.net
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
O1 - Hosts: 127.0.0.22 mcafeesecurity.org
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
O1 - Hosts: 127.0.0.22 mcafeeb2b.com
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
O1 - Hosts: 127.0.0.22 mcafeeb2b.net
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
O1 - Hosts: 127.0.0.22 mcafeeb2b.org
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
O1 - Hosts: 127.0.0.22 nai.com
O1 - Hosts: 127.0.0.22 www.nai.com
O1 - Hosts: 127.0.0.22 nai.net
O1 - Hosts: 127.0.0.22 www.nai.net
O1 - Hosts: 127.0.0.22 nai.org
O1 - Hosts: 127.0.0.22 www.nai.org
O1 - Hosts: 127.0.0.22 vil.nai.com
O1 - Hosts: 127.0.0.22 www.vil.nai.com
O1 - Hosts: 127.0.0.22 vil.nai.net
O1 - Hosts: 127.0.0.22 www.vil.nai.net
O1 - Hosts: 127.0.0.22 vil.nai.org
O1 - Hosts: 127.0.0.22 www.vil.nai.org
O1 - Hosts: 127.0.0.22 grisoft.com
O1 - Hosts: 127.0.0.22 www.grisoft.com
O1 - Hosts: 127.0.0.22 grisoft.net
O1 - Hosts: 127.0.0.22 www.grisoft.net
O1 - Hosts: 127.0.0.22 grisoft.org
O1 - Hosts: 127.0.0.22 www.grisoft.org
O1 - Hosts: 127.0.0.22 kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 kaspersky.net
O1 - Hosts: 127.0.0.22 www.kaspersky.net
O1 - Hosts: 127.0.0.22 kaspersky.org
O1 - Hosts: 127.0.0.22 www.kaspersky.org
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 download.mcafee.com
O1 - Hosts: 127.0.0.22 www.download.mcafee.com
O1 - Hosts: 127.0.0.22 download.mcafee.net
O1 - Hosts: 127.0.0.22 www.download.mcafee.net
O1 - Hosts: 127.0.0.22 download.mcafee.org
O1 - Hosts: 127.0.0.22 www.download.mcafee.org
O1 - Hosts: 127.0.0.22 norton.com
O1 - Hosts: 127.0.0.22 www.norton.com
O1 - Hosts: 127.0.0.22 norton.net
O1 - Hosts: 127.0.0.22 www.norton.net
O1 - Hosts: 127.0.0.22 norton.org
O1 - Hosts: 127.0.0.22 www.norton.org
O1 - Hosts: 127.0.0.22 symantec.com
O1 - Hosts: 127.0.0.22 www.symantec.com
O1 - Hosts: 127.0.0.22 symantec.net
O1 - Hosts: 127.0.0.22 www.symantec.net
O1 - Hosts: 127.0.0.22 symantec.org
O1 - Hosts: 127.0.0.22 www.symantec.org
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.org
O1 - Hosts: 127.0.0.22 update.symantec.com
O1 - Hosts: 127.0.0.22 www.update.symantec.com
O1 - Hosts: 127.0.0.22 update.symantec.net
O1 - Hosts: 127.0.0.22 www.update.symantec.net
O1 - Hosts: 127.0.0.22 update.symantec.org
O1 - Hosts: 127.0.0.22 www.update.symantec.org
O1 - Hosts: 127.0.0.22 securityresponse.symantec.com
O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.com
O1 - Hosts: 127.0.0.22 securityresponse.symantec.net
O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.net
O1 - Hosts: 127.0.0.22 securityresponse.symantec.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
thanks for all the help!
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 1-9-2007 1:23 (GMT +1)
That's a really good job You have done.
 
 
 
Let´s see if we can find more infections -
 
 
Please download the free trial of Superantispyware.
 
Install it using the Standard Install option (you will be asked for your e-mail address; it is safe to give it).
Close the program.
 
 
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
 
 
Download and install DrWebCureit:
to your desktop.
 
 
Please download and run HOSTER.ZIP
 
http://www.funkytoad.com/download/hoster.zip
 
Save it to a new folder on your desktop > open the new folder and unzip the file hoster.zip > run Hoster.exe > if your host file is marked as "read only", click the button "Make Hosts Writable" > click the "Restore Original Hosts" button > press OK to restore the original Hosts file > click OK > close The Hoster.
 
 
 
 
 
 
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
 
 
 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.
 
 
 
Reboot into Safe  Mode  
 
 
 
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
 
 
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select "Report".
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
 
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
 
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
 
 
 
 
Start Superantispyware/rightclick on the black/yellow bug in tray.
 
Hit - Scan Your Computer - button
 
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next
 
It will scan now. When the scan has finished, put a checkmark next to all items it found. Next, after cleaning, let it reboot.
 
 
 
Start Superantispyware again –
Click Preferences and then click the statistics/logs tab.
Click the dated log and press view log and a text file will appear.
 
 
 
Post this log along with fresh hijackthis log, DrWeb.csv log and tell how things are running
 
 
 
 
 
 
 
 
 
 
 
 
 
 


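A defender's triage of the indicators in the last two posts, written as an added example (Python; not code from this thread, from HijackThis or from any tool the moderator names): it parses HijackThis-style lines, counts O1 hosts entries that sink security-vendor domains to a loopback address such as 127.0.0.22, flags O4 Run entries that launch random-named executables like j6307922.exe, and flags O7 policies that disable Regedit or Task Manager. The sample log lines are constructed from entries quoted in this thread; the vendor keyword list and the name-randomness threshold are assumptions.

```python
"""Triage HijackThis-style log lines for the tampering seen in this thread.

Added example, not code from the thread or from HijackThis. Heuristics and
keyword lists are assumptions; tune them before relying on the verdicts.
"""
import ipaddress
import re

# Security-vendor name fragments (assumption, built from the O1 lines quoted
# in the thread). A hosts entry sending one of these to a sinkhole address is
# the classic "block the AV updates" move of Brontok-style worms.
VENDOR_KEYWORDS = ("mcafee", "nai.", "grisoft", "kaspersky", "symantec", "norton")

# Policies that turn off the admin tools the poster could not open.
ADMIN_TOOL_POLICIES = ("DisableRegedit", "DisableTaskMgr", "DisableCMD")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O7_RE = re.compile(r"^O7 - .*\\Policies\\System, (\w+)=(\d+)")


def is_sinkhole(ip_text):
    """True for loopback (127.0.0.0/8) or 0.0.0.0, i.e. 'go nowhere' targets."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def looks_random(name):
    """Heuristic (assumption): a stem of 6+ chars that is mostly digits, like
    j6307922 or sv711243830r, is treated as machine-generated. Legitimate
    names such as MSPY2002 (exactly half digits) stay below the threshold."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    digits = sum(c.isdigit() for c in stem)
    return digits / len(stem) > 0.5


def command_path(rest):
    """Strip quoting and trailing switches from an O4 command string."""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" /", 1)[0]


def triage(log_text):
    """Return a list of (finding, detail) tuples for one HJT log."""
    findings = []
    hosts_hits = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip_text, host = m.groups()
            # 127.0.0.1 localhost is normal; only vendor names sunk to loopback count.
            if is_sinkhole(ip_text) and any(k in host.lower() for k in VENDOR_KEYWORDS):
                hosts_hits += 1
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, rest = m.groups()
            path = command_path(rest)
            exe = path.rsplit("\\", 1)[-1]
            if looks_random(name) or looks_random(exe):
                findings.append(("suspicious_run_entry", f"{hive} [{name}] {path}"))
            continue
        m = O7_RE.match(line)
        if m:
            policy, value = m.groups()
            if policy in ADMIN_TOOL_POLICIES and value == "1":
                findings.append(("admin_tool_disabled", policy))
    if hosts_hits:
        findings.insert(0, ("hosts_blocks_security_vendors", hosts_hits))
    return findings


# Constructed sample: a handful of lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.grisoft.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 kaspersky-labs.net
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [A4893r] "C:\WINDOWS\j6307922.exe"
O4 - HKCU\..\Run: [y1992Jas] "C:\WINDOWS\system32\n5883\sv711243830r.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```

Run against a full log, the hosts count alone tells you whether the "Restore Original Hosts" step the moderator prescribes is needed before any scanner can fetch updates.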
 

soulji
New Member


Date Joined Jan 2007
Total Posts : 12
 
   Posted 1-12-2007 1:20 (GMT +1)
Hi.
 
Sorry for the long delay... my AC adapter broke down, so I couldn't open my laptop and had to find a replacement.
 
Here are the fresh logs.
 
HJT: no pop-up message!
 
Logfile of HijackThis v1.99.1
Scan saved at 7:52:30 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\hjt\alternative.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%SystemRoot%\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
 
 
 
Superantispyware:
SUPERAntiSpyware Scan Log
Generated 01/12/2007 at 07:35 PM
Application Version : 3.4.1000
Core Rules Database Version : 3161
Trace Rules Database Version: 1173
Scan type       : Complete Scan
Total Scan Time : 19:38:43
Memory items scanned      : 330
Memory threats detected   : 0
Registry items scanned    : 7024
Registry threats detected : 5
File items scanned        : 37742
File threats detected     : 0
Adware.HBHelper
 HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
 HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
 HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
 HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
 HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
 
 
dr.webcureit:
crack.exe;C:\Documents and Settings\Daryl\My Documents\UP Medchoir\noteworthycomposer1.75crackngen;Tool.GameCrack;;
A0003463.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003464.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003465.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003466.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003467.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003468.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003469.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003470.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003471.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003472.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003473.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
 
 
 
The laptop's doing fine!! But I still saw a txt file called "Baca Bro!!!" in the C drive during the scan, which I had deleted before. The scans did not detect it as a virus, but I deleted it myself. I'll post again if it returns.
 
 
Thank you so much for all the help!!
Btw, what do I do with the programs I downloaded? Should I keep them forever?
 
Back to Top
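The CureIt report above is semicolon-separated (file;directory;detection;action;). The following is an added example, not part of the thread or of Dr.Web's tooling: it parses lines in that format and summarises what a responder usually wants to know from such a log, namely how many hits each detection name got, how many were archived copies inside System Restore points (the `_restore{...}\RPn` directories, which is why the A000xxxx.exe entries repeat) and which entries were flagged but left untouched. The sample log is a constructed, shortened version of the one posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Dr.Web CureIt report layout seen in the thread:
# file;directory;detection;action;   (an empty action field means "no action taken")
SAMPLE_LOG = r"""
crack.exe;C:\Documents and Settings\Daryl\My Documents\crackngen;Tool.GameCrack;;
A0003463.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
A0003464.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP7;Win32.HLLM.Brontok;Deleted.;
"""

# System Restore stores snapshot copies under System Volume Information\_restore{GUID}\RP<n>
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)")


def parse_cureit(text):
    """Turn CureIt report lines into dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        rows.append({
            "file": parts[0],
            "dir": parts[1],
            "detection": parts[2],
            "action": parts[3].rstrip("."),   # "Deleted." -> "Deleted", "" stays ""
        })
    return rows


def summarize(rows):
    """Count hits per detection name, per restore point, and list untouched entries."""
    by_family = Counter(r["detection"] for r in rows)
    restore_points = defaultdict(int)
    untouched = []
    for r in rows:
        m = RESTORE_RE.search(r["dir"])
        if m:
            restore_points["RP" + m.group(1)] += 1
        if r["action"] == "":
            untouched.append(r["dir"] + "\\" + r["file"])
    return {
        "by_family": dict(by_family),
        "restore_points": dict(restore_points),
        "untouched": untouched,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_cureit(SAMPLE_LOG)).items():
        print(key, value)
```

Entries under a restore point only go away for good if System Restore is turned off or the old points are purged, which is why removal guides ask for that as a final step.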
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 1-14-2007 7:42 (GMT +1)
You can delete these:
alternativ.exe
Gmer Zip
catchme
Avenger
Hoster.exe
drweb-cureit.exe
HOSTER.ZIP
 
I suggest you run AVG Anti-Spyware; it should remove all instances of "Baca Bro!!!" / Brontok.
 
Download AVG Anti-Spyware from HERE. Save the file to your desktop so you can locate it. Double-click the AVG Anti-Spyware icon on the desktop to launch the setup program.
The installation will require a restart of the computer.
 
Launch AVG Anti-Spyware to update to the latest definition files.
On the main screen select the "Update" icon
Click "Start Update".  The update will start and a progress bar will show the updates being installed.
If you have problems with the updater, you can use this link to manually update AVG Anti-Spyware --   
AVG manual updates
 
AVG Anti-Spyware Settings
Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
In the Settings screen click "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
DE-Select "Only if threats were found"
Launch AVG Anti-Spyware by double-clicking the icon on the desktop.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning;
it may interfere with the scanning process.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
AVG Anti-Spyware will now begin the scanning process.  Be patient as this may take a little time.
While scanning AVG Anti-Spyware will list any infections found on the left side.
When the scan is completed, the recommended action should be set to Quarantine.
If not, click Recommended Action and set it there. Click the Apply all actions button.
AVG Anti-Spyware will display "All actions have been applied" on the right side.
Click on "Save Report", then "Save Report As". 
This will create a text file. 
Make sure you know where to find this file again (like on the Desktop).
Close AVG Anti-Spyware.
 
Reboot and post log from AVG


Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted.
 
 

Back to Top
 