Press F1 forum, thread 70829: help, removing brontok
Started 2006-07-17 19:11:00 by citizen_78g (10758)

Post ID | Timestamp | User
471606 | 2006-07-17 19:11:00 | citizen_78g (10758)
I need help in trying to fix my PC; I would really appreciate any help. I named the title brontok because that was what I was notified by BitDefender, though I am not sure if this is really the case.
1. When I open a file folder, I can see that a folder of the same name has been created inside; when I clicked that folder it opened to My Documents folder. As I looked inside my other folders I can see that almost all of them have the same problem. I tried deleting it but it just keeps coming back.
2. Further browsing of my folders, I discovered in My Pictures an image with the file name about.Brontok.A. When I viewed the details this is what I see; size: 1kb, type: HTML Document. I clicked the image and it opened in an internet browser.
3. I went to the internet to find a solution. I tried to conduct an online scan through bitdefender.com (which was recommended by a friend); after downloading the BitDefender Brontok Removal Tool I then proceeded as prompted. The process identified and told me that it had deleted the infected files except for one, which I don't know which one. After the process I thought that I had removed and fixed it, but after some time I discovered that it was still there. I also tried to go to Start > Run and typed msconfig, but then suddenly my PC shut down and restarted. I then tried typing regedit and after clicking OK I get a notification that says: "Registry editing has been disabled by your administrator", then my PC shut down just like before. The PC is mine and there is no administrator. I don't know if this info is necessary anyway: I am using XP, there are 3 users, the PC is partitioned into 2, and I am also connecting to the internet via dial-up.
471607 | 2006-07-18 00:50:00 | johnboy (217)
Hi. Was this the program you tried? www.softpedia.com
Also try the tips on this page: forums.thatcomputerguy.us
Hth
471608 | 2006-07-18 01:05:00 | SurferJoe46 (51)
Get into the default Administrator's account by using Safe Mode. Boot into Safe Mode after you shut off System Restore. System Restore is a good place for malware to hide and re-infect over and over again. You will need to run HiJackThis from here: www.tomcoyote.org/hjt/#Top (being sure to place it in a permanent file area, not the temp files! It cannot generate a registry backup if it's in the temp area). Make a folder on the desktop with the c/p results from HJT in it, and access it later when you reboot in normal mode and send the results here for Sir Speedy or Pancake to check out for you.
471609 | 2007-02-24 09:52:00 | parci36 (10759)
Hi, I have a similar problem. I had all the above symptoms, including that my computer would restart whenever I tried downloading a file, so I was told to download 3 programs:
AVG Free Edition
Spybot Search and Destroy
SUPERAntiSpyware
Having downloaded these on a different PC and then installed them on mine, I ran a full system scan and the following virus was found 645 times on my computer: "I-Worm/Brontok.C". I was then told to switch off System Restore and delete all the infected files, which were now stored in the virus vault of AVG. I then restarted my computer... Since then, my PC is definitely running smoother, but the virus is not completely gone. At random times (approximately every hour), a warning pops up from AVG saying that a threat is detected in the following paths:
C:\Documents and Settings\All Users\Documents\Data XXX.exe (XXX is my name, but for privacy reasons I have disclosed it as XXX)
C:\Documents and Settings\All Users\Documents\SharedDocs.exe
C:\Documents and Settings\All Users\Documents\My Music\My Music.exe
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\16568289\16568289.exe
C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
These are the only paths where the virus stays, and having then sent them to the virus vault and deleted them again from there, the threat reappears every time from the same destinations... The symptom of it creating identical folders within other folders has however disappeared, and I am able to download things from the internet, but the latter problem is really irritating and I hope anybody can help me out... Thanks for your time and looking forward to a reply.
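Four of the six paths AVG keeps reporting above share one shape: an executable named after the folder it sits in (My Music\My Music.exe, 16568289\16568289.exe), which is how a worm passes for a folder in Explorer. The scanner below is an added example written for this thread, not a feature of AVG, BitDefender or any tool the posters used; the list of executable extensions is an assumption, and the directory tree it builds is constructed for the demo rather than taken from anyone's machine.

```python
"""Flag Brontok-style "folder mimic" executables under a documents tree.

Added example; the heuristic is derived from the paths AVG reported in the
post above, not from any tool mentioned in the thread. The sample tree is
constructed here for the demo and is not data from the thread.
"""
import os
import tempfile
from pathlib import Path

# Assumption: extensions that Explorer runs on double-click and that malware
# likes to disguise as folders by giving them a folder icon.
EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com"}


def _rel(path, root):
    return str(path.relative_to(root)).replace(os.sep, "/")


def find_executables(root):
    """Every executable under root (document folders rarely hold any)."""
    root = Path(root)
    hits = [_rel(p, root) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES]
    return sorted(hits)


def find_folder_mimics(root):
    """Executables whose stem equals (case-insensitively) the name of the
    directory they sit in, or of a sibling directory: the pattern behind
    My Music\\My Music.exe and 16568289\\16568289.exe in the post."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for fname in filenames:
            p = here / fname
            if p.suffix.lower() not in EXEC_SUFFIXES:
                continue
            stem = p.stem.lower()
            if stem == here.name.lower() or stem in sibling_dirs:
                hits.append(_rel(p, root))
    return sorted(hits)


# Constructed sample layout: the paths from the post plus benign neighbours
# and one legitimate program whose layout also matches the heuristic.
SAMPLE_FILES = [
    "All Users/Documents/SharedDocs.exe",
    "All Users/Documents/My Music/My Music.exe",
    "All Users/Documents/My Music/Sync Playlists/16568289/16568289.exe",
    "All Users/Documents/My Pictures/My Pictures.exe",
    "All Users/Documents/My Pictures/holiday.jpg",
    "All Users/Documents/readme.txt",
    "Program Files/SUPERAntiSpyware/SUPERAntiSpyware.exe",
]


def make_demo_tree():
    """Build the constructed sample in a temp dir; return (base, documents)."""
    base = Path(tempfile.mkdtemp(prefix="brontok-demo-"))
    for rel in SAMPLE_FILES:
        p = base.joinpath(*rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")  # content is irrelevant to the check
    return str(base), str(base / "All Users" / "Documents")


if __name__ == "__main__":
    base, docs = make_demo_tree()
    print("executables in documents:", find_executables(docs))
    print("folder mimics in documents:", find_folder_mimics(docs))
    # Scanning the whole tree also matches SUPERAntiSpyware\SUPERAntiSpyware.exe,
    # a legitimate layout that appears in the HJT log later in the thread, so
    # keep the scan to user data folders or review hits by hand.
    print("folder mimics in whole tree:", find_folder_mimics(base))
```

The name-matching rule on its own is too broad for Program Files, where legitimate installers routinely create Vendor\Vendor.exe, so the demo scans the shared Documents folder and treats a whole-tree run as a review list rather than a verdict. SharedDocs.exe does not match the rule at all, which is why the plain "any executable under Documents" listing is kept alongside it.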
471610 | 2007-02-24 09:58:00 | Trev (427)
Download and run HijackThis from here www.tomcoyote.org and post the log back on the forum. Trevor :)
471611 | 2007-02-24 12:07:00 | parci36 (10759)
Hi, hope this is the right thing... Thanks for your quick reply!

```text
Logfile of HijackThis v1.99.1
Scan saved at 01:59:46 PM, on 2007/02/24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Parc\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mecer.co.za
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
```
471612 | 2007-02-24 12:57:00 | Laura (43)
If you're waiting for another quick reply, parci36 (and you're in the northern hemisphere), just to say this forum is based in New Zealand, where the time is currently 1.50am Sunday morning/Saturday night. You'll get better luck when this country wakes up for breakfast. Meanwhile, welcome to Press F1.
471613 | 2007-02-24 15:05:00 | SurferJoe46 (51)
Nothing really bad in the HJT scan... a few broken things, but I don't see anything dangerous... you can clean up the little stuff later.... This is gonna need a little different cleaning though..... wait for a while, others will be here... as Laura says, they are all asleep in Upsidedown Land.
471614 | 2007-02-24 17:18:00 | parci36 (10759)
Thanks, hope they can find some solution....
471615 | 2007-02-24 20:29:00 | Speedy Gonzales (78)
Unzip HJT, put it in its own folder, then run HJT again. Tick these entries, then tick Fix checked. Close browser/s first.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" - uninstall this and ALL previous versions of Sun Java. The link is in my sig below.
Yup, everything else looks ok. I would also install a firewall. Ummm, try one of the programs in my sig below. Or see if Trojan Remover picks anything up.
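The review above is the routine HJT-log triage of the period: ignore the header and process list, count what each O-section contains, tick entries whose target no longer exists, list the Run-key autostarts, and note outdated Java runtimes. The parser below is an added example written for this thread, not a HijackThis feature or code from any of the posters; the line format is inferred from the log posted earlier in the thread, and SAMPLE_LOG is a short constructed excerpt of that log.

```python
"""Triage a HijackThis log: count sections, list autostarts, flag dangling
entries and old Java runtimes.

Added example, not a HijackThis feature: the line format is inferred from
the log posted earlier in the thread. SAMPLE_LOG is a constructed excerpt
of that posted log, kept short for the demo.
"""
import re
from collections import Counter

# "O4 - HKLM\..\Run: [name] command"  ->  code "O4", body "HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
JRE_RE = re.compile(r"jre(\d+\.\d+\.\d+_\d+)")
DANGLING_MARKERS = ("(no file)", "(file missing)")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 01:59:46 PM, on 2007/02/24
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


def parse_hjt(text):
    """Return the R/O entries as dicts; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "raw": line})
    return entries


def section_counts(entries):
    """How many entries each section (R0, O2, O4, ...) contributed."""
    return dict(Counter(e["code"] for e in entries))


def dangling_entries(entries):
    """Entries whose target no longer exists: the first thing the thread's
    reviewers tick for 'Fix checked'."""
    return [e["raw"] for e in entries if any(mark in e["body"] for mark in DANGLING_MARKERS)]


def autostart_entries(entries):
    """(hive, value name, command) for every O4 Run entry, for review."""
    out = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out


def java_runtimes(entries):
    """Distinct jre versions referenced anywhere in the log."""
    return sorted({v for e in entries for v in JRE_RE.findall(e["raw"])})


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(entries))
    for line in dangling_entries(entries):
        print("dangling:", line)
    for hive, name, cmd in autostart_entries(entries):
        print(f"autostart {hive} [{name}] -> {cmd}")
    print("java runtimes:", java_runtimes(entries))
```

Run against the excerpt, dangling_entries returns exactly the O2 "(no file)" line Speedy ticked plus the O9 "(file missing)" button, and java_runtimes shows which JRE the autostart and BHO belong to. The parser deliberately makes no verdict on the remaining O4 entries; as the thread shows, that part is a human reading the list against what the machine is known to have installed.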