Double Folders appearing on 'My Documents' , Brontok virus.

View previous topic View next topic Go down

Solved Double Folders appearing on 'My Documents' , Brontok virus.

Post by xiiaoboy on 30th July 2008, 10:56 am

There is a problem with my computer lately , there are double folders appearing on my documents when i clicked on them. Just because i've clicked on a link which i thought would lead me to a download link but then restarted my computer instantly.
Here is my HijackThis Log ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:05 PM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\winlogon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\services.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\lsass.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\xiiaoboy\My Documents\My Received Files (Application installation)\HiJackThis.exe
C:\WINDOWS\system32\ping.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11043 bytes


Yup , and there is also another link which i've found out in my pictures folder.
And i believe that this is another virus or bug in the computer as well , but it doesnt seem to do any harm to my computer though ;o ..
this is the virus : about.Brontok.A.html

Hope you could help me ;DDD
Thanks.

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 30th July 2008, 5:17 pm

‡‡Please print out or copy this page to Notepad since you cannot have any browsers open while you are fixing this and try to follow it as closely as possible taking it step by step.



‡‡Update your Antivirus program.



‡‡Please download Spybot Search and Destroy install it and update the program.

[You must be registered and logged in to see this link.]



‡‡Please download VundoFix.exe to your desktop. Ignore the AntiVirus warnings and download it anyway because you need to run it. Wait on installation and running.

[You must be registered and logged in to see this link.]



‡‡Download CleanUp! and install it. Wait on installation and running.

[You must be registered and logged in to see this link.]



‡‡Please download following program CWSHREDDER. Wait on installation and running.

[You must be registered and logged in to see this link.]



‡‡Download about:Buster and save it to your desktop. When it has finished downloading, unzip the folder to your desktop as well. You should now be left with an aboutbuster folder on your desktop.Wait on installation and running.

[You must be registered and logged in to see this link.]



‡‡I would suggest though that you download CCleaner. It is a great little program that I use every time I close my browser to get rid of temporary files. I usually just run the cleaner part every time I'm done with the browser.During the install there will be check marks for checking for updates that part I do not use and also to install a tool bar for yahoo or something. Make sure those are unchecked unless you want another tool bar, It is a very safe program and it is free.(CCleaner Quick Setup: Go to > Options > Advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware. files!)

[You must be registered and logged in to see this link.]

_____________________________________________________________

‡‡Now make sure no files are hidden. To do this:
For XP go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
For Vista go to the Control Panel->Appearance and Personalization
Under the Folder Options, click Show Hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
You may change the above options back after your log is clean.




‡‡Turn off system restore.

Steps to turn off System Restore for XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.
Steps to turn off System Restore for Vista:
1. Control Panel -> System Maintenance -> Back Up and Restore Center
2. On the right column, click on "create a restore point or change settings" (this requires administrator's password if set)
3. Uncheck all drives.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
After a few moments, the System Properties dialog box closes.




‡‡Do all steps below in safe mode except for at the end when you generate a new HiJackThis log.



‡‡Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (Repeatedly).

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.





‡‡Please run HijackThis and click "Scan". Place checks next to the following entries if still present in the code and close all browser and other windows except for HijackThis, and click "Fix Checked".



Code:


C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\winlogon.exe

C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\services.exe

C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\lsass.exe

O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"

O4 - HKUS\S-1-5-18\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe" (User 'SYSTEM')

O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')

O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')

O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')

O4 - Startup: Empty.pif = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1




‡‡Run your Antivirus and do a full scan remember this is all in safe mode.



‡‡Run Spybot Search and Destroy and do a full scan remember this is all in safe mode.



‡‡Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

*Click "Options..."

*Move the arrow down to "Custom CleanUp!"

*Only Check the following for now:

-Empty Recycle Bins

-Delete Cookies

-Delete Prefetch Files

-Clean up All Users

*Uncheck the following:

-Delete Newsgroup cache

-Delete Newsgroup Subscriptions

*Press the Temporary Files Tab and check.

-Scan drives for files matching

Click OK

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup or MOVE THEM out of the Temp folder before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.




‡‡Install and run CWSHREDDER

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.




‡‡Double-click on the AbouBuster.exe icon.

Click Begin scan. Close when completed.

It is advised that you run the AbouBuster twice in a row to make sure you get all the infections.




_____________________________________________________________



‡‡Double-click VundoFix.exe to run it(Do this a few times until nothing shows up).



‡‡Then install CCleaner but note it installs the Yahoo Toolbar as an option which IS check marked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option.

Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours

Then select the items you wish to clean up.




In the Windows Tab:



* Clean all entries in the "Internet Explorer" section except Cookies.

* Clean all the entries in the "Windows Explorer" section.

* Clean all entries in the "System" section.

* Clean all entries in the "Advanced" section.

* Clean any others that you choose.




In the Applications Tab:



* Clean all except cookies in the Firefox/Mozilla section if you use it.

* Clean all in the Opera section if you use it.

* Clean Sun Java in the Internet Section.

* Clean any others that you choose.




Click the "Run Cleaner" button.

A pop-up box will appear advising this process will permanently delete files from your system.

Click "OK" and it will scan and clean your system.

Click the "Issues" button.

Click the "Scan For Issues" button.

Click the "Fix Selected Issues" button.

Click the "Fix All Selected Issues" button.

Click "OK"

Click "Close" when done.





‡‡Reboot into Normal Mode. Turn System Restore back on and create a restore point.

Steps to turn on System Restore For XP:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
4. Click OK.

After a few moments, the System Properties dialog box closes.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

To create a Restore point for Vista:
1.Control Panel – System Maintenance – Back Up and Restore Center. On the right column, click on "Create A Restore Point Or Change Settings" (This requires Administrator's password if set.) Put a check on the drive your OS is on. Then click on the Create button. Type in a name and then click OK.




‡‡Do another scan with HiJackThis in normal windows mode and post your new log file here for final verification. Make sure it is a new log file.

Also let me know how the systems overall condition is now.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Double Folders appearing on 'My Documents' , Brontok virus.

Post by xiiaoboy on 1st August 2008, 5:58 am

I couldn't find the hidden files.
Here is the new LogFile ;DD

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:17 PM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xiiaoboy\My Documents\My Received Files (Application installation)\Detective.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11643 bytes

..Don't think it have changed much.
Here is the Uninstall List.

Adobe Flash Player ActiveX
Adobe® Photoshop® Album Starter Edition 3.0
Atheros Communications Inc.(R) L2 Fast Ethernet Driver
CCleaner (remove only)
CleanUp!
EVEREST Home Edition v2.20
Free Download Manager 2.5
Free WMA to MP3 Converter 1.16
Freecorder Toolbar
Freecorder Toolbar 3.01 Application
FreeRIP v3.07
Garena
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hamachi 1.0.2.5
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Home Media Server 4.1.4.0067
iMesh
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 6
LG PC Suite
LG USB Modem driver
Linksys Wireless-G USB Network Adapter
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Standard
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0)
MSXML 6.0 Parser
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.5
Nokia NSeries Application Installer
Nokia NSeries Content Copier
Nokia NSeries Multimedia Player
Nokia NSeries Music Manager
Nokia NSeries One Touch Access
Nokia NSeries System Utilities
Nokia Software Launcher
Nokia Software Updater
PC Connectivity Solution
PIF DESIGNER
PSP ISO Compressor
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Software Informer 1.0 BETA
Spybot - Search & Destroy
SpywareBlaster 4.1
Update for Windows XP (KB942763)
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar

..Hope it's useful ;o ..
Hope this would solve the problem ;DD

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 1st August 2008, 9:03 am

‡‡Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (Repeatedly).

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.



‡‡Please rename HijackThis.exe to geekpolice.exe. Run it and click "Scan". Place checks next to the following entries if still present in the code and close all browser and other windows except for HijackThis, and click "Fix Checked".


Code:

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Double Folders appearing on 'My Documents' , Brontok Virus

Post by xiiaoboy on 1st August 2008, 9:40 am

I did what you told me to ;o
Is this it? ;DD


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:42 PM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\winlogon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\services.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\inetinfo.exe
C:\Documents and Settings\xiiaoboy\My Documents\My Received Files (Application installation)\Geekpolice.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11375 bytes

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Double Folders appearing on 'My Doucments' , Brontok Virus

Post by xiiaoboy on 1st August 2008, 12:20 pm

sorry about the previous post , i din't do what you said in your first post ;x ..
here's the new LogFile .. though it seemed the same -.-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:17 PM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xiiaoboy\Desktop\GeekPolice.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11338 bytes

I've followed your every step that you wrote in your first post.
hope it helps ;D

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 3rd August 2008, 1:43 am

I would like you to download this free tool provided by Kaspersky Labs, extract the file with either WinRAR or WinZip and execute the"klwk" MS-DOS application. Hopefully it will remove the infection.

[You must be registered and logged in to see this link.]

I would also like to confirm that you have done a full virus scan with Avast Antivirus? Boot into safe-mode while attempting to remove the HijackThis entries? And how did you know that you got the brontok infection?


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by xiiaoboy on 3rd August 2008, 3:18 pm

o.O .. it writes that there is nothing that is infected at all.
and about the brontok virus , it was on 'my pictures' folder giving me a link to it.
i search it using yahoo and everywhere about it was virus/worm. so it should be it right? LOL
hmm . i didnt try using the avast antivirus ;o
though i didnt had any antivirus programme running in my computer.
so do you have other ideas? and yes i did everything in safe mode.
after i clear is using hijackthis , i tried the other programmes that you told me to use and it was empty. no virus showed up , but after i restarted my computer in a normal boot.
everything just comes up again . D;

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 4th August 2008, 5:00 am

You have to run the antivirus so that I can proceed from there.

The rename of HijackThis is incorrect. rename it to geekpolice and remove the ".exe"

We also noticed that you have been infected by the WORM_RONTOKBRO.Y Trojan (eksplorasi.exe).

This nefarious process enables attackers to gain access to your system from remote locations; many passwords, internet banking details and personal data have been lost because of the crippling effectiveness of eksplorasi.exe.

And post back with a new log.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Double Folders appearing on 'My Documents' , Brontok Virus

Post by xiiaoboy on 4th August 2008, 9:00 am

eh. i have've done with the antivirus this time round.
but even after i have done everything in safe mode , i still see double folders even after deleting them off. and i tried to reboot it in normal mode and run the hijackthis. So the eksplorasi.exe is starting to get on my nerves ._. ..

Here is the new LogFile. IT DIDNT change at all D; only abit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:40 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Documents and Settings\xiiaoboy\Desktop\GeekPolice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10374 bytes



and no matter how i try to delete the other programmes with the host numbers on it , it just keeps coming back after normal rebooting.
Hope this would help ._. ..

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 4th August 2008, 2:01 pm

To help in proper removal of bad items, temporarily disable these helper programs. Here's how to do that:

[You must be registered and logged in to see this link.]

After that, Reboot to make those changes take effect.

‡‡Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (Repeatedly).

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.




‡‡Please run HijackThis and click "Scan". Place checks next to the following entries if still present in the code and close all browser and other windows except for HijackThis, and click "Fix Checked".



Code:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.4.7.4 forum.vaksin.com

O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\xiiaoboy\Local Settings\Application Data\smss.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Double Folders appearing on 'My Documents' , Bronktok Virus

Post by xiiaoboy on 4th August 2008, 2:53 pm

hmm .. okok . finally there's something good responding from hijackthis ;D
erm , heres the new LogFile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:07 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Documents and Settings\xiiaoboy\Desktop\GeekPolice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6309 bytes


err , are there still other viruses found in this LogFile?
and many thanks for your help ;DDD

xiiaoboy
Intermediate
Intermediate

Posts Posts : 53
Joined Joined : 2008-04-23
Points Points : 31520
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Doctor Inferno on 5th August 2008, 4:30 am

Because your system has been severely compromised, I would recommend a format and clean install of the OS as the attacker has no doubt left numerous 'backdoor' entries in order to gain re-access and it would be impossible to find them all. But that is up to you.

In order to prevent future malware attacks, please read below.

Upgrading Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: [You must be registered and logged in to see this link.]or [You must be registered and logged in to see this link.]here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.




Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
[You must be registered and logged in to see this link.]






After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

[You must be registered and logged in to see this link.]-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

[You must be registered and logged in to see this link.] - Great prevention tool to keep nasties from installing on your system.

[You must be registered and logged in to see this link.]-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

[You must be registered and logged in to see this link.]- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

[You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

[You must be registered and logged in to see this link.] To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Double Folders appearing on 'My Documents' , Brontok virus.

Post by Digitalocksmith on 5th August 2008, 8:45 am

This is very informative information and great advice that all members should be aware of, and follow, in order to remain protected at all times!

Nice work Doc in tracking down, identifying, and removing this nasty infection for xiiaoboy.

3 cheers for Doctor Inferno Hooray! Hooray! Hooray!



Digitalocksmith
Leader
Leader

Posts Posts : 625
Joined Joined : 2007-12-22
Gender Gender : Male
OS OS : Windows 7 Ultimate x64 beta 1 (build 7048) - Testing Bluewhite64 Linux 12.2
Points Points : 48951
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum