Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help me about.Brontok.A


  • Please log in to reply

#1
mordecai

mordecai

    Member

  • Member
  • PipPip
  • 23 posts
Hi it sees that i am in troble . i have come in contact with a virus or a trojan i thik its called about.Brontok.A. This pops up everytime i use the internet. I am not able to download anything form internet explorer without the computer restarts. I get unnessaray popup wen using internet exploer. and this happens also when i enter a website on the address bar. The internet exploer frezes. i cant install anyting without the computer restarting. sometimes i am not able to install thing fully. hense me not have a antivirus softwear. My computer is also running incredibly slow. Also when ever i put a usb into my computer the virus is copyed on to it. It Names itslef the target folder that it is in and it makes itl's icon a folder icon fooling you into clicking it. please could you help me. as soon as pssible. I INTEND TO MAKE A LARGE DONTION AS SOON AS IT IS FIXED. PLEASE THE FASTER THAT IT COULD BE FIXED THE LARGER THE DONATION. thANK YOU IN ADVANCE AND MAY GOD BLESS.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:52, on 30/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Documents and Settings\Mum\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\Mum\Local Settings\Application Data\services.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mum\Local Settings\Application Data\lsass.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Morde\Desktop\brontok-washer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [3cecc874] rundll32.exe "C:\WINDOWS\system32\xdbxlele.dll",b
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKLM\..\Run: [BM3fdffbe8] Rundll32.exe "C:\DOCUME~1\Morde\LOCALS~1\Temp\malqbsgx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\DOCUME~1\Mum\LOCALS~1\Temp\E_S10.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Mum\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [Auto EPSON Stylus DX6000 Series on HOMESERVER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S4.tmp" /EF "HKCU" (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [MSServer] rundll32.exe C:\DOCUME~1\Morde\LOCALS~1\Temp\wvUljGAs.dll,#1 (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll,c (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [BM3fdffbe8] Rundll32.exe "C:\DOCUME~1\Morde\LOCALS~1\Temp\malqbsgx.dll",s (User 'Morde')
O4 - HKUS\S-1-5-21-823518204-492894223-839522115-1005\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Morde\Local Settings\Application Data\smss.exe" (User 'Morde')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-21-823518204-492894223-839522115-1005 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Morde')
O4 - S-1-5-21-823518204-492894223-839522115-1005 Startup: Empty.pif = ? (User 'Morde')
O4 - S-1-5-21-823518204-492894223-839522115-1005 User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Morde')
O4 - S-1-5-21-823518204-492894223-839522115-1005 User Startup: Empty.pif = ? (User 'Morde')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks....m/YbConvFav.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Documents and Settings\Morde\My Documents\Dnld\frontpage\Ares\chatServer.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9615 bytes
  • 0

Advertisements


#2
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hello mordecai and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
  • 0

#3
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
there you go i did what u asked

Attached Files


  • 0

#4
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. The scan does not include the drivers. Please rerun the scan with the options that were outlined in the instructions.

Cheers.

OT
  • 0

#5
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
IVe followed all the instruction that u gave and her is the new attachement :)

Attached Files


  • 0

#6
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. Let's see what we can do with this. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemdrive%\autoexec.bat
%systemdrive%\documents and settings\morde\local settings\temp\ssqrq.dll
%systemdrive%\documents and settings\networkservice\local settings\application data\lsass.exe
%systemdrive%\documents and settings\networkservice\local settings\application data\services.exe
%systemdrive%\documents and settings\networkservice\local settings\application data\winlogon.exe
%systemroot%\bm3fdffbe8.xml
%systemroot%\shellnew\bronstab.exe
%systemroot%\system32\elelxbdx.ini
%systemroot%\system32\esmvhyjv.exe
%systemroot%\system32\evrajjwi.ini
%systemroot%\system32\gqkdenei.dll
%systemroot%\system32\hvftxtgf.dll
%systemroot%\system32\ihhmbuqr.exe
%systemroot%\system32\iwjjarve.dll
%systemroot%\system32\lxqyggyb.dll
%systemroot%\system32\mxlheswh.dll
%systemroot%\system32\prkuygmg.dll
%systemroot%\system32\pwofurjt.dll
%systemroot%\tasks\applesoftwareupdate.job
%systemroot%\tasks\at1.job
%userprofile%\local settings\application data\bron.tok.a9.em.bin
%userprofile%\local settings\application data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini
%userprofile%\local settings\application data\lsass.exe
%userprofile%\local settings\application data\services.exe
%userprofile%\local settings\application data\smss.exe
%userprofile%\local settings\application data\winlogon.exe
%userprofile%\start menu\programs\startup\empty.pif
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%userprofile%\local settings\application data\bron.tok-9-20
%userprofile%\local settings\application data\bron.tok-9-21
%userprofile%\local settings\application data\bron.tok-9-27
%userprofile%\local settings\application data\bron.tok-9-31
%userprofile%\local settings\application data\loc.mail.bron.tok

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> winlogon.exe -> %UserProfile%\Local Settings\Application Data\winlogon.exe
YY -> services.exe -> %UserProfile%\Local Settings\Application Data\services.exe
YY -> lsass.exe -> %UserProfile%\Local Settings\Application Data\lsass.exe
YY -> winlogon.exe -> %SystemDrive%\Documents and Settings\NetworkService\Local Settings\Application Data\winlogon.exe
YY -> services.exe -> %SystemDrive%\Documents and Settings\NetworkService\Local Settings\Application Data\services.exe
YY -> lsass.exe -> %SystemDrive%\Documents and Settings\NetworkService\Local Settings\Application Data\lsass.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 3cecc874 -> %SystemRoot%\system32\iwjjarve.dll [rundll32.exe "C:\WINDOWS\system32\iwjjarve.dll",b]
YY -> BM3fdffbe8 -> %SystemRoot%\system32\pwofurjt.dll [Rundll32.exe "C:\WINDOWS\system32\pwofurjt.dll",s]
YY -> Bron-Spizaetus -> %SystemRoot%\ShellNew\bronstab.exe ["C:\WINDOWS\ShellNew\bronstab.exe"]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> EPSON Stylus DX6000 Series -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU C:\DOCUME~1\Mum\LOCALS~1\Temp\E_S10.tmp [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\DOCUME~1\Mum\LOCALS~1\Temp\E_S10.tmp" /EF "HKCU"]
YY -> Tok-Cirrhatus -> %UserProfile%\Local Settings\Application Data\smss.exe ["C:\Documents and Settings\Mum\Local Settings\Application Data\smss.exe"]
< Mum Startup Folder > -> C:\Documents and Settings\Mum\Start Menu\Programs\Startup
YY -> ~EmptyValue -> %UserProfile%\Start Menu\Programs\Startup\Empty.pif
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {E6FB5E20-DE35-11CF-9C87-00AA005127ED} [HKEY_LOCAL_MACHINE] -> [WebCheck]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> Explorer.exe "C:\WINDOWS\eksplorasi.exe" -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableCMD -> 0
< Drives - Autoruns > -> 
NY -> AUTOEXEC.BAT [pause | ] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {24E01188-A129-4EBE-983D-FA65A13D46AB} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\Documents and Settings\Morde\Local Settings\Temp\ssqrq.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {514A5C49-0C7D-42c3-A71B-38864A269B7A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\prkuygmg.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {6aa6ef62-4486-48b1-b537-02f4ee530301} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\lxqyggyb.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKEY_LOCAL_MACHINE] -> [EpsonToolBandKicker Class]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {EE5D279F-081B-4404-994D-C6B60AAEBA6D} [HKEY_LOCAL_MACHINE] -> [EPSON Web-To-Page]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll -> %SystemDrive%\Documents and Settings\Morde\Local Settings\Temp\ssqrq.dll
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Ares\Ares.exe -> D:\Program Files\Ares\Ares.exe [D:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Morde\My Documents\Ares\Ares.exe -> %SystemDrive%\Documents and Settings\Morde\My Documents\Ares\Ares.exe [C:\Documents and Settings\Morde\My Documents\Ares\Ares.exe:*:Enabled:Ares p2p for windows]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe -> %SystemDrive%\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe [C:\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe:*:Enabled:Veoh Client]
[Files/Folders - Created Within 30 days]
NY -> elelxbdx.ini -> %SystemRoot%\System32\elelxbdx.ini
NY -> esmvhyjv.exe -> %SystemRoot%\System32\esmvhyjv.exe
NY -> evrajjwi.ini -> %SystemRoot%\System32\evrajjwi.ini
NY -> gqkdenei.dll -> %SystemRoot%\System32\gqkdenei.dll
NY -> hvftxtgf.dll -> %SystemRoot%\System32\hvftxtgf.dll
NY -> ihhmbuqr.exe -> %SystemRoot%\System32\ihhmbuqr.exe
NY -> iwjjarve.dll -> %SystemRoot%\System32\iwjjarve.dll
NY -> lxqyggyb.dll -> %SystemRoot%\System32\lxqyggyb.dll
NY -> mxlheswh.dll -> %SystemRoot%\System32\mxlheswh.dll
NY -> prkuygmg.dll -> %SystemRoot%\System32\prkuygmg.dll
NY -> pwofurjt.dll -> %SystemRoot%\System32\pwofurjt.dll
NY -> BM3fdffbe8.xml -> %SystemRoot%\BM3fdffbe8.xml
NY -> W?nSxS -> %SystemRoot%\WіnSxS
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> At1.job -> %SystemRoot%\tasks\At1.job
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Bron.tok-9-20 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-20
NY -> Bron.tok-9-21 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-21
NY -> Bron.tok-9-27 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-27
NY -> Bron.tok-9-31 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-31
NY -> Bron.tok.A9.em.bin -> %UserProfile%\Local Settings\Application Data\Bron.tok.A9.em.bin
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> ?racle -> %CommonProgramFiles%\Оracle
[Files/Folders - Modified Within 30 days]
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> elelxbdx.ini -> %SystemRoot%\System32\elelxbdx.ini
NY -> esmvhyjv.exe -> %SystemRoot%\System32\esmvhyjv.exe
NY -> evrajjwi.ini -> %SystemRoot%\System32\evrajjwi.ini
NY -> gqkdenei.dll -> %SystemRoot%\System32\gqkdenei.dll
NY -> hvftxtgf.dll -> %SystemRoot%\System32\hvftxtgf.dll
NY -> ihhmbuqr.exe -> %SystemRoot%\System32\ihhmbuqr.exe
NY -> iwjjarve.dll -> %SystemRoot%\System32\iwjjarve.dll
NY -> lxqyggyb.dll -> %SystemRoot%\System32\lxqyggyb.dll
NY -> mxlheswh.dll -> %SystemRoot%\System32\mxlheswh.dll
NY -> prkuygmg.dll -> %SystemRoot%\System32\prkuygmg.dll
NY -> pwofurjt.dll -> %SystemRoot%\System32\pwofurjt.dll
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BM3fdffbe8.xml -> %SystemRoot%\BM3fdffbe8.xml
NY -> W?nSxS -> %SystemRoot%\WіnSxS
NY -> AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job
NY -> At1.job -> %SystemRoot%\tasks\At1.job
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> Bron.tok-9-20 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-20
NY -> Bron.tok-9-21 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-21
NY -> Bron.tok-9-27 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-27
NY -> Bron.tok-9-31 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-31
NY -> Bron.tok.A9.em.bin -> %UserProfile%\Local Settings\Application Data\Bron.tok.A9.em.bin
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> Loc.Mail.Bron.Tok -> %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok
NY -> ?racle -> %CommonProgramFiles%\Оracle
[Extra Files]
Purity
[Extra Registry Entries]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell|reg_sz:Explorer.exe /e  -> 
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here by copy/pasting them into the reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)

Attach the following back here in the reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
  • 0

#7
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Am doing the steps that you have mentioned but when i copy the code to the OTScanIt the computer frezzed yesterday. so i decieded to do it today and the exploer for the computer was not ther when i loged on. so when i loaded it manuley (c:\windows\exploer.exe) via the new task in the task mannager the start bar and the desktop did not load. so i had to run the fix it again now and its seems to be doing the same thing the program frezzes but i dont know if its still running hte fix because that waht is says its doing. should i just leave it because it seems to be taking a long time.
  • 0

#8
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. Depending on how much stuff it has to clean it can take a while. Indications that it is still running are the status bar of the program and the hard drive light flashing.

Just let it run.

Cheers.

OT
  • 0

#9
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts

Hi mordecai. Depending on how much stuff it has to clean it can take a while. Indications that it is still running are the status bar of the program and the hard drive light flashing.

Just let it run.

Cheers.

OT


Am afraid that i am not able to do it. when i copy the code and run the fix it just freezes ive done it sevral times. even once for 9 hours and it still didt load. is ther anyway you could help me please i have tryed sevral times and its not working.
  • 0

#10
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. Post back the Avenger.txt file and try running the OTScanIt fix again. Make sure that all of the text is selected and not missing any of the lines or parts of the lines. If it stops, write down what it says on the status bar and post that back here so I can see where it is stopping.

Cheers.

OT
  • 0

Advertisements


#11
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
here is the avernger reaprot

Attached Files


  • 0

#12
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
screen_shot.jpg i'v tryed to do it again and once again it freezed i have attached a screen shot to show what happens this was after about 2hours i maded sure that i copyed everything exactly.
  • 0

#13
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. Skip that step and finish the rest. Change the new OTSanIt scan to the following:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Post the Online AnitVirus scan results and attach the new OTScanIt scan results.

Cheers.

OT
  • 0

#14
mordecai

mordecai

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I have to have come to an error. everything that i try a step it frezeeas amd also espical when i do anything with the internet so i decided to create a new new user just for virus solving. here are the new fikes firn ist scan and hijackthis ot otc scan.

Attached Files


Edited by mordecai, 05 June 2008 - 02:24 PM.

  • 0

#15
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,273 posts
Hi mordecai. Ok, let's go thorugh it again. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemdrive%\docume~1\morde\locals~1\temp\ssqrq.dll
%systemdrive%\documents and settings\morde\local settings\temp\malqbsgx.dll
%systemroot%\bm3fdffbe8.xml
%systemroot%\shellnew\bronstab.exe
%systemroot%\tasks\at1.job
%userprofile%\desktop\shortcut to ares.lnk
%userprofile%\local settings\application data\bron.tok.a9.em.bin
%userprofile%\local settings\application data\lsass.exe
%userprofile%\local settings\application data\services.exe
%userprofile%\local settings\application data\smss.exe
%userprofile%\local settings\application data\winlogon.exe
%userprofile%\start menu\programs\startup\empty.pif
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%userprofile%\local settings\application data\ares
%userprofile%\local settings\application data\bron.tok-9-5
%userprofile%\local settings\application data\loc.mail.bron.tok
%userprofile%\local settings\application data\ok-sendmail-bron-tok

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> winlogon.exe -> %UserProfile%\Local Settings\Application Data\winlogon.exe
YY -> services.exe -> %UserProfile%\Local Settings\Application Data\services.exe
YY -> lsass.exe -> %UserProfile%\Local Settings\Application Data\lsass.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> BM3fdffbe8 -> %SystemDrive%\Documents and Settings\Morde\Local Settings\Temp\malqbsgx.dll [Rundll32.exe "C:\DOCUME~1\Morde\LOCALS~1\Temp\malqbsgx.dll",s]
YY -> Bron-Spizaetus -> %SystemRoot%\ShellNew\bronstab.exe ["C:\WINDOWS\ShellNew\bronstab.exe"]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Tok-Cirrhatus -> %UserProfile%\Local Settings\Application Data\smss.exe ["C:\Documents and Settings\virus clean\Local Settings\Application Data\smss.exe"]
< virus clean Startup Folder > -> C:\Documents and Settings\virus clean\Start Menu\Programs\Startup
YY -> ~EmptyValue -> %UserProfile%\Start Menu\Programs\Startup\Empty.pif
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> Explorer.exe "C:\WINDOWS\eksplorasi.exe" -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {2E9A67D6-12B6-4F4E-B2AB-6ADC181D5AA9} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {514A5C49-0C7D-42c3-A71B-38864A269B7A} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\prkuygmg.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {6aa6ef62-4486-48b1-b537-02f4ee530301} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\lxqyggyb.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {B22464DD-8981-498B-A834-E39220C36CCC} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll -> %SystemDrive%\DOCUME~1\Morde\LOCALS~1\Temp\ssqrq.dll
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Ares\Ares.exe -> D:\Program Files\Ares\Ares.exe [D:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Morde\My Documents\Ares\Ares.exe -> %SystemDrive%\Documents and Settings\Morde\My Documents\Ares\Ares.exe [C:\Documents and Settings\Morde\My Documents\Ares\Ares.exe:*:Enabled:Ares p2p for windows]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe -> %SystemDrive%\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe [C:\Documents and Settings\Morde\My Documents\voeh\VeohClient.exe:*:Enabled:Veoh Client]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\virus clean\Desktop\Ares.exe -> %UserProfile%\Desktop\Ares.exe [C:\Documents and Settings\virus clean\Desktop\Ares.exe:*:Enabled:Ares p2p for windows]
[Files/Folders - Created Within 30 days]
NY -> BM3fdffbe8.xml -> %SystemRoot%\BM3fdffbe8.xml
NY -> W?nSxS -> %SystemRoot%\WіnSxS
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> At1.job -> %SystemRoot%\tasks\At1.job
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Ares -> %UserProfile%\Local Settings\Application Data\Ares
NY -> Bron.tok-9-5 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-5
NY -> Loc.Mail.Bron.Tok -> %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok
NY -> Ok-SendMail-Bron-tok -> %UserProfile%\Local Settings\Application Data\Ok-SendMail-Bron-tok
NY -> Shortcut to Ares.lnk -> %UserProfile%\Desktop\Shortcut to Ares.lnk
NY -> ?racle -> %CommonProgramFiles%\Оracle
[Files/Folders - Modified Within 30 days]
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BM3fdffbe8.xml -> %SystemRoot%\BM3fdffbe8.xml
NY -> W?nSxS -> %SystemRoot%\WіnSxS
NY -> At1.job -> %SystemRoot%\tasks\At1.job
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> Ares -> %UserProfile%\Local Settings\Application Data\Ares
NY -> Bron.tok-9-5 -> %UserProfile%\Local Settings\Application Data\Bron.tok-9-5
NY -> Bron.tok.A9.em.bin -> %UserProfile%\Local Settings\Application Data\Bron.tok.A9.em.bin
NY -> Loc.Mail.Bron.Tok -> %UserProfile%\Local Settings\Application Data\Loc.Mail.Bron.Tok
NY -> Ok-SendMail-Bron-tok -> %UserProfile%\Local Settings\Application Data\Ok-SendMail-Bron-tok
NY -> Shortcut to Ares.lnk -> %UserProfile%\Desktop\Shortcut to Ares.lnk
NY -> ?racle -> %CommonProgramFiles%\Оracle
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's try a different scan. Download Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and then Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options and Change settings
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.

Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The Dr.Web CureIt scan report

Attach the following back here in your next reply:
  • The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP