
Solved SecurityCenterAlert found "Win32.Brontok"

Discussion in 'Malware and Virus Removal Archive' started by m3ow, 2009/07/24.

  1. 2009/07/24
    m3ow

    m3ow Inactive Thread Starter

    Joined:
    2008/12/17
    Messages:
    94
    Likes Received:
    0
    [Resolved] SecurityCenterAlert found "Win32.Brontok"

    Referring to the title, Security Center Alert notified me about this worm and I could only choose one option, "Enable Protection".
    After I clicked on it, the Perfect Defender 2009 installer popped up.
    After installation and scanning, this program found another 4 viruses/trojans/worms, and I can't remember the names.
    It is only able to remove the viruses if I purchase the license -.-"
    And I made a full check with AVG 8.5 and the scan result is nothing! Squeaky clean!


    So, I would like to rectify and reconfirm whether my PC has an infection, and I would much appreciate it if someone could enlighten me on how to get rid of these viruses.

    Below are my logs: 1st DDS, 2nd Attach.

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by User at 16:58:24.43 on Fri 07/24/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.126 [GMT 8:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\ngsrv\ngslotd.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Feitian\ePass2000_FT11_CIMB\epsng_certd_malaysia_cimb.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Documents and Settings\User\Application Data\Google\ocprg23017248.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\User\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.hakka.gov.tw/mp.asp?mp=1
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    mWinlogon: System=kdggk.exe
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [SiS Tray] c:\windows\system32\sistray.EXE
    mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [epsng_certd_malaysia_cimb] c:\program files\feitian\epass2000_ft11_cimb\epsng_certd_malaysia_cimb.exe -r
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
    mRun: [upxdnd] c:\windows\upxdnd.exe
    mRun: [MsIMMs32] c:\windows\MsIMMs32.exE
    mRun: [NVDispDrv] c:\windows\vddbdn.exe
    mRun: [SSLDyn] c:\windows\ukztjw.exe
    mRun: [Kvsc3] c:\windows\Kvsc3.exE
    mRun: [cmdbcs] c:\windows\cmdbcs.exe
    mRun: [msccrt] c:\windows\msccrt.exe
    mRun: [AVPSrv] c:\windows\AVPSrv.exE
    mRun: [MsPrint32D] c:\windows\MsPrint32D.exe
    mRun: [DbgHlp32] c:\windows\DbgHlp32.exe
    mRun: [PTSShell] c:\windows\PTSShell.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [realteks] "c:\documents and settings\user\application data\google\ocprg23017248.exe" 2
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 85.255.115.155 85.255.112.128
    TCP: {B32DD829-6EA7-469A-B924-9FBEC692F6D7} = 85.255.115.155,85.255.112.128
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-10 327688]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-10 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-10 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-10 298776]
    R2 ngSlotD;ngSlotDaemon;c:\program files\ngsrv\ngslotd.exe [2007-6-27 55808]
    S2 54D4452F;54D4452F;c:\windows\system32\b0f402df.exe -k --> c:\windows\system32\B0F402DF.EXE -k [?]
    S2 Visual WEB;NetworSVSA;c:\windows\system32\wnipsvr.exe -run --> c:\windows\system32\wnipsvr.exe -Run [?]
    S2 WZCSRVC;Wireless Service;c:\windows\system32\rundll32.exe netsrvcs.dll,input --> c:\windows\system32\rundll32.exe netsrvcs.dll,input [?]

    =============== Created Last 30 ================

    2009-07-24 11:26 4,956,408 a------- c:\docume~1\user\applic~1\pdinstall.exe
    2009-07-13 12:59 <DIR> --d----- c:\docume~1\user\applic~1\IObit
    2009-07-13 12:59 <DIR> --d----- c:\program files\IObit
    2009-07-13 10:00 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-07-10 17:35 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-07-10 17:35 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-07-10 17:35 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-07-10 17:35 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-07-10 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
    2009-07-10 17:34 <DIR> --d----- c:\program files\AVG
    2009-07-10 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-07-10 17:20 <DIR> --d----- c:\program files\VS Revo Group

    ==================== Find3M ====================

    2009-07-10 12:32 63,464 a------- c:\windows\Sysvxd.exe
    2001-11-23 12:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL

    ============= FINISH: 16:58:42.64 ===============

    -------------------------------------------------------------------------

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/1/1987 2:14:13 PM
    System Uptime: 7/24/2009 2:12:35 PM (2 hours ago)

    Motherboard: | | K7S41GX
    Processor: AMD Sempron(tm) 2200+ | Socket-A | 1505/166mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 67.481 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP188: 4/23/2009 10:14:08 AM - System Checkpoint
    RP189: 4/27/2009 10:03:16 AM - System Checkpoint
    RP190: 4/29/2009 1:35:35 PM - System Checkpoint
    RP191: 5/4/2009 10:47:57 AM - System Checkpoint
    RP192: 5/5/2009 3:42:14 PM - System Checkpoint
    RP193: 5/8/2009 9:55:21 AM - System Checkpoint
    RP194: 5/9/2009 9:55:49 AM - System Checkpoint
    RP195: 5/12/2009 1:27:18 PM - System Checkpoint
    RP196: 5/16/2009 9:57:34 AM - System Checkpoint
    RP197: 5/18/2009 10:33:21 AM - System Checkpoint
    RP198: 5/20/2009 9:33:47 AM - System Checkpoint
    RP199: 5/22/2009 9:53:09 AM - System Checkpoint
    RP200: 5/25/2009 3:06:19 PM - System Checkpoint
    RP201: 6/1/2009 4:10:53 PM - System Checkpoint
    RP202: 6/4/2009 3:12:23 PM - System Checkpoint
    RP203: 6/9/2009 10:02:00 AM - System Checkpoint
    RP204: 6/10/2009 2:38:35 PM - Installed Java(TM) 6 Update 13
    RP205: 6/11/2009 2:58:28 PM - System Checkpoint
    RP206: 6/15/2009 9:54:56 AM - System Checkpoint
    RP207: 6/17/2009 3:08:17 PM - System Checkpoint
    RP208: 6/19/2009 12:27:20 PM - System Checkpoint
    RP209: 6/23/2009 2:54:31 PM - System Checkpoint
    RP210: 7/2/2009 4:59:42 PM - System Checkpoint
    RP211: 7/4/2009 3:06:05 PM - System Checkpoint
    RP212: 7/6/2009 9:55:49 AM - System Checkpoint
    RP213: 7/10/2009 5:21:42 PM - Revo Uninstaller's restore point - Mystery of Shark Island (remove only)
    RP214: 7/10/2009 5:23:40 PM - Revo Uninstaller's restore point - Doggie Dash (remove only)
    RP215: 7/10/2009 5:24:24 PM - Revo Uninstaller's restore point - Chocolatier (remove only)
    RP216: 7/10/2009 5:25:13 PM - Revo Uninstaller's restore point - Chessmaster Challenge (remove only)
    RP217: 7/10/2009 5:26:43 PM - Revo Uninstaller's restore point - Turbo Combo (remove only)
    RP218: 7/10/2009 5:27:25 PM - Revo Uninstaller's restore point - Wedding Dash (remove only)
    RP219: 7/10/2009 5:28:01 PM - Revo Uninstaller's restore point - Yahoo! Toolbar
    RP220: 7/10/2009 5:28:45 PM - Revo Uninstaller's restore point - AVG 7.5
    RP221: 7/10/2009 5:29:39 PM - Removed AVG 7.5
    RP222: 7/10/2009 5:30:37 PM - Installed AVG 7.5
    RP223: 7/10/2009 5:34:49 PM - Installed AVG Free 8.5
    RP224: 7/11/2009 10:33:27 AM - Avg8 Update
    RP225: 7/13/2009 9:54:35 AM - System Checkpoint
    RP226: 7/14/2009 11:37:51 AM - System Checkpoint
    RP227: 7/15/2009 5:35:18 PM - System Checkpoint
    RP228: 7/17/2009 12:53:21 PM - System Checkpoint
    RP229: 7/18/2009 1:25:59 PM - System Checkpoint
    RP230: 7/21/2009 2:07:53 PM - System Checkpoint
    RP231: 7/22/2009 2:24:21 PM - System Checkpoint
    RP232: 7/24/2009 11:59:07 AM - Revo Uninstaller's restore point - Uninstall Perfect Defender 2009

    ==== Installed Programs ======================

    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player ActiveX
    Adobe Reader 6.0
    AVG Free 8.5
    C-Media 3D Audio
    ePassNG (ePass2000_FT11) (Remove only)
    Google Chrome
    Java(TM) 6 Update 13
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Lose Your Marbles
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Nero PhotoShow Express
    Nero Suite
    PowerDVD
    Readiris Pro 10
    Revo Uninstaller 1.83
    Samsung SCX-4200 Series
    SiS 661FX_760_741_M661FX_M760_M741
    SiS 900 PCI Fast Ethernet Adapter Driver
    Smart Defrag 1.20
    SmarThru 4
    The Print Shop Deluxe III
    WebFldrs XP
    Zuma Deluxe RA

    ==== Event Viewer Messages From Past Week ========

    7/22/2009 2:32:23 PM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 000B6ACDA005 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    7/21/2009 11:17:13 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Service service to connect.
    7/21/2009 11:17:13 AM, error: Service Control Manager [7000] - The 54D4452F service failed to start due to the following error: The system cannot find the file specified.

    ==== End Of File ========================

    Thanks in advance! ;)
    m3ow,
    #1
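    The DDS log above is read by eye in this thread; as an added example (not part of the thread and not a DDS feature), the Python script below runs the same kind of first-pass triage over a handful of lines constructed from that log. It flags the patterns a helper looks for: autorun entries whose target sits directly under c:\windows rather than in a subfolder, an autorun launched from a user's Application Data, "No File" orphans, a non-empty Winlogon System value, services DDS marks with [?] because it could not verify the binary, and DNS servers pinned to public addresses on a LAN whose DHCP server (per the event log) is 192.168.1.1. The rule names and the sample text are my own; the heuristics produce review candidates, not verdicts (the legitimate SiSUSBrg.exe lands in the same bucket as the suspicious entries).

```python
import ipaddress
import ntpath
import re

# Constructed sample: a few lines modelled on the DDS log in the first post
# (Pseudo HJT Report plus SERVICES / DRIVERS), not the complete log.
# "hxxp" is DDS's own defanging of "http".
SAMPLE_DDS = r"""
uStart Page = hxxp://www.hakka.gov.tw/mp.asp?mp=1
uURLSearchHooks: H - No File
mWinlogon: System=kdggk.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [upxdnd] c:\windows\upxdnd.exe
mRun: [NVDispDrv] c:\windows\vddbdn.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [realteks] "c:\documents and settings\user\application data\google\ocprg23017248.exe" 2
TCP: NameServer = 85.255.115.155 85.255.112.128
TCP: {B32DD829-6EA7-469A-B924-9FBEC692F6D7} = 85.255.115.155,85.255.112.128
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-10 298776]
S2 54D4452F;54D4452F;c:\windows\system32\b0f402df.exe -k --> c:\windows\system32\B0F402DF.EXE -k [?]
S2 Visual WEB;NetworSVSA;c:\windows\system32\wnipsvr.exe -run --> c:\windows\system32\wnipsvr.exe -Run [?]
"""

# Line shapes as DDS prints them: u/m/d prefix = user/machine/default hive.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
PATH_RE = re.compile(r'(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll|scr|cpl|com))', re.I)
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-F-]{36}\}) = (?P<servers>.+)$", re.I)


def target_path(cmd):
    """Pull the first drive-rooted binary path out of a Run command line."""
    m = PATH_RE.search(cmd)
    return m.group("path").lower() if m else None


def triage(dds_text):
    """Return a de-duplicated list of (rule, detail) review candidates."""
    findings = []

    def add(rule, detail):
        if (rule, detail) not in findings:
            findings.append((rule, detail))

    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Entries whose target is gone: leftovers of removed software or of
        # a partially cleaned infection. Harmless, but worth tidying.
        if line.endswith("- No File"):
            add("orphan", line)
            continue

        # The Winlogon "System" value is empty on a stock XP install.
        if line.lower().startswith("mwinlogon: system="):
            value = line.split("=", 1)[1].strip()
            if value:
                add("winlogon_system", value)
            continue

        m = RUN_RE.match(line)
        if m:
            path = target_path(m.group("cmd"))
            if path is None:
                continue
            if ntpath.dirname(path) == r"c:\windows":
                # Legitimate autoruns almost always live in a subfolder; a
                # cluster of .exe files directly under %windir% is a smell.
                # The rule also catches SiSUSBrg.exe, so review, don't delete.
                add("autorun_windir_root", path)
            elif "\\application data\\" in path and path.endswith(".exe"):
                # A program starting from a per-user data folder is unusual.
                add("appdata_autorun", path)
            continue

        m = DNS_RE.match(line)
        if m:
            for server in re.split(r"[ ,]+", m.group("servers").strip()):
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    continue
                # Behind a 192.168.1.1 DHCP server, resolvers pinned to
                # public addresses need an explanation.
                if not ip.is_private:
                    add("public_dns", server)
            continue

        m = SERVICE_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            # DDS appends [?] when it cannot verify the service binary.
            add("service_unverified", m.group("svc"))

    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:<22} {detail}")
```

    Run it as-is to see the candidate list for the sample, or feed it the text of a real DDS.txt; every hit still needs a human decision, which is exactly what the rest of this thread is.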
  2. 2009/07/24
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================

    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link
    Here also

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    In your next reply post:
    Malwarebytes' Anti-Malware log
    New DDS log

  4. 2009/07/24
    m3ow

    1st MBAM log, I aborted it in 1 min (full scan).
    2nd log, quick scan. :p

    Now comes the DDS log.

    And thank you so much for the fast reply, Juliet!
    So am I clean now? :D :D

    PS. AVG 8.5 *****! It's only able to detect the virus when MBAM scans through it.
    Is it worth it to purchase the license, or is using the trial just enough?
    Last edited: 2009/07/24
    m3ow,
    #3
  5. 2009/07/25
    Juliet

    No, not clean yet.

    The free version of AVG will work well. The infection was able to work around it and do its damage, but after this next set of instructions you should see a big difference.


    Please download OTM
    • Save it to your desktop.
    • Double click the OTM icon on your desktop. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Make sure you include :Processes.
    Code:
    :Processes
    explorer.exe
    :Files
    c:\windows\system32\wnipsvr.exe
    c:\windows\upxdnd.exe
    c:\windows\MsIMMs32.exE
    c:\windows\vddbdn.exe
    c:\windows\ukztjw.exe
    c:\windows\Kvsc3.exE
    c:\windows\cmdbcs.exe
    c:\windows\msccrt.exe
    c:\windows\AVPSrv.exE
    c:\windows\MsPrint32D.exe
    c:\windows\DbgHlp32.exe
    c:\windows\PTSShell.exe
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "upxdnd"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsIMMs32"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVDispDrv"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SSLDyn"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kvsc3"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cmdbcs"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msccrt"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVPSrv"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsPrint32D"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DbgHlp32"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PTSShell"=-
    :services
    54D4452F
    Visual WEB
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Paste the copied lines into the paste area in OTM. Do not include the word "Code".


    • Close ALL open windows (especially Internet Explorer!).
    • Push the large button.
    • Copy/Paste the contents under the Results line here in your next reply.
    • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    • Close OTM
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can also be found here:

    A log will be produced at C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and time of the tool run. Post this log in your next reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    OTM log
    Kaspersky log
    New DDS log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.


    Please tell me how the computer is doing now.
  6. 2009/07/28
    m3ow

    Sorry for the late reply >.<
    OTM
    Kaspersky
    DDS
    ATTACH
    :(
    m3ow,
    #5
  7. 2009/07/28
    Juliet

    Welcome back


    The below older versions of Java are exploitable and need to be removed.

    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    Allow this current version to stay
    Java(TM) 6 Update 13




    NEXT**
    Download Combofix© by sUBs from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2


    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
  8. 2009/07/30
    m3ow

    Phew.... so many steps and procedures to be taken, eh... -.-"

    Umm, does HJT log mean dds.scr? I searched on Google and downloaded this Trend Micro HijackThis from download.com.

    There.... phew...
    m3ow,
    #7
  9. 2009/07/30
    Juliet

    Welcome back

    I'm sorry about that. I work on different forums where other tools are used and that was out of habit.


    There is a lot of work left to do, roll up your sleeves.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal

    • Click the Browse button and search for the following file: c:\documents and settings\User\Application Data\Help\mario.exe
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now".

    Please also have these next files scanned as well since I cannot find any information.

    c:\documents and settings\User\Application Data\Ahead\xl12.exe
    c:\documents and settings\User\Application Data\Identities\pingo.dll
    c:\documents and settings\User\Application Data\Help\mario.exe
    c:\documents and settings\User\Application Data\IObit\flamiks32.exe
    c:\documents and settings\User\Application Data\Adobe\norigami.dll


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O23 - Service: ngSlotDaemon (ngSlotD) - ^_^ - C:\Program Files\ngsrv\ngslotd.exe
    O23 - Service: NetworSVSA (Visual WEB) - Unknown owner - C:\WINDOWS\system32\wnipsvr.exe (file missing)


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    File:: 
    c:\windows\system32\wnipsvr.exe
    c:\program files\ngsrv\ngslotd.exe
    Driver::
    Visual WEB
    ngSlotD
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Files requested scanned
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    Please give me an update on how the computer is at the moment.
     
  10. 2009/07/30
    m3ow

    m3ow Inactive Thread Starter

    Joined:
    2008/12/17
    Messages:
    94
    Likes Received:
    0
    roll up sleeves? I already took off my clothes and prepared to take these blardy viruses down! >.< grrr...

    now i'm posting all the scan files. if there is any result from any anti virus, i will paste it in; if there is none, i will skip it and post out the description only :)


    HJTlog!!!!

    COMBOFIX LOG
    KASPERSKY SCAN (gosh, 80+ infected? -.-)

    HJTlog after all scans

    phew.....
     
    Last edited: 2009/07/31
    m3ow,
    #9
  11. 2009/07/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Don't worry over the items found by Kaspersky, those are for now held in quarantine and we will fix those in final clean up.

    How's your computer?


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O23 - Service: NetworSVSA (Visual WEB) - Unknown owner - C:\WINDOWS\system32\wnipsvr.exe (file missing)



    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

    c:\documents and settings\User\Application Data\Help\mario.exe <--delete this file

    C:\Program Files\ngsrv<--delete this folder


    Empty the recycle bin.
    ~~~~~~~~~~~~~~~~~~~~~~~~

    Copy this to notepad and save it to your desktop as the steps will require a reboot.

    Go to Start Menu > Run > and type (or copy and paste) the following in bold.

    sc delete Visual WEB

    Press OK and you will just notice the cmd screen open and then close.

    You need to restart the computer to reset the registry.



    Please post a new HJT log.
     
  12. 2009/07/31
    m3ow

    m3ow Inactive Thread Starter

    Joined:
    2008/12/17
    Messages:
    94
    Likes Received:
    0
    HJTlog

    -.-
     
  13. 2009/08/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    How's your computer?
     
  14. 2009/08/02
    m3ow

    m3ow Inactive Thread Starter

    Joined:
    2008/12/17
    Messages:
    94
    Likes Received:
    0
    ummm... just like normal?
    hahaha!

    so... am i clean now actually juliet? >.<
     
  15. 2009/08/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Yes looking good.


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

    Please reboot your computer to set the registry.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Don't miss or skip this next step, this will remove those malicious files from quarantine and set a clean restore point.

    Go to Start > Run > copy and paste the full text path in the run box


    "%userprofile%\desktop\combofix.exe" /u


    ~~~~~~~~~~~~~~~~~~~~~~


    You're good to go, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    Scan your computer regularly for malware
    Scan on a regular basis to keep your computer clean, using free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
    Please note that these products can also be run for free without a license as on-demand scanners.

    Please read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
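The O23, R3 and O4 lines that HijackThis reported in the two fix lists above (the "(file missing)" service in post 11 and the "(no file)" search hook plus the Run entries in post 15) follow a fixed layout. As an added example that is not from this thread or from HijackThis, here is a small Python triage that parses those three formats and flags the orphaned entries, the same ones the helper singled out for fixing. The sample lines are copied from the thread; the flag wording is my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis log lines quoted in this thread (O23, R3 and O4 formats).
SAMPLE_HJT_LINES = [
    "O23 - Service: NetworSVSA (Visual WEB) - Unknown owner - "
    "C:\\WINDOWS\\system32\\wnipsvr.exe (file missing)",
    "R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"',
    'O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background',
]

# Markers HijackThis prints when the referenced object is absent. An autostart or
# service that points at nothing is leftover from a removal and is safe to fix.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

_O23 = re.compile(r"Service: (?P<name>\S+) \((?P<display>[^)]*)\) - (?P<owner>.*?) - (?P<target>.*)$")
_O4 = re.compile(r"(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<target>.*)$")
_R3 = re.compile(r"URLSearchHook: (?P<name>.*?) - (?P<clsid>\S+) - (?P<target>.*)$")

@dataclass
class HjtEntry:
    code: str                       # HJT section code: O4, O23, R3, ...
    kind: str                       # "service", "run", "urlsearchhook" or "other"
    name: str                       # service name, hive\key\value for Run entries, or hook CLSID
    target: str                     # path, command line or file status the entry points at
    flags: list = field(default_factory=list)

def parse_hjt_line(line: str) -> HjtEntry:
    """Split one HJT line into its code and the fields of the formats this thread shows."""
    code, _, rest = line.strip().partition(" - ")
    entry = HjtEntry(code, "other", "", rest)
    if code == "O23" and (m := _O23.match(rest)):
        entry.kind, entry.name, entry.target = "service", m["name"], m["target"]
        if m["owner"] == "Unknown owner":
            entry.flags.append("service has no recorded owner")
    elif code == "O4" and (m := _O4.match(rest)):
        entry.kind, entry.name, entry.target = "run", f'{m["hive"]}\\{m["key"]}\\{m["name"]}', m["target"]
    elif code == "R3" and (m := _R3.match(rest)):
        entry.kind, entry.name, entry.target = "urlsearchhook", m["clsid"], m["target"]
    if any(marker in entry.target for marker in ORPHAN_MARKERS):
        entry.flags.append("orphaned: referenced file no longer exists")
    return entry

def triage(lines) -> list:
    """Return only the entries worth a second look, i.e. those carrying a flag."""
    return [e for e in map(parse_hjt_line, lines) if e.flags]

if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES):
        print(f"{e.code:<4}{e.kind:<14}{e.name:<40}{'; '.join(e.flags)}")
```

Entries without a flag (the two Run lines) are reported as ordinary autostarts, which matches the helper's note that those are not necessarily malware.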
     
  16. 2009/08/03
    m3ow

    m3ow Inactive Thread Starter

    Joined:
    2008/12/17
    Messages:
    94
    Likes Received:
    0
    Juliet! thank you so much.
    You are like godsend to me. hahaha!
    Really appreciate it, and thanks for the useful links.
    May change the topic from active to resolved already then.

    thanks again :p
     
  17. 2009/08/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help :D
     
