infected by I-worm/brontok.C Solved

Question

Hello Green Day and thank you very much for your help. I downloaded AVAST from another PC, it was the only thing that worked, and I ran it at startup from the laptop via a USB stick. Well, I think it worked. Unless I'm mistaken, the antivirus couldn't delete the files infected by win32: BRONTOK I, but put them in quarantine. These are all local setting files except for a few .exe files like C:\windows\kesenjangansosial.exe. It asks for it at every startup. What is the purpose of this file? Should I delete the files that are in quarantine? I ran a scan with hijack this, and here are the results, what does it say? Anyway, thank you for your valuable help, I think I will avoid formatting!

Logfile of HijackThis v1.99.1 
Scan saved at 22:03:31, on 15/11/2006 
Platform: Windows XP SP2 (WinNT 5.01.2600) 
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes: 
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\Ati2evxx.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\WINDOWS\system32\LEXBCES.EXE 
C:\WINDOWS\system32\spoolsv.exe 
C:\WINDOWS\system32\LEXPPS.EXE 
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 
C:\Program Files\Alwil Software\Avast4\ashServ.exe 
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE 
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe 
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE 
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe 
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe 
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe 
C:\WINDOWS\system32\svchost.exe 
C:\Program Files\F-Secure\Common\FSMA32.EXE 
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe 
C:\Program Files\F-Secure\Common\FSMB32.EXE 
C:\Program Files\F-Secure\Common\FCH32.EXE 
C:\Program Files\F-Secure\Common\FAMEH32.EXE 
C:\Program Files\F-Secure\Common\FNRB32.EXE 
C:\Program Files\F-Secure\Common\FIH32.EXE 
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe 
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe 
C:\WINDOWS\system32\Ati2evxx.exe 
C:\WINDOWS\Explorer.exe 
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe 
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe 
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 
C:\Program Files\HP\QuickPlay\QPService.exe 
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe 
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe 
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe 
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe 
C:\Program Files\F-Secure\Common\FSM32.EXE 
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 
C:\WINDOWS\system32\ctfmon.exe 
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe 
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe 
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe 
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE 
C:\Program Files\Internet Explorer\iexplore.exe 
C:\Documents and Settings\BERTHOU Claire\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www8.hp.com/fr/fr/home.html 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www8.hp.com/fr/fr/home.html 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www8.hp.com/fr/fr/home.html 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens 
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe" 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Site Unavailable 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: body{text-align:center;} 
O1 - Hosts: .geohead {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;width:750px;margin:10px 0 10px 0;height:35px;} 
O1 - Hosts: .geohead #geologo {width:270px;display:block; float:left; } 
O1 - Hosts: .geohead #rightside {width:480px;display:block; float:right;border-bottom:1px solid #999999; height:27px;} 
O1 - Hosts: .geohead #rightside #welcome {width:50%;display:block; float:left; text-align:left;} 
O1 - Hosts: .geohead #rightside #wlinks {width:50%;display:block; float:right; text-align:right;} 
O1 - Hosts: .ftr { margin:0px; color:#404040; font:x-small Arial,sans-serif; text-align:center; width:750px;} 
O1 - Hosts: .bodywrap{display:block;height:470px;} 
O1 - Hosts: .bodycnt{width:510px; display:block; float:left; background-color:#EEE9F5; height:auto; text-align:left; font-family:Arial, Helvetica, sans-serif;font-size:13px; color:#000000; padding:20px 20px 35px 20px;} 
O1 - Hosts: .title { font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:24px; color:#7C56A9} 
O1 - Hosts: .adcnt{width:172px; display:block; float:right; text-align:left;cursor:pointer;cursor:hand;} 
O1 - Hosts: .adcnt td {text-align:left;} 
O1 - Hosts: .adsubt{font-size:10px; font-family:verdana; font-weight:bold; color:#b4b4b4; cursor:default;margin-top:5px;} 
O1 - Hosts: .ybadge { font-family: Verdana, Arial, Helvetica, sans-serif; font-size:10px; color: #666666; margin-top:10px;} 
O1 - Hosts: .ybadge img {margin-top:6px;} 
O1 - Hosts: .adtable {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;border: 1px solid #d6dbe7; background-color:#eff7ff; padding:3px; margin-bottom:10px; width:172px;} 
O1 - Hosts: .adttl{font-weight:bold;margin-bottom:3px;} 
O1 - Hosts: .addescr{color:#6b6b6b; margin-bottom:3px;} 
O1 - Hosts: .adlink a {color:#008200; text-decoration:none;} 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: GeoCities Home - Yahoo! - Help 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Sorry, this GeoCities site is currently unavailable. 
O1 - Hosts: The GeoCities web site you were trying to view has temporarily exceeded its data transfer limit. Please try again later.  
O1 - Hosts: Are you the site owner? 
O1 - Hosts: Avoid service interruptions in the future by increasing your data transfer limit! 
O1 - Hosts: Find out how.  
O1 - Hosts: Learn more about data transfer. 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: SPONSORED LINKS 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Yahoo! Web Hosting 
O1 - Hosts: $25 Setup Waived 
O1 - Hosts: Reliable plans include domain & 24x7 support. 
O1 - Hosts: webhosting.yahoo.com 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Domain Names from Yahoo! only $9.95/yr 
O1 - Hosts: Includes starter web page, email & domain forwarding, 24x7 support. 
O1 - Hosts: domains.yahoo.com 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Yahoo! Business Email Domain Included 
O1 - Hosts: Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning. 
O1 - Hosts: smallbusiness.yahoo.com 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Ecommerce from Yahoo! 1 Month Free 
O1 - Hosts: $50 setup fee waived. A reliable ecommerce plan, 24x7 support. 
O1 - Hosts: smallbusiness.yahoo.com 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Get your own web site at Yahoo! GeoCities 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts: Copyright © 
O1 - Hosts: 2005 Yahoo! Inc. All rights reserved 
O1 - Hosts: Privacy Policy 
O1 - Hosts: - Copyright Policy 
O1 - Hosts: - Guidelines 
O1 - Hosts: - Terms of Service 
O1 - Hosts: - Help 
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O1 - Hosts:  
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 
O2 - BHO: e-Carte Bleue Browser Helper Object - {2E03C0FD-4C48-43A7-9A54-00240C70FF16} - C:\WINDOWS\system32\BhoECart.dll 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll 
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll 
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll 
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll 
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll 
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll 
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" 
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe 
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" 
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start 
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe 
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe 
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe 
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon 
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" 
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash 
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe" 
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe 
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe 
O4 - HKCU\..\Run: [Tok-Cirrhatus-5226] "C:\Documents and Settings\BERTHOU Claire\Local Settings\Application Data\smss.exe" 
O4 - Global Startup: Démarrage rapide de HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe 
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe 
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm 
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?12cff11c25674581b0100b75f2b36f09 
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?12cff11c25674581b0100b75f2b36f09 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll 
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll 
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O14 - IERESET.INF: START_PAGE_URL=https://www8.hp.com/fr/fr/home.html 
O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/importer/MypixUploader.cab 
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab 
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123w.bay123.mail.live.com/mail/resources/MsnPUpld.cab 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab 
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://www.trendmicro.com/en_us/forHome/products/housecall.html 
O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - https://www.fnacmusic.com/telechargementFnacmusic/FnacComposant.cab 
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC41BF28-EA0B-4E11-80C5-6062DF9688A7}: NameServer = 213.154.95.126 213.154.64.13 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL 
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe 
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

green day · Answer

Oops! I just saw it :)   Please stay on the same thread!   Otherwise, we're going to get lost ;)  Open the file "C:\WINDOWS\system32\drivers\etc\hosts" with Notepad, delete all its content and paste the following text (in bold) in its place:   # Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP # for Windows. # # This file contains the mappings of IP addresses to host names. # Each entry should be on a separate line. The IP address should be placed # in the first column, followed by the corresponding host name. The # IP address and the host name must be separated by at least one space. # # Additionally, comments (like this one) may be inserted on # separate lines or after the computer name. They are indicated by the # '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # client host x  127.0.0.1 localhost   Go to "File" > "Save", close everything and restart your PC Then, do a "hijackthis" and post the new report with the results for your initial issue  Next, try to download AVG and run the scan in safe mode  Keep us updated, good luck, @+   **In truth, the path matters little, the will to arrive is all that matters (A. Camus)**

did71 · Answer

re green,  the host will restore all of that!  see you!

green day · Answer

seen ;-)  @+ -- **In truth, the journey matters little, the will to arrive is enough for everything ( A.Camus ) **

did71 · Answer

re,  yes, that’s better!  there are still infections!  green is going to get rid of them!  see you!

green day · Answer

Hello you   Aww Did! You could have continued anyway ;-P  Bretha:  C:\windows\kesenjangansosial.exe. It asks me for it every time I start up. What is this file for?  To answer your question, yes it’s a nasty one! And you need to delete that bolded file!  Please do steps 1/ and 2/ from this link:  virus preliminary disinfection method version en  Catch you later  -- **In truth, the path matters little, the will to arrive is all that matters (A.Camus)**

green day · Answer

Hi   all of this is the quarantine   please post a new hijackthis  ++ -- **We can also build something beautiful with the stones that obstruct the path ( J.W.VON GOETH  )**

did71 · Answer

Good evening you,  sorry Green but I helped with the host file, then I prefer to let the first helper take care of it so as not to confuse things!  see you later

green day · Answer

Good evening Bertha! We're almost there :-) 1) Show system folders and hidden files: Open My Computer - Tools --> Folder Options - View --> Advanced settings - Check: Show hidden files and folders - Check: Show system files - Uncheck: Hide extensions for known file types - Uncheck: Hide protected operating system files (recommended) Respond Yes to the message Click on "Apply to all folders" Click OK 2) Disable System Restore * Click the Start button. * Right-click on My Computer and then click on Properties. * In the System Restore tab, select the option to Disable System Restore or Disable System Restore on all drives (you can reactivate it at the end of the process) 3) Relaunch HijackThis: choose "do a scan only", check the box in front of the lines below and click "fix checked" at the bottom: F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe" O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe" O4 - HKCU\..\Run: [Tok-Cirrhatus-5226] "C:\Documents and Settings\BERTHOU Claire\Local Settings\Application Data\smss.exe" O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: E&xporter to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open in a background tab - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?12cff11c25674581b0100b75f2b36f09 O8 - Extra context menu item: Open in a foreground tab - res://C:\Program Files\Windows Live O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/importer/MypixUploader.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123w.bay123.mail.live.com/mail/resources/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/ O16 - DPF: {D28C3640-A6D7-4668-A53C-07A9CF67D157} (CFnacComposantCtrl Object) - https://www.fnacmusic.com/telechargementFnacmusic/FnacComposant.cab 4) Search and delete the following bold files: (if present) C:\WINDOWS\KesenjanganSosial.exe C:\WINDOWS\ShellNew\RakyatKelaparan.exe 5) do this: start==> run==> type: regedit then by clicking on the + follow this path HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System HKEY_current_user... etc.. and delete DisableRegedit=1 by right-clicking on it and delete 6) download and run this: * CleanUp40 (which eliminates temporary files + cookies: free) http://pageperso.aol.fr/Balltrap34/CleanUp40.exe tutorial: (thanks to Balltrap) http://pageperso.aol.fr/balltrap34/democleanup.htm * Ccleaner: Download and install this, in the left column click on "errors", check all the boxes, then click on "search for errors" at the bottom, once finished, click on "repair errors" and you will get a message to back up your registry, you say "yes" and then repeat until it finds no more errors. * Relaunch Ccleaner, go to the "cleaner" tab on the left, uncheck the last box (Advanced if it is checked) and then click on "run the cleaning" ccleaner tutorial: https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php ==> click on start < < run and type: Prefetch and delete all the contents of this folder! 7) install a firewall: kerio tutorial: to configure and understand Kerio https://www.vulgarisation-informatique.com/kerio.php 8) post a new hijackthis and specify your issues if any remain don't hesitate to ask questions! good luck, @+ **We can also build something beautiful with the stones that obstruct the way (J.W.VON GOETHE)**

bertha · Answer

Hi Green Day, I was about to finally wrap things up with the instructions you gave me... but I don't understand why I can't find "folder options" in tools, in my computer, or even in the control panel under "appearance and themes." I don't have it. I don't have any problem on the other PC. It might be related to the fact that it's a Home XP and not Pro, as I said at the beginning. I got it wrong; it's the PC that's Pro, while the laptop is Home. Or maybe I'm just really clueless... that could be it too.

bertha · Answer

Hello Green Day, I did all the points except 1, 4, and 5 because I couldn't, a window opens with a message from the system administrator that blocks this action, and 7 because I haven't had the time yet.  Thank you GD     Logfile of HijackThis v1.99.1 Scan saved at 13:04:34, on 17/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe C:\PROGRA~1\CleanUp!\cleanup.exe C:\Documents and Settings\BERTHOU Claire\Bureau\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www8.hp.com/fr/fr/home.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www8.hp.com/fr/fr/home.html R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www8.hp.com/fr/fr/home.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: e-Carte Bleue Browser Helper Object - {2E03C0FD-4C48-43A7-9A54-00240C70FF16} - C:\WINDOWS\system32\BhoECart.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - Global Startup: Quick Start of HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in a new background tab - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?12cff11c25674581b0100b75f2b36f09 O8 - Extra context menu item: Open in a new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?12cff11c25674581b0100b75f2b36f09 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menu item: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menu item: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menu item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=https://www8.hp.com/fr/fr/home.html O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{DC41BF28-EA0B-4E11-80C5-6062DF9688A7}: NameServer = 213.154.95.126 213.154.64.13 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

green day · Answer

Hi  you should have it! For XP Pro and Home, it's the same; the difference is not at that level...  window that opens with a message from the system administrator blocking this action,  do you have an administrator or limited rights session???  ++   -- **We can also build something beautiful with the stones that obstruct the path (J.W. VON GOETHE)**

green day · Answer

Hi Bertha!   It's good work ;-)   Yes, you can hide your folders again...   The Avast scan you mean???   It crashes, what do you mean???   Please post a new HijackThis in normal mode   ++  --  **We can also build something beautiful with the stones that impede the way (J.W. VON GOETHE)**

green day · Answer

re   lol ok !  did you install the firewall??? be careful, it's important!!  we didn't touch a scanner anyway...  what's wrong???  regarding the HP lines, it's better to leave them, they're the updates, quick launch...  ++   -- **We can also build something beautiful with the stones that obstruct the way (J.W. VON GOETHE)**

green day · Answer

Hi  the Windows firewall isn't very useful :)  security the Windows XP firewall  I don't know if it's from Word ...  check this:  go to control panel<system<hardware<device manager and see if there are any yellow "?" or "!" points  if that's the case: right-click and update drivers   and update your Windows!   @+ -- **We can also build something beautiful with the stones that obstruct the path (J.W.VON GOETH)**

green day · Answer

Re-hello :-)  for 07: access to the Registry was blocked: execution of Regedit was restricted by modifying a key in the Registry, by fixing it and deleting the value in the registry, this restriction can be canceled, I don't think it has anything to do with Word...  But did you study that there? Is it your job or a passion? Uh, it might be an awkward question but it's curiosity..   It's not my profession, nor my field of study, just a simple passion ;-)))  it's not an awkward question either lol  a little reading in the meantime:  security protect a computer against internet malware  looking forward to it, happy surfing!   @+   -- **We can also build something beautiful with the stones that obstruct the path (J.W.VON GOETHE)**

green day · Answer

Hi   with a bit of experience, a logic starts to appear ;-))  # Download this: (thanks to S!RI for this little program).  http://siri.urz.free.fr/Fix/SmitfraudFix.zip  Run it, double click on Smitfraudfix.cmd, choose option 1, here's what it looks like: http://siri.urz.free.fr/Fix/SmitfraudFix.php it will generate a report: please copy/paste it on the post.  ++ -- **We can also build something beautiful with the stones that obstruct the way (J.W.VON GOETHE)**

green day · Answer

re   still presente  yes :-)  Restart the PC in safe mode: tap the F8 key on your keyboard (or F5) and choose safe mode)  - Open the "SmitfraudFix" folder and double-click on "Smitfraudfix.cmd", select option 2 and answer yes to everything.  Save the report and then copy/paste the report on the forum please.   @+ -- **We can also build something beautiful with the stones that obstruct the way (J.W.VON GOETHE  )**

green day · Answer

re   LOL!!! IT is not a field reserved for men! No way, lol ( or maybe it is less and less... )   look now if you have found the style of XP  ++  -- **We can also build something beautiful with the stones that block the way ( J.W.VON GOETH  )**

green day · Answer

re  ok,  download this and unzip it http://pageperso.aol.fr/Balltrap34/luna.zip  then place it in C:\WINDOWS\Resources\Themes\Luna and double click on it  Then try again to revert to the XP style  ++ -- **We can also build something beautiful with the stones that obstruct the path (J.W. VON GOETHE  )**

green day · Answer

I am really happy for you ;-)))  Dakar: it must be nice ^^  ISPs are not responsible for this avalanche of malware, are they? It’s people like you and me who have fun creating these programs or bits of programs solely to ruin our lives and violate our privacy...  However, I think ISPs could make an effort regarding prevention and the risks of malware...   An idea of what already exists:  different types of malware   a bit more reading:  https://sebsauvage.net/safehex.html  security protecting a computer against internet malware  happy surfing!  @+   -- **We can also build something beautiful with the stones that block the way (J.W. VON GOETHE)**

invincible · Answer

I advise you to download Kaspersky, it's the number one in the world, it's the best...

gnagnagna · Answer

Hello,  I have a friend who has a PC that was unprotected and we discovered it was infected with Brontok.C !!  I followed the instructions by running CCLANER, then I wanted to install AVG SPYWARE: the worm restarted the PC... Upon restarting, I clicked on the Bitdefender link, launched the scan and then I wanted to install HijackThis and the same problem occurred: the worm restarts the PC...  Thank you for your help!!!

green day · Answer

Hello  try to do the following:   Download SDFix to your desktop  http://downloads.andymanchesta.com/RemovalTools/SDFix.exe  Double click on SDFix.exe and choose Install to extract it to a dedicated folder on the Desktop. Restart your computer in Safe Mode Open the SDFix folder that has just been created on the Desktop and double click on RunThis.bat to start the script. Press Y to begin the cleaning process. It will remove the services and registry entries of certain trojans found and then ask you to press a key to restart. Press a key to restart the PC. Your system will take longer to restart than usual as the tool will continue to run and delete files. After the Desktop loads, the tool will finish its work and display Finished. Press a key to complete the execution of the script and load your Desktop icons. Once the Desktop icons are displayed, the SDFix report will open on the screen and will also be saved in the SDFix folder as Report.txt. Finally, copy/paste the content of the Report.txt file into your next response on the forum, along with a new Hijackthis log!  ++  -- The way to love a thing is to say that you might lose it (Gilbert Keith Chesterton)

Infected by I-worm/brontok.C

23 réponses

Texture issues in enshrouded

Canon mb5350 - cartridge replacement impossible

Football manager (club management game)

Select next line csh foreach

Win32 kamso then rootkit detection

Win32:spyware-gen [trj] detected by avast

Unknown video error on the freebox player

Make it or break it

How to open a cbr file

Please log in with manager privileges.