Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32.Brontok


  • This topic is locked This topic is locked
3 replies to this topic

#1 s_dog_1

s_dog_1

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 05 May 2009 - 05:03 AM

I am getting a popup window indicating I have been infected with Win32.Brontok. Firefox will crash or not open - also sometimes I can't log on as admin.

When I try to use IE I get directed to a page that says:

Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software.


The following is the DDS File:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 5:41:27.62 on Tue 05/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.42 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\twext.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: {9BE4EF3E-479F-3AA5-5E72-26ECE73FCE10} - No File
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.4000.1001\en-ca\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.4000.1001\en-ca\msntb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {39F02A6A-7880-DE96-1183-7D53755260F7} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F162261C.exe] c:\docume~1\owner\locals~1\temp\_A00F162261C.exe
uRun: [A00F2F6446EA.exe] c:\docume~1\owner\locals~1\temp\_A00F2F6446EA.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [areslite] "c:\program files\ares lite edition\AresLite.exe" -h
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [PRONoMgr.exe] "c:\program files\intel\ncs\proset\PRONoMgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EPSON Stylus CX3200] "c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE" /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [realteks] "c:\documents and settings\owner\application data\google\sxkzw965566.exe" 2
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: brightonbeachpower.com\mail
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.photolab.ca/Upload/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://blacks.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
Notify: __c00B3C05 - c:\windows\system32\__c00B3C05.dat

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ttv2nenc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-8 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2002-3-20 14448]

=============== Created Last 30 ================

2009-05-04 19:06 41,644 a------- c:\windows\system32\drivers\svchost.exe
2009-05-03 09:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-04-14 19:18 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:18 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:18 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:18 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:18 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:18 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 19:18 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:18 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:18 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 19:16 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 19:16 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 19:16 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:25 129,520 -------- c:\windows\system32\pxafs.dll
2009-04-13 10:40 <DIR> --d----- c:\program files\uTorrent
2009-04-13 10:40 <DIR> --d----- c:\docume~1\owner\applic~1\uTorrent
2009-04-08 08:11 <DIR> --d----- c:\documents and settings\owner\Tracing
2009-04-08 08:08 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-04-08 08:02 <DIR> --d----- c:\program files\Microsoft
2009-04-08 08:02 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-04-08 07:52 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-04-15 08:22 162,626 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 20:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-01 10:28 76,064 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-13 08:00 129 a---h--- c:\docume~1\owner\applic~1\lakerda1967.sys
2009-02-13 08:00 360,580 a------- c:\windows\eSellerateEngine.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-02-04 20:58 11,771 a------- c:\program files\hijackthis.log
2008-02-04 19:59 1,308,216 a------- c:\program files\HiJackThis_v2.exe
2004-04-23 22:30 5,320 a------- c:\program files\Noun Acid Cast.bin
2008-08-30 08:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat
2008-12-11 04:12 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-12-11 04:12 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-12-11 04:12 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 5:42:09.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:46 PM

Posted 12 May 2009 - 01:54 PM

Hi s_dog_1,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please download http://OTListIt2 by OldTimer.
  • Save it to your desktop.
  • Double click on the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Type or copy and paste in the Custom Scans/Fixes section: drivers32
  • Click Run Scan button.
  • Two reports will open, copy and paste the first log to your reply:
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

[*]Tell me about the current condition of your computer.
[/list]

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:46 PM

Posted 15 May 2009 - 05:57 PM

Are you still there? I'll wait one more day before closing the topic.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:46 PM

Posted 18 May 2009 - 04:09 PM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users