Brontok-I virus. Help! please.

[essexboy]

I cannot access that file for some reason so could you attach the csv file or just paste it.  I will do any necessary reformating

[Ltangelic]

Hey essex,

Sorry to come in without your permission, but I cannot PM anyone on this account for some reason. I received your PM and would like to thank you for your help. I'm still waiting for the user to reply.

LT

[essexboy]

Hi  Ltangelic alas due to spammers you need 20 posts before PM's are available.  But you are getting there, and nice to see you putting your talents to work

[Ltangelic]

Hi essex,

Hi  Ltangelic alas due to spammers you need 20 posts before PM's are available.  But you are getting there, and nice to see you putting your talents to work

Thanks for telling me, I was wondering when do I get to PM people.  I'm not really helping much actually cause I will be away for a year to study for my A levels, but yah I will come back after that and continue working like a mad woman.

Nice to see you here too.

[AVastephen]

I just tried to attach it -- .csv is not an allowed file type =\...

here we are! I selected firefox from a list:

Data Noe Chavez.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
SharedDocs.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
My Music.exe;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLM.Generic.440;Deleted.;
ComboFix.exe.part\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Probably BATCH.Virus;;
ComboFix.exe.part\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Program.PsExec.171;;
ComboFix.exe.part;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
ComboFix6.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Probably BATCH.Virus;;
ComboFix6.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Program.PsExec.171;;
ComboFix6.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
C2152591d01\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Probably BATCH.Virus;;
C2152591d01\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Program.PsExec.171;;
C2152591d01;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache;Archive contains infected objects;Moved.;
A0042189.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Probably BATCH.Virus;;
A0042203.EXE;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Program.PsExec.170;;
A0042687.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Probably BATCH.Virus;;
A0042687.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Program.PsExec.171;;
A0042687.exe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283;Archive contains infected objects;Moved.;

yay!
thanks.

[essexboy]

Well that took a few bits out- although most were combofix  

But these were the three bad ones

Data Noe Chavez.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
SharedDocs.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
My Music.exe;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLM.Generic.440;Deleted.;

Which are no more

How is your computer - any further alerts ?  If they reference system restore I will hit them  next

[AVastephen]

I don't know... I haven't been able to get avast to start its on-access (resident) protection again -- the icon won't show up in the tray, even though the settings box is checked to have it so (and I've restarted the application and my computer several times, and checked the help, which doesn't say anything about turning it back on after it's been turned off, just that it shouldn't be turned off in the first place - hah!).
So alerts have not been forthcoming, though I don't expect them when I'm connected to wireless. They've only showed up at home, when I've been connected to a (slow-ish) network by wire... anyhoo, yeah, trouble with getting the resident protection to start again, and no new alerts.

did some of those files the dr. web scan found already reference the system restore?:

A0042189.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Probably BATCH.Virus;;
A0042203.EXE;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Program.PsExec.170;;

and such? I'm not sure what to do about those -- the program didn't do anything with them, it seems like, except note they were there. I'm glad to hear the bad ones got got though 

Thanks!

[essexboy]

Have you tried a repair of Avast ?

Lets clear the restore points now

A good workman always cleans up after himself so...Download and run this small programme and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
  
• Click Yes to confirm.
• Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
  
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
• Click CREATE
  

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

[AVastephen]

ok, thanks much!

I did all that.
now I'm not sure how to do a repair of Avast... =\
Thanks!

[DavidR]

Repair of avast. From Windows Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow.