Win32:Brontok [WRM] + Isass.exe need Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kid_JS, Jul 1, 2008.

  1. Kid_JS

    Kid_JS Private E-2

    Hi everyone at MajorGeeks!
    First I would like to thank you for the great job you are doing for simple people ;)

    I turned to you because I finally got hit by the viruses!
    To the point:
    first it was Win32:Brontok [WRM] for a couple of days (physically I just didn't have the time and knowledge to sort it out). Then I found you, guys! And last night I tried to do everything that is in READ&RUN. Strangely, for the whole night my avast didn't pop up once with a warning about Brontok (like it did before, every half an hour).
    BUT after the first reboot (after the first scan) an Isass.exe process appeared! And as far as I know it is not a very good process, it is bad, actually .. real bad! It makes my laptop warm up like a heater and slows it down (so it took the whole night to run every scan)! And, once again, strangely, it is not rebooting every 60 sec like in previous posts about Isass.exe.
    Well, all scans are done, a lot of dirty stuff has been removed, but Isass.exe is still in my Task Manager (using most of the CPU).

    Can you PLEASE help me to get rid of it.

    here are the logs ... well, some of them (if you are going to need the rest of the logs, I will do the scans again, because, for some reason, they disappeared)

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We do not need you to attach HijackThis logs. They are already embedded into MGtools. We do however need you to attach the other two requested logs from SUPERAntiSpyware and Malwarebytes Anti-Malware. Please attach the original logs, not new ones from a second scan. We need to know what was originally found. The original logs should still be there. The SUPERAntiSpyware one will definitely be in the below folder:

    C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs

    You need to uninstall Viewpoint Media Player as requested in step 1 of the READ & RUN ME.

    What is the below shortcut file?
    Code:
    "C:\Documents and Settings\All Users\Desktop\"
    kŽŒ€‘.lnk    Jul  1 2008        2187  "K®¬¯ á.lnk"
    The logs attached thus far do not show signs of a Brontok infection. If you are running anything else (like Brontok Remover) before running our tools, you must stop running it. We cannot fix something that we cannot see, and you could be masking something from our scans. If Avast is really detecting something, you need to show us a log or tell us exactly where it is detecting it. Is it just in System Volume Information?

    Please also run this: Running GMER to detect rootkits, and attach the requested log.
     
    Last edited: Jul 2, 2008
  3. Kid_JS

    Kid_JS Private E-2

    Hi, chaslang! Thanks for the reply on my case.

    I've found the other two logs (hurray).
    I've uninstalled Viewpoint Media Player.
    That strange shortcut could be the Safari shortcut. The reason it looks so weird is that I've renamed it "Compass", only in Russian (компас). (Well, I am Russian, and Safari looks like a compass :) ) Maybe that's it.

    About running Brontok Remover. I am not running it. I just tried it once, it didn't help. That was before all the scans.

    Well, as I said, it seems like Brontok is gone. But I am sure it was there. I could send you the same print screens as hala3ammi sent you about his Brontok virus. Mine was not in Adobe, but elsewhere in Documents and Settings.

    About that Isass.exe process. In Security Task Manager it is named LSA Shell (Export Version). I have checked it on Google and it seems like it is some kind of Sasser virus. And when I try to remove this process, my laptop reboots after 60 seconds. I can't do anything about it.

    Well, here are the rest of the logs + the GMER log. I really hope that it will show you something.

    Thank You.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be touching this file!!! lsass.exe is a required Windows System file and if you kill the process, the response will be the 60 seconds to reboot message you have received. Leave this process alone.

    Are you actually having any real malware problems at the current time?
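    The point made above, that the process is the genuine lsass.exe rather than a lookalike, is something a practitioner should check rather than eyeball in Task Manager, because a lowercase L and a capital I are indistinguishable in many fonts. The script below is an added example and is not part of this thread or of any MajorGeeks tool. It assumes Windows PowerShell 5.1 or later on a current Windows build (the machine in the thread is XP, which has no PowerShell by default) and an elevated prompt, since WMI needs that to report the image path of a SYSTEM process. It flags any running process whose name reads as "lsass" and reports whether it is the expected Microsoft-signed binary in System32; it terminates nothing, because killing the real lsass.exe triggers exactly the 60-second shutdown described above.

```powershell
# Added example, not from the thread: triage every running process whose name
# could be read as "lsass". Assumes Windows PowerShell 5.1+ and an elevated prompt.
# Nothing here terminates a process.

$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Lowercase L, capital I, digit 1 and the pipe character all look alike in many fonts.
$lookalike = '^[lI1|]sass$'

$findings = foreach ($p in Get-Process) {
    if ($p.ProcessName -notmatch $lookalike) { continue }

    # WMI can report the path of a protected process that .NET's MainModule cannot open.
    $wmi    = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"
    $path   = $wmi.ExecutablePath
    $parent = (Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue).ProcessName

    $sigStatus = 'n/a'
    $signer    = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Genuine: name spelled with a lowercase L, image in System32, valid Microsoft
    # signature. The parent is reported for context: wininit on Vista+, winlogon on XP.
    $genuine = ($p.ProcessName -ieq 'lsass') -and
               $path -and ($path -ieq $expectedPath) -and
               ($sigStatus -eq 'Valid') -and ($signer -match 'Microsoft')

    $verdict = if ($genuine) { 'expected system process' }
               else          { 'SUSPECT: name, path or signature mismatch' }

    [pscustomobject]@{
        Name      = $p.ProcessName
        PID       = $p.Id
        Parent    = $parent
        Path      = $path
        Signature = $sigStatus
        Verdict   = $verdict
    }
}

$findings | Format-Table -AutoSize
```

    On a clean machine the output is one row, name `lsass`, path `C:\Windows\System32\lsass.exe`, signature `Valid`, verdict `expected system process`. A second row, a path outside System32, or a name that passes the lookalike pattern but not the `-ieq 'lsass'` test is what to investigate. The script says nothing about why the process is busy; high CPU in the genuine lsass.exe is not by itself evidence of infection.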
     
  5. Kid_JS

    Kid_JS Private E-2

    Hi!
    Ok, I'm not that good at computers, but what I know is there is definitely something wrong with mine. Every time I restart my laptop, it works really hard (that lsass.exe uses almost all the CPU) for about an hour! This is why I am worried about that process. Then it "calms" down and only then can I actually work with it. It has never been like that before. Before that Brontok virus.
    After all READ&RUN ME stuff, after the last post to you, I have uninstalled my Avast and installed Kaspersky. It has found that Brontok virus again and deleted it. This night I did the scan again..same thing..it is still there.

    I don't want to be pain in the ... but if you still can try to help me please let me know.

    Here I have screenshots of those scans.

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note that text logs of what is being found are MUCH MUCH more useful than screen snapshots. I would have to type everything from your snapshot, but from a log I can just cut and paste. Can you please attach a text log?

    Did you purchase Kaspersky or is this just a free scanner that does not fix anything? If you bought it, you should be asking them why they do not remove this.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I decided to create a fix for you to try but you should still yell at Kaspersky.



    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this Using BitDefender Online Scan and follow the instructions EXACTLY to create a proper log and attach it. This log (as stated) will contain HTML code and you are just renaming it to have .txt file extension so that it can be attached.
     
  8. Kid_JS

    Kid_JS Private E-2

    Hi, chaslang!
    I couldn't find any of the Kaspersky logs, sorry. But I did everything as you told me to do, except for the BitDefender log. For some reason I couldn't save it as a text file, there was no choice, Windows could only save it as an html file. So I have copied it into a Word doc. Hope it will be all right for you to read. I was surprised with the results, really. It has found some strange stuff! I mean, what the .... is going on with this machine? Why could no other program see this? I really hope that you have some answers, man. By the way, I would like to thank you again for devoting some time to my case. Thanks.

    Here are the logs for ComboFix and BitDefender + a screenshot (yeap) of Task Manager for you to see how exactly it looks.

    About Kaspersky.. let's say I have borrowed it.

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is just things you downloaded. Most of that is just false positives. The keygen is the only real issue. If you want to avoid having malware problems like you are having, stop using keygens, cracks, etc. Uninstall all illegal software immediately as it may have been compromised and therefore cannot be trusted. Continuing to use software like this could make malware removal impossible because any of it could possibly be reinfecting you.


    As in illegal? If so, uninstall it now.

    You have a load of files in the C:\Program Files folder that DO NOT belong there. If you wish to keep them, move them somewhere else. This folder should not be used to store your downloads. Malware stores things here, thus files saved here are always suspect and often just removed. Here is some of what I see in this folder:
    Code:
    2008-07-01 06:23 . 2008-07-01 06:23 605,224 --a------ C:\Program Files\WindowsXP-KB951376-v2-x86-ENU.exe
    2008-07-01 06:21 . 2008-07-01 06:21 8,723,064 --a------ C:\Program Files\windows-kb890830-v1.42.exe
    2008-07-01 05:25 . 2008-07-01 05:25 1,239,875 --a------ C:\Program Files\MGtools.exe
    2008-07-01 05:20 . 2008-07-01 05:20 1,704,944 --a------ C:\Program Files\mbam-setup.exe
    2007-12-17 17:34 2,274 -c--a-w C:\Program Files\CDmage.ini
    2007-07-31 15:04 1,514,496 -c--a-w C:\Program Files\CDmage.exe
    2007-04-09 18:56 19,017,163 -c--a-w C:\Program Files\Kaspersky.Antivirus.v6.0.2.614.rar
    2007-03-08 06:12 465,919 -c--a-w C:\Program Files\flac113b.exe
    2007-01-30 11:20 12,179 ----a-w C:\Program Files\release_notes_en.html
    2007-01-29 20:44 29,768 ----a-w C:\Program Files\setup.exe
    2007-01-29 20:42 20,593,664 ----a-w C:\Program Files\kav6.en.msi
    2006-12-08 22:48 17,674,296 -c--a-w C:\Program Files\avg75free_432a861.exe
    
    Also, are the below files ones you trust? Did you download and save them here?
    2008-06-02 20:35 263,744 ----a-w C:\WINDOWS\RADIOHEAD.scr
    2008-06-02 20:35 1,528,126 ----a-w C:\WINDOWS\RADIOHEAD.exe




    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    Now since you have Security Task Manager installed, run it when/if lsass.exe is using all of your CPU and see if STM points anything out. Save a log with it and attach it.
     
    Last edited: Jul 6, 2008
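    The listing in the post above is the kind of evidence ComboFix surfaces: loose files sitting directly in the Program Files root, where installers normally create subfolders rather than drop files. The script below is an added example, not part of this thread or of any tool it mentions, for producing the same view on demand. It assumes Windows PowerShell 5.1 or later (for `Get-ChildItem -File` and `Get-FileHash`) and only needs read access. It lists every file directly under the Program Files roots with its timestamp, size, hidden attribute and, for anything executable, its Authenticode status and SHA-256, so each entry can be decided on (move, delete, or look the hash up) rather than guessed at.

```powershell
# Added example, not from the thread: list loose files in the Program Files roots.
# Assumes Windows PowerShell 5.1+. Read-only; nothing is moved or deleted.

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Types that execute, or that carry executables: loose copies deserve a closer look.
$executable = '\.(exe|dll|scr|com|pif|msi)$'
$review     = '\.(exe|dll|scr|com|pif|msi|bat|cmd|vbs|js|rar|zip|7z)$'

$report = foreach ($root in $roots) {
    # -File skips the expected subfolders; -Force includes hidden/system files.
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f      = $_
            $status = ''
            $signer = ''
            $sha256 = ''

            if ($f.Name -match $executable) {
                $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) {
                    # Keep only the CN of the signer for a compact column.
                    $signer = $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
                }
            }
            if ($f.Name -match $review) {
                $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }

            $flag = if ($f.Name -match $review) { 'REVIEW' } else { '' }

            [pscustomobject]@{
                Modified  = $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
                SizeBytes = $f.Length
                Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                Signature = $status
                Signer    = $signer
                Flag      = $flag
                SHA256    = $sha256
                Path      = $f.FullName
            }
        }
}

$report | Sort-Object Modified -Descending | Format-Table -AutoSize
```

    A clean machine usually yields an empty or near-empty table, since vendors install into subfolders. An installer such as `mbam-setup.exe` will show a valid signature and a known signer; an unsigned `.exe`, a `.scr`, or an archive in this location is what the post above tells the user to move out or remove. The SHA-256 column lets a suspicious file be checked against a reputation service without uploading it.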
  10. Kid_JS

    Kid_JS Private E-2

    Hi!
    I have followed your advice about keygens and files that are "in the wrong place". Keygens are deleted, files moved to My Documents.

    That Radiohead file is a screensaver, but I have deleted it as well, just in case.
    Next I did everything you told me to do. I have got all the logs.
    The registry that was added was all right.
    But it is a pity to say, after restarting and having a look at the Task Manager, it is still the same thing. Still lsass.exe is running like mad.

    So here are the logs you wanted:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not address what I requested with Security Task Manager.

    Also Kaspersky is still installed. Is it a legal copy?

    What about Ad-Aware that you have installed with Ad-Watch..... Is it legal?
     
  12. Kid_JS

    Kid_JS Private E-2

    Hi, Chaslang!
    Sorry that it took the whole week to get back to you - have been really busy lately.
    Well, the good news is (for me it is, you might not give a damn about it :) ) that it seems like my laptop is clean again.
    The bad news (for me again) is that I uninstalled all the illegal antivirus software that I had, on your advice. Thanks for that! No, really, now I realize that it is a bad idea to run illegal copies of antivirus (especially that one) on your PC.
    So thanks again for your help and advice. Take care!

    P.S. Now I am running an evaluation copy of BitDefender and it will end soon.
    Any suggestions on free anti-malware software would be much appreciated. I just can't afford the other choice, for some reason they are not cheap, you know...
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Everything you need is covered in the link in the last step below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the closing quote and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
