BrisvA trojan

First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

Do you know what the below folder is for?

Code:

2009-08-14 19:04 . 2009-08-14 13:14 -------- d-----w- c:\program files\nkbcvs[/b]
 
 
Run this [URL="http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html"][B][COLOR=blue]Disable/Remove Windows Messenger[/COLOR][/B][/URL] to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
 
[B]Uninstall the below software:[/B]
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_16
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player [B][COLOR=purple]<-- should have been uninstalled in step 5 of the READ ME[/COLOR][/B]
 

[B]Now we need to use ComboFix to remove a bunch of malware files.[/B] 
[LIST]
[*]Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but [B]Do not run it![/B]
[LIST]
[*]If it is not on your Desktop, the below will not work.
[/LIST]
[*][B][COLOR=darkred]Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly. [/COLOR][/B]
[*]If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
[*]Open Notepad and copy/paste the text [B]in[/B] the below quote box into it:
[/LIST][quote]
KILLALL::
 
 
DirLook::
C:\Program Files\nkbcvs
 
File::
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp
c:\windows\system32\ldeubxd.exe
 
Folder::
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Digital Media Reader\bak
c:\program files\dvd43\bak
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
c:\program files\Java\jre1.6.0_02\bin\bak
c:\program files\McAfee\SpamKiller\bak
c:\program files\QuickTime\bak
c:\program files\Symantec AntiVirus\bak
c:\documents and settings\KevB\Local Settings\Application Data\AskToolbar
c:\documents and settings\Family\Local Settings\Application Data\AskToolbar
 
Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AA_SecuHDD"=-
"ldeubxd"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Reminder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]

[/quote]
[LIST]
[*]Save the above as [B]CFscript.txt [/B]and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
[*]At this point, you [COLOR=darkred][B]MUST EXIT ALL BROWSERS NOW [/B][/COLOR]before continuing!
[*]You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
[*]Now use your mouse to drag [B]CFscript.txt [/B]on top of ComboFix.exe
[*]Follow the prompts.
[*]When it finishes, a log will be produced named c:\combofix.txt
[*]I will ask for this log below
[/LIST][U][B][SIZE=3][COLOR=red]Note:[/COLOR][/SIZE][/B][/U] 
 
[B][COLOR=darkred]Do not mouseclick combofix's window while it is running. That may cause it to stall.[/COLOR][/B]
 
 
After reboot, now install the current version of Sun Java from: [URL="http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html"][B][COLOR=blue]Sun Java Runtime Environment[/COLOR][/B][/URL]
 
[B]Now you need to run MSconfig and put your PC into Normal Startup mode as requested in step 4 of the READ & RUN ME.[/B]
 
[B]Also delete all files and subfolders in the below folders except ones from the current date ([COLOR=purple]Windows will not let you delete the files from the current day[/COLOR]).[/B]
C:\WINDOWS\TEMP
C:\Documents and Settings\Owner.BAKER1\Local Settings\temp
 
[B]Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.[/B]
 
Now run the [COLOR=black][B]C:\MGtools\GetLogs.bat [/B][/COLOR]file by double clicking on it ([B][COLOR=red]Note:[/COLOR] [/B]if using Vista, don't double click, use right click and select Run As Administrator). 
 

[B]Then attach the below logs:[/B]
[LIST]
[*][B][COLOR=darkred]C:\ComboFix.txt[/COLOR][/B]
[*][B][COLOR=darkred]C:\MGlogs.zip[/COLOR][/B]
[/LIST][B]Make sure you tell me how things are working now![/B]

 

Delete the below file:
c:\program files\temp01


Also delete the below folder:
c:\program files\nkbcvs

Attach a log from Symantec that shows exactly what and where this is being detected. If it is in System Volume Information then it is just System Restore.

 

I'm not sure whether this is valid or not. According to Symantec's own website, this infection is found in media files. They don't say anything about temp files. Have you been playing and form of multimedia type files (videos of any form or music)? If so stop for a few days and see if any detections still occur.

Also run Symantec's specialty tool following their instructions. Be sure to disable System Restore as requested.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-072215-0522-99

Does that help?

 

Okay! Let us know if it works or it fails.