Infected with the win32.brontok virus

June 5, 2009 at 14:08:57
Specs: Microsoft Windows XP Professional, 1.828 GHz / 502 MB
Hi, the win32.brontok thing downloaded onto my computer and I closed the browser, only to find that I couldn't open it up again. When I opened it, it would change the home page to a warning and it asked me to download security protection. Then a few seconds later it shut down. (I didn't click anything or download anything.) AVG Free did not find anything, but Malwarebytes did and I have a log if you want me to post it.

Also, every few minutes a warning would pop up saying that Windows Firewall detected win32.brontok and it could not fix the problem but I could download something that did. (I didn't download it.)

Now it's been about 2 hours and I've just been doing scans, I can get online fine now for some reason, but I want to make sure this thing is gone.

June 5, 2009 at 14:21:11
Post Malwarebytes log.

June 5, 2009 at 14:23:53
Malwarebytes' Anti-Malware 1.37
Database version: 2234
Windows 5.1.2600 Service Pack 2

6/5/2009 4:54:57 PM
mbam-log-2009-06-05 (16-54-57).txt

Scan type: Quick Scan
Objects scanned: 85831
Time elapsed: 12 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Rose H\Application Data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Hanam) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Rose H\application data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Rose H\application data\Google\afuya1119762.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Rose H\nah_itvd.exe (Trojan.Hanam) -> Quarantined and deleted successfully.

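Added example (not from the thread, and not Malwarebytes' own code): a small Python parser for the log format posted above, run over the findings in that log, that pulls out what a responder would check first: the HKCU Run persistence entry, the Security Center notification switches that were flipped, and the items still marked "Delete on reboot" that need re-verification after the restart.

```python
import re

# Detection lines from the Malwarebytes log posted above (copied from the thread, not constructed)
MBAM_LOG = r"""Memory Modules Infected:
C:\Documents and Settings\Rose H\Application Data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Hanam) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Rose H\application data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Rose H\application data\Google\afuya1119762.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Rose H\nah_itvd.exe (Trojan.Hanam) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<detection name>) -> <action taken>"
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return a list of dicts with keys: section, item, name, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = FINDING_RE.match(line)              # "(No malicious items detected)" does not match
        if section and m:
            findings.append({"section": section, **m.groupdict()})
    return findings

def triage(findings):
    """Flag what a responder checks after an MBAM cleanup."""
    report = {"run_key_persistence": [], "security_center_tampering": [],
              "pending_reboot": [], "families": sorted({f["name"] for f in findings})}
    for f in findings:
        item = f["item"].lower()
        if "\\currentversion\\run\\" in item:                         # autostart persistence
            report["run_key_persistence"].append(f["item"])
        if "\\security center\\" in item and "disablenotify" in item: # AV/update warnings silenced
            report["security_center_tampering"].append(f["item"])
        if "delete on reboot" in f["action"].lower():                 # not gone until the restart
            report["pending_reboot"].append(f["item"])
    return report
```

After the reboot, a second scan should show the three "Delete on reboot" paths gone and the Security Center values back at 0.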
June 5, 2009 at 14:34:58
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to HijackThis: Here

June 6, 2009 at 08:18:04
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);
QuarantineFile('C:\Documents and Settings\Rose H\Application Data\Google\afuya1119762.exe','');
DeleteFile('C:\Documents and Settings\Rose H\Application Data\Google\afuya1119762.exe');

2) After reboot, attach a Combofix log. Please review and follow these instructions carefully.

Download it here ->

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to and paste the link here.

June 6, 2009 at 09:03:24
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ. Your computer will reboot.

SearchRootkit(true, true);
QuarantineFile('c:\documents and settings\Rose H\Application Data\BearShare\kern.dll','');
DeleteFile('c:\documents and settings\Rose H\Application Data\BearShare\kern.dll');
QuarantineFile('c:\documents and settings\Rose H\Application Data\acccore\shalom.exe','');
DeleteFile('c:\documents and settings\Rose H\Application Data\acccore\shalom.exe');
QuarantineFile('c:\documents and settings\Rose H\Application Data\Azureus\msgdi.dll','');
DeleteFile('c:\documents and settings\Rose H\Application Data\Azureus\msgdi.dll');
QuarantineFile('c:\documents and settings\Rose H\Application Data\Adobe\rengo.dll','');
DeleteFile('c:\documents and settings\Rose H\Application Data\Adobe\rengo.dll');
QuarantineFile('c:\documents and settings\Rose H\Application Data\Apple Computer\nomad.exe','');
DeleteFile('c:\documents and settings\Rose H\Application Data\Apple Computer\nomad.exe');
QuarantineFile('c:\documents and settings\Rose H\Application Data\ArcSoft\lego.exe','');
DeleteFile('c:\documents and settings\Rose H\Application Data\ArcSoft\lego.exe');
QuarantineFile('c:\documents and settings\Rose H\Application Data\Amazon\socks1.exe','');
DeleteFile('c:\documents and settings\Rose H\Application Data\Amazon\socks1.exe');

2) After reboot, run this script in AVZ:


3) A file called should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\ to a filehost such as Then, Private Message me the download link to the uploaded file.

4) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.

June 6, 2009 at 19:29:58
Ok, PM sent.

June 6, 2009 at 19:46:15
PS: Seems like you have caught something rare.

Thanks for the files. Please follow these steps in order numbered and post summary log after each step.

1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: Run a full scan with:

Download and run Kaspersky AVP tool:
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial:

2) Run a full scan with

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Illustrated Tutorial:

Note: Turn System Restore back on if you wish; this is to remove malware from the System Volume Information files.

3) Scan with SuperAntispyware : . Fix what it detects and post summary scan log.

June 7, 2009 at 21:26:34
Okay, Kaspersky did not find any threats, but ESET did, here's the link to the log:

I'll do the superantispyware scan when I wake up and I'll post it in another reply.

June 8, 2009 at 05:39:58
Seems you're malware free; just run the last scan and post results.

June 10, 2009 at 20:18:24
I did the Quick scan and fixed the problems, here's the log.
Should I have done the Complete scan instead? I can still do that if it would help.

June 10, 2009 at 20:25:07
Is your original problem fixed? You're malware free, just some adware lying around.

If I'm helping you and I don't reply within 24 hours send me a PM.

June 12, 2009 at 07:52:01
Yes, the original problem is fixed. I do however think I have a new virus which I will post in a separate thread.
