avast has blocked a threat win32:Brontok[wrm]

Hey Guys! Great forum & it has helped me in the past.
But I need assistance on this one. I’m having a major problem removing the Brontok infection. Not sure if starting a new topic is the way to go as I have witnessed previous threads in relation to my problem on this forum in the past. As I understand each individual infection is different. Any help or suggestion would be greatly appreciated.

It began last week, Avast blocked a process from Brontok. I ran a scan straight away, full system, including PUP files. It encountered the infection in three files, removed 2 & was unable to remove the last. Avast suggested a reboot scan of the registry & I proceeded to do so. I scanned again, after the boot scan. . . . no infections found. Then 5 mins later, Avast blocked the process again. I also have spybot search & destroy on my laptop but a full scan showed nothing. My laptop knowledge is fairly low.

Reading a previous thread on this forum, I downloaded malwarebytes, updated straight away & ran a scan & it found nothing. I turned file sharing off & system restore to avoid the infection making things worse. I have been checking my task manager to see if the process is running but it ain't appearing, I guess Avast is stopping it from processing.

Just ran a full system scan with avast & it found 1 infected file, as follows. …

C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp

Again any help or further suggestions would be greatly appreciated.
Regards
Ray

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.18.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Win7 :: SILVERSURFER [administrator]

Protection: Enabled

18/07/2012 16:09:33
mbam-log-2012-07-18 (16-09-33).txt

Scan type: Full scan (C:|D:|E:|F:|G:|H:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361022
Time elapsed: 1 hour(s), 16 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2012/07/18 02:28:26 +0100 SILVERSURFER Win7 MESSAGE Starting protection
2012/07/18 02:28:31 +0100 SILVERSURFER Win7 MESSAGE Protection started successfully
2012/07/18 02:28:34 +0100 SILVERSURFER Win7 MESSAGE Starting IP protection
2012/07/18 02:28:37 +0100 SILVERSURFER Win7 MESSAGE IP Protection started successfully
2012/07/18 02:41:51 +0100 SILVERSURFER Win7 MESSAGE Executing scheduled update: Daily
2012/07/18 02:42:03 +0100 SILVERSURFER Win7 MESSAGE Scheduled update executed successfully: database updated from version v2012.07.17.15 to version v2012.07.18.01
2012/07/18 02:42:03 +0100 SILVERSURFER Win7 MESSAGE Starting database refresh
2012/07/18 02:42:03 +0100 SILVERSURFER Win7 MESSAGE Stopping IP protection
2012/07/18 02:46:08 +0100 SILVERSURFER Win7 MESSAGE IP Protection stopped
2012/07/18 02:46:12 +0100 SILVERSURFER Win7 MESSAGE Database refreshed successfully
2012/07/18 02:46:12 +0100 SILVERSURFER Win7 MESSAGE Starting IP protection
2012/07/18 02:46:16 +0100 SILVERSURFER Win7 MESSAGE IP Protection started successfully
2012/07/18 04:25:44 +0100 SILVERSURFER Win7 IP-BLOCK 88.85.64.130 (Type: outgoing, Port: 50453, Process: avastsvc.exe)
2012/07/18 04:25:44 +0100 SILVERSURFER Win7 IP-BLOCK 88.85.64.130 (Type: outgoing, Port: 50454, Process: avastsvc.exe)
2012/07/18 13:28:29 +0100 SILVERSURFER Win7 MESSAGE Starting protection
2012/07/18 13:28:32 +0100 SILVERSURFER Win7 MESSAGE Executing scheduled update: Daily
2012/07/18 13:28:33 +0100 SILVERSURFER Win7 MESSAGE Protection started successfully
2012/07/18 13:28:36 +0100 SILVERSURFER Win7 MESSAGE Starting IP protection
2012/07/18 13:28:40 +0100 SILVERSURFER Win7 MESSAGE IP Protection started successfully
2012/07/18 13:28:44 +0100 SILVERSURFER Win7 MESSAGE Starting database refresh
2012/07/18 13:28:44 +0100 SILVERSURFER Win7 MESSAGE Scheduled update executed successfully: database updated from version v2012.07.18.01 to version v2012.07.18.06
2012/07/18 13:28:44 +0100 SILVERSURFER Win7 MESSAGE Stopping IP protection
2012/07/18 13:32:01 +0100 SILVERSURFER Win7 MESSAGE IP Protection stopped
2012/07/18 13:32:04 +0100 SILVERSURFER Win7 MESSAGE Database refreshed successfully
2012/07/18 13:32:04 +0100 SILVERSURFER Win7 MESSAGE Starting IP protection
2012/07/18 13:32:06 +0100 SILVERSURFER Win7 MESSAGE IP Protection started successfully

Regards
Ray

asw MBR log
Regards
Ray

I see that you have run combofix, could you attach that log

Thanks for the response, just updated Combofix & ran another scan.
Please see file attached.
Note… upon reboot I had no access to files or programs & was prompted by windows… “illegal operation attempted on a registry key that has been marked for deletion”
Just rebooted the laptop & had access again.
Regards
Ray

that is normal after a combofix run :wink:

:slight_smile: :slight_smile:
Combofix could have warned me about it though! Got a small fright! :o

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

There is no sign of the Brontok there, is Avast still reporting it?

Gonna full scan right now, will report back when finished.
Thanks for your attention.
Regards
Ray

Yup Avast is still reporting it :cry:
Same file again, unable to move to chest or delete. . . .
any further help would be appreciated.
Regards
Ray

OK let's give Combofix a shot at removing it

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Combofix Log attached
Regards
Ray

That should have killed it … Could you run a quickscan now to ensure it is no longer detected

still there :cry:

Same file detected

Avast still unable to move infected file to the vault.

“error virus chest server is not running: RPC communication failed. (2147422219)”

Anything else I could try?
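A read-only triage step, added here as an example and not part of the thread: before escalating to another removal tool, it is worth checking what is stopping Avast from moving the file (hidden/system attributes, an unexpected owner, or another process holding it open). It assumes the path reported above and an elevated PowerShell prompt; nothing is modified.

```powershell
# Added example, not from the thread: read-only triage of the file Avast keeps
# flagging, to see why quarantine/deletion fails before escalating tools.
# Assumes the path reported in this thread; run from an elevated PowerShell.
$Target = 'C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp'

$item = Get-Item -Path $Target -Force -ErrorAction SilentlyContinue   # -Force: include hidden/system
if (-not $item) {
    Write-Output "Not present (or access denied): $Target"
    return
}

# Attributes such as Hidden/System/ReadOnly and an unexpected owner are
# worth noting before deciding how to remove the file.
Write-Output ("Size: {0} bytes  Attributes: {1}" -f $item.Length, $item.Attributes)
Write-Output ("Created: {0}  Modified: {1}" -f $item.CreationTime, $item.LastWriteTime)
Write-Output ("Owner: {0}" -f (Get-Acl -Path $Target).Owner)

# SHA-256 via .NET so this also works on PowerShell 2.0 (Windows 7 default);
# FileShare.ReadWrite lets us read even if another process holds the file.
try {
    $fs = [System.IO.File]::Open($Target, 'Open', 'Read', 'ReadWrite')
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($fs)
    $fs.Close()
    Write-Output ("SHA256: {0}" -f (($hash | ForEach-Object { $_.ToString('x2') }) -join ''))
} catch { Write-Output "Hash failed: $($_.Exception.Message)" }

# Is the file held open? Request exclusive access; a failure here means some
# other process has it open, one common reason a move-to-chest or delete fails.
try {
    $fs = [System.IO.File]::Open($Target, 'Open', 'Read', 'None')
    $fs.Close()
    Write-Output 'No lock: nothing else holds the file open'
} catch { Write-Output "Locked or denied: $($_.Exception.Message)" }
```

The hash lets the helper compare the file against the one the scanner reports across runs, so a re-detection can be told apart from a re-created file.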

OK really big boy on this

  1. Please download The Avenger by Swandog46 to your Desktop.
     - Right click on the Avenger.zip folder and select “Extract All…”
     - Follow the prompts and extract the avenger folder to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF

     - Accept the disclaimer

https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF

     - Right click on the window under Input script here:, and select Paste.

https://dl.dropbox.com/u/73555776/Avenger%20run.GIF

     - You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
     - Click on Execute
     - Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
     - It will Restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
     - On reboot, it will briefly open a black command window on your desktop, this is normal.
     - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
     - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  5. Please copy/paste the content of c:\avenger.txt into your reply.

Not sure if this has worked as the txt file says operation aborted but here is the txt file
Just in the process of an Avast scan now to see if there is still infection…
Regards
Ray

OK that is saying that the command was not copied correctly

You must have all of the following in the Avenger script box

Begin copying here:
Files to delete:
C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp

Ok followed your instructions exactly…
Input the following command into avenger…

Begin copying here:
Files to delete:
C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp

It restarted & I got the black prompt box again but I can't locate the avenger.txt file in C: drive??
Also no txt document was opened upon reboot. I assume the command is not being performed. Have tried it a few times, still no C:\avenger.txt present.
However when I input the wrong command (as you pointed out) I got the txt file in C drive.

OK let's now try and take out the folder

I will use Combofix as I will be able to restore any legitimate files in there

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
Folder:: C:\Windows\SoftwareDistributor\Datastore\Logs\trz
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.