Attached ComboFix file
Regards
Ray
Hmm, something new has appeared.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\SysWow64\drivers\lgehbbl.sys
c:\windows\SysWow64\drivers\swwvs.sys
c:\windows\SysWow64\drivers\flpqf.sys
c:\windows\SysWow64\drivers\xfemxp.sys
c:\windows\SysWow64\drivers\jaemkh.sys
c:\windows\SysWow64\drivers\qtdv.sys
c:\windows\SysWow64\drivers\rdicxv.sys
Driver::
akpl
albkeou
ezhsp
jmpubzbq
leokqyi
mvvoriur
oltzxc
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.
Something new, eh? OK, don't like the sound of that!! :o
Attached the ComboFix txt file.
Thanks for your attention again
Regards
Ray
OK, they have come back, but the files only, not the drivers, so let's see if GMER can find the trigger.
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to the desktop.
- Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done, click on the [Save...] button, and in the File name area, type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries.
- If you encounter any problems, try running GMER in safe mode.
- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
Ran the scan.
Note: followed your instructions with regard to unticking boxes in GMER, but did not have the option to tick the boxes shown in the tutorial image of GMER.
Log attached.
Regards
Ray
OK, no apparent rootkit... Let's take the files out now and see if they respawn.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\SysWow64\drivers\swwvs.sys
c:\windows\SysWow64\drivers\flpqf.sys
c:\windows\SysWow64\drivers\xfemxp.sys
c:\windows\SysWow64\drivers\jaemkh.sys
c:\windows\SysWow64\drivers\qtdv.sys
c:\windows\SysWow64\drivers\rdicxv.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.
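A way to confirm whether the driver files listed in the CFScript come back after the reboot, as an added example that is not from the thread or from ComboFix: snapshot the watched paths (presence plus SHA-256) right after the fix and again after the reboot, and flag anything that reappears or changes. The `root` remapping and the temp-dir scenario in `demo()` are assumptions so the check can be exercised on any system.

```python
import hashlib
import tempfile
from pathlib import Path

# Watch list: the File:: entries from the CFScript in this post.
WATCHED = [
    r"c:\windows\SysWow64\drivers\swwvs.sys",
    r"c:\windows\SysWow64\drivers\flpqf.sys",
    r"c:\windows\SysWow64\drivers\xfemxp.sys",
    r"c:\windows\SysWow64\drivers\jaemkh.sys",
    r"c:\windows\SysWow64\drivers\qtdv.sys",
    r"c:\windows\SysWow64\drivers\rdicxv.sys",
]

def _resolve(path, root):
    """On the affected machine (root=None) use the path as-is; otherwise keep only
    the file name and look under root, so the check can be exercised anywhere."""
    if root is None:
        return Path(path)
    return Path(root) / path.replace("\\", "/").rsplit("/", 1)[-1]

def snapshot(paths, root=None):
    """Return {watched path: SHA-256 of its content, or None if absent}."""
    state = {}
    for p in paths:
        f = _resolve(p, root)
        state[p] = hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
    return state

def compare(before, after):
    """Classify each path between two snapshots: 'respawned' and 'changed' mean
    something is still dropping the file; 'removed' or 'absent' mean the fix held."""
    verdicts = {}
    for p, b in before.items():
        a = after.get(p)
        if b is None:
            verdicts[p] = "absent" if a is None else "respawned"
        elif a is None:
            verdicts[p] = "removed"
        else:
            verdicts[p] = "persistent" if a == b else "changed"
    return verdicts

def demo():
    """Constructed scenario (assumption): nothing is present right after the fix,
    then one watched file is dropped again before the post-reboot snapshot."""
    with tempfile.TemporaryDirectory() as root:
        post_fix = snapshot(WATCHED, root)        # all absent right after the fix
        _resolve(WATCHED[1], root).write_bytes(b"constructed bytes")  # dropped again
        return compare(post_fix, snapshot(WATCHED, root))
```

On the real machine, call `snapshot(WATCHED)` before and after the reboot and feed both dicts to `compare`.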
ComboFix log attached
Regards
Ray
I really need a deeper look at this... The AV scan part may take an hour or two, as it will look at every file on the system.
But the analysis is the most important part. As it is in a zip file, I would ask you to upload it to a file sharing site for me to download.
Download AVPTool from here to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan
Click the cog in the upper right
http://dl.dropbox.com/u/73555776/Kas%20front.JPG
Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG
Allow AVP to delete all infections found
Once it has finished, select the Report tab (last tab).
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
http://dl.dropbox.com/u/73555776/kas%20manual.JPG
On completion click the link to locate the zip file to upload and attach to your next post
Was away for a few days . . .
Ran the Kaspersky scan, but with apparently no threats.
Therefore was given no command to remove infected files & no log from it, but there is a 132 MB (rather large) log file showing the "clean" full scan. If ya want that uploaded . . plz let me know.
Link to AV system information Mediafire downloads:
http://www.mediafire.com/view/?ynhq7xe6nxbwhnb
http://www.mediafire.com/view/?aakcfa67rc6f89x
Regards
Ray
Just ran a full Avast system scan.
The Brontok is still there, dug in like a tick!
Same file again.
This is intriguing; could you upload the file to Avast, as I am now beginning to feel it may be a false positive.
Open Avast and go to the virus chest
Right click the blank area and select add
http://dl.dropbox.com/u/73555776/open%20chest.jpg
Navigate to C:\Windows\SoftwareDistributor\Datastore\Logs\trz\AF80.tmp
http://dl.dropbox.com/u/73555776/navigate.JPG
Select the file
http://dl.dropbox.com/u/73555776/select.JPG
Right click the file in the chest and select submit to virus labs
http://dl.dropbox.com/u/73555776/add%20submit.JPG
Once done, manually update the virus definitions to send it.
OK, ran Avast as admin & followed your instructions to add a file to the virus vault, located the "infected" file no prob but it won't let me add it to the vault. Tried another "uninfected" file just to see could I add it . . it won't let me either. Suggestions? Sorry if I'm missing something basic, but I followed your instructions.
How large is the reported file ?
512 KB
Can you delete it manually ?
Just deleted it manually, however Avast may have blocked the process. Can't find the file now . . . should I run a full system scan with Avast to discover the new location / or see if the file still exists?
Yes please, as temp files do not go until you empty them.
After countless scans & malware, the worm has finally turned!
Upon full system scan... an infected file was found in the recycle bin...
Avast successfully allowed me to delete the file.
Then ran another full scan to be sure & all clear ;D
Thanks a million Essexboy for your help & assistance in removing this stubborn worm over the past week!
Good luck!
Ray
Not a problem, it was a nice little brain exercise for me.
Once you are happy let me know and I will remove the tools
OK, just ran another full system scan with Avast just to be sure & all clean again!
You can remove the tools.
Thanks again Essexboy!