Brontok-I virus. Help, please!

I have a Brontok-I worm.
I noticed it – avast! caught it – for the first time on September 11th. I haven’t been using this computer much as a result, but I really want to clean it up!

It’s preventing me from downloading any brontok removal tools – when I try, it says I can’t modify the contents of my desktop!
It’s been noticed several times by avast! – happily, it’s only when I’m connected to a certain network (my apartment building’s) that it shows up.

Here is a sample of the log viewer’s message that occurs when I’ve connected to that network:
11/3/2008 8:20:20 AM SYSTEM 1948 Sign of “Win32:Brontok-I [Wrm]” has been found in “C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe[MEW]” file.
The first file in which one of those “signs” was found was in [same file path]\Documents\Data Mary.exe, though I can’t see that file.
…anyway, there’s more information in the log viewer (such as different .exe files that it spreads to) – I’m wondering mainly if someone can help me to get rid of it.

I think the Brontok virus also just somehow usurped my ability to use Comodo Firewall – I submitted a couple suspicious .exe files (“Data Noe Chavez” and “SharedDocs”) to Comodo for analysis because avast! could not scan them (“Scan was completed with an error. Error: access was denied”), and now I can’t even open the Comodo program! The icon disappeared from my taskbar, too…

“SharedDocs.exe,” I just noticed, is one of the files where a sign of Brontok-I has been found… So is Data Noe Chavez… weird.

Anybody have advice? I’m guessing that just deleting those files won’t completely remove it…
Other websites have methods relating to cleaning up the registry, etc., but their specifics don’t apply to my case…

Any assistance would be appreciated!

Thanks,
Stephen

Hi there, the following programme will remove a lot of the worm, but it will need some manual cleaning afterwards.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thank you.

This is the response I get when the file has downloaded from Link 1:

"C:\Documents and Settings\User\Desktop\ComboFix.exe could not be saved, because you cannot change the contents of that folder.

Change the folder properties and try again, or try saving in a different location."

The same message appeared after my other attempts to download virus removal tools I found through Google searches.

When I click the download links, it does not provide an option to select where to save the file – it just provides two buttons: “Save File” or “cancel.”

The files did actually end up getting saved to my desktop, but this message appears when I attempt to open them:
“C:\Documents and Settings\User\Desktop\ComboFix.exe is not a valid Win32 application.”
The file “ComboFix.exe.part” also was saved to my desktop, but a message box pops up saying “windows cannot open this file…” and providing an option to use the Web service to find the appropriate program or select the program from a list (because “windows needs to know what program created” the file in order to open it).
I’m not too worried about that, but it’s not the .exe, and I am wondering if that’s normal – to download ComboFix and have 2 files appear.

Any ideas? Thanks.
Stephen

For some reason, after restarting/messing with the setup properties (a friend did it), I could successfully download/install/run ComboFix. Here is the log: (10000 character limit, so I’ll split it up)

ComboFix 08-11-07.01 - User 2008-11-07 16:52:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.730 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix6.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-03 08:22 . 2008-11-03 08:22 d--h----- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 00:56 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2008-11-03 04:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-09-15 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-09-15 17:58 87,056 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-09-15 17:58 24,208 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-09-15 17:58 --------- d-----w c:\program files\COMODO
2008-09-15 17:58 --------- d-----w c:\documents and settings\User\Application Data\Comodo
2008-09-13 01:20 --------- d-----w c:\program files\Unity
2008-09-10 15:53 24 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
2008-05-11 17:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 344064]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-19 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-07 1797880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a--c--- 2006-11-16 18:04 139264 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-08 18:59 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-19 11:40 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\TVUPlayer\TVUPlayer.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Real\RealPlayer\realplay.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Windows Live\Messenger\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-09-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-09-15 24208]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
S3 p2pgasvc;Peer Networking Group Authentication;c:\windows\system32\svchost.exe [2008-04-13 14336]
S3 p2pimsvc;Peer Networking Identity Manager;c:\windows\system32\svchost.exe [2008-04-13 14336]
S3 p2psvc;Peer Networking;c:\windows\system32\svchost.exe [2008-04-13 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;c:\windows\system32\svchost.exe [2008-04-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the ‘Scheduled Tasks’ folder

2008-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\wianmpa.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\program files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 16:59:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
.


.
Completion time: 2008-11-07 17:08:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-08 01:07:59

Pre-Run: 8,425,943,040 bytes free
Post-Run: 8,531,697,664 bytes free

180 --- E O F --- 2008-09-09 20:17:05

that’s the end of it. thanks!

Intriguing, that shows no sign of Brontok.

So let's do a deeper scan.
To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio button for Rootkit check YES
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[*]Under Additional Scans check the following:
[*]File - Lop Check
[*]Reg - BotCheck
[*]File - Additional Folder Scans
[*]File - Purity Scan

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Hi, this might help: http://www.raymond.cc/blog/archives/2006/12/08/how-to-clean-brontok-virus/

Could you upload the log and I will have a look at it to see what you have. This will show me the contents of various folders and files where it hides plus the registry data

ok, I have uploaded 2 notepad files here:

http://www.mediafire.com/?sharekey=460a9bda131bb208d2db6fb9a8902bda

CatchMe.log and OTScanIt.txt

I may have triggered the wraptext – I went into format, it was unchecked, and I clicked it to see what would happen. something changed, but didn’t appear to change back when I unclicked it. hope that didn’t ruin anything. =)

thanks so much for your help

Again, that showed none of the indicators. Let's try an online scan.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
[*]Double-click the drweb-cureit.exe file and allow it to run the express scan.
[*]This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
[*]Once the short scan has finished, mark the drives that you want to scan.
[*]Select all drives. A red dot shows which drives have been chosen.
[*]Click the green arrow at the right, and the scan will start.
[*]Click ‘Yes to all’ if it asks if you want to cure/move the file.
[*]When the scan has finished, in the menu, click File and choose Save report list.
[*]Save the report to your desktop. The report will be called DrWeb.csv.
[*]Close Dr.Web CureIt.

Hi all:

The following was posted Nov 4, 2008 in the “Comments” section of the Raymond CC site:

"
I am a senior IT systems administrator. I have run into this virus that infected an entire network and I have fully removed the virus from all PCs. Here’s the manual removal instructions. Be careful, this post is for advanced users that must know what they are doing.

Brontok Virus Manual Removal Instructions

  1. Disconnect your computer from the network and disable file shares, if any exist on the PC.
  2. Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:
a. Click Start.
b. Right-click My Computer, and then click Properties.
c. Click the System Restore tab.
d. Select Turn off System Restore or Turn off System Restore on all drives check box.

  3. Start your machine in Safe mode. Reboot and repeatedly press F8. If you cannot boot into safe mode, you should still be able to get rid of the virus, however, safe mode is recommended.
  4. Update the anti-virus software for any latest updates.
  5. You will have to use the regedit function to remove a lot of infected/newly created values in the registry.
  6. Click Start>Run. Then type regedit, click OK.
  7. If the registry editor fails to open, the threat may have modified the registry to prevent it from opening. You can use a tool to resolve this problem:
    a. You will need to use Internet Explorer to download this file.
    b. Go to http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 and download the UnHookExec.inf file at the bottom of the page. (You will have to download this file on another PC and save it on a drive and move it over to the infected PC.)
    c. Once you have put this file onto the infected PC’s Desktop, right-click the file and click Install. You won’t really notice anything happen, however, this will enable the regedit function.
  8. Once you can use the regedit function check to see if there is a scheduled task named A1 or something along those lines (scheduled to run at 5:08pm) in All Programs\Accessories\System Tools\Scheduled Tasks. If you can’t reach that location try: Control Panel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
  9. Next, before going ahead and deleting anything in the registry, you will need to use this German Brontok Removal tool.
    a. The tool can also be found at: http://www.kaer-media.org/penawar-brontok/Download.htm
  10. Click on the link that says: PenawarB.exe and save the file.
  11. Once the file has been saved to the infected PC’s Desktop:
    a. Double click the file, click Run.
    b. In the bottom right hand corner click the button that says: Percubaan Percuma!
    c. On the next screen click on the button on the left that says: Tidak mengapa, saya hendak cuba dahulu…
    d. On the next screen click the button that says: Scan sekarang!
    e. Once the tool has run it will show the location of all of the infected files.
    f. Click the button that says: Buang ! & Repair to delete the infected files.
    g. Note: This tool is free so when you click Repair it will delete all of the files except for 10 of them. For the remaining 10 you will have to take note of the infected files’ locations and manually delete them. Also, if there are less than 10 files that are infected to begin with you will have to manually delete all of them.
  12. Once this is done follow the instructions below on deleting all other files and registry values. This step is very important and crucial to the final removal of the virus!

The worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:
• Placing a copy of itself in the user’s startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif. Delete the file.
• Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 pm. Also check to see if there is a scheduled task named A1 or something along those lines in All Programs\Accessories\System Tools\Scheduled Tasks. If you can’t reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
• Adding a registry value: “Tok-Cirrhatus”
With data:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the key.
• Adding registry value: “Bron-Spizaetus”
with data:
in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Delete the key.
• Adding registry value: Shell
with data: “explorer.exe ”
in registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon. Delete the key.
• Modifies registry value: AlternateShell
with data:
in registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Note: the default setting for this key is “AlternateShell”=”cmd.exe”

Win32/Brontok may attempt to lower security settings by making the following changes:

• Prevents the user from accessing the Registry Editor by making the following registry edit:
Adds value: DisableRegistryTools
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Change the Data to 0.
• Prevents the display of files and folders with the ‘hidden’ attribute set:
Adds value: Hidden
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.
• Prevents the display of Windows system files:
Adds value: ShowSuperHidden
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.
• Prevents the display of executable file extensions:
Adds value: HideFileExt
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 0.
• Prevents access to the Folder Options menu:
Adds value: NoFolderOptions
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Change the Data to 0.
• Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
• Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
• Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
• Overwrites the autoexec.bat file with the word “pause”, causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.

  13. You will also want to go into msconfig. Start>Run, type msconfig. And disable any startup items (under the startup tab) that look suspicious; you may have to run an internet search to determine which are normal processes and which may be a threat.
  14. Once this has been done, restart the PC, and check over everything in the following order:
    a. Make sure the scheduled task is no longer there.
    b. Make sure you can open regedit.
    c. Re-run the scanner for any infected files. If it finds anything delete them, restart the PC, and then re-run the scanner and delete files until nothing shows up again.
    d. Make sure the registry is back to normal and that you can view hidden files and folders. "

Perhaps this info will be helpful to Essexboy as he tries to help!?
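The quoted instructions amount to a checklist of registry values to inspect. The script below is an added example, not code from the thread or from any removal tool: it reads a `.reg` export (for instance `reg export HKCU hkcu.reg` run on the suspect machine and copied to a clean one) and reports every listed value that deviates from the clean state the instructions give. Everything in `SAMPLE_REG` is constructed for the example; the path `C:\hypothetical\worm-copy.exe` is a placeholder, not a real Brontok path, and the "clean" values are taken from the list above rather than from a Windows default.

```python
"""Check a Windows registry export (.reg text) for the Brontok persistence
and security-lowering values listed in the instructions above.

Added example; not code from the thread or from any removal tool. Assumes a
REGEDIT4 / "Windows Registry Editor Version 5.00" export of the relevant keys.
SAMPLE_REG is constructed here; C:\\hypothetical\\worm-copy.exe is a placeholder."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str]

# (key, value name, clean state). None: the value must not exist.
# 0: zero or absent (an absent policy value is the default, i.e. off).
# Clean states follow the instructions above, e.g. Hidden/ShowSuperHidden == 1.
INDICATORS: List[Tuple[str, str, Optional[RegValue]]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus", None),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus", None),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell", "cmd.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 0),
]

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[Tuple[str, str], RegValue]:
    """Return {(key, name): value} for string and dword values. Keys and names
    are lower-cased because the registry is case-insensitive."""
    values: Dict[Tuple[str, str], RegValue] = {}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_LINE.match(line)
        if not m or not key:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            values[(key, name)] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # minimal unescape of the .reg string syntax: \\ -> \ and \" -> "
            values[(key, name)] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            values[(key, name)] = data  # hex(...) and other types: keep raw
    return values


def check(values: Dict[Tuple[str, str], RegValue]) -> List[dict]:
    """Compare each indicator with the export; return the ones that deviate."""
    findings = []
    for key, name, expected in INDICATORS:
        actual = values.get((key.lower(), name.lower()))
        if expected is None:
            ok = actual is None
        elif actual is None:
            ok = expected == 0          # absent policy value == not enforced
        elif isinstance(expected, str):
            ok = str(actual).strip().lower() == expected   # catches 'explorer.exe <path>'
        else:
            ok = actual == expected
        if not ok:
            findings.append({"key": key, "name": name, "actual": actual, "expected": expected})
    return findings


def check_reg(text: str) -> List[dict]:
    return check(parse_reg(text))


# Constructed sample export of an infected profile (placeholder paths).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tok-Cirrhatus"="\"C:\\hypothetical\\worm-copy.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\hypothetical\\worm-copy.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''

if __name__ == "__main__":
    for f in check_reg(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: found {f['actual']!r}, expected {f['expected']!r}")
```

On the constructed sample this reports five deviations (the Tok-Cirrhatus run entry, the altered Winlogon Shell, DisableRegistryTools, Hidden and HideFileExt). Note the Shell check: a worm that appends its own path after `explorer.exe` still fails the exact comparison, which is why the value is compared whole rather than with a substring test.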

Um, the link won’t work for me… I guess I won’t know if I need to take the Brontok removal steps until something confirms it, eh?
Um… thanks. Do you recommend I download Dr.Web CureIt from a Google search? Thanks.

Use this link
ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

OK, thanks. Dr.Web has scanned my system. I chose complete scan rather than custom, and I’ve saved the report to my desktop. What’s up now?
It found signs of “probably BATCH.virus,” and some others.

Here’s a Mediafire link for the .csv report: http://www.mediafire.com/?jgnly4dinyz
But my computer is unable to read .csv, it appears.

When I click to close the program, a message appears:
“No operations performed with some objects in list. Exit program?”

and I’m unsure whether to close it or not, so I’m going to leave it open until I have further instructions… I hope that’s OK. =]

Thanks so much!
Stephen

(I’m only able to use this computer about once a week these days because of school/homework… though tomorrow I’ll be on again)

I cannot access that file for some reason, so could you attach the csv file or just paste it. I will do any necessary reformatting.

Hey essex,

Sorry to come in without your permission, but I cannot PM anyone on this account for some reason. I received your PM and would like to thank you for your help. I’m still waiting for the user to reply.

LT

Hi Ltangelic, alas, due to spammers you need 20 posts before PMs are available. But you are getting there, and nice to see you putting your talents to work.

Hi essex,

Thanks for telling me, I was wondering when I get to PM people. I’m not really helping much actually, ’cause I will be away for a year to study for my A levels, but yeah, I will come back after that and continue working like a mad woman.

Nice to see you here too.

I just tried to attach it – .csv is not an allowed file type…

Here we are! I selected Firefox from a list:

Data Noe Chavez.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
SharedDocs.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
My Music.exe;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLM.Generic.440;Deleted.;
ComboFix.exe.part\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Probably BATCH.Virus;;
ComboFix.exe.part\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Program.PsExec.171;;
ComboFix.exe.part;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
ComboFix6.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Probably BATCH.Virus;;
ComboFix6.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Program.PsExec.171;;
ComboFix6.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
C2152591d01\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Probably BATCH.Virus;;
C2152591d01\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Program.PsExec.171;;
C2152591d01;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache;Archive contains infected objects;Moved.;
A0042189.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Probably BATCH.Virus;;
A0042203.EXE;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Program.PsExec.170;;
A0042687.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Probably BATCH.Virus;;
A0042687.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Program.PsExec.171;;
A0042687.exe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283;Archive contains infected objects;Moved.;

Yay!
Thanks.
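The Dr.Web report above mixes three kinds of hit: the three `.exe` files actually deleted from the shared Documents folders, objects found inside the ComboFix downloads (and the Firefox cache copy of the same download), and copies of the same archives held in System Restore points. The script below is an added example, not Dr.Web's or the forum's code: it parses the semicolon-separated report and sorts each line into one of those buckets. Two assumptions are ours and are marked in the code: that the folder name `32788R22FWJFW` is ComboFix's own embedded-tool directory, and that a `Program.PsExec` hit inside such an archive is the tool's bundled PsExec rather than the worm. `REPORT` holds the 17 lines from the post above, with the `\_restore` path separator written out in full.

```python
"""Sort a Dr.Web CureIt report (name;directory;threat;action;) into files
found on disk, components of an anti-malware tool's own archive, and
System Restore copies.

Added example; not Dr.Web's or the forum's code. Assumptions (ours):
32788R22FWJFW is ComboFix's embedded-tool folder, and Program.PsExec inside
such an archive is the bundled PsExec, not the worm."""
import csv
import io
from typing import Dict, List

# The 17 lines pasted above (the \_restore separator written out in full).
REPORT = r"""
Data Noe Chavez.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
SharedDocs.exe;C:\Documents and Settings\All Users\Documents;Win32.HLLM.Generic.440;Deleted.;
My Music.exe;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLM.Generic.440;Deleted.;
ComboFix.exe.part\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Probably BATCH.Virus;;
ComboFix.exe.part\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe.part;Program.PsExec.171;;
ComboFix.exe.part;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
ComboFix6.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Probably BATCH.Virus;;
ComboFix6.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix6.exe;Program.PsExec.171;;
ComboFix6.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
C2152591d01\32788R22FWJFW\C.bat;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Probably BATCH.Virus;;
C2152591d01\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\C2152591d01;Program.PsExec.171;;
C2152591d01;C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache;Archive contains infected objects;Moved.;
A0042189.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Probably BATCH.Virus;;
A0042203.EXE;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP282;Program.PsExec.170;;
A0042687.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Probably BATCH.Virus;;
A0042687.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283\A0042687.exe;Program.PsExec.171;;
A0042687.exe;C:\System Volume Information\_restore{90EFDFE9-E588-472C-8CE8-31C37E9DBA7E}\RP283;Archive contains infected objects;Moved.;
"""

TOOL_DIR_MARKERS = ("32788R22FWJFW",)        # assumption: ComboFix's internal folder
TOOL_THREAT_PREFIXES = ("Program.PsExec",)   # an admin tool, not the worm


def parse_report(text: str) -> List[dict]:
    """A name containing a backslash is an object inside an archive; in that
    case the directory column is the archive's own path."""
    records = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        name, directory, threat, action = (cell.strip() for cell in row[:4])
        records.append({"name": name, "dir": directory, "threat": threat,
                        "action": action, "in_archive": "\\" in name})
    return records


def classify(records: List[dict]) -> Dict[str, List[str]]:
    # Archives in which at least one hit is a removal-tool component.
    tool_archives = {
        r["dir"] for r in records
        if r["in_archive"] and (any(m in r["name"] for m in TOOL_DIR_MARKERS)
                                or r["threat"].startswith(TOOL_THREAT_PREFIXES))
    }
    buckets: Dict[str, List[str]] = {"detected_file": [], "removal_tool_component": [],
                                     "restore_point_copy": []}
    for r in records:
        path = r["dir"] + "\\" + r["name"]
        if "System Volume Information" in r["dir"]:
            buckets["restore_point_copy"].append(path)
        elif (r["in_archive"] and r["dir"] in tool_archives) or path in tool_archives:
            buckets["removal_tool_component"].append(path)   # inner object or the archive itself
        else:
            buckets["detected_file"].append(path)
    return buckets


def triage(text: str) -> Dict[str, List[str]]:
    return classify(parse_report(text))


if __name__ == "__main__":
    for bucket, paths in triage(REPORT).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("  " + p)
```

Run on the pasted report this yields 3 detected files, 9 removal-tool components and 5 restore-point copies. The container line ("Archive contains infected objects") is attributed to the same bucket as the objects inside it, which is what makes the Firefox cache entry land with the ComboFix downloads rather than looking like a fourth infected file.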