Can I remove Brontok virus with Avast

My friend’s computer is infected with Win32 Brontok, so I installed Avast and did a boot-time scan and deleted all the Brontok viruses. Then, when I scanned the computer again, Avast still detected Brontok. Can Avast remove the Brontok virus?

Your problem is likely not Brontok itself, as avast is continually detecting it, but an undetected or hidden element that is either restoring it or downloading it again.

What is your friend’s firewall?

To try and find this undetected element, if you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware (on-demand only in the free version), or Spyware Terminator (resident scanner; if you use this, don’t install the toolbar, the crawler or the anti-virus module), or a-Squared Free. I suggest trying them in that order, as the order represents the better detection and clean-up. Some elements of the programs might not work if you have an older OS like Win9x or WinME, namely the resident protection in Spyware Terminator.

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Thank you very much for your advice. After I disabled System Restore I did a boot-time scan and deleted all the infected files, and now Avast does not detect any Brontok viruses.
Once again, thank you very much.

But don’t forget the later steps… other tools could detect other infections…

Welcome to the forums.

It wouldn’t hurt to at least continue and do step 4, see what that brings and report the findings after that step.

I will send the hijackthis log file after a day or two
I hope you won’t mind :slight_smile:

It is your system; take it at your own pace. There will be someone here.

Hi Jowin,

You could use this tool: http://www.geocities.com/teddy_baykard/BrontokRemover.html

pol

Hai,
HijackThis log file of my friend’s computer is given below :slight_smile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:20 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Tally\tallylicserver.exe
C:\Tally\Tally72.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
D:\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe “C:\WINDOWS\sembako-ckzjlli.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{4AD2F55F-2612-42B3-867B-4F2409F29AD8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip..{4AD2F55F-2612-42B3-867B-4F2409F29AD8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip..{4AD2F55F-2612-42B3-867B-4F2409F29AD8}: NameServer = 192.168.0.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - C:\Tally\tallylicserver.exe


End of file - 2539 bytes

C:\WINDOWS\sembako-ckzjlli.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above file to VirusTotal for analysis. This will allow avast! and other AVs to add the definition.

Then run HijackThis! again, tick the following entry, close all other windows and click ‘fix’. Reboot into Safe Mode and delete the file.

F2 - REG:system.ini: Shell=Explorer.exe “C:\WINDOWS\sembako-ckzjlli.exe”

http://www.bleepingcomputer.com/startups/sembako_cfzjkmg.exe-13961.html
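The F2 entry singled out above is the persistence hook that kept restoring the file: on Windows XP the system.ini Shell= value should be just Explorer.exe, so anything appended to it is started at every logon. As an added illustration (not code from this thread, from HijackThis or from any of the tools named here), the following Python script parses HijackThis log lines and flags the entry types this thread touches on: a Shell= value that starts more than Explorer.exe, O4 autoruns living under a profile/Application Data directory, the O7 DisableRegedit policy, unknown Winsock LSP files, non-empty AppInit_DLLs and a configured proxy. The sample lines are taken from the logs quoted in this thread (curly quotes normalised to straight ones); the severity labels and the directory list are this example's own assumptions.

```python
import re

# Sample HijackThis entries taken from the logs quoted in this thread
# (curly quotes normalised); the transbags line is from the translated
# forospyware routine.  Constructed as test input for this example.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\sembako-ckzjlli.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [uplovedrvdelete] C:\WINDOWS\Profiles\All Users\Datos de programa\real army up love\transbags.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AD2F55F-2612-42B3-867B-4F2409F29AD8}: NameServer = 192.168.0.1
"""

# Every HijackThis entry has the shape "<section> - <rest>" (R0, F2, O4, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Directories from which an autorun is suspicious on XP (assumed list):
# Brontok-style worms drop their copies under the user profile / Application Data.
PROFILE_DIR_RE = re.compile(
    r"\\(Application Data|Datos de programa|Documents and Settings|Profiles|DOCUME~1|DATOSD~1)\\",
    re.IGNORECASE,
)


def analyse_entry(line):
    """Return (section, severity, reason) for a suspicious entry, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "F2" and "Shell=" in body:
        # The only legitimate Shell value on XP is "Explorer.exe"; anything
        # appended is started at every logon, which is how the sembako-*.exe
        # binary kept coming back after avast deleted it.
        value = body.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return (section, "high", "Shell= starts more than Explorer.exe: " + value)

    elif section == "O4":
        # Format is "[name] path"; flag autoruns that live in a profile directory.
        path = body.split("]", 1)[1].strip() if "]" in body else body
        if PROFILE_DIR_RE.search(path):
            return (section, "high", "autorun from a profile/Application Data path: " + path)

    elif section == "O7" and "DisableRegedit=1" in body:
        # Policy that hides regedit; the same policy key family (NoFolderOptions)
        # removes the Folder Options menu the poster could no longer find.
        return (section, "high", "registry editor disabled by policy")

    elif section == "O10":
        return (section, "medium", "unknown Winsock LSP file, verify it: " + body)

    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            return (section, "high", "AppInit_DLLs injects into every process: " + dlls)

    elif section == "R1" and "ProxyServer" in body:
        # A proxy on a LAN router (192.168.0.1 here) can be legitimate, so only
        # ask the reader to confirm it was set on purpose.
        proxy = body.split("=", 1)[1].strip()
        return (section, "info", "proxy configured, confirm it is intended: " + proxy)

    return None


def analyse_log(text):
    """Run analyse_entry over every line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        finding = analyse_entry(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for section, severity, reason in analyse_log(SAMPLE_LOG):
        print(f"{severity:6} {section:3} {reason}")
```

Run it against a saved log with `analyse_log(open("hijackthis.log").read())`; a clean XP log produces no "high" findings, while the thread's first log yields the F2 hit on its own, which is the entry the thread ends up fixing.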

  1. I would suggest that you/he create a folder specifically for HijackThis (e.g. d:\HJT) rather than simply use the root of the d:\ partition.

  2. Yours is possibly one of the smallest HJT logs I have seen; either your friend’s system is very sparse or something is hiding from HJT or messing with it. You could rename hijackthis.exe to hjt-scan.exe; that would avoid this recognition.

Other than what Frank mentions I don’t see anything obvious.

Hai,
I have only 3 GB to download and upload so I can’t think of uploading all files to virustotal.com
Can I kill the process with Threatfire or is there any other way?
The computer was formatted just some two weeks ago, so there is not much data on it; maybe that is why the HijackThis logfile is so small :wink:

I have only 3 GB to download and upload so I can't think of uploading all files to virustotal.com

Only the one file:

C:\WINDOWS\sembako-ckzjlli.exe

Post the result here out of interest.

Hi Jowin and FwF,

This is an interesting cleansing routine concerning sembako-ckzjlli.exe which I have found here:
http://www.forospyware.com/archive/t-96924.html

polonus

Hai Polonus,
The link you gave is not in English and I can’t understand it. Can you tell me what it means in English? Thank you :slight_smile:

I translated the essence for you. Amazing how Babelfish improved my understanding of the Spanish language, maybe enough to make them European champions to-night in Vienna. ;D 8)

Here we go:
Step 1 - Disable “System Restore”

Step 2 - Download SUPERAntiSpyware (http://www.infospyware.com/Anti-Spywares.htm), update it and do not run it yet.

Step 3 - With all programs closed, execute HijackThis and with “FIX Checked” tag the following entries:

F2 - REG:system.ini: Shell=Explorer.exe “C:\WINDOWS\sembako-ckzjlli.exe”

F3 - REG:win.ini: run=

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)

O4 - HKLM..\Run: [uplovedrvdelete] C:\WINDOWS\Profiles\All Users\Datos de programa\real army up love\transbags.exe

O4 - HKCU..\Run: [Cdrom ref] C:\DOCUME~1\usuario\DATOSD~1\LINKSC~1\aboutdownload.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - AppInit_DLLs:
(Your entries could be different, you should load up a hjt log in your next posting, so we can give you your entries to fix…- Note pol)

Step 4 - Execute SUPERAntiSpyware

Step 5 - Download CCleaner (http://www.forospyware.com/t39511.html) and execute it using the options to remove cookies, Internet temp files and all obsolete files. I would rather advise using ATF Cleaner from here: http://majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a (use Select All).

Reboot and post your results.

That’s it,

polonus

Thank you very much for translating :slight_smile:

Hai,
I ran SUPERAntiSpyware and deleted some worms and fixed the entries in HijackThis, but I can’t see Folder Options in Tools; maybe there are still viruses.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:52 PM, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip..{F4FEAAE0-00AA-4434-ACB9-8200E26FA36C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 2687 bytes

When I saw Application Data through Browse in Display Properties, I saw a lot of Brontok files :o

I can’t do that because I can’t see Folder Options in Tools :slight_smile: