[CLOSED] Avast keeps finding win32.brontok-CE

Hi Forum,

I need a little help on this one.
On my girlfriend's laptop, Avast notifies that it has found Win32.brontok-CE and has blocked it.
I have scanned with MBAM several times, and also tried scanning with SUPERAntiSpyware and Dr.Web; none of them finds any malware/virus.
Attached are the log files from OTL.exe.

I don't know what to do next.

Regards
John B.

Was Malwarebytes updated before you did the scan?

Can you attach a screenshot of the Avast warning?

Essexboy is notified

What is the location where Avast is finding this worm?

Could you post the virus chest contents please, showing the full file path?

@Pondus: yes, MBAM was fully updated, 2 times yesterday.

@Essexboy: please look at attached file.
[Chest] C:\Users\Public\CyberLink\OLReg\HKEY_CLASS_ROOT\CLSID{E303BA32-9368-4a3c-AE3A-AFDADCBDE48B}\Version\2.00\2.00`.exe

Avast finds this worm in 44 different places on the laptop.

regards
John B.

Hmm, not overly sure on this one as the file seems good - also, as it is a PID, are you getting this in a memory scan?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Could you show the result of the test file Public.exe on VirusTotal - https://www.virustotal.com/

Thank you.
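Since the thread turns on two questions, whether the flagged path is really a file on disk at all and what VirusTotal says about Public.exe, here is an added Python triage example. It is not code from the thread or from Avast, OTL or ComboFix: it takes alert lines in the "[Chest] path" form seen above, checks whether each path exists on disk, streams the ones that do through SHA-256, and builds a VirusTotal lookup-by-hash URL so nothing has to be uploaded. The VirusTotal URL layout is an assumption, and the sample file contents and paths are constructed for the demo.

```python
# Added example (not code from the thread or from Avast, OTL or ComboFix):
# given paths reported by an AV alert, check whether each one exists on disk,
# hash the ones that do, and build the VirusTotal lookup URL for the hash.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Assumption: VirusTotal's web UI accepts a SHA-256 at this URL layout.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


@dataclass
class PathReport:
    path: str
    exists: bool            # False when the path is not a regular file on disk
    size: Optional[int]     # bytes, None when the file is missing
    sha256: Optional[str]   # hex digest, None when the file is missing

    @property
    def virustotal_url(self) -> Optional[str]:
        """Lookup URL by hash; no file has to be uploaded anywhere."""
        return VT_FILE_URL.format(sha256=self.sha256) if self.sha256 else None


def parse_alert_line(line: str) -> str:
    """Strip a leading '[Chest]'-style tag from an AV alert line, leaving the path."""
    line = line.strip()
    if line.startswith("[") and "]" in line:
        line = line[line.index("]") + 1:].strip()
    return line


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_path(path: str) -> PathReport:
    """Report whether the flagged path is really on disk; hash it if it is."""
    if not os.path.isfile(path):
        # A memory-scan alert can name an object with no on-disk file, or a
        # path that has already been cleaned up; report that instead of failing.
        return PathReport(path, False, None, None)
    return PathReport(path, True, os.path.getsize(path), sha256_of_file(path))


def triage_alerts(lines: List[str]) -> List[PathReport]:
    """Run triage_path over every alert line."""
    return [triage_path(parse_alert_line(line)) for line in lines]


def run_demo() -> List[PathReport]:
    """Constructed sample (not real alert data): one file present, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "public.exe")
        with open(present, "wb") as fh:
            fh.write(b"hello")  # constructed contents, not a real binary
        missing = os.path.join(tmp, "OLReg", "2.00.exe")  # never created
        return triage_alerts([f"[Chest] {present}", f"[Chest] {missing}"])


if __name__ == "__main__":
    for report in run_demo():
        print(f"{report.path}: exists={report.exists} size={report.size} "
              f"sha256={report.sha256}")
        if report.virustotal_url:
            print("  look up at", report.virustotal_url)
```

In a real case you would feed it the paths from the chest or alert log; a path that comes back as missing is consistent with the memory-only detection discussed in this thread, and a hash that VirusTotal already knows saves uploading a file that may be a legitimate component.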

ComboFix log attached.

I don't know what file you are talking about.

regards
John B.

That is actually a PID, which means it is resident in memory only - so the file may not actually be present.

Got it, thanks.

It is all in memory, so if I turn off the power it should be gone?

regards.
John B.

No, my thought is that you have changed the standard Avast settings to include memory scans.

But if you could run ComboFix, that will either confirm or deny my suspicions.

So I should change settings in Avast and run ComboFix again?

regards
John B.

Yes, if they are set to scan memory.

Then run ComboFix.

I restored the default settings in Avast.
Attached is the log from ComboFix.

Could you now run an Avast scan to determine whether the alerts are still present?

I did a new complete scan in Avast; it did not find anything, but it keeps making the popup warning.
I'm going crazy…

OK, let's move the suspect file to quarantine and see what occurs.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
ipconfig /flushdns /c
C:\Users\Public\public.exe

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Latest log file from OTL attached.

regards
John B.