Brontok Removal Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by jimkata, Jan 12, 2007.

  1. jimkata

    jimkata Private E-2

    Hi Guys

    I need some help removing what I think is a Brontok infection (BitDefender says Win32.Brontok.A, while Panda says Brontok.EV). I have run all the scans in the "Read and Run Me First" sticky, and am attaching logs below. I could not run CounterSpy because I ran it on another occasion, so I ran AVG.
    AVG and my regular antivirus software (Avast) cannot detect this in safe or normal boot modes. Neither can Spybot or Ad-Aware. I allowed BitDefender to delete the infected files from safe mode, but they reload when I reboot to normal mode. The virus creates random folders entitled "911.exe" and "Updater" in my G and F drives. It also loads an exe called "KillBrontok.exe" in my C:\Documents and Settings\johnny whosits\Local Settings\Temp folder. If I delete this file manually, it reloads as soon as I double click on my F or G drives. Additionally, I can sometimes not access these drives because it cannot find boot.exe. Finally, I cannot use Task Manager, but I can still use msconfig.
    I'm attaching two HijackThis logs, one from normal mode and one from safe mode, because an earlier scan I ran was flagged by an online parsing site (I forget which one, but I linked to it from the "Using HijackThis" log). The flagged process doesn't seem to be in these logs (and I've unfortunately forgotten its name).
    HELP!!! Thanks so much...you guys are great!
     

    Attached Files:

  2. jimkata

    jimkata Private E-2

    Here's more logs...
     

    Attached Files:

  3. jimkata

    jimkata Private E-2

    And finally, getrunkeys!
     
  4. jimkata

    jimkata Private E-2

    whoops, file didn't upload.
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Download new copies of GetRunKey and ShowNew.

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  6. jimkata

    jimkata Private E-2

    Thanks for your help
    I ran Killbox from normal mode... I hope that was OK. I can do it again from safe mode if necessary.
    I didn't get any of the pending messages you mentioned, and my computer rebooted right away. I've attached the 3 logs you wanted, all of them from safe mode with no internet connection.
    cheers
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The logs need to be from Normal Mode
     
  8. jimkata

    jimkata Private E-2

    Sorry about that...here are the logs from normal mode.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Reboot to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  10. jimkata

    jimkata Private E-2

    Ok, I ran all the instructions in your last post. Just to double check...I have been running killbox and the scans from normal boot mode.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  12. jimkata

    jimkata Private E-2

    Thanks so much for your help. I did have one final question...I can no longer double click on my F or G drives to open them...it tells me it can't find boot.exe. Is there a way to restore this easily?
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    boot.exe is a trojan. What type of drives are F & G? I'm assuming they are both Hard drives but are they IDE, SATA, what?
     
  14. jimkata

    jimkata Private E-2

    My F drive is a 10G partition off my main C drive, and my H drive is a portable hard drive... not sure, but maybe IDE? 300G, connected by a USB cable, running on its own power source.
    When I click on Explore, they open fine, but when double clicking I get a message saying "cannot find boot.exe".
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  16. jimkata

    jimkata Private E-2

    Hi again
    I ran AVG Anti-Rootkit (from normal mode) and it came back with no rootkits found... therefore no log to attach. What should I do from here?
    Two additional "odd" things I noticed. Avast has been acting a little funny as of late... it keeps prompting me to say my updating licence has expired, despite the fact that I renewed it for a year not so long ago. Also, when scanning it can't access its virus chest.
     
  17. jimkata

    jimkata Private E-2

    Just another update... this morning while I was disconnecting my external drive, the computer randomly shut down. It froze repeatedly when I tried to restart it in normal and safe mode with networking. After about 1/2 hour, it started in safe mode, then allowed me to restart into normal mode (I used msconfig to do this). HELP! Any ideas would be welcome... I hadn't heard back on the rootkit scans we did.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread
     
    Last edited: Jan 20, 2007
  19. jimkata

    jimkata Private E-2

    Hi Again

    ARGH... OK, I did something stupid. I have another portable hard drive that I use when traveling to store digital photos. All the scans I did before I did WITHOUT that drive plugged in. Long story short, I plugged it in yesterday and, surprise, surprise, I found all the Brontok stuff back again.
    I ran the removal procedures over again, but I did not run the scans from the Read and Run Me First sticky. The "KillBrontok" file in my C:\Documents and Settings\johnny whosits\Local Settings\Temp folder is now gone. HOWEVER, boot.exe now shows up as a hidden file (it's visible... I can see it) on my partition drive and my two portable drives. In addition, the virus has created folders called 911.exe and install.exe on my portable drives, and on the partition drive.
    There was no link for Registry Search Tool in your post... I tried searching for it on MG but couldn't find it. I'm reattaching new HijackThis, GetRunKey and ShowNew logs. SORRY for all this trouble... kind of stupid to forget about that drive. Your help is much appreciated.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I will also need logs from CounterSpy, BitDefender Online and Panda ActiveScan.

    I fixed the link in my last post.
     
  21. jimkata

    jimkata Private E-2

    OK, thanks for fixing the link. Here are the records from the Registry Search Tool, as well as AVG (can't run CounterSpy) and BitDefender (run from safe mode). I ran Panda, and it did not find anything and so did not generate a log file. I'm also including new HijackThis, GetRunKey and ShowNew logs (run from normal mode).
    Thanks again... oh, incidentally, a friend of mine will post on this forum soon... we used the same portable drive while traveling together, and her system is infected with the same Brontok infection.
     

    Attached Files:

  22. jimkata

    jimkata Private E-2

    Here's the rest of the logs...
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis


    Be sure to tell me how things are working.
     
  24. jimkata

    jimkata Private E-2

    Hi Again

    I ran all the steps you mentioned. When I first ran HijackThis in safe mode, the two files C:\DOCUME~1\ADMINI~1\taskmgr.exe and C:\DOCUME~1\JOHNNY~1\taskmgr.exe did not show up. I ran through the steps for Pocket Killbox, and got an error saying "Pending File Rename Operations Registry Data has been removed by external process". I manually rebooted to normal mode.
    In normal mode, I ran HijackThis one more time, and
    C:\DOCUME~1\JOHNNY~1\taskmgr.exe showed up this time. I killed the process, saved a second log, and ran the Killbox steps one more time. I got the same error message as before.
    I've attached 2 logs for HijackThis... one showing the file above (from normal mode) called hijackthis2, and one not showing it.
     

    Attached Files:

  25. jimkata

    jimkata Private E-2

    Here's getrunkeys
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I did not tell you to run the fix in Safe Mode. Unless I specifically tell you to do something from Safe Mode it is to be in Normal Mode.

    Follow my directions Verbatim, don't read into them.
     
  27. jimkata

    jimkata Private E-2

    Sorry about that...because you wrote to reboot to normal mode after the killbox instructions, I assumed you wanted them run from safe mode.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process.

    Exit HijackThis

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis


    Be sure to tell me how things are working.
     
  29. jimkata

    jimkata Private E-2

    Sorry for the late reply...had to go to work!!
    I ran all the steps as you instructed. Boot.exe is still visible on all my drives, as are the 3 randomly generated folders (G:\911, F:\updater, and H:\skin... I haven't clicked on any of them, but if you hover over them it says they contain an exe file by the same name, or install.exe). KillBrontok.exe is not visible in my temp folder.
    I've attached new logs...thanks again!
     

    Attached Files:

  30. jimkata

    jimkata Private E-2

    Oh, and I still can't use Task Manager... msconfig works fine.
     
  31. jimkata

    jimkata Private E-2

    Ha-ha... last post, I promise ;) When I booted into safe mode and used Windows Explorer to navigate to the files you wanted me to delete, none of them were there... however, in the time it took me to write these posts, KillBrontok.exe, taskmgr.tme and taskmgr.txt have all regenerated in my johnnywhosits\Local Settings\Temp folder.
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download FindAWF.exe by Noahdfear to your Desktop from >here<

    Double-click FindAWF.exe to run it

    A command window will open (OK any warnings by your security software)

    Press any key to continue

    When finished, a Notepad window will open and the output file called awf.txt
    Save this to your Desktop and attach the file to your reply.

    From this point forward do not shut off or reboot your computer unless I tell you to do so.
     
  33. jimkata

    jimkata Private E-2

    Hi again

    Alright, I've started up my computer to run the scan, but i won't turn it off again until you let me know!
    Here's the AWF log...cheers!
     

    Attached Files:

    • awf.txt
  34. jimkata

    jimkata Private E-2

    Hey again...even though you didn't want me to restart my computer, it had other ideas. It just rebooted itself...I haven't had anything else like this for the past couple of days, but it just reset itself now randomly.
    We've been working on this for two weeks...is there any way I can back up my files without the brontok infection getting into them, and simply format and reinstall windows? If there's a simpler solution, I'm open to suggestions.
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The problem is that the files that bring back the infection are on both removable drives.

    You'd have to back up all your important data, then delete the partitions on all drives. Create new partitions and format the drives.
     
  36. jimkata

    jimkata Private E-2

    Hmmm...alright, well can we keep working then? Was there anything helpful on the AWF log I sent you?
     
  37. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No the AWF log didn't show anything of concern.

    Delete G:\911, F:\updater, and H:\skin

    Post fresh logs for:
    ShowNew
    GetRunKey (Download again this has been updated)
    HijackThis
     
  38. jimkata

    jimkata Private E-2

    OK, I re-downloaded GetRunKey, and am attaching the logs you wanted. I also deleted those 3 files. Boot.exe no longer appears on any of my drives, and there are no funny files in my temp folders either. About the only noticeable problem I have is that when I double click on the F, G, or H drives, it tells me it can't find boot.exe. I can open them no problem by choosing "Explore".
    One more thing... not sure if it's anything. When running Crap Cleaner and scanning for issues, two items related to HijackThis keep popping up.
    1. Application Paths Issue: HijackThis.exe - c:\Program Files\HJT\hijackthis.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Hijackthis.exe

    2. Uninstaller Reference Issue: c:\Program Files\HJT\HijackThis.exe /uninstall
    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

    I have NOT fixed these items with Crap Cleaner... only noticed them during a scan. As per the tutorial, HijackThis is in its own folder in c:\Program Files, and I renamed it to analyze.exe.

    Thanks again for your help...let me know what's next!
     

    Attached Files:

  39. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete this file: C:\WINDOWS\ScUnin.exe

    Try this tool from Sophos:

    BRONTGUI is a disinfector for standalone Windows computers
    These are both created by HijackThis and can be left alone.
     
  40. jimkata

    jimkata Private E-2

    My StarCraft uninstaller? OK, it's gone... I also ran the Sophos scan, and it came up with nothing.
    It added the following message though:

    Worm Renames c:\windows\system32\mscbcm60.dll by appending an additional extension to its name, creating windows\system3260.dll [num]. It needs to be renamed to its original.
    (I checked this, and it was not renamed)

    The following subkeys need to be removed manually

    HKLM\SOFTWARE\Microsoft\Windows\current\Version\Run random subkey= pathname of worm EXE (j(random7(.exe)

    HKLM\software\Microsoft\Windows\current\Version\Run random subkey= pathname of worm EXE (sv(random5)r.exe

    HKLM\SOFTWARE\Microsoft\Windows\Current Version\policies\Explorer\run random software=pathway of worm EXE (sv(random5)r.exe)

    HKLM\Software\Microsoft\Windows\Current Version\policies\Explorer\run random subkey = pathway of worm EXE (sv(random5)r.exe)

    (These I don't know how to take care of)...
     
  41. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You don't have any of the run keys. The Policy keys are a different matter.

    Download GetPolicies.zip (attached below)
    Unzip to your Desktop

    Open the folder GetPolicies and double-click GetPolicies.bat
    Notepad will open, just close it.

    This will save a file named policies.txt to the root directory of your hard drive, C:\

    Attach that file.
     

    Attached Files:

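As an added example, not part of the thread and not code from any of the tools used in it: a small Python script that reads a `.reg` export of the autostart keys named in the Sophos report above and flags three things a helper would look for here: entries whose file name fits the reported naming shapes (j + 7 random characters, sv + 5 random characters + r), any entry under Policies\Explorer\Run (an autostart location that ordinary users never see and that is normally empty on a home PC), and the DisableTaskMgr / DisableRegistryTools policies, which are one common reason Task Manager refuses to open. The sample .reg text, value names and paths are constructed for illustration, and the name patterns are a heuristic lifted from the Sophos output quoted above, not a reliable signature.

```python
import re
import sys

# Constructed sample of a `reg export` (.reg) file for illustration. It is not
# the poster's registry; the two odd value names imitate the naming patterns
# the Sophos BRONTGUI report in the thread describes (j<7 random>.exe and
# sv<5 random>r.exe).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"jqazwsxe"="C:\\WINDOWS\\jqazwsxe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Update"="C:\\WINDOWS\\system32\\svplkmnr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

ENTRY_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Autostart locations to list: the classic Run/RunOnce keys and the
# Policies\Explorer\Run key that the worm report points at.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\policies\\explorer\\run")
# Heuristic only: the file-name shapes quoted from the Sophos report.
BRONTOK_NAME_RE = re.compile(r"(?:^|\\)(?:j\w{7}|sv\w{5}r)\.exe$", re.IGNORECASE)
# Policies that hide the usual diagnostic tools from the user.
KILL_SWITCHES = ("DisableTaskMgr", "DisableRegistryTools")


def parse_reg_export(text):
    """Parse the .reg subset written by `reg export`: [key] headers,
    "name"="string" with \\ and \" escapes, and "name"=dword:hex.
    Other value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # undo \\ and \" escapes
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def audit_autostarts(keys):
    """Return (kind, key, name, value) findings: 'suspicious' for autostart
    entries whose file name fits the worm patterns, 'review' for any other
    entry under Policies\\Explorer\\Run, 'policy' for enabled kill switches."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(AUTOSTART_SUFFIXES):
            for name, value in values.items():
                target = value.strip('"') if isinstance(value, str) else ""
                if BRONTOK_NAME_RE.search(target):
                    findings.append(("suspicious", key, name, value))
                elif k.endswith("\\policies\\explorer\\run"):
                    findings.append(("review", key, name, value))
        elif k.endswith("\\policies\\system"):
            for name in KILL_SWITCHES:
                if values.get(name) == 1:
                    findings.append(("policy", key, name, values[name]))
    return findings


def read_reg_file(path):
    """reg export writes UTF-16 with a BOM on newer Windows, plain ANSI on XP."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data[:2] == b"\xff\xfe" else data.decode("latin-1")


if __name__ == "__main__":
    texts = [read_reg_file(p) for p in sys.argv[1:]] or [SAMPLE_REG]
    for text in texts:
        for kind, key, name, value in audit_autostarts(parse_reg_export(text)):
            print("%-10s %s -> %s = %r" % (kind, key, name, value))
```

On the affected machine the input is produced with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion" hklm-cv.reg` (and the same for HKCU), then `python audit_reg.py hklm-cv.reg hkcu-cv.reg`. A hit on the name heuristic is a lead to confirm against the file on disk, not proof; an empty Policies\Explorer\Run key and DisableTaskMgr absent or 0 are what a clean home system normally shows.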
  42. jimkata

    jimkata Private E-2

    Ok, I downloaded the getpolicies program, and have attached the log.
    By the way, a long while back you told me not to turn off or reboot my computer...should I still be following this advice, or is it ok to turn it off and on?
     

    Attached Files:

  43. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, reboot your computer. Make sure you boot to Normal Mode.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis

    Make sure to tell me how things are working.
     
  44. jimkata

    jimkata Private E-2

    Ok, I rebooted...here are the fresh logs. Just to check...when I went through the hijackthis tutorial, I turned off system restore on my drives. I haven't turned it back on because I wasn't sure if I should wait until after we cleaned the computer. Let me know...
    No other changes that I've noticed.
     

    Attached Files:

  45. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete this file with killbox: C:\WINDOWS\system32\mslck.dat

    Reboot

    Are you still having problems when you double-click on the F, G, or H drives, and getting the can't find boot.exe error message?

    You should have left System Restore enabled until we were finished cleaning the computer.
     
  46. jimkata

    jimkata Private E-2

    ;) Sigh, I'm not so good at this stuff. Alright, well I've turned system restore back on, and I deleted the file you mentioned. I am still having the boot.exe problem with my F, G, and H drives. When I double click on them, it says it can't find boot.exe. If I open them with "explore", I have no problem. This is really the only problem I'm still having...all the other suspicious stuff is gone.
    I've attached new logs in case you need them.
    Cheers
     

    Attached Files:

  47. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    All 3 logs look fine.

    Let's take a look for Rootkits. Follow the instructions for Using Sophos Anti-Rootkit.

    Post the log from Sophos Anti-Rootkit
     
  48. jimkata

    jimkata Private E-2

    Ok, I ran the sophos scan...it didn't find anything. Here's the log.
     

    Attached Files:

  49. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Look for an Autorun.inf file in the root folder of drives F, G, & H; if it exists delete the file.
     
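Why this step matters, with an added example that is not part of the thread: on Windows XP an autorun.inf in a drive's root can name a program in its `open=`, `shellexecute=` or `shell\<verb>\command=` keys, and Explorer then makes that program the drive's default double-click action. Once the worm's boot.exe has been deleted but autorun.inf is still there, a double-click produces exactly the "cannot find boot.exe" error reported above, while "Explore" still works because it does not use the default action. Worm-written autorun.inf files also tend to carry junk bytes and mixed-case keys that Windows' INI parser tolerates, so a triage script has to be equally forgiving. The Python below parses such a file the way Windows does, lists every program it can launch, and reports which of those are missing from the drive root. The sample autorun.inf content is constructed for illustration and is not the file from the poster's drives.

```python
import re

# Constructed sample autorun.inf for illustration; it is not the file from the
# poster's drives. It imitates the worm style: an [autorun] section, junk lines
# that Windows' INI parser silently skips, several keys pointing the drive's
# default action at the same executable, and a decoy section Windows ignores.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "\x01\x02\x7f;;junk that the parser skips\r\n"
    "OPEN=boot.exe\r\n"
    "sHeLlExEcUtE=boot.exe\r\n"
    "shell\\open\\Command=boot.exe\r\n"
    "shell\\explore\\command=boot.exe\r\n"
    "shell=open\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "[NotAutorun]\r\n"
    "open=decoy.exe\r\n"
)

LAUNCH_KEYS = ("open", "shellexecute")                  # direct launch keys
COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")  # shell\<verb>\command


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}.
    Windows treats the file as a case-insensitive INI file and ignores any
    line it cannot parse, so junk lines and foreign sections are dropped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key and all(32 <= ord(c) < 127 for c in key):   # printable keys only
            entries[key] = value.strip()
    return entries


def launch_targets(entries):
    """Every key through which the file can start a program -> that program."""
    targets = {k: entries[k] for k in LAUNCH_KEYS if k in entries}
    for key, value in entries.items():
        m = COMMAND_RE.match(key)
        if m:
            targets["shell\\%s\\command" % m.group(1)] = value
    return targets


def triage(text):
    """Summarise what a double-click on the drive would run."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    # First token only; a quoted path with spaces would need shlex-style parsing.
    exes = sorted({v.split()[0].strip('"').lower() for v in targets.values() if v})
    return {"targets": targets, "default_verb": entries.get("shell"), "executables": exes}


def missing_targets(text, files_in_root):
    """Targets no longer present in the drive root: the state that makes
    Explorer report "cannot find boot.exe" when the drive is double-clicked
    after the worm file was deleted but autorun.inf was left behind."""
    present = {f.lower() for f in files_in_root}
    return [exe for exe in triage(text)["executables"] if exe not in present]


if __name__ == "__main__":
    import sys
    texts = [open(p, errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_AUTORUN]
    for text in texts:
        print(triage(text))
```

Run it as `python triage_autorun.py F:\autorun.inf G:\autorun.inf H:\autorun.inf`. Two practical caveats: worms usually give the file the hidden and system attributes, so if it is not visible, `attrib -r -s -h F:\autorun.inf` first; and Explorer caches the parsed action per volume under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so the double-click error can outlive the file until that cached entry is cleared.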
  50. jimkata

    jimkata Private E-2

    Hi again

    I found autorun.inf on all 3 drives and deleted the files. What's next?
     
