Worm.Brontok after effect. MWB block ip type outgoing.


Hi

Today I got infected with Worm.Brontok. I tried to remove it by installing Malwarebytes Anti-Malware and updating it to the latest version. After performing a quick scan in safe mode, it found the worm and was able to remove it.

//---------------------------------------------------------------------------------------------------------------------

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.18.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
User :: USER-PC [administrator]

Protection: Enabled

18/7/2556 13:17:38
mbam-log-2013-07-18 (13-17-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211014
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions (Hijack.FolderOptions) -> Data: 1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\User\Local Settings\Application Data\Bron.tok-3-18 (Worm.Brontok) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Windows\System32\3D Animation.scr (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Users\User\Templates\A.kotnorB.com (Worm.Brontok.Gen) -> Quarantined and deleted successfully.

(end)

//---------------------------------------------------------------------------------------------------------------------

 

However, my PC still has some effects left after the removal. Malwarebytes still shows a pop-up saying that it successfully blocked outgoing data from wininit.exe and winlogon.exe to a target IP very often (every 4~6 minutes). My Chrome and Firefox have started to malfunction too.
 

Chrome: unable to browse anything anymore. Even the settings page becomes a permanently loading white screen.
Firefox: can browse some websites, but not flash / heavy-script websites like download.com or facebook (keeps freezing with the continue/stop script choice; either choice results in a frozen loading).

 



Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Hi, MrCharlie. Thank you very much for your assistance.

Here is RogueKiller's log.

 

//----------------------------------------------------------------------------------------------

 

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 07/18/2013 19:51:20
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At1.job : C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] a4b1dc063b548d00a7b33d24a7650f9a
[BSP] 1409c821977849d6f259b183b7b8cbbe : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 58373 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 119754752 | Size: 100000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 324554752 | Size: 79999 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07182013_195120.txt >>

 

//----------------------------------------------------------------------------------------------


Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


OK....Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Running this scan will tell us:

 

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

MrC


As you can see, you're infected with ----> Win32/Virut.NBP virus

Here's some info on the virus:
http://www.bleepingcomputer.com/forums/t/246184/various-malware-removed-some-problems-remain/

We can try and clean the system, but no guarantees; it's advised to wipe the system clean and start over.

If you would like to try and clean the system, start by running avg_remover_virut.exe:

http://free.avg.com/us-en/remove-win32-virut

Then run virutkiller.exe:

http://media.kaspersky.com/utilities/VirusUtilities/EN/virutkiller.exe

Let me know...MrC


Finished with avg_remover_virut.exe just 1 hour ago.
During the cure, it said the log file in C: can't be opened, and once restarted I opened the log file and it just said....

 

 

//-----------------------------------------------------------------------------
 

Virus Remover for Win32/Virut version 1.2.0.847

C:\rmvirut.log                                                                   Can't open

-- EOF --

 

//-----------------------------------------------------------------------------
 

However, MWB has stopped showing the popup about blocking outgoing data right now. It seems like some of them are cured, but going by the Virut information you gave: 1 alive = whole infected, a wipe-out is still waiting for me.

 


Now trying to run virutkiller.exe. Judging from the scanning speed, it may take another 2-3 hours. Even now it still says some files are being cured (but judging from the number of files cured, it looks like they're left over from AVG, as C: only had ~14 exe files cured).
virutkiller.exe says it is Virus.Win32.Virut.ce

After virutkiller.exe finishes, I'll try scanning with ESET and report to you again.


Reporting.

Downloading DrWeb CureIt; it'll take 1 more hour (my connection to other countries is pretty slow).

Finished the virutkiller.exe scan. ~22 files were cured. I also booted into safe mode and rescanned with virutkiller.exe (didn't try with AVG as that scan takes about 7-8 hours to complete; I'll try to do it tonight). No more cured/infected files detected; virutkiller.exe shows 0.

I'll report again once DrWeb CureIt finishes downloading and scanning.

May I ask something about Virut?
Yesterday, when I spotted that I was infected (with Brontok), I tried to close most online-related programs. But during the cure with MWB, an accidental reboot left Hamachi open. Is it possible for Virut to infect through the network without me using it?

I worry: will it infect other people in the Hamachi room that I joined? Also, I'm connected to the router with a LAN cable and my father's PC is also connected to this router with another LAN cable. I didn't set up any network share with my father's PC. Is it possible for it to infect my father's PC?


Everything seems to be ... clear, I guess

Internet access
Windows Update
Windows Firewall

 

All of them can access, update and turn on/off normally.

 

I also skimmed through some of my html and php files; most of them weren't infected with the iframe that the Virut information mentioned. (Still looking at more of them.)

Not sure what I should do next to make sure that my PC is clean.


Do you have the Windows DVD??

---------------------------------

There are also problems with these files:

 

------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-11-20 . DDB553F4C9557B1CBD88AD3C94800545 . 326656 . . [6.1.7600.16385] . . c:\windows\System32\spoolsv.exe
[-] 2010-11-20 . DDB553F4C9557B1CBD88AD3C94800545 . 326656 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe
.
[-] 2010-11-20 . 3FBF65878E78D84631BB10880F366F97 . 295936 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[-] 2010-11-19 . 1562571D6B1541098E677C3BB78709A0 . 285696 . . [6.1.7601.17514] . . c:\windows\System32\winlogon.exe
.
[-] 2010-11-20 . CC61C5B917C1AD74DF251DC7A88B5D3E . 56320 . . [7.5.7601.17514] . . c:\windows\System32\wuauclt.exe
[-] 2010-11-20 . CC61C5B917C1AD74DF251DC7A88B5D3E . 56320 . . [7.5.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.5.7601.17514_none_c315782c0def9f8f\wuauclt.exe
.
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[-] 2010-11-19 . BE8C64439F1E2AF088063218C16EB9FE . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
.
[-] 2010-11-20 . A3D7E571C5E54B6EC044818958E0D910 . 35840 . . [6.1.7600.16385] . . c:\windows\System32\userinit.exe
[-] 2010-11-20 . A3D7E571C5E54B6EC044818958E0D910 . 35840 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
[-] 2009-07-14 . CC32B43E80CF97E5499B4ECB67E94B84 . 407552 . . [6.1.7600.16385] . . c:\windows\regedit.exe
[-] 2009-07-14 . CC32B43E80CF97E5499B4ECB67E94B84 . 407552 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_f4050b883d2c3c08\regedit.exe
.
[-] 2009-07-14 . 94CCA962FF3267AEB50AB111DA31F0F7 . 17920 . . [6.1.7600.16385] . . c:\windows\System32\ctfmon.exe
[-] 2009-07-14 . 94CCA962FF3267AEB50AB111DA31F0F7 . 17920 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe
.

 

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    userinit.exe winlogon.exe spoolsv.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

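The comparison MrC is making in the Sigcheck block above (the live System32 binary against its WinSxS component-store copy) can be automated. The following is added example code, not from the thread, Sigcheck or SystemLook: it parses Sigcheck-style lines, pairs copies by file name, and flags pairs that report the same version string but a different MD5 or size, which is the pattern a file-infecting virus leaves on winlogon.exe and user32.dll in the post. The sample lines are copied from the post itself.

```python
import re

# Sigcheck-style lines copied from the helper's post on this page (real values from the page):
# winlogon.exe differs between System32 and its WinSxS copy, userinit.exe does not.
SIGCHECK_SAMPLE = r"""
[-] 2010-11-20 . 3FBF65878E78D84631BB10880F366F97 . 295936 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[-] 2010-11-19 . 1562571D6B1541098E677C3BB78709A0 . 285696 . . [6.1.7601.17514] . . c:\windows\System32\winlogon.exe
[-] 2010-11-20 . A3D7E571C5E54B6EC044818958E0D910 . 35840 . . [6.1.7600.16385] . . c:\windows\System32\userinit.exe
[-] 2010-11-20 . A3D7E571C5E54B6EC044818958E0D910 . 35840 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
"""

# "[flag] date . md5 . size . . [version] . . path" as printed in the post
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

def parse_sigcheck(text):
    """Return one dict per parsable Sigcheck line; unparsable lines (e.g. '.') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["path"] = d["path"].lower()
            entries.append(d)
    return entries

def compare_pairs(entries):
    """Pair each live (non-WinSxS) binary with its WinSxS copy by file name."""
    by_name = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        slot = "winsxs" if "\\winsxs\\" in e["path"] else "system32"
        by_name.setdefault(name, {})[slot] = e
    result = {}
    for name, slots in by_name.items():
        if "system32" in slots and "winsxs" in slots:
            live, store = slots["system32"], slots["winsxs"]
            result[name] = {
                "system32": live["md5"], "winsxs": store["md5"],
                "same_version": live["version"] == store["version"],
                "match": live["md5"] == store["md5"] and live["size"] == store["size"],
            }
    return result

def suspicious(pairs):
    """Names whose live copy differs from the store copy although both claim the same version.
    A hotfix can legitimately replace the live file, but then the version string normally changes too."""
    return sorted(n for n, p in pairs.items() if p["same_version"] and not p["match"])
```

A hit from this check is a reason to replace the file from known-good media (or, as MrC advises, to rebuild), not proof of infection on its own.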

This topic is now closed to further replies.