# 'Brontok A' worm



## EugeneSlipped (Jul 22, 2006)

The Brontok.A worm is in our system & I can't get rid of it. I found an antivirus site called Sophia that ran a scan and then gave instructions to remove or change a number of files manually. One of them is called BacaBro!!!.txt, but I have no idea where to find it. I was able to delete \Tasks\At1.job and \Tasks\At2.job in the Windows folder, as instructed. I was told there may be data files in the System folder starting with n[randomnumber]\ that may contain file names such as \Spread.Mail.Bro, \Spread.Sent.Bro, \c.bron.tok.txt or domlist.txt, but none of those appeared in the expected place so I assume we don't have them. I was instructed that I might find that the file windows\system32\msvbvm50.dll would have an additional extension .[num] added, but this hadn't happened so it didn't need changing. Finally I was told that the worm creates several registry entries which need deleting, with a path that goes HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (followed by a random subkey = pathname of worm EXE & then other stuff after it), but I don't know where to find registry files.

Anyhow, running the scan and finding all this out didn't get rid of everything because that cursed green popup popped up again in the middle of running the scan & then it did its other trick of shutting down the computer when I was in the middle of Googling to find out what a registry entry is. (It's like HAL - it KNOWS when you're trying to kill it!) Please tell me how I can get rid of this thing!!!!


----------



## Glaswegian (Dec 5, 2004)

Hi

Download this tool --> http://www.techsupportforum.com/sectools/sUBs/CleanX-II.exe

and save it to your Desktop.

Disconnect/unplug the computer from the Internet.
Save any work which you're doing & close all other programs.
Reboot your machine before running it. 
Double-click *CleanX-II.exe*
The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
Once it has finished scanning, it will provide a log file, which will be saved to your Desktop with the name *CleanX-II.txt*. *Post the log with your next post*.


----------



## EugeneSlipped (Jul 22, 2006)

Thanks, here's the log.

The character count was about 150,000 characters too high to post so I'm attaching the cleanx.txt file to this post.


EDIT: Having just checked out a few things on the computer (opening applications and Word documents - which opened instantly - and the 'Folder Options' in the Control Panel has now returned), it appears as though the worm has been removed from the computer. As far as we can tell right now, the computer isn't having any of the problems we previously had with the worm.


----------



## Glaswegian (Dec 5, 2004)

Eek! Well that cleared out some rubbish - let's now clean up the remainder.

Download *Deckard's System Scanner (DSS)* to your *Desktop*. Note: You must be logged onto an account with administrator privileges.
*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > *extra.txt* and maximised > *main.txt*.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* back in this thread *(do not attach it)*.
Please *attach* *extra.txt* to your post.

To attach a file to a new post, simply

Click the [*Manage Attachments*] button under *Additional Options > Attach Files* on the post composition page, and
*copy and paste* the following into the "*Upload File from your Computer*" box: *C:\Deckard\System Scanner\extra.txt*
Click *Upload.*


----------



## EugeneSlipped (Jul 22, 2006)

Deckard's System Scanner v20070426.43
Run by cdeuser on 2007-05-24 at 23:40:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
75: 2007-05-24 13:40:36 UTC - RP418 - Deckard's System Scanner Restore Point
74: 2007-05-24 05:55:52 UTC - RP417 - System Checkpoint
73: 2007-05-22 15:17:31 UTC - RP416 - System Checkpoint
72: 2007-05-21 08:36:37 UTC - RP415 - System Checkpoint
71: 2007-05-20 08:16:56 UTC - RP414 - System Checkpoint

-- First Restore Point -- 
1: 2007-02-24 05:52:59 UTC - RP344 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as cdeuser.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:45:56 PM, on 24/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\cdeuser\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\cdeuser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://knowledgenet:8080/knowledgenet/Knowledg.nsf/$$Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C|/cde/internet explorer/start_1.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CDE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [updateMgr] C:\CDE\Acrobat\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C|/cde/internet explorer/start_1.htm
O16 - DPF: DominoApplets - http://n255.service.csv.au/domjava/dominoapplets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://hns6.uap.csv.au/iqp/qp2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - 
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - 
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://lycosmail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\Software\..\Telephony: DomainName = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (InCD Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 BsUDF (InCD UDF Driver) - c:\windows\system32\drivers\bsudf.sys <Not Verified; ahead software; UDF File System Driver (WindowsXP)>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
S3 IAMTXP (Driver for Intel(R) Active Management Technology - KCS) - c:\windows\system32\drivers\iamtxp.sys <Not Verified; Intel Corporation; Intel® Active Management Technology  KCS>
S3 sfng32 (Sonic Focus Plugin for Sigmatel HDA) - c:\windows\system32\drivers\sfng32.sys <Not Verified; Sonic Focus, Inc; Sonic Focus, Inc SFNG32.SYS>
S3 STHDA (SigmaTel High Definition Audio CODEC) - c:\windows\system32\drivers\sthda.sys <Not Verified; SigmaTel, Inc.; C-Major Audio>
S3 ZSMC301b (VIMICRO USB PC Camera) - c:\windows\system32\drivers\usbvm31b.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 avinitnt - "c:\program files\command software\command antivirus\avinitnt.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>
R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>
R2 schscnt - "c:\program files\command software\command antivirus\schscnt.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>

-- Scheduled Tasks -------------------------------------------------------------

2007-05-23 18:31:37 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-04-24 and 2007-05-24 -----------------------------

2007-05-19 17:35:31 0 d-------- C:\Documents and Settings\cdeuser\Application Data\Lavasoft
2007-05-19 17:34:48 0 d-------- C:\Program Files\Lavasoft
2007-05-19 17:31:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-19 16:51:17 0 d-------- C:\Program Files\CA
2007-05-17 12:00:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Opera
2007-05-16 15:37:14 0 d-------- C:\WINDOWS\IPAFONTS
2007-05-12 20:30:05 0 d-------- C:\Documents and Settings\cdeuser\Shared
2007-05-12 20:29:58 0 d-------- C:\Documents and Settings\cdeuser\Incomplete
2007-05-12 20:24:51 0 d-------- C:\Documents and Settings\cdeuser\Application Data\LimeWire
2007-04-25 17:14:51 0 d--h----- C:\Documents and Settings\NetworkService\SendTo
2007-04-25 17:12:36 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Identities
2007-04-25 17:09:48 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-04-25 17:09:48 0 dr-h----- C:\Documents and Settings\NetworkService\Recent
2007-04-25 17:09:48 0 d-------- C:\Documents and Settings\NetworkService\Desktop

-- Find3M Report ---------------------------------------------------------------

2007-05-11 22:10:03 19 --a------ C:\WINDOWS\popcinfo.dat
2007-03-29 23:16:38 0 d-------- C:\Program Files\EA GAMES

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SchedulingAgent"="mstinit.exe /firstlogon"
"SigmatelSysTrayApp"="sttray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"avtray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\avtray.exe"
"CSAV_CheckViruses"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\vchk.exe"
"dvprpt"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\dvprpt.exe"
"untray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\untray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"zzzHPSETUP"="D:\\Setup.exe \\RESET"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="C:\\CDE\\Acrobat\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ToggleCommentPosition"=dword:00000001
"ShowDriveLettersFirst"=dword:00000004
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoRemoteRecursiveEvents"=dword:00000001
"NoPublishingWizard"=dword:00000001
"NoWebServices"=dword:00000001
"NoOnlinePrintsWizard"=dword:00000001
"NoInternetOpenWith"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"NoActiveDesktop"=dword:00000001
"NoInternetIcon"=dword:00000001
"NoFolderOptions"=dword:00000001

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
 Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-05-24 at 23:46:32 ---------


----------
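The first post lists the artefacts the removal guide told the poster to look for (\Tasks\At1.job and At2.job, a random value under HKCU\...\CurrentVersion\Run pointing at the worm EXE), and the DSS log above dumps the policy values that match the "Folder Options is gone" symptom (NoFolderOptions and DisableRegistryTools under HKEY_USERS\.default). As an added example that is not part of this thread, of DSS or of HijackThis, the Python script below reads a DSS log offline and flags those three kinds of artefact. The sample log is constructed: the `x7f3q` Run value and the At*.job lines are invented to exercise the checks, the remaining lines copy the shape of the posted log, and the policy names and trusted path prefixes are assumptions about a typical home XP build.

```python
"""Offline triage of a Deckard's System Scanner (DSS) log for Brontok.A artefacts.

Added example, not part of the thread. Parses the Scheduled Tasks and Registry
Dump sections of a DSS log and flags what the thread describes: policies that
hide Folder Options or disable regedit/cmd/Windows Update, Run entries whose
EXE sits outside Windows/Program Files (the first post's random HKCU Run value),
and At<n>.job scheduler jobs. SAMPLE_LOG is constructed (x7f3q and At*.job
lines invented; the rest copies the shape of the posted log).
"""
import re
from typing import Dict, List, Tuple

RegDump = Dict[str, Dict[str, str]]

# Assumption: on a home PC none of these restrictions should be set.
LOCKDOWN_POLICIES = {"NoFolderOptions", "DisableRegistryTools", "DisableCMD",
                     "NoWindowsUpdate", "DisableTaskMgr"}
# Assumption: legitimate autostarts on this build live under these prefixes.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
JOB_RE = re.compile(r"(?P<path>[A-Za-z]:\\\S+\.job)$", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

def parse_registry_dump(log: str) -> RegDump:
    """Return {key (lower-cased): {value name: raw .reg-style value}}."""
    dump: RegDump = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            dump.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            dump[current][m.group("name")] = m.group("value")
    return dump

def find_lockdown_policies(dump: RegDump) -> List[Tuple[str, str]]:
    """Lockdown policies set to 1 under any ...\\policies\\... key."""
    return [(key, name)
            for key, values in dump.items() if "\\policies\\" in key
            for name, raw in values.items()
            if name in LOCKDOWN_POLICIES and raw.lower() == "dword:00000001"]

def _exe_path(raw: str) -> str:
    """Recover the launched executable from a .reg-style Run value."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]                      # outer .reg quotes
    raw = re.sub(r"\\(.)", r"\1", raw)       # undo .reg escaping of \\ and \"
    if raw.startswith('"'):                  # "C:\long path\x.exe" args
        return raw[1:].split('"', 1)[0]
    m = EXE_RE.match(raw)                    # C:\path\x.exe args
    return m.group(1) if m else raw.split(" ", 1)[0]

def find_untrusted_run_entries(dump: RegDump) -> List[Tuple[str, str, str]]:
    """Run values whose absolute path is outside TRUSTED_PREFIXES (review each hit)."""
    hits = []
    for key, values in dump.items():
        if not key.endswith("\\currentversion\\run"):
            continue
        for name, raw in values.items():
            exe = _exe_path(raw)
            if ":\\" in exe and not exe.lower().startswith(TRUSTED_PREFIXES):
                hits.append((key, name, exe))
    return hits

def find_at_jobs(log: str) -> List[str]:
    """Scheduler jobs named At<n>.job from the Scheduled Tasks section."""
    jobs = []
    for line in log.splitlines():
        m = JOB_RE.search(line.rstrip())
        if m and re.search(r"\\At\d+\.job$", m.group("path"), re.IGNORECASE):
            jobs.append(m.group("path"))
    return jobs

SAMPLE_LOG = r"""
-- Scheduled Tasks -------------------------------------------------------------
2007-05-23 18:40:02 286 --a------ C:\WINDOWS\Tasks\At1.job
2007-05-23 18:40:02 286 --a------ C:\WINDOWS\Tasks\At2.job
-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SchedulingAgent"="mstinit.exe /firstlogon"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"zzzHPSETUP"="D:\\Setup.exe \\RESET"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"x7f3q"="\"C:\\Documents and Settings\\cdeuser\\Local Settings\\Application Data\\n9f2\\smss.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoFolderOptions"=dword:00000001
"""

if __name__ == "__main__":
    dump = parse_registry_dump(SAMPLE_LOG)
    print("lockdown policies:", find_lockdown_policies(dump))
    print("untrusted Run entries:", find_untrusted_run_entries(dump))
    print("At*.job tasks:", find_at_jobs(SAMPLE_LOG))
```

On the sample, the three policy values set to 1 are reported, both At*.job lines are reported, and two Run entries are flagged: the constructed `x7f3q` value under a user profile directory, and the HP `D:\Setup.exe` entry from the posted log, which is flagged only because `D:\` is not in the trusted prefix list. That second hit is the caveat: the prefix list has to be tuned to the host's build, and every hit still needs a human to confirm what the file is before anything is deleted. The script reads a saved log rather than the live registry, so it can be run on a clean machine against a log copied from the infected one.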



## Glaswegian (Dec 5, 2004)

Hi again

Looking good - we'll just run some scans and clean up any other leftovers.

You may wish to *Subscribe* to this thread *(Thread Tools > Subscribe to this thread)* so that you are notified when you receive a reply.

*Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.*

*Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.*

*Downloads*
Please download *Cleanup!* or use this *Alternate Link* if the main link does not work and install it. You will use this later.
*NOTE: Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups.* If you have any files in any *TEMP* directory and you need to keep them, then please *MOVE THEM NOW!*

Download *AVG Anti Spyware*

Use the link at the bottom of the page under *"AVG Anti-Spyware Free for Windows"*

Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click *Shield*
Click the word *active* to change it to *inactive*
On the top of the main screen click *Update*.
Then click on *Start Update.* The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"


When you have finished updating, *EXIT AVG Anti Spyware.*

*Reboot*
Reboot your system in *Safe Mode*.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but *before* the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight *Safe Mode* and press *Enter*.

*Run CleanUp!*
*NOTE: Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups.* If you have any files in any *TEMP* directory and you need to keep them, then please *MOVE THEM NOW!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click *Options*
Move the slider button down to *Custom CleanUp!*
Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the Temporary Files tab and *uncheck* the box for Scan drives for file matching if its checked.

Click *OK,* Press the *CleanUp!* button to start the program and *DO NOT REBOOT* when prompted.
*Note:* *CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.*

*Run AVG Anti Spyware*
Run *AVG* with its updated definitions (...it's important that *all windows must be closed*)
 Click *Scanner*
 Click on the *Scan* tab
 Click *Complete System Scan* to begin scanning.
 When the scan is complete click *Recommended Action* and change it to *Quarantine*
 Then click *Apply all actions*
Once finished, click the *Save report* button, then click *Save Report As* and save it to your desktop.

*NOTE: AVG scan may require an hour.*

*Reboot*
Reboot your system in Normal Mode.

*Online Scan*
Perform an online scan with Internet Explorer with *Panda ActiveScan*

Click on the [image] button located at the bottom of the page.
A "pop up" window will appear. *Please ensure that your pop-up blocker doesn't block it.*
Enter your e-mail address, country, and state & click *"Free Online Scan"*. *The download of Panda's 8 MB ActiveX control will take place.*
Begin the scan by selecting the [image] button.
 If it finds any malware, it will offer you a report.
 Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on [image], then click [image].
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

*Logs required*
*AVG Log
Panda Log
HijackThis Log*

Please also let me know how your system is performing now and if you have any specific problems.


----------



## EugeneSlipped (Jul 22, 2006)

Wow, got quite a few steps ahead of me here...

But unfortunately it looks like I'm going to have to wait a bit before I get started, because I may or may not have a problem with AVG at the moment.

I downloaded and installed AVG from the link provided. When I tried to run it, I was bombarded with "Please insert disc into drive D:\", and it included a file directory name with an avg exe file.
No matter how many "Cancels", "Continues", "Try Agains" and "Xs" I clicked, they kept returning until I closed AVG. I tried uninstalling and reinstalling AVG - this time I didn't get this problem; however, now in steps 3 and 4 of the AVG process you provided:
"# On the top of the main screen click Shield
# Click the word active to change it to inactive"
The Shield isn't even available for me. Now I don't know if this is a problem, but I thought it was best to run it by you before I did anything else.

I've included a couple of screenshots:

The shield tab: [screenshot]

My license: [screenshot]
Not quite sure what to do here, so like I said I thought it would be best to run it by you before I did anything.

Thanks!


----------



## Glaswegian (Dec 5, 2004)

OK - if there's no shield that's fine. You should get 30 days worth of shield for free - perhaps a bad download? Skip that part and then carry on with the rest of the fix. Since we've already removed the main infection, I doubt there will be much left, so just carry on whenever it's convenient.


----------



## EugeneSlipped (Jul 22, 2006)

Urk :S

Sorry, I was busy for a couple of days so didn't get around to finishing the rest of the steps, and I thought that the computer would be fine for a couple more days.
But it appears as though perhaps one or more of the USB memory sticks we have might be infected with the Brontok worm as well, because the computer's slowing down, the computer won't read the USB drives and the 'Folder Options' in Control Panel is gone again. This happened after using the memory sticks. It's taken us right back to where we started, or so it looks! >.<

Should I run the CleanX scan and the Deckard's System Scanner again and post the logs?
Also it appears we might have to do something about the USB Memory Sticks, because it looks like they might just keep re-infecting the computer.


----------



## Glaswegian (Dec 5, 2004)

Hi again

Firstly, I would copy over any data you need from the USB drives, then wipe them completely. There's no point in adding in extra complications - dealing with one system at a time is the best bet. Then keep them away from your main PC until we can get that clean.

Once you've done that, run CleanX-II and DSS again and post back with the logs.


----------



## EugeneSlipped (Jul 22, 2006)

(CleanX log attached, once again it was far too long to post)

Also, we tried to wipe the USB drives but we can't access them directly through Windows Explorer because the worm won't let the drive show up in My Computer, but we were able to get at them via MS Word by asking it to open a document, and then copying the documents from that directory over to a folder on the desktop. We then deleted all the files we could find on the USB drive, but couldn't find any way of formatting them completely.


DSS logs coming shortly.


----------



## EugeneSlipped (Jul 22, 2006)

For some reason only main.txt appeared, no extra.txt was created. Not sure why this happened, but I've posted the main.txt here:

Deckard's System Scanner v20070426.43
Run by cdeuser on 2007-05-29 at 18:53:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as cdeuser.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:53:32 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\cdeuser\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\cdeuser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://knowledgenet:8080/knowledgenet/Knowledg.nsf/$$Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C|/cde/internet explorer/start_1.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CDE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [updateMgr] C:\CDE\Acrobat\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C|/cde/internet explorer/start_1.htm
O16 - DPF: DominoApplets - http://n255.service.csv.au/domjava/dominoapplets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://hns6.uap.csv.au/iqp/qp2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - 
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - 
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://lycosmail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\Software\..\Telephony: DomainName = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe

-- Files created between 2007-04-29 and 2007-05-29 -----------------------------

2007-05-29 18:19:45 0 d-------- C:\WINDOWS\system32\NtmsData
2007-05-19 17:35:31 0 d-------- C:\Documents and Settings\cdeuser\Application Data\Lavasoft
2007-05-19 17:34:48 0 d-------- C:\Program Files\Lavasoft
2007-05-19 17:31:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-19 16:51:17 0 d-------- C:\Program Files\CA
2007-05-17 12:00:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Opera
2007-05-16 15:37:14 0 d-------- C:\WINDOWS\IPAFONTS
2007-05-12 20:30:05 0 d-------- C:\Documents and Settings\cdeuser\Shared
2007-05-12 20:29:58 0 d-------- C:\Documents and Settings\cdeuser\Incomplete
2007-05-12 20:24:51 0 d-------- C:\Documents and Settings\cdeuser\Application Data\LimeWire

-- Find3M Report ---------------------------------------------------------------

2007-05-26 16:21:02 19 --a------ C:\WINDOWS\popcinfo.dat
2007-03-29 23:16:38 0 d-------- C:\Program Files\EA GAMES

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SchedulingAgent"="mstinit.exe /firstlogon"
"SigmatelSysTrayApp"="sttray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"avtray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\avtray.exe"
"CSAV_CheckViruses"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\vchk.exe"
"dvprpt"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\dvprpt.exe"
"untray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\untray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"zzzHPSETUP"="D:\\Setup.exe \\RESET"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="C:\\CDE\\Acrobat\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ToggleCommentPosition"=dword:00000001
"ShowDriveLettersFirst"=dword:00000004
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoRemoteRecursiveEvents"=dword:00000001
"NoPublishingWizard"=dword:00000001
"NoWebServices"=dword:00000001
"NoOnlinePrintsWizard"=dword:00000001
"NoInternetOpenWith"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"NoActiveDesktop"=dword:00000001
"NoInternetIcon"=dword:00000001
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-05-29 at 18:53:49 ---------


----------



## Glaswegian (Dec 5, 2004)

Hi again

Now that you've copied over any data, and run CleanX-II again, can you try and re-format those flash drives to completely clean them. Your DSS log is pretty clean. If you manage to do the re-format, keep the flash drives away from the main system and then run CleanX-II again.


----------



## EugeneSlipped (Jul 22, 2006)

Thanks for your help - we've made a lot of progress. The logs came up clean this time & one of the flash drives has been formatted successfully. The other one came up with a box saying that the format could not be completed, so we'll stop using it. We're suspicious that the worm has infected it, or even that this is where it came from in the first place, as it was given to us by someone else & just has kids games & rubbish on it. The computer seems to be working fine now, though there is one mystery that I thought was the fault of Brontok. When you open a folder in Windows explorer, & look at the menu within that folder, you find the folder's own name listed as a .exe file. It's as if the folder is nesting inside itself, if that makes any sense. Is this a side-effect of Brontok or something unrelated? I'm sure it didn't happen like this before we had the worm.


----------



## Glaswegian (Dec 5, 2004)

Hi again

Good to hear that you've made some progress.

I'm not sure about the folder thing - let's do a run of this tool to check for any remnants.

Please download *combofix.exe* to your *desktop.*
*Alternate link.*

*IMPORTANT - You must place combofix on your desktop!!*

Double click *combofix.exe* & follow the prompts.

When finished, the tool will produce a log for you at *c:\combofix.txt*. *Post that log in your next reply.*

*Note:* Do *not* mouseclick combofix's window while it's running. That may cause it to stall.


----------



## EugeneSlipped (Jul 22, 2006)

Hi again again
This is getting ridiculous. We had some internet trouble & a failed attempt to download combofix.exe. In the meantime, Brontok reappeared in the system. I've run CleanX & DSS again. After doing that I was able to download combofix today & ran it, but after running for a few minutes, it closed without leaving a log. I wasn't looking when it closed & don't know if there were any messages at the time & I tried to run it again just to see, but it told me that another user was already running it & there was some file missing.

I've copied the first part of the log from CleanX, but won't bother you with the rest as most of it is just email addresses, many of them in triplicate. I've included the first part, which has other files and a few of the email addresses so you can see what it's doing, but the rest is just more of the same.

#######################################################################

Current date: Sat 09/06/2007 Current time: 12:43:37.04

=== PRE RUN ANALYSIS ===================================

C:\DOCUME~1\CDEUSER\LOCALS~1\APPLIC~1\INETINFO.EXE
C:\DOCUME~1\CDEUSER\LOCALS~1\APPLIC~1\SERVICES.EXE
C:\DOCUME~1\CDEUSER\LOCALS~1\APPLIC~1\SMSS.EXE
C:\DOCUME~1\CDEUSER\MYDOCU~1\MYMUSI~1\ITUNES\ITUNES~1\UNKNOWN\UNKNOW~1\UNKNOW~1.EXE

......................................

C:\WINDOWS\Tasks\At1.job 
C:\WINDOWS\sembako-ckzjmqg.exe 
C:\WINDOWS\system32\cmd-bro-qmx.exe 
C:\WINDOWS\system32\sistem.sys 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\csrss.exe 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\lsass.exe 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\winlogon.exe 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\br4941on.exe 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\Bron.tok-18-8 
C:\Documents and Settings\cdeuser\Local Settings\Application Data\svchost.exe 
C:\Documents and Settings\cdeuser\Start Menu\Programs\Startup\Empty.pif 
C:\Documents and Settings\cdeuser\Templates\8064-NendangBro.com

...............

C:\Documents and Settings\cdeuser\Local Settings\Application Data\Bron.tok-18-8
C:\Documents and Settings\cdeuser\Local Settings\Application Data\Bron.tok-18-9
C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok
C:\Documents and Settings\cdeuser\Local Settings\Application Data\Ok-SendMail-Bron-tok
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"
"C:\Documents and Settings\cdeuser\Local Settings\Application Data\Loc.Mail.Bron.Tok\[email protected]"

This is the log from DSS:
Deckard's System Scanner v20070426.43
Run by cdeuser on 2007-06-09 at 12:52:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as cdeuser.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:52:45 PM, on 9/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\cdeuser\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\cdeuser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://knowledgenet:8080/knowledgenet/Knowledg.nsf/$$Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C|/cde/internet explorer/start_1.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CDE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [updateMgr] C:\CDE\Acrobat\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C|/cde/internet explorer/start_1.htm
O16 - DPF: DominoApplets - http://n255.service.csv.au/domjava/dominoapplets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://hns6.uap.csv.au/iqp/qp2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - 
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - 
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://lycosmail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\Software\..\Telephony: DomainName = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = service.csv.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au,service.csv.au,csv.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe

-- Files created between 2007-05-09 and 2007-06-09 -----------------------------

2007-05-29 18:19:45 0 d-------- C:\WINDOWS\system32\NtmsData
2007-05-19 17:35:31 0 d-------- C:\Documents and Settings\cdeuser\Application Data\Lavasoft
2007-05-19 17:34:48 0 d-------- C:\Program Files\Lavasoft
2007-05-19 17:31:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-19 16:51:17 0 d-------- C:\Program Files\CA
2007-05-17 12:00:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Opera
2007-05-16 15:37:14 0 d-------- C:\WINDOWS\IPAFONTS
2007-05-12 20:30:05 0 d-------- C:\Documents and Settings\cdeuser\Shared
2007-05-12 20:29:58 0 d-------- C:\Documents and Settings\cdeuser\Incomplete
2007-05-12 20:24:51 0 d-------- C:\Documents and Settings\cdeuser\Application Data\LimeWire

-- Find3M Report ---------------------------------------------------------------

2007-06-04 08:12:37 0 d-------- C:\Program Files\Nortel Networks
2007-05-26 16:21:02 19 --a------ C:\WINDOWS\popcinfo.dat

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SchedulingAgent"="mstinit.exe /firstlogon"
"SigmatelSysTrayApp"="sttray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"avtray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\avtray.exe"
"CSAV_CheckViruses"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\vchk.exe"
"dvprpt"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\dvprpt.exe"
"untray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\untray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"zzzHPSETUP"="D:\\Setup.exe \\RESET"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE VIMICRO USB PC Camera"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updateMgr"="C:\\CDE\\Acrobat\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ToggleCommentPosition"=dword:00000001
"ShowDriveLettersFirst"=dword:00000004
"LinkResolveIgnoreLinkInfo"=dword:00000001
"NoRemoteRecursiveEvents"=dword:00000001
"NoPublishingWizard"=dword:00000001
"NoWebServices"=dword:00000001
"NoOnlinePrintsWizard"=dword:00000001
"NoInternetOpenWith"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"NoActiveDesktop"=dword:00000001
"NoInternetIcon"=dword:00000001
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-06-09 at 12:53:03 ---------

This is all I've been able to achieve. Why does this thing keep coming back? If it infected a flash drive, could it infect a digital camera? (I had one plugged in yesterday.)
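The two symptoms reported in this thread (an .exe carrying its parent folder's own name, and core Windows process names such as csrss.exe, lsass.exe and winlogon.exe appearing under Local Settings\Application Data in the CleanX listing) can be turned into a read-only filesystem check. The script below is an added example, not the thread's or any tool's own code; the directory layout it scans is constructed in a temporary folder, and the finding names are my own labels.

```python
"""
Report-only check for two Brontok-style symptoms described in the thread:
  1. "<Folder>\\<Folder>.exe": an executable inside a folder that carries the
     folder's own name (the "folder nesting inside itself" symptom);
  2. executables named after Windows core processes that live outside the
     Windows directory (the pattern in the CleanX pre-run listing).
Nothing is deleted; findings are returned for a human to review.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Names seen under Local Settings\Application Data in the CleanX listing.
# Genuine copies of these live only inside the Windows directory.
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "inetinfo.exe",
}


def _inside(path: Path, root: Path) -> bool:
    """Case-insensitive 'path lies under root' test (Windows paths ignore case)."""
    root_s = str(root.resolve()).lower().rstrip(os.sep) + os.sep
    return str(path.resolve()).lower().startswith(root_s)


def scan_tree(root: Path, windows_dir: Path) -> List[Tuple[str, Path]]:
    """Walk root and return (finding_kind, path) pairs for the two symptoms."""
    findings: List[Tuple[str, Path]] = []
    for dirpath, _subdirs, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            lower = name.lower()
            if not lower.endswith(".exe"):
                continue
            path = folder / name
            # Symptom 1: the file's stem equals the name of the folder it sits in.
            if lower[:-4] == folder.name.lower():
                findings.append(("folder-named-exe", path))
            # Symptom 2: a core process name outside the Windows directory.
            if lower in CORE_PROCESS_NAMES and not _inside(path, windows_dir):
                findings.append(("core-name-outside-windows", path))
    return findings


def build_sample_tree() -> Tuple[Path, Path]:
    """Constructed sample layout (assumption, not real files) mirroring the thread."""
    base = Path(tempfile.mkdtemp(prefix="brontok-check-"))
    windows = base / "WINDOWS"
    appdata = (base / "Documents and Settings" / "cdeuser"
               / "Local Settings" / "Application Data")
    photos = (base / "Documents and Settings" / "cdeuser"
              / "My Documents" / "Holiday Photos")
    for d in (windows / "system32", appdata, photos):
        d.mkdir(parents=True)
    # Legitimate copies under the Windows directory: must not be flagged.
    for n in ("csrss.exe", "lsass.exe", "winlogon.exe"):
        (windows / "system32" / n).write_bytes(b"legitimate placeholder")
    # Core names in the user profile, as in the CleanX listing: flagged.
    for n in ("csrss.exe", "lsass.exe", "winlogon.exe", "svchost.exe"):
        (appdata / n).write_bytes(b"suspect placeholder")
    # Folder's own name as an .exe inside it: flagged.
    (photos / "Holiday Photos.exe").write_bytes(b"suspect placeholder")
    (photos / "IMG_0001.jpg").write_bytes(b"photo placeholder")
    return base, windows


def run_demo() -> Dict[str, int]:
    """Scan the constructed tree, print each finding, return counts per kind."""
    base, windows = build_sample_tree()
    try:
        counts: Dict[str, int] = {}
        for kind, path in scan_tree(base, windows):
            counts[kind] = counts.get(kind, 0) + 1
            print(f"{kind:28s} {path.relative_to(base)}")
        return counts
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    run_demo()
```

On a real machine you would point scan_tree at the drive root and the actual Windows directory; a flagged path is a lead for manual review, not proof of infection on its own.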


----------



## Glaswegian (Dec 5, 2004)

Hi again

I've never heard of malware infecting a camera (SD card I presume?) - yet.

Delete any versions of combofix you may have and download a fresh version from here

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Download to your desktop and run it - follow the prompts. It has been updated so I want to see what happens when run.

It's likely coming from an external source - have you plugged in any external drives recently? Have the flash drives been formatted?


----------



## EugeneSlipped (Jul 22, 2006)

Hi again
So far so good. I've run the new version of Combofix and it did generate a log, which I'll paste below this. Don't know what external source could be causing it. We formatted one flash drive properly & the only time I've used it since is to load back on the files we'd saved onto the computer while running CleanX etc. The other drive couldn't complete the format, so we've ditched it. There are two other computers connected to the same router in our house, but this one has some sort of secure connection to an office & has all sorts of firewall things that prevent it from communicating with the other two via any LAN. 
I'm keeping a lookout for early warning signs of reinfection, such as hidden files suddenly becoming invisible & there are a couple of ancient Windows games that seem to get automatically deleted when Brontok takes hold. They've become my canaries in the mine, & they're still singing at the moment, so maybe things are ok.

Thanks again for your help!
Here's the log:
ComboFix 07-06-13.3 - C:\Documents and Settings\cdeuser\Desktop\ComboFix.exe
"cdeuser" - 2007-06-13 16:05:48 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))

2007-06-11 20:42 d--------	C:\WINDOWS\system32\LogFiles
2007-06-10 18:52 d--------	C:\PSFonts
2007-06-09 13:49	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-05-29 18:19 d--------	C:\WINDOWS\system32\NtmsData
2007-05-25 19:47	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-24 23:39 d--------	C:\Deckard
2007-05-19 17:35 d--------	C:\DOCUME~1\cdeuser\APPLIC~1\Lavasoft
2007-05-19 17:34 d--------	C:\Program Files\Lavasoft
2007-05-19 17:31 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-05-19 16:51 d--------	C:\Program Files\CA
2007-05-17 12:00 d--------	C:\DOCUME~1\NETWOR~1\APPLIC~1\Opera
2007-05-16 15:37 d--------	C:\WINDOWS\IPAFONTS

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 22:12:37	--------	d-----w	C:\Program Files\Nortel Networks
2007-05-26 06:21:02	19	----a-w	C:\WINDOWS\popcinfo.dat
2007-05-12 10:48:39	--------	d-----w	C:\DOCUME~1\cdeuser\APPLIC~1\LimeWire
2004-08-03 14:56:44	1,392,671	--sh--r	C:\WINDOWS\system32\msvbvm60.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\CDE\Acrobat\ActiveX\AcroIEHelper.dll [2005-09-23 20:12]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 02:25]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 19:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 C:\WINDOWS\system32\mstinit.exe]
"SigmatelSysTrayApp"="sttray.exe" []
"nwiz"="nwiz.exe" []
"avtray"="C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe" [2005-11-10 16:47]
"CSAV_CheckViruses"="C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe" [2005-11-10 16:47]
"dvprpt"="C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe" [2005-11-10 16:47]
"untray"="C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe" [2005-11-10 16:47]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-12-25 01:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-10-19 21:23]
"zzzHPSETUP"="D:\Setup.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 02:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 08:36]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2006-04-21 14:42]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-05-19 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\CDE\Acrobat\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ToggleCommentPosition"=1 (0x1)
"ShowDriveLettersFirst"=4 (0x4)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
"NoPublishingWizard"=1 (0x1)
"NoWebServices"=1 (0x1)
"NoOnlinePrintsWizard"=1 (0x1)
"NoInternetOpenWith"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoInternetIcon"=1 (0x1)
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-29 00:13]

Contents of the 'Scheduled Tasks' folder
2007-06-06 08:31:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 16:09:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-06-13 16:10:02

--- E O F ---

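The "Reg Loading Points" section of a ComboFix log is the part a responder reads first: the `Run` keys list what starts with Windows, and the `policies` keys show restrictions on the user's tools. Two details matter when reading it. ComboFix prints the file's timestamp and path in the trailing bracket of each `Run` entry, so an empty `[]` means the file the entry points to was not found at that path; and a value such as `"DisableRegistryTools"=1` under a `policies\system` key is a restriction that a user normally has no reason to set. The following script is an added example, not part of this thread and not ComboFix's own code: it parses that section, lists `Run` entries whose file was not found, and lists restrictive policies from a constructed watch-list of value names (the list is a general triage heuristic, not something taken from the thread). The sample log is a constructed excerpt modelled on the log posted above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from typing import Dict, List, Tuple

# Section header, e.g. "[HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]"
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]\s*$')
# Autostart value: "name"="command" [timestamp path]; the bracket is empty
# when ComboFix could not find the file the entry points to.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Policy value: "name"=1 (0x1)
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')

# Constructed watch-list (assumption, not from the thread): policies that,
# when set to a non-zero value, take away tools needed during clean-up.
RESTRICTIVE_POLICIES = {
    "DisableRegistryTools", "DisableCMD", "DisableTaskMgr",
    "NoFolderOptions", "NoRun", "NoControlPanel",
}

Entry = Tuple[str, str, str]  # (value name, value data, file info or "")


def parse_loading_points(log_text: str) -> Dict[str, List[Entry]]:
    """Return {registry key: [(name, data, info), ...]} for the Reg Loading Points block."""
    entries: Dict[str, List[Entry]] = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        # The registry block ends where the next report section starts.
        if line.startswith("****") or line.startswith("Contents of the"):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        if current is None:
            continue
        m = RUN_RE.match(line)
        if m:
            entries[current].append((m.group("name"), m.group("data"), m.group("info").strip()))
            continue
        m = POLICY_RE.match(line)
        if m:
            entries[current].append((m.group("name"), m.group("data"), ""))
    return entries


def find_missing_files(entries: Dict[str, List[Entry]]) -> List[Tuple[str, str, str]]:
    """Run entries whose trailing bracket is empty, i.e. the file was not found."""
    hits = []
    for key, values in entries.items():
        if not key.lower().endswith("\\run"):
            continue
        for name, data, info in values:
            if info == "":
                hits.append((key, name, data))
    return hits


def find_restrictive_policies(entries: Dict[str, List[Entry]]) -> List[Tuple[str, str, int]]:
    """Watch-listed policy values that are set to a non-zero value."""
    hits = []
    for key, values in entries.items():
        if "\\policies\\" not in key.lower():
            continue
        for name, data, _ in values:
            if name in RESTRICTIVE_POLICIES and data != "0":
                hits.append((key, name, int(data)))
    return hits


# Constructed excerpt modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2004-08-04 00:56 C:\WINDOWS\system32\mstinit.exe]
"nwiz"="nwiz.exe" []
"zzzHPSETUP"="D:\Setup.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\CDE\Acrobat\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoFolderOptions"=1 (0x1)

Contents of the 'Scheduled Tasks' folder
2007-06-06 08:31:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
"""

if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for key, name, data in find_missing_files(parsed):
        print(f"file not found for Run entry {name!r} -> {data}  ({key})")
    for key, name, value in find_restrictive_policies(parsed):
        print(f"restrictive policy {name}={value}  ({key})")
```

On the sample, the script reports the two `Run` entries with an empty bracket and the two watch-listed policies set to 1. An entry with a missing file is not proof of infection (an uninstalled program leaves the same trace), and a restrictive policy can be set by a domain administrator; both are simply the lines worth asking about before anything is deleted.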

----------



## Glaswegian (Dec 5, 2004)

Hi again

Lets just double check for any rootkits. *Make sure you are logged in as an Admin.*

*Gmer*
Download *Gmer* and extract it to your *desktop.*

Double-click *gmer.exe* to run it and select the *rootkit* tab. Press *scan*. When it has finished, press *copy* and paste the log back here.

Alternate link: http://www.majorgeeks.com/download.php?det=5198

*Blacklight*
Download and run *Blacklight*

Note that you must have local administrative privileges to run the program.

Click *Scan*. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click *Next*. You may get a screen similar to the picture below. Click on *Close*.

BlackLight beta will create a log file called *"fsbl-<date-and-time>.log"*. By default, the log file is in the same directory as the executable. Please post the log.


----------

