BleepingComputer.com: DriverCure and Brontuk

DriverCure and Brontuk

#1 justacanuck (Members)
Posted 01 February 2012 - 09:52 PM

Hello, first time user here! This seems like a really neat service and I appreciate your help in advance.

Helping a neighbour with their computer but can't figure this out.

Have removed DriverCure (uninstall) and installed Security Essentials and Malwarebytes, but the computer is still infected. All the application icons lead to Internet Explorer Shortcuts both on the Desktop and in the Start Menu.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by KEVIN at 20:42:30 on 2012-02-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3001.1654 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\ProgramData\bProtector\bProtect.exe
C:\ProgramData\bProtector\bProtect.exe
C:\Program Files\InstallBrainService\InstallBrainService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: File2LinkIB: {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: File2LinkIB: {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - c:\program files\file2linkib\file2linkibX.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 192.168.22.1
TCP: Interfaces\{2B09E2BA-9C81-4A8D-AEA2-53AEE022B844} : DhcpNameServer = 192.168.22.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
AppInit_DLLs: protector.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-1-29 64512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-11-23 2391832]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 bProtector;bProtector;c:\programdata\bprotector\bProtect.exe [2011-12-18 803328]
R2 InstallBrainService;InstallBrain Updater Service;c:\program files\installbrainservice\InstallBrainService.exe [2011-12-18 273912]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-1 652360]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-30 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-1 40776]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-12 136176]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-12 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-12-10 1343400]
.
=============== Created Last 30 ================
.
2012-02-02 02:26:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-02 02:04:49 709968 ----a-w- c:\windows\isRS-000.tmp
2012-02-02 02:00:20 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-02-02 02:00:08 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b2936236-054e-4f9f-89c9-6ca1b2cf4ae8}\mpengine.dll
2012-02-02 01:58:46 388096 ----a-r- c:\users\kevin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-02 01:58:45 -------- d-----w- c:\program files\Trend Micro
2012-01-30 16:57:52 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-01-30 15:44:32 -------- d-----w- c:\users\kevin\appdata\roaming\Malwarebytes
2012-01-30 15:44:20 -------- d-----w- c:\programdata\Malwarebytes
2012-01-30 15:44:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-30 15:44:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 02:18:34 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-30 02:13:55 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-30 02:13:46 -------- d-----w- c:\program files\Lavasoft
2012-01-30 02:07:08 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{57dd1d03-5cbc-4770-b10d-af4e750073a7}\gapaengine.dll
2012-01-30 02:06:58 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-30 02:03:55 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-29 02:55:37 1656 ----a-w- c:\windows\system32\ASOROSet.bin
2012-01-28 19:01:55 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-28 19:01:55 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-28 19:01:55 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-28 19:01:55 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-28 19:01:55 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-28 19:01:55 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-28 19:01:55 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-28 19:01:55 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-28 19:01:55 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-28 19:01:55 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-14 22:44:16 42776 ----a-w- c:\programdata\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll
2012-01-14 22:44:09 539984 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight-2\SpotlightResources.dll
2012-01-14 22:38:31 -------- d-----w- C:\c1e4405748735a11f239
2012-01-14 21:44:30 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-14 21:44:30 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-14 21:44:28 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-14 21:44:27 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-10 01:24:15 -------- d-----w- c:\users\kevin\appdata\local\Microsoft Games
.
==================== Find3M ====================
.
2011-12-24 21:47:03 748544 ----a-w- c:\windows\system32\protector.dll
2011-12-18 20:45:16 748544 ----a-w- c:\windows\system32\protector.dll.tmp
2011-12-13 01:40:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:01:32 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-12-10 23:01:32 13824 ----a-w- c:\windows\system32\slwga.dll
2011-12-10 23:01:31 811520 ----a-w- c:\windows\system32\user32.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 17:52:52 17280 ----a-w- c:\windows\system32\roboot.exe
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 20:43:13.78 ===============
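The DDS log above is the first thing a Malware Response Team helper reads, and three lines in it carry most of the signal: the `AppInit_DLLs: protector.dll` entry, the `bProtect.exe` process and service running out of `C:\ProgramData`, and the pile of installed-but-disabled security products. The Python below is an added example, not part of the post and not DDS itself: it parses the section layout DDS prints and flags those three patterns. `SAMPLE_DDS` is a constructed excerpt of the log posted above; the severity labels and the list of user-writable directories are the example's own choices.

```python
"""Triage a DDS log for the signals a malware-response helper looks at first.

Added example, not part of the original post or of the DDS tool: it parses the
log format DDS prints and flags (1) an AppInit_DLLs entry, (2) processes and
services whose image lives in a user-writable directory, and (3) security
products that are installed but disabled. SAMPLE_DDS is a constructed excerpt
of the log posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_DDS = r"""
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\ProgramData\bProtector\bProtect.exe
C:\Program Files\InstallBrainService\InstallBrainService.exe
============== Pseudo HJT Report ===============
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
AppInit_DLLs: protector.dll
============= SERVICES / DRIVERS ===============
R2 bProtector;bProtector;c:\programdata\bprotector\bProtect.exe [2011-12-18 803328]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-1 652360]
"""

# Directories any user (or any process running as the user) can write to; a
# service or autostart image living here is the first thing to ask about.
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "c:\\temp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # the DDS line that triggered it
    reason: str


def triage(dds_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = re.match(r"=+\s*(.*?)\s*=+$", line)
        if header:
            section = header.group(1).lower()
            continue
        low = line.lower()
        # Security product inventory: DDS prints *Enabled|Disabled/Updated|Outdated*.
        if re.match(r"(av|sp|fw): ", low):
            if "*disabled" in low:
                findings.append(Finding("info", line, "security product installed but disabled"))
            continue
        # AppInit_DLLs is loaded into every process that links user32.dll.
        if low.startswith("appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("high", line, f"AppInit_DLLs injects {value} into every user32 process"))
            continue
        # Processes and services: pull out the image path and check where it lives.
        path = None
        if section == "running processes":
            path = low.split(" -k ")[0]
        elif section == "services / drivers":
            parts = low.split(";")
            if len(parts) >= 3:
                path = parts[2].split(" [")[0]
        if path and any(d in path for d in USER_WRITABLE_DIRS):
            findings.append(Finding("medium", line, f"{section}: image runs from a user-writable directory"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in sorted(results, key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the excerpt it reports one high (the AppInit_DLLs line), two medium (the bProtect.exe process and its service, both under C:\ProgramData) and three info findings; the InstallBrain and Malwarebytes services are left alone because they live under Program Files, which is the distinction a helper makes before asking for a VirusTotal scan.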


#2 Conspire (Malware Response Team)
Posted 05 February 2012 - 07:28 AM

Quote:
In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. If you fail to do so, your thread will be closed in THREE (3) days. :)


Hello there, justacanuck


I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.


IMPORTANT NOTE : Please do not delete anything unless instructed to. Remember to backup all your important data(if possible) before moving on.

---------------------------------------------------------------------------------------------------

Do you still require assistance?

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free.

#3 justacanuck (Members)
Posted 05 February 2012 - 05:15 PM

Thanks for the response. Yes, I still require assistance. I think the virus/malware might be gone but all the shortcut icons are IE icons (although they do seem to launch actual programs).

#4 Conspire (Malware Response Team)
Posted 05 February 2012 - 09:26 PM

Hi,

Thanks for the feedback.

Let's see if we can reset things.

  • Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up; press any key to close it once the fix is completed.
  • Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).

#5 justacanuck (Members)
Posted 05 February 2012 - 09:31 PM

Great! That worked. Wondering if you think the system is safe to use now? Here is the log requested.

exeHelper by Raktor
Build 20100414
Run at 20:28:43 on 02/05/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
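The exeHelper log above says what was put back: the .exe and .com file type associations and the Winlogon userinit and shell values. Those are the registry values that decide which program actually runs when a user double-clicks an icon or logs on, so they are worth verifying independently after a tool has "reset" them. The Python below is an added example, not exeHelper's code and not a record of this machine: it reads a Windows .reg export (what `reg export <key> file.reg` writes) and compares those values with the Windows 7 defaults, following the .exe association through to its ProgID's open command the way Windows does. `HIJACKED_REG` is a constructed sample in which .exe has been re-pointed at a hypothetical ProgID (`secfile`) whose open command wraps every launch; the `guard.exe` path in it is invented for illustration.

```python
"""Check the registry values exeHelper's log says it resets, from a 'reg export' dump.

Added example, not exeHelper's code and not a record of this machine: the
.exe/.com file associations and the Winlogon Userinit/Shell values are read from
a Windows .reg file and compared with the Windows 7 defaults. HIJACKED_REG is a
constructed sample in which .exe has been re-pointed at a hypothetical ProgID
whose open command wraps every launched program; the path in it is invented.
"""
import re

# Constructed .reg text (the format 'reg export <key> file.reg' writes).
HIJACKED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\ProgramData\\hypothetical\\guard.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_OPEN_COMMAND = '"%1" %*'   # the stock exefile/comfile open command

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {(key path, value name): data}; '@' is the key's default value."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])       # REG_SZ; dword:/hex: data is kept raw
        values[(key, name)] = data
    return values


def check(values: dict) -> list:
    """Return (key, name, actual, expected) for every value that is not at its default."""
    problems = []
    for ext, progid in ((".exe", "exefile"), (".com", "comfile")):
        ext_key = "HKEY_CLASSES_ROOT\\" + ext
        actual = values.get((ext_key, "@"))
        if actual != progid:
            problems.append((ext_key, "@", actual, progid))
        # Follow the association as Windows does: whatever ProgID is in use, its
        # open command must be exactly "%1" %*, or every launch goes elsewhere first.
        cmd_key = "HKEY_CLASSES_ROOT\\" + (actual or progid) + r"\shell\open\command"
        cmd = values.get((cmd_key, "@"))
        if cmd != CLEAN_OPEN_COMMAND:
            problems.append((cmd_key, "@", cmd, CLEAN_OPEN_COMMAND))
    for name, expected in (("Userinit", r"C:\Windows\system32\userinit.exe,"), ("Shell", "explorer.exe")):
        actual = values.get((WINLOGON, name))
        if actual is None or actual.lower() != expected.lower():
            problems.append((WINLOGON, name, actual, expected))
    return problems


if __name__ == "__main__":
    for key, name, actual, expected in check(parse_reg(HIJACKED_REG)):
        print(f"{key}\\{name}\n    is:        {actual!r}\n    should be: {expected!r}")
```

On the constructed sample it reports two problems: `.exe` maps to `secfile` instead of `exefile`, and `secfile`'s open command runs the wrapper before the real program. Repointing `.exe` back at `exefile` (which still has its clean `"%1" %*` command) clears both, which is the effect the "Resetting filetype association for .exe" line in the log describes. On a real machine export the keys with `reg export` and feed the file to `parse_reg` instead of the sample.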

#6 Conspire (Malware Response Team)
Posted 06 February 2012 - 04:19 AM

Well, there's one more file I'd like to take a further look at.

Follow these steps to display hidden files and folders.

  • Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files and folders
  • Click OK. (Remember to Hide files and folders once done)


Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


Click on Browse, and upload the following file for analysis:
c:\windows\system32\roboot.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for VirusTotal) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

#7 justacanuck (Members)
Posted 06 February 2012 - 01:08 PM

I tried to attach it as a txt file, but for some reason, the forums wouldn't take it:



SHA256: 71348bdbb51aeea4680d6abc3e7baa76fcd6bf14cc3261a9b946f29897dad550
File name: roboot.exe
Detection ratio: 0 / 43
Analysis date: 2012-02-06 14:48:20 UTC ( 6 minutes ago )

Antivirus              Result  Update
AhnLab-V3              -       20120206
AntiVir                -       20120206
Antiy-AVL              -       20120206
Avast                  -       20120206
AVG                    -       20120206
BitDefender            -       20120206
ByteHero               -       20120126
CAT-QuickHeal          -       20120206
ClamAV                 -       20120206
Commtouch              -       20120206
Comodo                 -       20120206
DrWeb                  -       20120206
Emsisoft               -       20120206
eSafe                  -       20120202
eTrust-Vet             -       20120206
F-Prot                 -       20120201
F-Secure               -       20120206
Fortinet               -       20120206
GData                  -       20120206
Ikarus                 -       20120206
Jiangmin               -       20120206
K7AntiVirus            -       20120203
Kaspersky              -       20120206
McAfee                 -       20120206
McAfee-GW-Edition      -       20120205
Microsoft              -       20120206
NOD32                  -       20120206
Norman                 -       20120206
nProtect               -       20120206
Panda                  -       20120206
PCTools                -       20120205
Prevx                  -       20120206
Rising                 -       20120206
Sophos                 -       20120206
SUPERAntiSpyware       -       20120203
Symantec               -       20120206
TheHacker              -       20120206
TrendMicro             -       20120206
TrendMicro-HouseCall   -       20120206
VBA32                  -       20120206
VIPRE                  -       20120206
ViRobot                -       20120206
VirusBuster            -       20120206

Additional information

ssdeep: 192:frW8ACZd07P/uG+eNPL+T7XTPMG4QW/O5YSnEXNp8SbjcHZs10UKyowJL/VgrYMN:sDNhLE7XbM/zhjcu10HYJLeVbCoj1p

TrID:
Windows Screen Saver (51.1%)
Win32 Executable Generic (33.2%)
Generic Win/DOS Executable (7.8%)
DOS Executable Generic (7.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool:
CodeSize.................: 8192
FileDescription..........: Regclean Pro
Comments.................: http://www.systweak.com
InitializedDataSize......: 3072
ImageVersion.............: 6.0
ProductName..............: Systweak Regclean Pro
FileVersionNumber........: 6.1.0.0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x0000
CharacterSet.............: Windows, Latin1
LinkerVersion............: 8.0
OriginalFilename.........: RegcleanPro.exe
MIMEType.................: application/octet-stream
Subsystem................: Native
FileVersion..............: 6.1
TimeStamp................: 2010:12:28 12:16:10+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: Regclean Pro Registry Optimizer
SubsystemVersion.........: 6.0
ProductVersion...........: 6.1
UninitializedDataSize....: 0
OSVersion................: 6.0
FileOS...................: Win32
LegalCopyright...........: Copyright © 2010 Systweak Inc., All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Systweak Inc., (www.systweak.com)
LegalTrademarks..........: Systweak, Regclean Pro
FileSubtype..............: 0
ProductVersionNumber.....: 6.1.0.0
EntryPoint...............: 0x2545
ObjectFileType...........: Dynamic link library

Sigcheck:
publisher................: Systweak Inc., (www.systweak.com)
product..................: Systweak Regclean Pro
internal name............: Regclean Pro Registry Optimizer
copyright................: Copyright © 2010 Systweak Inc., All rights reserved.
original name............: RegcleanPro.exe
signing date.............: 7:26 AM 11/19/2011
comments.................: http://www.systweak.com
file version.............: 6.1
signers..................: Systweak Inc
                           VeriSign Class 3 Code Signing 2009-2 CA
                           Class 3 Public Primary Certification Authority
description..............: Regclean Pro

Portable Executable structural information
Compilation timedatestamp.....: 2010-12-28 11:16:10
Target machine................: 332
Entry point address...........: 0x00002545

PE Sections:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             7982          8192      6.24     baaafcec427a6cc0cc73728bc3f0274b
.data   12288            844           512       0.20     563629f165a1b00ba1c92b2b4adf94bb
.rsrc   16384            1128          1536      2.59     ed9df3c3dd2ff71057983f0ee6cb5d56
.reloc  20480            438           512       5.06     40af51e8e0afdba218bf98f14ab70502

PE Imports:
ntdll.dll: NtDisplayString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, vsprintf, NtOpenKey, RtlInitUnicodeString, NtLoadKey, NtUnloadKey, RtlAllocateHeap, RtlFreeHeap, RtlAdjustPrivilege, NtInitializeRegistry, RtlCreateHeap, memset, NtClose, NtReadFile, NtCreateFile, NtSaveKey, NtReplaceKey, ZwDeleteFile, LdrGetProcedureAddress, LdrGetDllHandle, NtFlushKey, NtDelayExecution, NtSetValueKey, memmove, NtQueryValueKey, _chkstk, NtFlushBuffersFile, NtWriteFile, NtShutdownSystem, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind

First seen by VirusTotal: 2011-11-29 21:19:16 UTC ( 2 months, 1 week ago )
Last seen by VirusTotal: 2012-02-06 14:48:20 UTC ( 47 minutes ago )

File names (max. 25):
1. roboot.exe
2. A20CA8A0800799B943F10050346B600032B0E804.exe
3. file-3231130_exe
4. roboot.exe


#8 Conspire (Malware Response Team)
Posted 06 February 2012 - 08:31 PM

You're good to go.

#9 justacanuck (Members)
Posted 06 February 2012 - 08:38 PM

Thanks for the awesome assistance!

#10 Conspire (Malware Response Team)
Posted 07 February 2012 - 01:46 AM

You're welcome :)

#11 Conspire (Malware Response Team)
Posted 07 February 2012 - 01:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
