
Pc Threats


  • This topic is locked
15 replies to this topic

#1 nsp
  • Members
  • 10 posts

Posted 22 May 2008 - 10:33 AM

Hi,

My PC is infected with the following.

Email-Worm.Brontok.Q
Backdoor.Hupigon.GEN
Trojan-Downloader.Agent.BNZ
Exploit.Java.ByteVerify

I am new to fixing spyware etc.
Please help me out.

Thanks.


#2 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 10:42 AM

It says, the path of the file is
C:\DOCUMENTS AND SETTINGS:\NETWORKSERVICE\MYDOCUMENTS\My Pictures\about.Brontok.A.html

#3 jgweed
  • Staff Emeritus
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 22 May 2008 - 12:15 PM

Are you able to quarantine these with your Anti-virus, or do you get error messages?
What is the "it" that tells you the path file?
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#4 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 12:24 PM

Spywaredoctor tells this path file

#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 01:34 PM

What action is Spywaredoctor taking?

If it's not doing anything, please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

When a browser runs an applet, the Java Runtime Environment (JRE) stores all the downloaded files into its cache directory for better performance. Microsoft stores the applets in the Temporary Internet Files. The Java.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code...Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. See: here.

AVG, eTrust EZ Antivirus, Pest Patrol and others will find Java/ByteVerify but cannot get rid of them. If you have the Java-Plugin installed, then deleting them from the Java cache should eliminate the problem. The Java Plug-In in the Control Panel is only present if you are using Sun's Java. If you don't have the Java-Plugin installed then just delete the files manually. The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

Recommended Solution:
If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
If you're using IE, Netscape, Mozilla, Opera, or AOL, follow the instructions for Clearing your Web Browser Cache.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 01:49 PM

Which one is the downloadable?
Is it BRONTSFX.EXE?

#7 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 02:04 PM

BRONTSFX.EXE is for use by system administrators on Windows networks.

Download BRONTGUI and save to your desktop.
  • Double-Click brontgui.com.
  • Click OK to accept the terms.
  • Click the GO Button.
  • Your computer will now be scanned. Be patient as the scan may take a few minutes.


#8 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 02:22 PM

Well, I followed your instructions.
Here is the log.
Still spyware shows me the threat Email-Worm.Brontok.Q
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

Data Version 1.03

System scan started at 13:53 on 22 May 2008

Checking for W32/Brontok in memory

Checking for registry keys affected by W32/Brontok

Reset registry value HKCU\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden
Reset registry value HKCU\software\microsoft\windows\currentversion\policies\explorer\NoFolderOptions

Checking for files affected by W32/Brontok

Scanning C:


Scanning D:


Scanning C:\WINDOWS


Checking for registry keys affected by W32/Brontok


System scan finished at 14:04 on 22 May 2008

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 2
Registry keys changed : 2
Files found : 0
Files deleted : 0


RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

Data Version 1.03

System scan started at 14:05 on 22 May 2008

Checking for W32/Brontok in memory

Checking for registry keys affected by W32/Brontok


Checking for files affected by W32/Brontok

Scanning C:


Scanning D:



RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

Data Version 1.03

System scan started at 14:08 on 22 May 2008

Checking for W32/Brontok in memory

Checking for registry keys affected by W32/Brontok


Checking for files affected by W32/Brontok

Scanning C:


Scanning D:


Scanning C:\WINDOWS


Checking for registry keys affected by W32/Brontok


System scan finished at 14:15 on 22 May 2008

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0
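The RESOLVE output above is really three appended runs, and the middle one stops before its summary block, which is easy to misread as "nothing found". The parser below is an added example (not the poster's log tooling and not part of Sophos's tool): it splits a RESOLVE-style log into runs, marks a run as complete only when it reached the counters, and pulls out the registry values the tool had to restore, which in the first run are the two Explorer settings (ShowSuperHidden, NoFolderOptions) that the worm alters to keep hidden files from being shown. The sample log embedded in the script is constructed in the same shape as the one posted, not a copy of it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of the RESOLVE log posted above: one finished
# run that reset two registry values, then a run cut off before its summary.
SAMPLE_LOG = """RESOLVE Version 1.07
Copyright (c) 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

System scan started at 13:53 on 22 May 2008

Checking for registry keys affected by W32/Brontok

Reset registry value HKCU\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\ShowSuperHidden
Reset registry value HKCU\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\NoFolderOptions

Checking for files affected by W32/Brontok

System scan finished at 14:04 on 22 May 2008

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 2
Registry keys changed : 2
Files found : 0
Files deleted : 0

RESOLVE Version 1.07
Copyright (c) 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

System scan started at 14:05 on 22 May 2008

Checking for files affected by W32/Brontok

Scanning C:
"""

HEADER = "RESOLVE Version"  # the tool prints a fresh header each time it is started
START_RE = re.compile(r"^System scan started at (\S+) on (.+)$")
FINISH_RE = re.compile(r"^System scan finished at (\S+) on (.+)$")
RESET_RE = re.compile(r"^Reset registry value (\S+)$")
COUNTER_RE = re.compile(r"^([A-Za-z ]+?) : (\d+)$")


@dataclass
class ScanRun:
    """One RESOLVE run, from its header to (if it got there) its summary counters."""
    started: Optional[str] = None
    finished: Optional[str] = None
    registry_resets: List[str] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        # Only a run that reached the summary block can be read as a verdict.
        return self.finished is not None and "Files found" in self.counters


def parse_resolve_log(text: str) -> List[ScanRun]:
    runs: List[ScanRun] = []
    current: Optional[ScanRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current = ScanRun()
            runs.append(current)
            continue
        if current is None or not line:
            continue
        m = START_RE.match(line)
        if m:
            current.started = f"{m.group(1)} {m.group(2)}"
            continue
        m = FINISH_RE.match(line)
        if m:
            current.finished = f"{m.group(1)} {m.group(2)}"
            continue
        m = RESET_RE.match(line)
        if m:
            current.registry_resets.append(m.group(1))
            continue
        m = COUNTER_RE.match(line)
        if m:
            current.counters[m.group(1)] = int(m.group(2))
    return runs


def reset_value_names(runs: List[ScanRun]) -> Set[str]:
    """Names (last path component) of the registry values the tool restored."""
    return {path.rsplit("\\", 1)[-1] for run in runs for path in run.registry_resets}


def triage(runs: List[ScanRun]) -> List[str]:
    """Turn parsed runs into the points a helper would raise when reading the log."""
    findings = []
    for i, run in enumerate(runs, 1):
        if not run.complete:
            findings.append(f"run {i}: no summary block, log was cut off; re-run and re-post")
            continue
        if run.counters.get("Files found", 0) > run.counters.get("Files deleted", 0):
            findings.append(f"run {i}: files found but not all deleted")
        if run.registry_resets:
            names = ", ".join(p.rsplit("\\", 1)[-1] for p in run.registry_resets)
            findings.append(f"run {i}: restored {len(run.registry_resets)} registry value(s): {names}")
        elif run.counters.get("Files found", 0) == 0:
            findings.append(f"run {i}: clean as far as this tool looks; the detection may come from another file")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_resolve_log(SAMPLE_LOG)):
        print(finding)
```

Reading the first run this way shows that the tool did do something (it restored the two Explorer values), which matters for the rest of the thread: with those values reset, the hidden-file view the later post asks for will actually take effect.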

#9 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 02:31 PM

Please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
  • Disconnect the computer from the Internet and close all other programs.
  • Double-click CleanX-II.exe and follow the prompts.
  • The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
  • Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS" run the entire scan a second time.


#10 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 02:57 PM

It did not perform the required.
Still the worm is there.
Here is the log.

#######################################################################

Brontok Worm Removal Tool - (Version - 06.09.17B)
by sUBs

#######################################################################

Current date: Thu 05/22/2008 Current time: 14:46:29.73

=== PRE RUN ANALYSIS ===================================


=== POST RUN ANALYSIS ==================================



NOTE
The post-run analysis portion should be empty. If it's not, reboot and run the tool a second time.
14:47:21.21

======================================================

#11 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 04:23 PM

Download FileASSASSIN FA_Portable.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
    Note: If you downloaded the installable version instead, just double-click on fa-setup.exe to install and then launch FileASSASSIN from the program folder.
  • Select the bad file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal".
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."


#12 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 04:32 PM

Can you please explain what you mean by "Select the bad file to delete"?
How do I know where the bad files are located?

#13 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 04:38 PM

Email-Worm.Brontok.Q is the name of the threat detection from the anti-spyware vendor. It is not the specific file but you said the path was:

C:\DOCUMENTS AND SETTINGS:\NETWORKSERVICE\MYDOCUMENTS\My Pictures\about.Brontok.A.html <- this file

You said it was still there after running both tools. Is this not the file you were referring to?
If that is not the file, then what file are you referring to when stating the worm is there?

#14 nsp
  • Topic Starter
  • Members
  • 10 posts

Posted 22 May 2008 - 04:41 PM

The problem is this.
Spyware doctor shows the threat and file path as C:\DOCUMENTS AND SETTINGS:\NETWORKSERVICE\MYDOCUMENTS\My Pictures\about.Brontok.A.html

But, this file path does not exist at all.
If I had located this file, I could have as well deleted it.
But I don't know where it resides.
It's malware.

#15 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 50,593 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 May 2008 - 07:30 PM

The Network Service account is a special built-in account hidden by default.

Reconfigure Windows XP to show hidden files and folders. Double-click on My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", then click Apply > OK.

Profiles in this folder are required by the system to run and should not be modified so be careful what you delete.