
Brontok.q.227 exe files keep reappearing


  • Please log in to reply
6 replies to this topic

#1 rgdmn (Members, 4 posts)

Posted 23 October 2011 - 02:38 PM

Every couple of days, a number of exe files appear in my C:\Users\Public\ folder. They are all the same size and are named after whatever folder they are in (Public.exe/Videos.exe/Pictures.exe), and Avira detects them as Worm/Brontok.q.227. I've scanned with MBAM, Avira, and the ESET online scan, and while they manage to detect the exe files, they can't seem to find the source.

If someone could help I'd be very grateful

#2 cryptodan, Bleepin Madman (Members, 21,868 posts, Catonsville, Md)

Posted 23 October 2011 - 02:39 PM

Can you post the logs?

#3 boopme, To Insanity and Beyond (Global Moderator, 72,934 posts, NJ USA)

Posted 23 October 2011 - 02:50 PM

Also, please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

When done, please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
Disconnect the computer from the Internet and close all other programs.
Double-click CleanX-II.exe and follow the prompts.
The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period and allow it to complete its task.
Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS", run the entire scan a second time.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 rgdmn, Topic Starter (Members, 4 posts)

Posted 23 October 2011 - 02:52 PM

I had to remove the part of the log where it lists every single folder it scans because it was way too long to post:

Avira Free Antivirus
Report file date: Monday, October 24, 2011 03:20

Version information:
BUILD.DAT : 12.0.0.855 Bytes 12/10/2011 17:40:00
AVSCAN.EXE : 12.1.0.17 490448 Bytes 11/10/2011 07:00:09
AVSCAN.DLL : 12.1.0.17 54224 Bytes 23/9/2011 05:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 11/10/2011 07:00:17
AVSCPLR.DLL : 12.1.0.19 99536 Bytes 11/10/2011 07:00:09
AVREG.DLL : 12.1.0.20 227024 Bytes 11/10/2011 07:00:09
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 12:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 03:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 9/2/2011 09:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 7/4/2011 04:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 31/5/2011 04:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 06:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 16/8/2011 01:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 5/10/2011 07:00:25
VBASE008.VDF : 7.11.15.107 2048 Bytes 5/10/2011 07:00:25
VBASE009.VDF : 7.11.15.108 2048 Bytes 5/10/2011 07:00:25
VBASE010.VDF : 7.11.15.109 2048 Bytes 5/10/2011 07:00:25
VBASE011.VDF : 7.11.15.110 2048 Bytes 5/10/2011 07:00:25
VBASE012.VDF : 7.11.15.111 2048 Bytes 5/10/2011 07:00:25
VBASE013.VDF : 7.11.15.144 161792 Bytes 7/10/2011 07:00:25
VBASE014.VDF : 7.11.15.177 130048 Bytes 10/10/2011 07:00:25
VBASE015.VDF : 7.11.15.213 113664 Bytes 11/10/2011 07:35:57
VBASE016.VDF : 7.11.16.1 163328 Bytes 14/10/2011 03:12:22
VBASE017.VDF : 7.11.16.34 187904 Bytes 18/10/2011 03:12:24
VBASE018.VDF : 7.11.16.77 139264 Bytes 20/10/2011 03:12:25
VBASE019.VDF : 7.11.16.78 2048 Bytes 20/10/2011 03:12:26
VBASE020.VDF : 7.11.16.79 2048 Bytes 20/10/2011 03:12:27
VBASE021.VDF : 7.11.16.80 2048 Bytes 20/10/2011 03:12:28
VBASE022.VDF : 7.11.16.81 2048 Bytes 20/10/2011 03:12:28
VBASE023.VDF : 7.11.16.82 2048 Bytes 20/10/2011 03:12:29
VBASE024.VDF : 7.11.16.83 2048 Bytes 20/10/2011 03:12:30
VBASE025.VDF : 7.11.16.84 2048 Bytes 20/10/2011 03:12:30
VBASE026.VDF : 7.11.16.85 2048 Bytes 20/10/2011 03:12:31
VBASE027.VDF : 7.11.16.86 2048 Bytes 20/10/2011 03:12:32
VBASE028.VDF : 7.11.16.87 2048 Bytes 20/10/2011 03:12:32
VBASE029.VDF : 7.11.16.88 2048 Bytes 20/10/2011 03:12:33
VBASE030.VDF : 7.11.16.89 2048 Bytes 20/10/2011 03:12:34
VBASE031.VDF : 7.11.16.107 146944 Bytes 23/10/2011 19:19:19
Engineversion : 8.2.6.84
AEVDF.DLL : 8.1.2.1 106868 Bytes 1/9/2011 15:46:02
AESCRIPT.DLL : 8.1.3.81 467322 Bytes 11/10/2011 07:00:07
AESCN.DLL : 8.1.7.2 127349 Bytes 1/9/2011 15:46:02
AESBX.DLL : 8.2.1.34 323957 Bytes 1/9/2011 15:46:02
AERDL.DLL : 8.1.9.15 639348 Bytes 8/9/2011 15:16:06
AEPACK.DLL : 8.2.10.11 684408 Bytes 22/9/2011 08:18:45
AEOFFICE.DLL : 8.1.2.15 201083 Bytes 15/9/2011 17:17:25
AEHEUR.DLL : 8.1.2.180 3748217 Bytes 12/10/2011 05:41:59
AEHELP.DLL : 8.1.17.7 254327 Bytes 1/9/2011 15:46:01
AEGEN.DLL : 8.1.5.9 401780 Bytes 1/9/2011 15:46:01
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/9/2011 15:46:01
AECORE.DLL : 8.1.23.0 196983 Bytes 1/9/2011 15:46:01
AEBB.DLL : 8.1.1.0 53618 Bytes 1/9/2011 15:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 11/10/2011 07:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 11/10/2011 07:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 11/10/2011 07:00:09
AVARKT.DLL : 12.1.0.17 223184 Bytes 11/10/2011 07:00:07
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 11/10/2011 07:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 11/10/2011 07:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 11/10/2011 07:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 11/10/2011 07:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 11/10/2011 07:00:31
RCTEXT.DLL : 12.1.0.16 96208 Bytes 23/9/2011 05:37:24

Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: extended
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Skipped files.......................: D:\Users\User\Desktop\runner.exe, D:\users\user\desktop\runner.old, D:\users\user\documents\my received files\runner(4).exe,
Deviating risk categories...........: +APPL,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, October 24, 2011 03:20

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD5
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD6
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights
Master boot sector HD7
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
[WARNING] System error [5]: Access is denied.
[INFO] Please restart the search with Administrator rights

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'League of Legends.exe' - '1' Module(s) have been scanned
Scan process 'LolClient.exe' - '1' Module(s) have been scanned
Scan process 'LoLLauncher.exe' - '1' Module(s) have been scanned
Scan process 'rads_user_kernel.exe' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'IELowutil.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'razerofa.exe' - '1' Module(s) have been scanned
Scan process 'razertra.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'razerhid.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'VCDDaemon.exe' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'Dropbox.exe' - '1' Module(s) have been scanned
Scan process 'TM Server.exe' - '1' Module(s) have been scanned
Scan process 'zumodrive.exe' - '1' Module(s) have been scanned
Scan process 'AnyDVDtray.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '2830' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\
C:\hiberfil.sys
[NOTE] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[NOTE] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.

Beginning disinfection:
C:\Users\Public\Videos\
C:\Users\Public\Videos\Videos.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '4a89c3c3.qua'.
C:\Users\Public\Recorded TV\Sample Media\
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '5207ec1c.qua'.
C:\Users\Public\Pictures\
C:\Users\Public\Pictures\Pictures.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '004eb68c.qua'.
C:\Users\Public\Music\
C:\Users\Public\Music\Music.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '6669f942.qua'.


End of the scan: Monday, October 24, 2011 03:41
Used time: 19:27 Minute(s)

The scan has been done completely.

46498 Scanned directories
887188 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
343 Files cannot be scanned
886841 Files not concerned
5987 Archives were scanned
448 Warnings
394 Notes
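The report above is the kind of log a helper reads by hand; as an added example (not code from this thread or from Avira), here is a small parser that pairs each [DETECTION] line with the file path before it and the quarantine name after it, then cross-checks the count against the report's own summary and flags hits that fit the folder-named dropper pattern the poster described. The embedded excerpt is taken from the report above with the trimmed folder listing left out.

```python
"""Parse an Avira AntiVir scan report into structured detection records.

Added example; it is not code from this thread or from Avira. It pairs each
[DETECTION] line with the file path that precedes it and the quarantine name
from the following [NOTE], then cross-checks the count against the report's
own summary line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the report posted above, kept in its original layout (the scan
# header and the per-folder listing the poster trimmed are omitted).
SAMPLE_REPORT = r"""
Beginning disinfection:
C:\Users\Public\Videos\
C:\Users\Public\Videos\Videos.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '4a89c3c3.qua'.
C:\Users\Public\Recorded TV\Sample Media\
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '5207ec1c.qua'.
C:\Users\Public\Pictures\
C:\Users\Public\Pictures\Pictures.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '004eb68c.qua'.
C:\Users\Public\Music\
C:\Users\Public\Music\Music.exe
[DETECTION] Contains recognition pattern of the WORM/Brontok.q.227 worm
[NOTE] The file was moved to the quarantine directory under the name '6669f942.qua'.

End of the scan: Monday, October 24, 2011 03:41

4 Viruses and/or unwanted programs were found
4 Files were moved to quarantine
"""

DETECTION_RE = re.compile(r"^\[DETECTION\] Contains recognition pattern of the (\S+)")
QUARANTINE_RE = re.compile(r"quarantine directory under the name '([^']+)'")
FOUND_RE = re.compile(r"^(\d+) Viruses and/or unwanted programs were found")


@dataclass
class Detection:
    path: str
    signature: str
    quarantine_name: Optional[str] = None

    def named_after_parent(self) -> bool:
        """True for the dropper pattern in this thread (Videos.exe inside the Videos folder)."""
        parts = [p for p in self.path.split("\\") if p]
        if len(parts) < 2:
            return False
        stem = parts[-1].rsplit(".", 1)[0]
        return stem.lower() == parts[-2].lower()


def parse_report(text: str) -> Tuple[List[Detection], Optional[int]]:
    """Return (detections, total the report itself claims)."""
    detections: List[Detection] = []
    last_path: Optional[str] = None
    reported_total: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = DETECTION_RE.match(line)
            if m and last_path is not None:
                detections.append(Detection(path=last_path, signature=m.group(1)))
                continue
            m = QUARANTINE_RE.search(line)
            if m and detections and detections[-1].path == last_path:
                detections[-1].quarantine_name = m.group(1)
            continue
        m = FOUND_RE.match(line)
        if m:
            reported_total = int(m.group(1))
            continue
        # Every other line is a path (file or directory) the scanner is visiting;
        # remember it so the next [DETECTION] can be attributed to it.
        last_path = line
    return detections, reported_total


def check_report(text: str) -> dict:
    """Summary worth eyeballing: do the details match the totals, and does
    every hit fit the folder-named dropper pattern?"""
    detections, reported_total = parse_report(text)
    return {
        "detections": len(detections),
        "reported_total": reported_total,
        "consistent": reported_total == len(detections),
        "signatures": sorted({d.signature for d in detections}),
        "all_quarantined": all(d.quarantine_name for d in detections),
        "folder_named": sum(d.named_after_parent() for d in detections),
    }


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT)[0]:
        print(d.path, "->", d.signature, d.quarantine_name)
    print(check_report(SAMPLE_REPORT))
```

Run it against a full saved report and the summary shows at a glance whether every detection was actually quarantined and whether all hits share the same signature and naming pattern, which is what distinguishes a self-replicating dropper from four unrelated findings.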

#5 rgdmn, Topic Starter (Members, 4 posts)

Posted 23 October 2011 - 02:55 PM

The Sophos Brontok tool finds nothing, and CleanX-II.exe gives the error "the program or feature cannot start or run due to incompatibility with 64-bit versions of Windows".

#6 rgdmn, Topic Starter (Members, 4 posts)

Posted 23 October 2011 - 06:37 PM

I just noticed something else - there is another computer showing up on the network as RANDY-PC. The thing is, I don't have a home network - my computer is connected directly to the modem. Public folder sharing was turned on, so I'm assuming this is how the exes kept reappearing. I've turned off public folder sharing and network discovery.
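The indicator from the first post (executables named after the folder that contains them, all the same size) combined with the writable Public share from this post is something you can hunt for directly. As an added example that is not the thread's or any vendor's code, the script below walks a share root, flags every executable whose name repeats its parent folder, and groups the hits by size and SHA-256 so identical copies stand out. The directory tree it builds for the demonstration is constructed with placeholder bytes; the `hunt()` and `demo()` names are this example's own.

```python
"""Hunt for the Brontok-style dropper pattern described in this thread:
executables whose file name repeats the name of their containing folder
(Public.exe in Public, Videos.exe in Videos, ...), typically all the same size.

Added example, not code from the thread or any vendor tool. It walks a share
root (assumed to be C:\\Users\\Public or a copy of it), reports every match and
groups the matches by (size, SHA-256) so replicated copies cluster together.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_folder_named_executables(root) -> List[Path]:
    """Executables whose stem equals their parent directory name (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        parent = Path(dirpath)
        for name in filenames:
            p = parent / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.stem.lower() == parent.name.lower():
                hits.append(p)
    return sorted(hits)


def group_identical(paths: List[Path]) -> Dict[Tuple[int, str], List[Path]]:
    """Group hits by (size, sha256); several members in one group means one
    binary copied into many folders, which is how the poster's files looked."""
    groups: Dict[Tuple[int, str], List[Path]] = defaultdict(list)
    for p in paths:
        groups[(p.stat().st_size, sha256_of(p))].append(p)
    return groups


def hunt(root) -> dict:
    hits = find_folder_named_executables(root)
    groups = group_identical(hits)
    return {
        "hits": [str(p) for p in hits],
        "hit_names": sorted(p.name for p in hits),
        "largest_cluster": max((len(v) for v in groups.values()), default=0),
    }


def build_sample_tree(base) -> Path:
    """Constructed fixture mirroring the layout reported in the thread.
    The payload is placeholder bytes, not a real binary."""
    public = Path(base) / "Public"
    payload = b"PLACEHOLDER-NOT-A-REAL-BINARY" * 8
    for folder in ("Public", "Videos", "Pictures", "Music"):
        d = public if folder == "Public" else public / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{folder}.exe").write_bytes(payload)
    # Legitimate files that must not be flagged: a media file, and an exe
    # that is not named after its folder.
    (public / "Videos" / "clip.mp4").write_bytes(b"\x00" * 16)
    (public / "Music" / "player.exe").write_bytes(b"different" * 4)
    return public


def demo() -> dict:
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_tree(tmp))


if __name__ == "__main__":
    result = demo()
    for h in result["hits"]:
        print("suspicious:", h)
    print("largest identical cluster:", result["largest_cluster"])
```

On the real machine you would call `hunt(r"C:\Users\Public")` (or the root of any folder that is shared out) and rerun it after cleaning: if the same cluster comes back while the share is still writable by the unknown host on the network, the copies are being written from outside and local disinfection alone will not stop them, which is exactly the situation the post above describes.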

#7 boopme, To Insanity and Beyond (Global Moderator, 72,934 posts, NJ USA)

Posted 25 October 2011 - 11:53 AM

OK, Avira removed the Brontok. Is the other person gone now?



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.



