
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5297
  • Last Modified:

W32/Brontok.H.worm

My (Windows XP) computer is infected with W32/Brontok.H.worm, as Panda Titanium detects. It keeps removing it, but it keeps reappearing. The statistics show 650,000+ detections. I've looked online for help, but the solutions I've seen don't seem to contain the files removed by Panda.

Some of the files being:
-c:\documents and settings\all users\documents\my videos\my videos.exe
-c:\documents and settings\all users\documents\my pictures\sample pictures\sample pictures.exe
-c:\documents and settings\all users\documents\my music\sync playlists\sync playlists.exe
-c:\documents and settings\all users\documents\adobe pdf\settings\settings.exe
-c:\windows\system\system.exe
-c:\windows\srchasst\chars.exe
-c:\windows\shellnew\shellnew.exe
-c:\windows\servicepackfiles\i386\i386.exe
-c:\data jason.exe
-c:\c.exe
-c:\dnetc\dnetc.exe
-c:\windows\inf\inf.exe
-etc...

I see no changes in my computer though, except a few resources being used up on displaying alerts. I'll try to post additional info when asked. And I have no points, sorry for the low number.
Asked: RubyWeapon
1 Solution
 
r-kCommented:
Please run HijackThis and post your log here as follows:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

0
 
RubyWeaponAuthor Commented:
0
 
r-kCommented:
Thanks, though I am just a user of HJT, not the author.

Your HJT log looks fairly clean, so I think the virus is no longer active. You should clean the following entry anyway:

 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

using HJT itself.

For the files that Panda is having trouble deleting, about how many such files are there? Can you boot in safe mode and delete them directly with Windows Explorer?
0
 
r-kCommented:
Or, download Killbox from: http://www.scancomplete.com/download/killbox/
and use that to delete those files.
0
 
RubyWeaponAuthor Commented:
The thing is that the files are being deleted (I check the dir and there is no file, not even hidden). The files keep reappearing, no problem deleting. There are many different files that it deletes, but they all seem to keep coming back no matter what I do. Safe mode won't have any effect here (in terms of fixing the problem).
0
 
r-kCommented:
"I check the dir and there is no file"

Have you checked that the files really are back, using Windows Explorer or "My Computer" ?

If yes, then do the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list.

(5) Use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.
0
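One way to shortlist the saved Autoruns listing automatically, as an added example that is not from this thread or from Sysinternals: it parses the text file the steps above produce and applies the same leads the thread follows by hand, including the folder-name.exe drop pattern visible in the file list in the question. The column layout and the sample rows are assumptions modelled on the listing posted later in this thread.

```python
"""Triage a saved Autoruns text listing for entries worth a second look.

The rules mirror what was done by hand in this thread: missing image file,
no recorded publisher, an executable in a drive root or a user-writable
folder, and the Brontok habit of naming a dropped .exe after its parent
folder (\\windows\\inf\\inf.exe, \\windows\\system\\system.exe).
"""
import re

# A path-like token: drive letter, colon, backslash, then up to a tab/end.
PATH_RE = re.compile(r"(?i)[a-z]:\\[^\t]+")
# Folders an unprivileged process can write to; a startup item here is odd.
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                 "\\applic~1\\", "\\application data\\", "\\local settings\\")


def split_fields(line):
    """Autoruns saves tab-separated columns; copies pasted into a browser
    usually have the tabs collapsed to runs of spaces, so accept both."""
    body = line[2:] if line.startswith("+ ") else line
    sep = "\t" if "\t" in body else r" {2,}"
    return [f.strip() for f in re.split(sep, body) if f.strip()]


def parse_autoruns(text):
    """Yield (section, name, publisher, image) for every '+ ' row."""
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith("+ "):
            section = line.strip()   # e.g. HKLM\...\CurrentVersion\Run
            continue
        fields = split_fields(line)
        image = fields[-1] if len(fields) > 1 else ""
        # Only a full row (name, description, publisher, image) carries a
        # publisher; shorter rows lost that column, so treat it as absent.
        publisher = fields[2] if len(fields) >= 4 else ""
        yield section, fields[0], publisher, image


def is_in_root(path):
    """True for c:\\something.exe sitting directly in a drive root."""
    return re.fullmatch(r"(?i)[a-z]:\\[^\\]+", path) is not None


def named_after_parent(path):
    """True for <dir>\\<name>\\<name>.exe, the drop pattern listed in the
    question. Legitimate software occasionally does this too: a lead, not proof."""
    parts = [p for p in path.lower().split("\\") if p]
    if len(parts) < 3 or not parts[-1].endswith(".exe"):
        return False
    return parts[-1][:-4] == parts[-2]


def triage(text):
    """Return [{section, name, reasons}] for rows that match any rule."""
    findings = []
    for section, name, publisher, image in parse_autoruns(text):
        reasons = []
        if image.lower().startswith("file not found"):
            reasons.append("image missing (stale entry or already-deleted dropper)")
        elif not publisher:
            reasons.append("no publisher recorded")
        # Check the image plus any path passed as an argument: the
        # BootExecute/PFDNNT rows in the listing carry the file to delete.
        image_path = re.sub(r"(?i)^file not found:\s*", "", image)
        for p in [image_path] + PATH_RE.findall(name):
            pl = p.lower()
            if is_in_root(pl):
                reasons.append(f"executable in drive root: {p}")
            elif any(marker in pl for marker in USER_WRITABLE):
                reasons.append(f"user-writable location: {p}")
            if named_after_parent(pl):
                reasons.append(f"named after its parent folder: {p}")
        if reasons:
            findings.append({"section": section, "name": name, "reasons": reasons})
    return findings


# Constructed sample in the saved-file format, modelled on rows in the thread.
SAMPLE = "\n".join([
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "+ SoundMan\tRealtek Sound Manager\tRealtek Semiconductor Corp.\tc:\\windows\\soundman.exe",
    "+ Launch Ai Booster\t\t\tc:\\program files\\asus\\ai booster\\overclk.exe",
    "Task Scheduler",
    "+ B070A4DE93A75886.job\t\t\tFile not found: c:\\docume~1\\xrubyw~1\\applic~1\\partsk~1\\That Bias Dale.exe",
    "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
    "+ PFDNNT C:\\WINDOWS\\INF\\INF.EXE\tpfdnnt\tPanda Software\tc:\\program files\\panda software\\pfdnnt.exe",
    "HKLM\\System\\CurrentControlSet\\Services",
    "+ SVKP\tSVKP driver for NT\tAntiCracking\tc:\\windows\\system32\\svkp.sys",
    "+ AsIO\t\t\tc:\\windows\\system32\\drivers\\asio.sys",
])

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['section']}] {f['name']}: " + "; ".join(f["reasons"]))
```

The SVKP row that the expert singles out later passes every rule here: an unfamiliar publisher only stands out against an allow-list or an experienced eye, so treat this as a first pass, not a verdict.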
 
RubyWeaponAuthor Commented:
Isn't that basically what HJT does?

Anyways, it's huge and long (about 64KB). Are you sure I should post something that big here?
0
 
RubyWeaponAuthor Commented:
And I do check for the deleted files.
0
 
r-kCommented:
"are you sure I should post something that big here?"

No, first shorten the list using step (3) above.

"(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list."
0
 
r-kCommented:
Since the files keep coming back (as you verified?) we have to assume there is something still active that recreates them.

Autoruns sometimes shows things that are missed by HJT.
0
 
RubyWeaponAuthor Commented:
It's 64KB with those options done.
0
 
RubyWeaponAuthor Commented:
Wait, forgot to refresh the list (it's still big) =.=

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ APVXDWIN      ApVxdWin      Panda Software International      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\apvxdwin.exe

+ DiskeeperSystray      DKICON.EXE      Diskeeper Corporation      c:\program files\diskeeper corporation\diskeeper\dkicon.exe

+ Launch Ai Booster                  c:\program files\asus\ai booster\overclk.exe

+ MSPY2002                  c:\windows\system32\ime\pintlgnt\imscinst.exe

+ NeroFilterCheck      NeroCheck      Ahead Software Gmbh      c:\windows\system32\nerocheck.exe

+ NvCplDaemon      NVIDIA Display Properties Extension      NVIDIA Corporation      c:\windows\system32\nvcpl.dll

+ NvMediaCenter      NVIDIA Media Center Library      NVIDIA Corporation      c:\windows\system32\nvmctray.dll

+ nwiz      NVIDIA nView Wizard, Version 110.26       NVIDIA Corporation      c:\windows\system32\nwiz.exe

+ QuickTime Task      QuickTime Task      Apple Computer, Inc.      c:\program files\quicktime\qttask.exe

+ SoundMan      Realtek Sound Manager      Realtek Semiconductor Corp.      c:\windows\soundman.exe

+ SunJavaUpdateSched      Java(TM) 2 Platform Standard Edition binary      Sun Microsystems, Inc.      c:\program files\java\jre1.5.0_06\bin\jusched.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  

+ Adobe Reader Speed Launch.lnk      Adobe Acrobat SpeedLauncher      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

C:\Documents and Settings\xRubyWeaponx\Start Menu\Programs\Startup                  

+ Adobe Gamma.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run                  

+ ResChanger 2005      ResChanger 2005      EVGA CORP      c:\program files\reschanger 2005\reschanger2005.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ Desktop Explorer      NVIDIA Desktop Explorer, Version 110.26       NVIDIA Corporation      c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu      NVIDIA Desktop Explorer, Version 110.26       NVIDIA Corporation      c:\windows\system32\nvshell.dll

+ Display Panning CPL Extension                  File not found: deskpan.dll

+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

+ NeroDigitalIconHandler      Nero Digital Shell Extension      Nero AG      c:\program files\common files\ahead\lib\nerodigitalext.dll

+ NeroDigitalPropSheetHandler      Nero Digital Shell Extension      Nero AG      c:\program files\common files\ahead\lib\nerodigitalext.dll

+ NvCpl DesktopContext Class      NVIDIA Display Properties Extension      NVIDIA Corporation      c:\windows\system32\nvcpl.dll

+ nView Desktop Context Menu      NVIDIA Desktop Explorer, Version 110.26       NVIDIA Corporation      c:\windows\system32\nvshell.dll

+ Panda Antivirus      ShellTit      Panda Software International      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\shelltit.dll

+ Play on my TV helper      NVIDIA Display Properties Extension      NVIDIA Corporation      c:\windows\system32\nvcpl.dll

+ PowerISO      PowerISOShell DLL      PowerISO Computing, Inc.      c:\program files\poweriso\pwrisosh.dll

+ WinRAR shell extension                  c:\program files\winrar\rarext.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing LP      c:\program files\winzip\wzshlstb.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers                  

+ NeroDigitalColumnHandler Class      Nero Digital Shell Extension      Nero AG      c:\program files\common files\ahead\lib\nerodigitalext.dll

+ PDF Shell Extension      PDF Shell Extension      Adobe Systems, Inc.      c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                  

+ Adobe PDF Reader Link Helper      Adobe Acrobat IE Helper Version 7.0 for ActiveX      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

+ Google Toolbar Helper      Google IE Client Toolbar      Google Inc.      c:\program files\google\googletoolbar2.dll

+ SSVHelper Class      Java(TM) 2 Platform Standard Edition binary      Sun Microsystems, Inc.      c:\program files\java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar                  

+ googletoolbar2.dll      Google IE Client Toolbar      Google Inc.      c:\program files\google\googletoolbar2.dll

Task Scheduler                  

+ B070A4DE93A75886.job                  File not found: c:\docume~1\xrubyw~1\applic~1\partsk~1\That Bias Dale.exe

HKLM\System\CurrentControlSet\Services                  

+ Diskeeper      Controls the Windows Diskeeper Service      Diskeeper Corporation      c:\program files\diskeeper corporation\diskeeper\dkservice.exe

+ NVSvc      Provides system and desktop level support to the NVIDIA display driver      NVIDIA Corporation      c:\windows\system32\nvsvc32.exe

+ PAVFNSVR      Panda Function Service      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavfnsvr.exe

+ PavPrSrv      Panda Process Protection Service      Panda Software      c:\program files\common files\panda software\pavshld\pavprsrv.exe

+ PAVSRV      On-Access Antivirus Scanner Service.      Panda Software International      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavsrv51.exe

+ PNMSRV      Panda Network Manager Service      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\pnmsrv.exe

+ PSIMSVC      PsImSvc      Panda Software Internacional      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\psimsvc.exe

+ StarWindService      Enables network access to local devices via iSCSI protocol.      Rocket Division Software      c:\program files\alcohol soft\alcohol 120\starwind\starwindservice.exe

+ TPSrv      TPSrv Application      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\tpsrv.exe

HKLM\System\CurrentControlSet\Services                  

+ ALCXWDM      Realtek AC'97 Audio Driver (WDM)      Realtek Semiconductor Corp.      c:\windows\system32\drivers\alcxwdm.sys

+ AmdK8      AMD Processor Driver      Advanced Micro Devices      c:\windows\system32\drivers\amdk8.sys

+ APPFLT      Panda APPFLT      Panda Software      c:\windows\system32\drivers\appflt.sys

+ AsIO                  c:\windows\system32\drivers\asio.sys

+ cpoint      cPoint      Panda Software      c:\windows\system32\drivers\cpoint.sys

+ DSAFLT      DsaFlt      Panda Software      c:\windows\system32\drivers\dsaflt.sys

+ FNETMON      Panda FNetMon      Panda Software      c:\windows\system32\drivers\fnetmon.sys

+ IDSFLT      IdsFlt      Panda Software      c:\windows\system32\drivers\idsflt.sys

+ InCDPass                  File not found: system32\drivers\InCDPass.sys

+ InCDRm                  File not found: system32\drivers\InCDRm.sys

+ MTsensor      ATK0110 ACPI Utility            c:\windows\system32\drivers\asacpi.sys

+ netflt      NetFlt      Panda Software      c:\windows\system32\drivers\netflt.sys

+ NETFLTDI      Panda TDI Filter      Panda Software      c:\windows\system32\drivers\netfltdi.sys

+ NPF      npf      CACE Technologies      c:\windows\system32\drivers\npf.sys

+ npkcrypt      nProtect KeyCrypt Driver      INCA Internet Co., Ltd.      c:\program files\gravity\ro\npkcrypt.sys

+ NPPTNT2      nProtect NPSC Kernel Mode Driver for NT      INCA Internet Co., Ltd.      c:\windows\system32\npptnt2.sys

+ nv      NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.21       NVIDIA Corporation      c:\windows\system32\drivers\nv4_mini.sys

+ PavProc      Panda Process Protection driver      Panda Software      c:\windows\system32\drivers\pavproc.sys

+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

+ PxHelp20      Px Engine Device Driver for Windows 2000/XP      Sonic Solutions      c:\windows\system32\drivers\pxhelp20.sys

+ Secdrv      SafeDisc driver            c:\windows\system32\drivers\secdrv.sys

+ SMSFLT      SmsFlt      Panda Software      c:\windows\system32\drivers\smsflt.sys

+ SVKP      SVKP driver for NT      AntiCracking      c:\windows\system32\svkp.sys

+ vax347b      Plug and Play BIOS Extension             c:\windows\system32\drivers\vax347b.sys

+ vax347s      SCSI miniport             c:\windows\system32\drivers\vax347s.sys

+ viamraid      VIA RAID DRIVER FOR WIN 2000/XP/2003IA32      VIA Technologies inc,.ltd      c:\windows\system32\drivers\viamraid.sys

+ WNMFLT      WnmFlt      Panda Software      c:\windows\system32\drivers\wnmflt.sys

+ yukonwxp      NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller      Marvell      c:\windows\system32\drivers\yk51x86.sys

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute                  

+ PFDNNT C:\DOCUME~1\XRUBYW~1\APPLIC~1\16NOUN~1\ACE HEART.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\DOCUME~1\XRUBYW~1\LOCALS~1\TEMP\BIS401.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\DOWNLOADED PROGRAM FILES\DOWNLOADED PROGRAM FILES.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\HELP\HELP.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\INF\INF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\MEDIA\MEDIA.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\1033\1033.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\REGISTEREDPACKAGES\{30C7234B-6482-4A55-A11D-ECD9030313F2}\{30C7234B-6482-4A55-A11D-ECD9030313F2}.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SERVICEPACKFILES\I386\I386.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SERVICEPACKFILES\I386\I386.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SERVICEPACKFILES\I386\I386.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SERVICEPACKFILES\I386\I386.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM32\LD100.TMP      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM32\REGPERF.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM32\STDOLE3.TLB      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM32\WINYOD32.DLL      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM\SYSTEM.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\SYSTEM\SYSTEM.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

+ PFDNNT C:\WINDOWS\WINDOWS.EXE      pfdnnt      Panda Software      c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pfdnnt.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ avldr      On-Access Antivirus Scanner Sync.      Panda Software      c:\windows\system32\avldr.dll

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9                  

+ PAV_LAYERED      pavlsp Dynamic Link Library      Panda Software       c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll

+ PAV_LAYERED over [MSAFD Tcpip [RAW/IP]]      pavlsp Dynamic Link Library      Panda Software       c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll

+ PAV_LAYERED over [MSAFD Tcpip [TCP/IP]]      pavlsp Dynamic Link Library      Panda Software       c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll

+ PAV_LAYERED over [MSAFD Tcpip [UDP/IP]]      pavlsp Dynamic Link Library      Panda Software       c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll

0
 
r-kCommented:
About how many lines of text are in that saved file?

For comparison, on my system, I get about 50 lines, and the saved file size is 12 KB.

If you like, you can edit that saved file with Notepad and delete entries you feel are safe for sure, such as the Panda AV entries, for example.
That will reduce it to just the unknown or unexplained ones.

0
 
r-kCommented:
OK, ignore my last message. I am reviewing the list and will send you an update in a few minutes.
0
 
RubyWeaponAuthor Commented:
Well since it's already there... there is no point.
0
 
r-kCommented:
I think this is the item of interest:

 + SVKP     SVKP driver for NT     AntiCracking     c:\windows\system32\svkp.sys

Can you browse to that file in Windows Explorer, right-click on it, select "Properties", then click on the Version tab and see who created the file. Also check the dates on the file.
0
 
RubyWeaponAuthor Commented:
SVKP driver for NT
Modified May 12, 2000
Copyright (C) Microsoft Corp. 1981-1999
Company: AntiCracking
File Version: 4.0.1381.1
0
 
r-kCommented:
You can also try the following:

Start Autoruns, un-check the SVKP entry, exit Autoruns.

Delete a few of the offending files mentioned in your original post.

Reboot.

Run Autoruns and verify that the SVKP entry is still un-checked.

Check whether the files you deleted have come back or not.
0
 
r-kCommented:
Ok, thanks for the info. I still think this file is malware. Try disabling it with Autoruns as in my last post, and see if it stays disabled.
0
 
RubyWeaponAuthor Commented:
It does stay disabled, but Brontok reappears.
0
 
r-kCommented:
This could be a rootkit. Do the following:

Download RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
and use it to scan your system. (keep activity at a minimum during the scan)
It takes a while, but at the end, if there is anything of interest, be sure to use File -> Save As to save the results to a text file; you'll need them later.

Post the results here, but if it's very big then just post the first 50 or so lines.

I have to run but will check back in a couple of hours.

Thanks.
0
 
RubyWeaponAuthor Commented:
RootkitReveal log:

HKLM\S-1-5-21-1935655697-1563985344-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DAA983B8-AC41-AA61-8B1C-732E72861F91}*      5/12/2000 6:27 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName      1/14/2006 3:00 PM      58 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      6/5/2006 7:44 PM      80 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName      1/14/2006 3:13 PM      58 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg40      6/5/2006 6:09 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg41      6/5/2006 6:09 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg42      6/5/2006 6:09 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg43      6/5/2006 6:09 PM      0 bytes      Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg44      6/5/2006 6:09 PM      0 bytes      Hidden from Windows API.
C:\Documents and Settings\xRubyWeaponx\Local Settings\Temporary Internet Files\Content.IE5\U1K2G7CX\CAQVEDUF.bin      6/5/2006 7:49 PM      20.52 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010001.ci      6/5/2006 5:37 PM      984.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010001.dir      6/5/2006 5:37 PM      3.74 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010002.ci      6/5/2006 6:56 PM      440.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010002.dir      6/5/2006 6:56 PM      1.97 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010005.ci      6/5/2006 6:57 PM      184.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010005.dir      6/5/2006 6:57 PM      1.35 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010006.ci      6/5/2006 6:57 PM      36.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010006.dir      6/5/2006 6:57 PM      448 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010007.ci      6/5/2006 7:01 PM      8.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010007.dir      6/5/2006 7:01 PM      347 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010008.ci      6/5/2006 7:03 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010008.dir      6/5/2006 7:03 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010009.ci      6/5/2006 7:05 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010009.dir      6/5/2006 7:05 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000A.ci      6/5/2006 7:11 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000A.dir      6/5/2006 7:11 PM      316 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000C.ci      6/5/2006 7:13 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000C.dir      6/5/2006 7:13 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000D.ci      6/5/2006 7:19 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000D.dir      6/5/2006 7:19 PM      316 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.ci      6/5/2006 7:21 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.dir      6/5/2006 7:21 PM      316 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000F.ci      6/5/2006 7:23 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000F.dir      6/5/2006 7:23 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.ci      6/5/2006 7:30 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.dir      6/5/2006 7:30 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010011.ci      6/5/2006 7:32 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010011.dir      6/5/2006 7:32 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010013.ci      6/5/2006 7:34 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010013.dir      6/5/2006 7:34 PM      316 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010014.ci      6/5/2006 7:41 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010014.dir      6/5/2006 7:41 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010015.ci      6/5/2006 7:42 PM      4.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010015.dir      6/5/2006 7:42 PM      340 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010016.ci      6/5/2006 7:47 PM      1.07 MB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010016.dir      6/5/2006 7:47 PM      4.29 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000      6/5/2006 7:47 PM      240 bytes      Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.001      6/5/2006 7:47 PM      192.00 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.002      6/5/2006 7:47 PM      192.00 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.000      6/5/2006 7:42 PM      240 bytes      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.001      6/5/2006 7:42 PM      192.00 KB      Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.002      6/5/2006 7:42 PM      192.00 KB      Visible in Windows API, but not in MFT or directory index.
0
 
r-kCommented:
OK, I am back.

Your RootkitRevealer does not show a rootkit. Those HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg40 and similar entries are part of Alcohol CD/DVD software.

At this point I am puzzled. The HJT, Autoruns and RootkitRevealer logs don't show any active infection.
I will go through the logs again and see what I may have missed.

Can you confirm the following:

(1) Can you try deleting the file c.exe from the root c:\ folder, then reboot and see if it comes back.

(2) If you run Autoruns again, is the SVKP entry still unchecked? Look around in that list to make sure a new entry was not created that wasn't there before.
0
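To separate the known noise from the lines that still need reading, an added example that is not from this thread or from Sysinternals: it parses a RootkitRevealer text report and encodes the explanations given above (Indexing Service catalog files, the constantly rewritten RNG seed, the Alcohol vax347s keys). The benign-prefix list and the column layout are assumptions; the sample rows are constructed from the report posted above.

```python
"""Sort a RootkitRevealer text report into explained noise and leftovers.

RootkitRevealer reports every discrepancy between the Windows API view and
the raw registry hive / NTFS structures. Much of that is benign churn from
software with its own on-disk state: Indexing Service catalogs, the RNG
seed that is rewritten constantly, and the Alcohol vax347s driver keys
identified above. What is left after those rules is what to read by hand.
"""
import re
from collections import Counter

# Lower-case path prefixes with a known benign explanation (assumed list).
KNOWN_BENIGN = [
    ("c:\\system volume information\\catalog.wci\\", "Indexing Service catalog churn"),
    ("hklm\\software\\microsoft\\cryptography\\rng\\seed", "RNG seed is rewritten constantly"),
    ("hklm\\system\\controlset001\\services\\vax347s\\", "Alcohol 120% CD/DVD emulation keys"),
]


def parse_report(text):
    """Return dicts with path/when/size/what. The saved file is tab-separated;
    copies pasted into a browser usually show runs of spaces, so accept both."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in re.split(r"\t| {2,}", line.strip()) if f.strip()]
        if len(fields) == 4:
            rows.append(dict(zip(("path", "when", "size", "what"), fields)))
    return rows


def classify(text):
    """Split rows into (explained, unexplained); explained rows gain a 'why'."""
    explained, unexplained = [], []
    for row in parse_report(text):
        path = row["path"].lower()
        why = next((r for prefix, r in KNOWN_BENIGN if path.startswith(prefix)), None)
        if why:
            explained.append(dict(row, why=why))
        else:
            unexplained.append(row)
    return explained, unexplained


def summarize(rows):
    """Count discrepancy types so a long report reads at a glance."""
    return dict(Counter(row["what"] for row in rows))


# Constructed sample in the saved-file format, using rows from the report above.
SAMPLE = "\n".join([
    "HKLM\\S-1-5-21-1935655697-1563985344-725345543-1003\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{DAA983B8-AC41-AA61-8B1C-732E72861F91}*\t5/12/2000 6:27 PM\t0 bytes\tKey name contains embedded nulls (*)",
    "HKLM\\SOFTWARE\\Classes\\Installer\\Products\\32418F9EE1126B64A90E8365B85CFCF6\\ProductName\t1/14/2006 3:00 PM\t58 bytes\tData mismatch between Windows API and raw hive data.",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t6/5/2006 7:44 PM\t80 bytes\tData mismatch between Windows API and raw hive data.",
    "HKLM\\SYSTEM\\ControlSet001\\Services\\vax347s\\Config\\jdgg40\t6/5/2006 6:09 PM\t0 bytes\tHidden from Windows API.",
    "C:\\Documents and Settings\\xRubyWeaponx\\Local Settings\\Temporary Internet Files\\Content.IE5\\U1K2G7CX\\CAQVEDUF.bin\t6/5/2006 7:49 PM\t20.52 KB\tHidden from Windows API.",
    "C:\\System Volume Information\\catalog.wci\\00010001.ci\t6/5/2006 5:37 PM\t984.00 KB\tVisible in Windows API, but not in MFT or directory index.",
    "C:\\System Volume Information\\catalog.wci\\CiFLfffc.000\t6/5/2006 7:47 PM\t240 bytes\tHidden from Windows API.",
])

if __name__ == "__main__":
    explained, unexplained = classify(SAMPLE)
    print("explained:", summarize(explained))
    for row in unexplained:
        print("LOOK:", row["what"], "->", row["path"])
```

An entry landing in the unexplained list is not a verdict either way; it is the short list to check against the owning software, file dates and publisher, as was done for the Autoruns entries above.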
 
RubyWeaponAuthor Commented:
The c.exe file is never there because Panda AV deletes it before I get a chance to see it. And the SVKP entry is unchecked. Brontok seems to come back periodically. Some days are terrible, some are okay. Thanks for helping anyways.
0
 
RubyWeaponAuthor Commented:
It turns out, another computer on the network was infected and it had no anti-virus. One quick scan and the problem was fixed.
0
 
RubyWeaponAuthor Commented:
I intend to get a refund.
0
 
NetminderCommented:
Closed, 335 points refunded.
Netminder
Site Admin
0
