Avast found a win32:Brontok[wrm] on my computer

casioculture

I found it on an SD card that I used a couple of weeks ago to test a
camera in a store. I took pictures with it and brought the SD card
back. Strangely, I looked at the pictures back then and had no problem.
Now that I looked at the SD card again I clicked on some folder on it
and it seems to have run something that avast/prevx/kerio didn't like.
I don't exactly remember what was going on in detail, I was literally a
"moron in a hurry" trying to get this cheap mp3 player to work to
listen to a podcast. Anyhow, I allowed it to do one thing and then
blocked the rest when I noticed that it wasn't normal (prevx does get
frustrating in normal usage, so I acquired a habit of allowing without
much thinking unless I'm on guard). I then ran avast, it said reboot, I
rebooted, it ran on reboot and moved 9 files to its virus chest.

Any permanent harm done? Should I reinstall windows? Thanks.
 
From: <[email protected]>

|
| I found it on an SD card that I used a couple of weeks ago to test a
| camera in a store. I took pictures with it and brought the SD card
| back. Strangely, I looked at the pictures back then and had no problem.
| Now that I looked at the SD card again I clicked on some folder on it
| and it seems to have run something that avast/prevx/kerio didn't like.
| I don't exactly remember what was going on in detail, I was literally a
| "moron in a hurry" trying to get this cheap mp3 player to work to
| listen to a podcast. Anyhow, I allowed it to do one thing and then
| blocked the rest when I noticed that it wasn't normal (prevx does get
| frustrating in normal usage, so I acquired a habit of allowing without
| much thinking unless I'm on guard). I then ran avast, it said reboot, I
| rebooted, it ran on reboot and moved 9 files to its virus chest.
|
| Any permanent harm done? Should I reinstall windows? Thanks.

OK, so Avast found a worm (?) on an SD card. The question is, in what form was it and what
was done with it ?
Was it an EXE file ?
Was it deleted ?
Was it quarantined ?
Was it executed ?
Have you scanned your computer to see if the computer OS was infected ?

The following can be used to see if the system was infected
* * * NOTE: You should disable Avast if you run the Trend module in the below tool as it
falsely declares the Trend Micro Sysclean utility as being infected with the VBS/RedLof.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *
 
David said:
From: <[email protected]>

|
| I found it on an SD card that I used a couple of weeks ago to test a
| camera in a store. I took pictures with it and brought the SD card
| back. Strangely, I looked at the pictures back then and had no problem.
| Now that I looked at the SD card again I clicked on some folder on it
| and it seems to have run something that avast/prevx/kerio didn't like.
| I don't exactly remember what was going on in detail, I was literally a
| "moron in a hurry" trying to get this cheap mp3 player to work to
| listen to a podcast. Anyhow, I allowed it to do one thing and then
| blocked the rest when I noticed that it wasn't normal (prevx does get
| frustrating in normal usage, so I acquired a habit of allowing without
| much thinking unless I'm on guard). I then ran avast, it said reboot, I
| rebooted, it ran on reboot and moved 9 files to its virus chest.
|
| Any permanent harm done? Should I reinstall windows? Thanks.

OK, so Avast found a worm (?) on an SD card. The question is, in what form was it and what
was done with it ?
Was it an EXE file ?
Was it deleted ?
Was it quarantined ?
Was it executed ?
Have you scanned your computer to see if the computer OS was infected ?

Hi, sorry I haven't been clear.

The files on the card looked either like a folder or an archive file in
thumbnail view. I clicked on it and it ran an exe. prevx alarmed me but
because I was messing with a new mp3/card reader thing that wasn't
working well I allowed it once or twice, then suspected things weren't
right after a second or two, so I denied further attempts to modify.

Wait, I just had a look at the virus chest. Okay, it seems the virus
had used the names of the folders and made them EXEs.
http://i2.tinypic.com/somgxi.jpg

See those top three? Those used to be folders on the SD card. Each
folder stood for a camera and contained the pictures from that camera.
Like I said, I took this card to a camera store and used it there in
cameras I was testing before I buy one.

I don't remember if Avast alarmed me about the files or not, but it
didn't while they were active. If it did it sure took its time and I
was dealing with prevx and kerio popping up first. I then ran it
afterwards and it told me that there was a virus in memory and it was
better to reboot and do a boot-time-scan. So I did that. I told it to
move everything to its virus chest (that's a quarantine I think) rather
than delete.

I'm running another Avast scan now and it's not showing up anything
new.

Do you suggest I don't use any passwords until I'd reinstalled the OS?

Thanks.




 
From: <[email protected]>

|
| David H. Lipman wrote:
|
|>> I found it on an SD card that I used a couple of weeks ago to test a
|>> camera in a store. I took pictures with it and brought the SD card
|>> back. Strangely, I looked at the pictures back then and had no problem.
|>> Now that I looked at the SD card again I clicked on some folder on it
|>> and it seems to have run something that avast/prevx/kerio didn't like.
|>> I don't exactly remember what was going on in detail, I was literally a
|>> "moron in a hurry" trying to get this cheap mp3 player to work to
|>> listen to a podcast. Anyhow, I allowed it to do one thing and then
|>> blocked the rest when I noticed that it wasn't normal (prevx does get
|>> frustrating in normal usage, so I acquired a habit of allowing without
|>> much thinking unless I'm on guard). I then ran avast, it said reboot, I
|>> rebooted, it ran on reboot and moved 9 files to its virus chest.
|>>
|>> Any permanent harm done? Should I reinstall windows? Thanks.
|
| Hi, sorry I haven't been clear.
|
| The files on the card looked either like a folder or an archive file in
| thumbnail view. I clicked on it and it ran an exe. prevx alarmed me but
| because I was messing with a new mp3/card reader thing that wasn't
| working well I allowed it once or twice, then suspected things weren't
| right after a second or two, so I denied further attempts to modify.
|
| Wait, I just had a look at the virus chest. Okay, it seems the virus
| had used the names of the folders and made them EXEs.
| http://i2.tinypic.com/somgxi.jpg
|
| See those top three? Those used to be folders on the SD card. Each
| folder stood for a camera and contained the pictures from that camera.
| Like I said, I took this card to a camera store and used it there in
| cameras I was testing before I buy one.
|
| I don't remember if Avast alarmed me about the files or not, but it
| didn't while they were active. If it did it sure took its time and I
| was dealing with prevx and kerio popping up first. I then ran it
| afterwards and it told me that there was a virus in memory and it was
| better to reboot and do a boot-time-scan. So I did that. I told it to
| move everything to its virus chest (that's a quarantine I think) rather
| than delete.
|
| I'm running another Avast scan now and it's not showing up anything
| new.
|
| Do you suggest I don't use any passwords until I'd reinstalled the OS?
|
| Thanks.
|

At this point I don't think you need to reinstall the OS.

Scan with Avast and scan with the Multi AV Scanning Tool using the McAfee, Sophos and/or
Trend module.

So far it looks like Avast protected you. The additional scans will affirm or deny that.
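
A read-only triage check for the symptom reported earlier in this thread, executables on the card carrying the names of the picture folders. This is an added example, not code from any poster or from the Multi AV tool; the extension watch list, the two matching rules and the sample folder names are assumptions made for illustration.

```python
import os
import tempfile

# Extensions Windows runs on double-click (assumed watch list, adjust as needed).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_executable_file(path):
    """True if the extension is on the watch list or the file starts with the DOS/PE 'MZ' magic."""
    if os.path.splitext(path)[1].lower() in EXEC_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def find_folder_lookalikes(root):
    """Return sorted (relative_path, reason) pairs for executables named like a folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        parent = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_executable_file(full):
                continue
            stem = os.path.splitext(name)[0].lower()
            if stem in siblings:
                reason = "same name as sibling folder"
            elif dirpath != root and stem == parent:
                reason = "same name as containing folder"
            else:
                continue
            findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_card(root):
    """Constructed sample layout; folder and file names are invented for the demo."""
    for folder in ("CameraA", "CameraB"):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "IMG_0001.JPG"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0")  # JPEG magic only, not a real image
    for rel in ("CameraA.exe", os.path.join("CameraB", "CameraB.exe")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # inert stub: header bytes only

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        for rel, reason in find_folder_lookalikes(card):
            print(f"SUSPECT {rel}: {reason}")
```

Point `find_folder_lookalikes` at the card's mount point or drive letter; it only lists names and reads the first two bytes of each file, so a hit is a prompt for an AV scan, not a verdict. The match depends on the original folder still being present on the card.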
 
Any permanent harm done? Should I reinstall windows? Thanks.

Reinstalling ANYTHING is the LAST recourse when ALL else fails.

Reinstalling is what unskilled, overworked, underpaid "tech support"
people recommend just to get you off of the phone!

You did the right thing by seeking help in this NG. People like David
Lipman are very knowledgeable and can usually walk you through a
problem.

Good luck,

Chas.
 