Win32.Brontok.A virus

Guest

Please help!! My stand-alone desktop has been infected with a Win32.Brontok
virus. It has altered files in the registry, preventing me from accessing regedit to
delete/rename them. When I try to enter regedit the computer reboots. I've
tried downloading so-called retrieval programmes and running them in both Safe
Mode and 'normal' operation, but they are not having any effect. I tried
downloading the Microsoft Malicious Software Removal Tool, but halfway
through the download I get a pop-up stating that "windows is unable to
download the software and has reset the connection to the server". Then it
reboots. Can anybody offer help?????
 
David H. Lipman

From: "davep" <[email protected]>

| Please help!! My stand alone desktop has been infected with a Win32.Brontok
| virus. It has altered files in registry preventing me accessing regedit to
| delete/rename them. When I try to enter regedit the computer reboots. I've
| tried downloading so called retrieval programmes and running in both Safe
| mode and 'normal' operation but they are not having any effect. I tried
| downloading the Microsoft Malicious Software Removal tool but half way
| through the download I get a pop-up stating that "windows is unable to
| download the software and has reset the connection to the server". Then it
| reboots. Can anybody offer help?????


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so that it can download the needed AV-vendor files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Guest

Try this:

Take a copy of regedit.exe in Explorer and paste it into another directory.

Rename the copy myregedit.exe, copy it, and paste it back into the original
directory.

Your new program 'myregedit.exe' should do everything the original was
capable of, but is not detected by the malware on your system.

HTH
 
Guest

David H. Lipman said:
From: "davep" <[email protected]>

| Please help!! My stand alone desktop has been infected with a Win32.Brontok
| virus. It has altered files in registry preventing me accessing regedit to
| delete/rename them. When I try to enter regedit the computer reboots. I've
| tried downloading so called retrieval programmes and running in both Safe
| mode and 'normal' operation but they are not having any effect. I tried
| downloading the Microsoft Malicious Software Removal tool but half way
| through the download I get a pop-up stating that "windows is unable to
| download the software and has reset the connection to the server". Then it
| reboots. Can anybody offer help?????


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

David,
you are a saviour!!! I followed your instructions and first tried Trend,
which identified all the infected files but could not clean/move them. I then
tried Kaspersky, and although it took about 3 hours it seems to have
eradicated the virus. BUT, when I reboot I am left with a file in the Recycle Bin
called RB4; the pathname is C:\RECYCLER... I can delete it, but next time I
boot up there it is again! Before I did the AV scan there were 4 files of
that type: RB1, RB2, etc.
But at least now I can access regedit and the virus seems to have been
deleted....many many thanks for your advice.
 
David H. Lipman

From: "davep" <[email protected]>

|
| David,
| you are a saviour!!! I followed your instructions and first tried Trend,
| that identified all the infected files but could not clean/move them. I then
| tried Kaspersky and although it took about 3 hours it seems to have
| eradicated the virus BUT, when I reboot I am left with a file in Recycle Bin
| called RB4, the pathname is C:/RECYCLER... I can delete it but next time I
| boot up there it is again! Before I did the AV scan there were 4 files of
| that type RB1, RB2 etc.
| But at least now I can access regedit and the virus seems to have been
| deleted....many many thanks for your advice.
C:\RECYCLER is the Recycle Bin.

Login and dump the Recycle Bin.
 
Guest

davep said:
Please help!! My stand alone desktop has been infected with a Win32.Brontok
virus. It has altered files in registry preventing me accessing regedit to
delete/rename them. When I try to enter regedit the computer reboots. I've
tried downloading so called retrieval programmes and running in both Safe
mode and 'normal' operation but they are not having any effect. I tried
downloading the Microsoft Malicious Software Removal tool but half way
through the download I get a pop-up stating that "windows is unable to
download the software and has reset the connection to the server". Then it
reboots. Can anybody offer help?????

You still have traces of the virus, regenerated from a script or a hidden
file on your system.
You need to be sure your system is clean of malware and viruses by
scanning for them.
Scan for malware from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
http://free.grisoft.com/doc/5390/lng/us/tpl/v5

Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
nass
 
cquirke (MVP Windows shell/user)

| David,
| you are a saviour!!! I followed your instructions and first tried Trend,
| that identified all the infected files but could not clean/move them. I then
| tried Kaspersky and although it took about 3 hours it seems to have
| eradicated the virus BUT, when I reboot I am left with a file in Recycle Bin
| called RB4, the pathname is C:/RECYCLER... I can delete it but next time I
| boot up there it is again! Before I did the AV scan there were 4 files of
| that type RB1, RB2 etc.
| But at least now I can access regedit and the virus seems to have been
| deleted....many many thanks for your advice.

Well done! I really thought this might be a case requiring formal
management via a mOS (say, Bart CDR boot). Glad the malware
self-protection was weak enough to be defeated informally.
| C:\RECYCLER is the Recycle Bin.

If memory serves, it may not be that easy. A malware I encountered -
and I think it was Brontok - sets itself as a file located within
C:\Recycler and runs from there, but it is not "seen" via the Recycle
bin namespace object.

When viewed formally from a Bart boot, it will be the file that
doesn't have the typical internal Recycle Bin file names (the "real"
deleted stuff will always have names like DC4.* or something, and the
malware will have a different name).

I suspect this means that what you see via the Recycle Bin view will
not include the malware file, and emptying the bin won't clear it.

If the malware is obliging enough to allow you to do this, you could
fire up a true file system browser (e.g. ye olde DOS LL3.EXE),
navigate to each *:\RECYCLER, and either delete the Desktop.ini to
facilitate generic access, or delete the malware directly.

Let's look up Brontok...

http://www.sophos.com/virusinfo/analyses/w32brontokh.html

http://www.bitdefender.com/[email protected]

Killer tools for it:

http://www.bitdefender.com/site/Download/downloadRemovalTool/630/

http://wirusy.antivirenkit.pl/en/szczepionki/Brontok.html
| Login and dump the Recycle Bin.

None of this stuff refers to a Recycle Bin presence (first used by
malware way back when Norton AV was too thick to include the 'bin in
its "full system scan") so I may be remembering a different malware.

If so, David's advice should work. When the system is clean and
running well, do this:
- Start, Accessories, System Tools, System Restore
- create a new restore point
- Windows Explorer, right-click on C:, Properties, Disk Cleanup
- More Options tab, System Restore section, Clean Up button
- OK

That should purge any malware hidden in SR's subtree.

David, did you get my email? I wanted to ask you about referencing
MultiAV as a wrapped component within an end-user mOS project.


---------- ----- ---- --- -- - - - -
When Occam's Razor meets the Halting Problem,
the Halting Problem wins
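As an added illustration of the check cquirke describes above (this is not code from the thread, from MultiAV, or from any of the linked tools), the following Python script walks a RECYCLER tree and reports every file the Recycle Bin would not have created itself. The naming convention it assumes, D<drive letter><number>.<ext> for deleted items plus INFO2 and desktop.ini per SID folder, is taken from the "DC4.*" remark above and is an assumption; the sample tree it builds, including the RB4.exe entry, is constructed for the demonstration and is not real data.

```python
import os
import re
import shutil
import tempfile

# Assumption (from the "DC4.*" remark above): the bin renames deleted items to
# D<drive letter><number>.<original extension> inside each per-user SID folder,
# alongside its INFO2 index and a desktop.ini. Anything else deserves a look.
LEGIT_DELETED_ITEM = re.compile(r"^D[A-Z]\d+(\.[^.]+)?$", re.IGNORECASE)
LEGIT_HOUSEKEEPING = {"info2", "desktop.ini"}


def is_bin_housekeeping(name):
    """True if the file name is one the Recycle Bin would create on its own."""
    return name.lower() in LEGIT_HOUSEKEEPING or bool(LEGIT_DELETED_ITEM.match(name))


def find_suspicious_entries(recycler_root):
    """Walk a RECYCLER tree and return full paths of files the bin did not create.

    os.walk sees every file in the directory, hidden or not, which is the whole
    point: the Recycle Bin shell view only shows items recorded in INFO2.
    """
    suspicious = []
    for dirpath, _dirnames, filenames in os.walk(recycler_root):
        for name in filenames:
            if not is_bin_housekeeping(name):
                suspicious.append(os.path.join(dirpath, name))
    return sorted(suspicious)


def suspicious_names(recycler_root):
    """Same as above, reduced to bare file names for quick reporting."""
    return [os.path.basename(p) for p in find_suspicious_entries(recycler_root)]


def build_sample_recycler():
    """Constructed sample tree (not real data): one SID folder holding ordinary
    deleted items plus one entry named the way the bin never names things."""
    root = tempfile.mkdtemp(prefix="RECYCLER_")
    sid_dir = os.path.join(root, "S-1-5-21-1111111111-2222222222-3333333333-1001")
    os.makedirs(sid_dir)
    for name in ("INFO2", "desktop.ini", "Dc1.doc", "Dc4.exe"):
        open(os.path.join(sid_dir, name), "wb").close()
    # the odd one out, modelled on the RB4 entry reported in this thread
    open(os.path.join(sid_dir, "RB4.exe"), "wb").close()
    open(os.path.join(root, "desktop.ini"), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_recycler()
    try:
        for path in find_suspicious_entries(root):
            print("not a Recycle Bin artefact:", path)
    finally:
        shutil.rmtree(root)
```

Point it at each volume's RECYCLER folder from an offline boot (or at least from a plain file-system view rather than the Recycle Bin shell folder); an entry it lists is something to inspect and, if the scanners agree, delete directly, since emptying the bin from the shell view will not touch it.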
 
David H. Lipman

From: "cquirke (MVP Windows shell/user)" <[email protected]>

< snip >

|
| David, did you get my email? I wanted to ask you about referencing
| MultiAV as a wrapped component within an end-user mOS project.
|


Yes, and I replied -- you didn't get my reply?
 
cquirke (MVP Windows shell/user)

From: "cquirke (MVP Windows shell/user)"
| David, did you get my email? I wanted to ask you about referencing
| MultiAV as a wrapped component within an end-user mOS project.

| Yes and I replied -- You didn't get my reply ?

It might still be in the Inbox, if your From: address has changed so
that my filters didn't white-list it in. I'll look again... doesn't
look good; your surname comes up in 5 messages since 1 July 2007, but
they aren't from you... eh - retry, please?

Put your surname in the text as a detectable biopsy :)


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
 