How do you remove brontok virus?

Answer 1

Manual removal steps: Disconnect your computer from the network and disable file sharings, if any.

Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

Click Start.

Right-click My Computer, and then click Properties.

Click the System Restore tab.

Select "Turn off System Restore" or "Turn off System Restore on all drives" check box. Start your machine in Safe mode.

How to start a computer in safe mode, pls refer to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Update your Anti-virus software with the latest signature files and scan your computer withthe Anti-virus to detect the worm and delete any files detected as the worm by clicking the DELETE button.

Delete the value from the registry.

You need to back up the registry before making any changes to it. In correct changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

How to make a backup of the Windows registry, pls refer at: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

Click Start > Run. Type regedit Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. You can used a tool to resolve this problem.

Download this tool. Once downloaded, �right-click� the UnHookExec.inf file and click install. Then continue with the removal steps. http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.HTML

Other alternative way to enable registry, please refer to: http://www.patheticcockroach.com/mpam4/index.php?p=28

Navigate to the subkey that was detected by the anti-virus and delete the value.

Exit the Registry Editor.

If you are still unable to open your registry, you may try the following steps.

Boot up the infected computer, but do not login to the server, leave it at the login prompt.

Start up another clean computer, worm-free computer which has an updated anti-virus software running and an active firewall running preventing all inbound connections.

From the clean computer, start REGEDIT.EXE and click on File -> File -> Connect Network Registry. Connect to the infected computer.

Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon to the following values:

"Userinit" = "C:\WINNT\system32\userinit.exe," "Shell" = "Explorer.exe"

(make sure that you enter the correct path to where Windows is installed. For example on NT4.0 it is WINNT)

After completing the above steps, reboot the infected computer.

Using the clean computer, map the C$ share and scan it using the up to date anti-virus to remove any infected files on the infected computer. Then, you should be able to boot to the computer and then follow Steps 6 - Steps 11.

Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.

Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or the process viewer is available according to the machine's platform and can be downloaded free from the internet. For example users can download and use the following process viewer: http://www.sysinternals.com/Utilities/ProcessExplorer.HTML

Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane matches the worm.

Enable the System Restore (for Windows XP/Windows Me only).

Re-scan your computer with an updated version of Anti-virus to confirm the computer is clean.

Re-connect your computer to the network once confirmed clean.

IMPROVED ANSWER WITH LINKS TO TOOLS (SOLVED BY A SENIOR IT SYSTEMS ADMIN) BY: Ian Gardiner

Brontok Virus Manual Removal Instructions

1. Disconnect your computer from the network and disable file sharings, if any exist on the PC.
2. Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore or Turn off System Restore on all drives check box.

1. Start your machine in Safe mode. Reboot and repeatedly press F8. If you cannot boot into safe mode, you should still be able to get rid of the virus, however, safe mode is recommended.
2. Update the anti-virus software for any latest updates.
3. You will have to use the regedit function to remove a lot of infected/newly created values in the registry.
4. Click Start>Run. Then type regedit, click OK.
   1. You will need to use internet Explorer to download this file.
   2. Go to http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 and download the UnHookExec.inf file at the bottom of the page. (you will have to download this file on another PC and save it on a drive and move it over to the infected PC)
   3. Once you have put this file onto the infected PC's Desktop, Right-click the file and click Install. You won't really notice anything happen, however, this will enable the regedit function.
5. If the registry editor fails to open, the threat may have modified the registry to prevent it from opening. You can use a tool to resolve this problem:
6. Once you can use the regedit function check to see if there is a scheduled task named A1 or something along those lines (scheduled to run at 5:08pm) in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
   1. The tool can also be found at: http://www.kaer-media.org/penawar-brontok/Download.htm
7. Next, before going ahead and deleting anything in the registry. You will need to use this German Brontok Removal tool
8. Click on the link that says: PenawarB.exe and save the file.
   1. Double click the file, click Run
   2. In the bottom right hand corner click the button that says: Percubaan Percuma!
   3. On the next screen click on the button on the left that says: Tidak mengapa, saya hendak cuba dahulu…
   4. On the next screen click the button that says: Scan sekarang!
   5. Once the tool has run it will show the location of all of the infected files
   6. Click the button that says: Buang ! & Repair to delete the infected files
   7. Note: This tool is free so when you click Repair it will delete all of the files except for 10 of them. For the remaining 10 you will have to take not of the infected files' locations and manually delete them. Also, if there are less than 10 files that are infected to begin with you will have to manually delete all of them.
9. Once the file has been saved to the infected PC's Desktop
10. Once this is done follow the instructions below on deleting all other files and registry values. This step is very important and crucial to the final removal of the virus!

The worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:

• Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif. Delete the file.
• Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 pm. Also check to see if there is a scheduled task named A1 or something along those lines in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
• Adding a registry value: "Tok-Cirrhatus"

With data:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the key.

• Adding registry value: "Bron-Spizaetus"

with data: <path to Win32/Brontok worm>

in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Delete the key.

• Adding registry value: Shell

  with data: "explorer.exe " <path to Win32/Brontok worm>

in registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon. Delete the key.

• Modifies registry value: AlternateShell

  with data: <Win32/Brontok file name>

  in registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

  Note: the default setting for this key is "AlternateShell"="cmd.exe"

Win32/Brontok may attempt to lower security settings by making the following changes:

• Prevents the user from accessing the Registry Editor by making the following registry edit:

Adds value: DisableRegistryTools

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Change the Data to 0.

• Prevents the display of files and folders with the 'hidden' attribute set:

Adds value: Hidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of Windows system files:

Adds value: ShowSuperHidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of executable file extensions:

Adds value: HideFileExt

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 0.

• Prevents access to the Folder Options menu:

Adds value: NoFolderOptions

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Change the Data to 0.

• Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
• Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
• Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
• Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.

1. You will also want to go into msconfig. Start>Run, type msconfig. And disable any startup items (under the startup tab) that look suspicious; you may have to run an internet search to determine which are normal processes and which may be a threat.
   1. make sure the scheduled task is no longer there
   2. make sure you can open regedit
   3. re-run the scanner for any infected files. If it finds anything delete them, restart the PC, and then re-run the scanner and delete files until nothing shows up again.
   4. Make sure the registry is back to normal and that you can view hidden files and folders.
2. Once this has been done, restart the PC, and check over everything in the following order: