Computer Worms

Manual removal steps: Disconnect your computer from the network and disable file sharings, if any.

Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

Click Start.

Right-click My Computer, and then click Properties.

Click the System Restore tab.

Select "Turn off System Restore" or "Turn off System Restore on all drives" check box. Start your machine in Safe mode.

How to start a computer in safe mode, pls refer to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Update your Anti-virus software with the latest signature files and scan your computer withthe Anti-virus to detect the worm and delete any files detected as the worm by clicking the DELETE button.

Delete the value from the registry.

You need to back up the registry before making any changes to it. In correct changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

How to make a backup of the Windows registry, pls refer at: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

Click Start > Run. Type regedit Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. You can used a tool to resolve this problem.

Download this tool. Once downloaded, �right-click� the UnHookExec.inf file and click install. Then continue with the removal steps. http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.HTML

Other alternative way to enable registry, please refer to: http://www.patheticcockroach.com/mpam4/index.php?p=28

Navigate to the subkey that was detected by the anti-virus and delete the value.

Exit the Registry Editor.

If you are still unable to open your registry, you may try the following steps.

Boot up the infected computer, but do not login to the server, leave it at the login prompt.

Start up another clean computer, worm-free computer which has an updated anti-virus software running and an active firewall running preventing all inbound connections.

From the clean computer, start REGEDIT.EXE and click on File -> File -> Connect Network Registry. Connect to the infected computer.

Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon to the following values:

"Userinit" = "C:\WINNT\system32\userinit.exe," "Shell" = "Explorer.exe"

(make sure that you enter the correct path to where Windows is installed. For example on NT4.0 it is WINNT)

After completing the above steps, reboot the infected computer.

Using the clean computer, map the C$ share and scan it using the up to date anti-virus to remove any infected files on the infected computer. Then, you should be able to boot to the computer and then follow Steps 6 - Steps 11.

Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.

Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or the process viewer is available according to the machine's platform and can be downloaded free from the Internet. For example users can download and use the following process viewer: http://www.sysinternals.com/Utilities/ProcessExplorer.HTML

Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane matches the worm.

Enable the System Restore (for Windows XP/Windows Me only).

Re-scan your computer with an updated version of Anti-virus to confirm the computer is clean.

Re-connect your computer to the network once confirmed clean.

Brontok Virus Manual Removal Instructions

1. Disconnect your computer from the network and disable file sharings, if any exist on the PC.
2. Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore or Turn off System Restore on all drives check box.

1. Start your machine in Safe mode. Reboot and repeatedly press F8. If you cannot boot into safe mode, you should still be able to get rid of the virus, however, safe mode is recommended.
2. Update the anti-virus software for any latest updates.
3. You will have to use the regedit function to remove a lot of infected/newly created values in the registry.
4. Click Start>Run. Then type regedit, click OK.
   1. You will need to use Internet Explorer to download this file.
   2. Go to http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 and download the UnHookExec.inf file at the bottom of the page. (you will have to download this file on another PC and save it on a drive and move it over to the infected PC)
   3. Once you have put this file onto the infected PC's Desktop, Right-click the file and click Install. You won't really notice anything happen, however, this will enable the regedit function.
5. If the registry editor fails to open, the threat may have modified the registry to prevent it from opening. You can use a tool to resolve this problem:
6. Once you can use the regedit function check to see if there is a scheduled task named A1 or something along those lines (scheduled to run at 5:08pm) in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
   1. The tool can also be found at: http://www.kaer-media.org/penawar-brontok/Download.htm
7. Next, before going ahead and deleting anything in the registry. You will need to use this German Brontok Removal tool
8. Click on the link that says: PenawarB.exe and save the file.
   1. Double click the file, click Run
   2. In the bottom right hand corner click the button that says: Percubaan Percuma!
   3. On the next screen click on the button on the left that says: Tidak mengapa, saya hendak cuba dahulu…
   4. On the next screen click the button that says: Scan sekarang!
   5. Once the tool has run it will show the location of all of the infected files
   6. Click the button that says: Buang ! & Repair to delete the infected files
   7. Note: This tool is free so when you click Repair it will delete all of the files except for 10 of them. For the remaining 10 you will have to take not of the infected files' locations and manually delete them. Also, if there are less than 10 files that are infected to begin with you will have to manually delete all of them.
9. Once the file has been saved to the infected PC's Desktop
10. Once this is done follow the instructions below on deleting all other files and registry values. This step is very important and crucial to the final removal of the virus!

The worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:

• Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif. Delete the file.
• Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 pm. Also check to see if there is a scheduled task named A1 or something along those lines in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
• Adding a registry value: "Tok-Cirrhatus"

With data:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the key.

• Adding registry value: "Bron-Spizaetus"

with data: <path to Win32/Brontok worm>

in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Delete the key.

• Adding registry value: Shell

  with data: "explorer.exe " <path to Win32/Brontok worm>

in registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon. Delete the key.

• Modifies registry value: AlternateShell

  with data: <Win32/Brontok file name>

  in registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

  Note: the default setting for this key is "AlternateShell"="cmd.exe"

Win32/Brontok may attempt to lower security settings by making the following changes:

• Prevents the user from accessing the Registry Editor by making the following registry edit:

Adds value: DisableRegistryTools

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Change the Data to 0.

• Prevents the display of files and folders with the 'hidden' attribute set:

Adds value: Hidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of Windows system files:

Adds value: ShowSuperHidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of executable file extensions:

Adds value: HideFileExt

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 0.

• Prevents access to the Folder Options menu:

Adds value: NoFolderOptions

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Change the Data to 0.

• Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
• Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
• Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
• Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.

1. You will also want to go into msconfig. Start>Run, type msconfig. And disable any startup items (under the startup tab) that look suspicious; you may have to run an internet search to determine which are normal processes and which may be a threat.
   1. make sure the scheduled task is no longer there
   2. make sure you can open regedit
   3. re-run the scanner for any infected files. If it finds anything delete them, restart the PC, and then re-run the scanner and delete files until nothing shows up again.
   4. Make sure the registry is back to normal and that you can view hidden files and folders.
2. Once this has been done, restart the PC, and check over everything in the following order:

Try using the website symantec.com. They have a whole list of Worms and cures for free.

1 Download and intall the Malwarebytes on your computer .

2 Update your Malwarebytes .

3 Scan your computer for all the malwares in your computer .

4 Remove all the malwares , found while scanning with the malwarebytes .

5 Restart your computer ,

You need to run these 3 essential programs to remove all the spyware on your computer.

If you do not have an internet security suit and only an anti virus

1. Run Malwarebytes Anti-Malware

2. Run a complete scan with free curing utility Dr.Web CureIt!

3. Run the anti spyware removal programs spybot or Superantispyware

Browsers

Use Mozilla firefox or the google chrome browser for browsing unsafe websites

Install ThreatFire

ThreatFire, features innovative real-time behavioral protection technology that provides powerful standalone protection or the perfect complement to traditional signature-based antivirus programs offers unsurpassed protection against both known and unknown zero-day viruses, worms, trojans, rootkits, buffer overflows, spyware, adware and other malware.

Run an online virus scan like

Trend Micro HouseCall

Kaspersky free online virus scanner

Windows Live OneCare safety scanner

BitDefender Online Scanner

ESET Online Antivirus Scanner

F-Secure Online Virus Scanner

avast! Online Scanner

update your software by running

Secunia Online Software Inspector

Install a good antivirus in your computer.

Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.

Keep your permanent antivirus protection enabled at all times.

Hidden malicious programs (most are not viruses) are called "Trojans" from the story of the Trojan Horse, from the war between Greece and the city of Troy, as written in Virgil's Aeneidand referenced in Homer's The Odyssey. The trojan horse was a threat masquerading as a gift. Similarly, trojan programs seem innocuous, but are designed to damage your computer or use it for harmful purposes.

---

In the Trojan War, one side was the Greeks and the other was the people from Troy. They were fighting for this beautiful queen, Helen, wife of Menelaus. Eventually the Greeks saw that the Trojans were winning the war, so they devised a very clever plan: they would create a giant wooden horse (because the Trojans worshiped horses) and then leave it behind as they left, pretending to give up. The wooden horse would be a peace offering. The Trojans accepted it, took it into the city walls, and then they partied at night and got drunk. After the Trojans were sleeping, Greek soldiers hiding inside the hollow wooden horse got out and opened the city gates of Troy to let their much larger army inside. Because the Trojans were caught off guard and drunk, they had no choice but to surrender and the Greeks won the war.

Trojan Horse programs work in the same way. They disguise themselves as legitimate programs or files. When you accept to download them, they infect your computer and run malicious processes in the background without you knowing. They often really do have the program that you intended to download, but they also come with a virus or something else to corrupt your computer. Hence the name, Trojan Horse or Trojan.

Not yet i suppose BUT viruses can freeze a computer and do all kinds of damage

If one was to "remote login" to another PC and be able to run a system overlocking task to overclock the users CPU 200x

This would create heat and could possiblly make the CPU spontaniously combust.

This would then cause an electrical fire.

ANSER:

Yes, All you have to do is get a virus called a hammer and smash it continously into your computer and then that's all, you can also send this virus to your friends all you have to do is go to there house pick up the hammer and throws it as hard as you can either at your friend first, or at their computer.

Yours Truly, Stupid-Head

I'm not sure who wrote that comment, but it is very very very stupid, all you have to is pick up your computer and throw it into your toilet and press the flush button, if this does not work, eat your own face or someone elses cat as for the last comment someone very immature must of wrote that

Yours Truly, Stupid Head