| Thread ID: 70829 | 2006-07-17 19:11:00 | help, removing brontok | citizen_78g (10758) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 471616 | 2007-02-24 20:57:00 | Hi Try the fixes from this site also. en.wikipedia.org(computer_worm) Hth |
johnboy (217) | ||
| 471617 | 2007-02-24 21:07:00 | Try this link (en.wikipedia.org) | Speedy Gonzales (78) | ||
| 471618 | 2007-02-25 08:39:00 | Hi, I tried all of the above things, but no luck because AVG still pops up saying there is the same threat "I-Worm/Brontok.C" in those directories... Any new ideas anyone? Real frustrating this |
parci36 (10759) | ||
| 471619 | 2007-02-25 10:24:00 | Try scanning with House Call free online virus scanner. housecall.trendmicro.com Before you do that try running AVG in safemode. Hold down the F8 key while booting to go into safemode. Black screen will come up, select the Safemode option. Trevor :) BTW I did a Google search and a bit of reading and this virus/worm is rather nasty. |
Trev (427) | ||
| 471620 | 2007-02-25 19:57:00 | Hi, tried entering Windows in safe mode but won't work. As I press enter to select "safe mode", several commands run in DOS till it freezes at one of them, where it remains frozen for 10 seconds and then my computer simply restarts... now what? | parci36 (10759) | ||
| 471621 | 2007-02-25 23:53:00 | Sounds like to me you might have to format the drive and reinstall windows, unless someone has any other ideas. Do a search on google with I-Worm/Brontok.C in the search field. Trevor :) |
Trev (427) | ||
| 471622 | 2007-02-26 00:02:00 | Did u try trojan remover as well?? Download / install / run it, then click on scan, then select the 3rd to 7th option under utils. It's in my sig below. This should hopefully let u get back into regedit, if it's disabled it. It looks like it does this:

W32/Brontok-C is an email worm that sends itself to the addresses gathered from the infected computer, skipping email addresses that contain the following strings:
PLASA, TELKOM, INDO, .CO.ID, .GO.ID, .MIL.ID, .SCH.ID, .NET.ID, .OR.ID, .AC.ID, .WEB.ID, .WAR.NET.ID, ASTAGA, GAUL, BOLEH, EMAILKU, SATU

W32/Brontok-C may arrive attached with a filename randomly chosen from the following:
winword.exe
kangen.exe
ccapps.exe
syslove.exe
untukmu.exe
myheart.exe
my heart.exe
jangan dibuka.exe

The email is sent with a blank subject line and the following message text:
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
By: HVM31 -- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

When first run W32/Brontok-C copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Local Settings\Application Data\winlogon.exe
<Startup>\Empty.pif
<User>\Templates\Brengkolang.com
<Windows>\ShellNew\sempalong.exe
<Windows>\eksplorasi.exe
<System>\repclient1's Setting.scr

W32/Brontok-C will create a remote task in the following location in order to run a copy of itself on a daily basis to maintain infection:
<Windows>\Tasks\At1.job

W32/Brontok-C attempts to download files from a remote website to the following location:
<User>\Local Settings\Application Data\ListHost11.txt
<User>\Local Settings\Application Data\Update.11.Bron.Tok.bin
At the time of writing these files were unavailable from the remote website.

The following registry entries are created to run W32/Brontok-C on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\sempalong.exe

The following registry entry is changed to run eksplorasi.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The following registry entry is set, disabling the registry editor (regedit):
trojan remover should fix these after u select the 3rd to 7th option under utils.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0 |
Speedy Gonzales (78) | ||
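Added example, not part of the original post or of any tool named in the thread: a Python check that reads saved `reg query` text output and reports the startup and policy entries listed in the W32/Brontok-C description above. The key paths and value names are the ones given in the post; the sample output, the user name in it and the function names are constructed for illustration.

```python
import re

CV = r"\Software\Microsoft\Windows\CurrentVersion"
HKCU, HKLM = "HKEY_CURRENT_USER" + CV, "HKEY_LOCAL_MACHINE" + CV
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
is_set = lambda d: d.lower() in ("0x1", "1")

# (key, value name, test on the data) for entries listed in the post above.
INDICATORS = [
    (HKCU + r"\Run", "Tok-Cirrhatus", lambda d: True),
    (HKLM + r"\Run", "Bron-Spizaetus", lambda d: True),
    # The default Shell is exactly "Explorer.exe"; anything else is reported.
    (WINLOGON, "Shell", lambda d: d.lower() != "explorer.exe"),
    (HKCU + r"\Policies\System", "DisableRegistryTools", is_set),
    (HKCU + r"\Policies\Explorer", "NoFolderOptions", is_set),
]

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")  # name, type, data

def parse_reg_query(text):
    """Map (key, value name), both lower-cased, to the value's data."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := VALUE_LINE.match(line)):
            values[(key, m.group(1).lower())] = m.group(3).strip()
    return values

def find_brontok_entries(text):
    """Return (key, name, data) for each listed entry present in the output."""
    values = parse_reg_query(text)
    hits = []
    for key, name, matches in INDICATORS:
        data = values.get((key.lower(), name.lower()))
        if data is not None and matches(data):
            hits.append((key, name, data))
    return hits

# Constructed sample, not captured from a real machine.
SAMPLE = r'''HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Tok-Cirrhatus    REG_SZ    C:\Documents and Settings\user\Local Settings\Application Data\smss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe "C:\WINDOWS\eksplorasi.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1'''

if __name__ == "__main__":
    print(*find_brontok_entries(SAMPLE), sep="\n")
```

Key and value names are compared case-insensitively, as the registry does, so `SOFTWARE` and `Software` match the same key.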
| 471623 | 2007-02-26 07:45:00 | I ran House Call and they found no viruses on my PC... Tried running Trojan Remover but don't know how to get to the step "then select the 3rd to 7th option under utils". If I click SCAN it immediately starts scanning... That scan reports back to say it finds nothing malicious! | parci36 (10759) | ||
| 471624 | 2007-02-26 07:54:00 | Just select all the 5 options under the line one at a time under the Utilities Menu in Trojan Remover. Trevor :) |
Trev (427) | ||
| 471625 | 2007-02-26 15:55:00 | No luck again, I think things may get solved if I can get into safe mode??? | parci36 (10759) | ||