TechSpot

Pls help remove worm.brontok.m & downloader.vb

By turbo1
Aug 2, 2007
  1. I have downloaded all the utility tools needed from the viruses/spyware/malware preliminary removal instructions, but it wasn't successful running them step by step. I even had difficulties installing some of them because it won't launch the install wizard or the EXE.

    Even when I was able to install some of them & try to run it, it runs for a while and then collapses afterwards. I have tried hunting around for whichever of the utilities may work, trying a bit, but I wasn't able to run a complete scan for AVG & AD-AWARE.

    I saw this worm.brontok.m & download.vb on the screen running AVG before it collapsed. I was informed that brontok is a high risk, that it already disabled my registry editor, msconfig, folder options, DOS prompt, any program or anything that leads to the registry for a fix; it just doesn't work. I was able to save a log from COMBOFIX that was automatically saved in my C:\ drive...... pls help
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please download the file fix.reg.zip attached to this post and save it to your desktop. Extract the archive, then double-click the extracted file. When asked if you want to merge the file with the registry, click Yes.

    These instructions and the attached file are for turbo1 only. Anybody else should NOT follow these instructions or download the file as it could damage the workings of your computer.

    Please let me know the results.

    Regards :)

    This thread is for the use of turbo1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     


  3. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    Didn't work either, error message: REGISTRY EDITING WAS DISABLED BY YOUR ADMINISTRATOR.
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Download and extract the file to your desktop. Then boot into safe mode, under your normal user name (not the administrator account; see how HERE).

    Then try to open the file.

    Regards :)

    This thread is for the use of turbo1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    Still no change, same error message.

    What kind of virus is this? Now I found out that my USB flash disk was infected too. All of the folders have duplicates within the folders; when you open it, some kind of black screen flashes. I think that's the DOS prompt releasing & spreading the virus.
     
  6. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    To be honest, the only thing I know to try would be a Windows repair (instructions HERE). If that doesn't work, unless somebody else has suggestions, you'd probably be best off reformatting.

    Please let us know how it goes.

    Regards :)

    This thread is for the use of turbo1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
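The USB symptom turbo1 describes (every folder with a same-named "duplicate" that flashes a console window when opened) is a file carrying a folder's name with an executable extension, often hidden. The PowerShell script below is an added example, not code from the thread or from any tool mentioned in it: it walks a removable drive and reports executable files whose base name matches a sibling or parent folder, or that are marked hidden+system, with a SHA-256 so the sample can be submitted to a scanner. The drive letter `E:\`, the extension list and the `Get-FolderMimics` name are assumptions; save it as a `.ps1` and run it with the drive plugged in. It reads only and deletes nothing.

```powershell
# Added example (not from the thread). Lists files on a removable drive that
# mimic a folder name with an executable extension, or that are hidden+system.
# Assumption: $DriveRoot is the root of the USB drive being inspected.
param(
    [string]$DriveRoot = 'E:\'
)

# Extensions that Explorer will run when the "folder" is double-clicked.
$execExt = '.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs'

function Get-FolderMimics {
    param([string]$Root)
    # Root plus every directory under it; -Force so hidden directories are included.
    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $subdirNames = @(Get-ChildItem -LiteralPath $dir.FullName -Directory -Force -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.Name.ToLowerInvariant() })
        $parentName  = $dir.Name.ToLowerInvariant()
        $files = Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $ext = $f.Extension.ToLowerInvariant()
            if ($execExt -notcontains $ext) { continue }
            $base          = $f.BaseName.ToLowerInvariant()
            $mimicsSibling = $subdirNames -contains $base   # "Photos" folder next to Photos.exe
            $mimicsParent  = $base -eq $parentName          # Photos\Photos.exe
            $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($f.Attributes -band [IO.FileAttributes]::System) -ne 0
            if ($mimicsSibling -or $mimicsParent -or ($hidden -and $system)) {
                [pscustomobject]@{
                    Path          = $f.FullName
                    MimicsSibling = $mimicsSibling
                    MimicsParent  = $mimicsParent
                    Hidden        = $hidden
                    System        = $system
                    SizeBytes     = $f.Length
                    SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

Get-FolderMimics -Root $DriveRoot | Format-Table -AutoSize
```

Identical hashes across many folders are the tell: a worm drops one body under many names, so a single hash repeated per folder is a much stronger signal than any one file. Keep the drive read-only (do not open the folders through Explorer) until the matches have been reviewed.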
     
  7. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    I'm almost having it re-formatted; it just came to my mind on how to get even & completely eradicate the virus first, just giving it a try, my system is totally messed up anyway. & there are plenty of anti-virus software available in the market that can do this. But the question is, how to install it when the virus blocks the installation. I had some research about the virus & it led me to this solution.

    I was able to resolve the problem using the UNHOOK.exe.

    It breaks the codes or unblocks the registry editor's door. It's not an anti-virus but a utility tool or something that forces the registry editor to open.
    But it's not fixed yet. It's just one way of getting in to the registry strings & value entries to have it fixed.

    Now, it's time to unpack the fix.reg.zip that you told me to download & that's it. Registry values were fixed & I can now use the RegEdit command normally. I just read from a website to use the SOPHOS anti-virus to wipe out the infected files & it detected 1,700+ infected.

    Do I still have to run the preliminary removal instructions?

    Thanks for the repair tool.
     
  8. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Great, I'm glad to hear you got this far.

    You should still follow the preliminary removal instructions and post the requested logfiles. The reason for this is that there is still probably some nasty stuff on your system that you'd do best to remove manually.

    Regards :)

    This thread is for the use of turbo1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  9. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    Yeah, you're right. I guess there's something else in my system. I can't run the HJT.... error message:

    "windows cannot access the specified device,path or file.you may not have the appropriate permissions to access the item ".....

    I'm having difficulties running the preliminary removal instructions for a couple of days, aside from having a bad network connection. I'll have the logs posted to this thread once I get them working. Thanks.


     
  10. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    Finally, I got all the required logs. Pls view attached & just let me know if I missed something out from the instructions.....

    BTW,
    AVG Anti-Rootkit scan report : "NOTHING FOUND"
     
  11. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

    Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.


    This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply.

    Then run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

    ALL O1 - Hosts entries

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKCU\..\Run: [f1959DON] "C:\WINDOWS\system32\s5817\zh591224084y.exe"

    O4 - HKLM\..\Policies\Explorer\Run: [A7413r] "C:\WINDOWS\_default45912.pif"

    O4 - HKCU\..\Policies\Explorer\Run: [f1959DON] "C:\Documents and Settings\DON\Local Settings\Application Data\dv6122400x\yesbron.com"

    O4 - HKUS\S-1-5-18\..\Run: [y3114SYS] "C:\WINDOWS\system32\n8127\sv711917030r.exe" (User 'SYSTEM')

    Close all open programs except HijackThis, then click the Fix Checked button. Fixing may take awhile; once it's done, close HijackThis.

    Your AVG Anti-Spyware log says No action taken for all items. That's because you haven't set it to apply the correct action to scan results. Please rerun AVG Anti-Spyware as per these instructions and then post a fresh logfile, as well as a fresh HijackThis log and the log resulting from the CFScript.

    Regards :)

    This thread is for the use of turbo1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
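Two things in this thread are worth being able to check without a third-party tool. The error turbo1 hit ("Registry editing has been disabled by your administrator") is what regedit shows when the `DisableRegistryTools` policy value is set, and the other blocked tools he lists (Task Manager, Folder Options, the command prompt) have equivalent policy values; the O4 lines kitty500cat asks him to fix are autorun entries under the `Run` and `Policies\Explorer\Run` keys of HKCU, HKLM and the SYSTEM account's hive. The PowerShell script below is an added example, not code from the thread and not the contents of the attached fix.reg or CFScript.txt (which are not shown here): it reads those policy values and autorun locations and reports what is set, flagging entries that match the patterns visible in the listed O4 lines. The function names and the flag heuristics are mine; it assumes an elevated PowerShell 5.1 or later session on the affected machine (the `HKEY_USERS\S-1-5-18` key is only readable with administrative rights) and changes nothing.

```powershell
# Added example (not from the thread or its attachments). Read-only audit of the
# policy values that lock users out of repair tools, plus the autorun keys that
# HijackThis reports as O4 entries. Assumption: elevated session on the affected PC.

# Policy value -> tool it disables. A non-zero value means the tool is blocked.
$policyChecks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Tool='Registry Editor' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Tool='Task Manager' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Tool='Folder Options' },
    @{ Path='HKCU:\Software\Policies\Microsoft\Windows\System';                   Name='DisableCMD';           Tool='Command Prompt' }
)

# Autorun keys mirroring the O4 lines in the thread: HKCU\..\Run,
# HKLM/HKCU\..\Policies\Explorer\Run and HKU\S-1-5-18\..\Run (the SYSTEM account).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-LockoutPolicies {
    foreach ($c in $policyChecks) {
        # Missing key or value is the normal (good) state, so errors are suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -ne 0) {
            [pscustomobject]@{ Tool=$c.Tool; Key=$c.Path; Value=$c.Name; Data=$item.($c.Name) }
        }
    }
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
            $cmd = [string]$p.Value
            # Reduce the command line to its executable path for the existence check.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Heuristics drawn from the O4 lines above: policy Run keys are uncommon
            # outside group policy; .pif/.com/.scr startup items; binaries under a
            # per-user Application Data folder or a random-looking system32 subfolder.
            $suspicious = ($key -like '*Policies\Explorer\Run') -or
                          ($exe -match '\.(pif|com|scr)$') -or
                          ($exe -like '*\Local Settings\Application Data\*') -or
                          ($exe -match '\\system32\\[a-z]\d+\\')
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                Flag    = $suspicious
            }
        }
    }
}

Write-Host '== Policy values locking out repair tools =='
Get-LockoutPolicies | Format-Table -AutoSize
Write-Host '== Autorun entries (Flag = matches a pattern from the O4 lines in this thread) =='
Get-AutorunEntries | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A `.reg` file that re-enables the tools does the equivalent of `Remove-ItemProperty` on the key and value names the first table shows; it only stays fixed if the process that set the value is no longer running, which is why the thread's order is regain registry access first, then scan, then post logs. Entries in the second table whose file no longer exists (`Exists` false) are the leftovers HijackThis is being asked to clean.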
     


  12. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    Hi there again, I'm really having a hard time getting back to the network due to bad weather & power outage for a couple of days. Actually, I'm in a different location now where I can get back online just to send the attachment for your review.

    The CFScript scan was successful, as well as the report for the HJT re-run. But I wasn't able to finish the complete scan for AVGAS due to power outage. I'll have it attached on my next post. I really appreciate your patience & thank you very much for accommodating this thread.

     
  13. turbo1

    turbo1 TS Maniac Topic Starter Posts: 353

    My apology for my 6th post, I attached the wrong AVGAS file. By that time AVG was not set to QUARANTINE yet. After getting over to the settings, I was able to make a complete scan as told in the instructions & here's the result. I'm very sorry for the delay.

    Thanks again

     