Tech Stuffs

Damn you Brontok!

What is Brontok? It’s a virus from the I-worm family. The virus is spread through the network so basically all the pc in a single network will be infected immediately once the infected pc connects into the network. What it does is creating new files which looked like a folder but its actually a .exe file. Unless you’ve enabled the view extensions in the folder options or else you won’t see the .exe extension of the file. The files are approximately 43.7Kb each and normally people will click to open them because they looked like a folder. So after you’ve open it, the virus will run each time during startup and keep on spreading and spreading… into the hard drives.

More troubles coming up. Normally when you click “Tools” in explorer, there’s a “folder options” underneath it. Once the pc is infected with the virus, the Folder Options will be missing, which disabled you to change the options to view the extension of the files. So when you see a new folder appeared from nowhere and you clicked to open it out of curiousity, the virus spread more again. Moreover, the virus disabled the registry edit where you will see this message “Registry edit is disabled by the administrator” everytime you try to edit the registry.

So how to clean the virus then? I found some solution from Symantec.

[email protected] aka brontok.a

This article is based upon what’s written on Symantec Security Response. The original article can be found here
Read the original page to know much into the technical details. I’ll just extract the information on how to remove it, since u already know what it does and what name it carries.

Removal Instructions.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP)
2. Disable network folder sharing on any folder.
3. Update the virus definitions. Install one if you never had any. Norton and AVG already tested to be working. NOD32 might results to failure if the infections happen for the second time.
4. Boot the pc into safe-mode.
5. Run a full system scan and delete all the files detected. You may want to repeat this step a few times if there’s any file that failed to be removed.
6. After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

7. Use the Security Response “Tool to reset shell\open\command registry subkeys.”

Link here.
1. To delete the value from the registry
Click Start > Run.

Type regedit

Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

“Bron-Spizaetus” = “C:\WINDOWS\PIF\CVT.exe”

Exit the Registry Editor.

To delete the scheduled tasks added by the worm

Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
In the Control Panel window, double click Scheduled Tasks.
Right click the task icon and select Properties from pop-up menu.
The properties of the task is displayed.
Delete the task if the contents of the Run text box in the task pane, matches the following:

%UserProfile%\Templates\A.kotnorB.com

Or just delete anything that you don’t recognize or remember that you created. Just delete anything suspicious.

Ok now you are almost done. (The steps below are not covered by Symantec.)

Open your folder options (Start > Control Panel > Folder Options). If you failed to do so, follow this step:

Run you regedit.exe again and browse to this code:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Policies\NoFolderOptions

Data Type: DWORD = 00000001

Change the DWORD value to 00000000. You may need to restart your computer after that.

Now in the Folder Options, go to “View” tab, untick the option Hide extensions for known file types

Now browse carefully into you documents folder, since most of the time the worm will resides there. Try looking into you pictures folder (eg: My Pictures). If there’s a file that looks like a folder but ends something with .exe, delete it. Most of the time the name will be the duplication of the folder itself. (eg: D:\Documents\My Pictures\personal\personal.exe). The icon will be folder icon so be careful. If you happen to double click it, you will need to remove the virus again.

Check all folders in each drive just to make sure you are clean from it.

Sounds complicated right? I’ve uninstalled my ZoneAlarm Security Suite and installed AVG antivirus. Why I uninstalled it? ZA is almost useless in detecting worms where I found more than 20 files infected by scanning using AVG while ZA can’t find anything at all~! After cleaning, I installed another program, Ewido Anti-Malware, to check there’s any worm or spyware still available. This program is really good as it can detect spywares, worms, trojans, and even keyloggers. I found 160+ files infected after scanning the whole system in Safe Mode. Mostly are just trackers which is not really harmful.

The final steps I did are just following the steps above. In the end, I managed to enable the registry edit and also my folder options again. Now my pc is finally clean from the Brontoks~ I’ve killed you Brontoks!! Yippie!

Update 14 January 2007:
I found some alternative way to delete the virus. Not tested but it is being distributed by popular antivirus programs. Try using the removal tools from Bitdefender and Kaspersky

Download the tools and scan your computer with it. It will remove all the files infected with the Brontok virus. Good luck!~

Tips:
Keep your email network as safe as you can with Exchange server outsourcing. With a reliable company that offers business email and private label Exchange hosting, you will have support to help your computer stay protected. Look into email hosting today!

An engineer which have a lot of interests in gadgets and technology stuffs. The blog varies from life events to gadgets reviews and hacks.

69 Comments

  • ^||DaReDeviL||^

    my house network is clean from virus.. unfortunately the virus came in from Hamachi when we had other frens connected to the network to play dota… it spread into our network just like tat…

  • oakley_konatchi

    Dude,clearing it up from pc is not such a hard work…even by doin ghosting or format pc also can do it(unless u have plenty of files u dun wan to lose)…but there is one problem..and i do hope u have ideas,about prevention…since the latest brontoks can spreads through handy drives,which means it can easily infect the pc again anytime,as long as ur handy drive is ‘dirty’….

    regards

  • PppStuDio

    in my computer,that key is in this path

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

    \Policies\Explorer\NoFolderOptions

    anywhere thank you so much T_T

  • ^||DaReDeviL||^

    Oakley, clearing the virus is not a hardwork actually.. I’m the one who had a lot of files in my hdd that I can’t del it.. so i try using this trick then… you are right about the virus can spread almost from anything. Prevention? I think the best is having a antivirus software which is updated and can clean these sort of virus. I’m now using AVG btw.. and also install some antispyware programs. Check the files with antivirus programs before accessing it. Thanks for your comments ya~

    PppStudio, the key is actually in the path u stated. The steps above is copied from symantec so maybe there’s some typo error for the key link. thanks for stating it out!

  • biLLy_Fisika_ITB

    baguss juga yaa.. ada yang respect tapi yaa githu deh semakin ada penyelesaian semakin menambah minat dan bakat untuk semakin mencari publisitas.. (n_n)”)

  • Abid

    Thanx for this very important issue now-a-days…but one thing I want to know is that …. does any other antivirus except symantec can remove this???
    Rontokbro and Brontok are two different worms or similar in damage but different in name?
    I have recently installed BitDifender Antivirus & Kaspersky….. Kaspersky catch the worm after update but as a “Generic.Brontok” while BitDefender does not need to be updated….. it also catches with the same name “Generic.Brontok”.
    So, please guide me.
    I’ll be very thankful to you.
    [email protected]
    (Please also CC ur reply to this email)
    Ok bye
    Take Care

  • ^||DaReDeviL||^

    thanks for the reply Abid. Actually Symantec just issued out the ways to clear the virus but their antivirus can’t really clear the virus automatically. So basically you have to clear it manually following the details. I used AVG antivirus which detected the virus but also have to clear everything up manually. I still think that u should get an antivirus that updates from time to time since there’s so many virus came out everyday. So recommendations, I think you should go on with kaspersky or AVG antivirus. btw.. AVG is free.. hehe

  • Shaharuddin Ismail

    Dear DareDevil,

    There is another way of fixing the Brontok I that usually do with 100% success with 1 scan using the beloved free edition AVG.
    Once you have recognize the threat, disable System Restore & shutdown the PC. Then take out the Harddrive and scanned it with another computer that have an updated AVG (use USB connector preferably).
    When healing is complete put the harddisk back into the CPU and Restart. Voila no more threats and the Folder Option fix is not needed. However that startup error message saying “********.exe file is missing” will still be there. Use Regedit to correct the problem as to your rec above.
    If you cannot access the Registry, for XP Pro users type “%windir%\system32\gpedit.msc” Goto User Config – Admin Templates – System Folder. In the right pane select “Prevent access to registry tools” and select “Disable” than restart PC. For XP Home user unfortunately you have to download the Symantec reset tools as posted above.

  • Sundar

    Tons of Thanks to you.
    I have cleaned up the PC with AVG and steps given.
    but still get *.exe file missing error message persists! how remove this msg at start up!
    even i reset the registry setting by symantec tool and did what Shaharuddin Ismail told(%windir…..etc)

    also newdot~.dll is also missing(cleaned by mcafee when i installed mcafee b4 tryin AVG). where to find out? or clean up this msg!?

  • menghua

    i think u haven’t edit the registry following the steps i given above. Follow the steps to edit the registry in regedit, n the missing *.exe file msg will be gone. On the newdot~.dll, i really don’t know how to fix it. Did it appear when startup as a warning msg as well? maybe u need to reinstall the windows by using the repair option.

  • neo

    i got infected by the same virus but i found a solution… u dont need any antivirus at all… just install DEEPFREEZE!

    but theres a catch! once ur drive is frozen, saving to it is not posible anymre! hehehe…. you can save, but once you restart… say goodbye to it…

  • Malcohm

    Hey guys,

    Specialy to Symantec! I was just wondering if your solutions are effective????? Rontokbro mass mailing worm will not allow you to open explorer windows. So in reality and not by theory, you cannot install any application because the virus/worm will close any explorer/application windows. Even if you try to be in safe mode, the viruses operation is still in effect. So installing an antivirus in safe mode won’t work either. I dont know if symantecs solution are effective? I tell you what, if the worm/virus is in the memory, you can’t even move or think even a single second to do what is the right thing to do! Because every operation you have will just be in vain because the worm is operating in the memory. The best thing to do is to terminate all suspicious programs running in the memory and then start your expert moves in removing the worm. I found out that the infection will be having 43,072 bytes. So use windows commander to delete all files that have those byte size. As far as my experience is concerned, I manage to remove the worm by simply using WINDOWS DEFENDER from microsoft and terminate all the unpublished programs from the tools/software exporer feature of windows defender. I dont know why the rontokbro allowed me to install the windows defender program and never close the windows of it. So i have the chance to remove the rontokbro virus by tracing its program operation. Indeed it is a mass mailing worm for I have seen it my self all its stored email address. Just use the symantecs recommended step to restore registry access since the worm modifies the registry and disable registry editing. Thanks. More power. From the Philippines. Bye

    For more information just email me.
    contact nos.
    09265146952 (touch mobile/globe)
    (063) 221-2612 (PLDT)

  • ^||DaReDeviL||^

    Actually, this is not the mass mailing worm. This worm that I’m talking about creates files with virus that look like a folder which is with the .exe extension, where most ppl will open it due to curiosity. Then it’ll keep on spreading again after the folder being opened. Besides that, it disabled folder options so that you can’t change the view options to view the extensions of files.

    I understand that there’s a lot of solutions out there. But the solution I posted did clean the virus from my PC. Thanks for your comments.

  • - [ Rizal ITB Technician ] -

    Hey.. I found another way to clean brontok virus
    yes… it’s easy and simple.. i used Penawar Brontok remover
    that you can download at

    http://www.kaer-media.org/penawar-brontok

    i managed to clean my computer labs… its just simple and easy.. and some donation to the programmer of Penawar Brontok to get the full edition, i bought it with a very cheap donation… the program fix & repair all the damaged by brontok virus well.. can scan unknown variant of brontok virus, fix the antivirus installation.. now i can install antivirus without format my hardrive… i also can multiple hardisk, map drive just click and scan.. the speed of scanner penawar brontok is very fast. I’m technican so i grab this Full Edition tool to make my job easier last time i hit by brontok 10,000 ! 🙁 gosh… Thanks to penawar brontok 🙂

  • blado admin

    IF HAVE STILL PROBLEM WITH VIRUS BRONTOK, THIS IS THE SOLUTION, YOU CAN FIND AND DOWNLOAD FREE ANTI VIRUS, SO YOU CAN ERASE ALL VIRUS ON YOUR COMPUTER

  • akbar

    Here you can download here free anti virus for remove decoil virus, free anti virus tools for erase virus decoil, free anti virus info, free anti virus linux,free anti virus software, free security tools for your PC’s, free anti virus program, free scan virus, free anti spam, free anti brontok and free for all anti virus and than your pc is clean..

    http://antidecoil.atspace.com/antidecoil.html

  • Manan

    Hi Guys,

    I have successfully cleaned my PC the Symantec way. But i have lost a lot of softwares since windows cant find their exe files. for example, i can see the winamp icon on my desktop but if i click it windows says it is searching for winamp.exe file. Even the winamp folder in program files does not show the exe file.

    Is there some way i can recover these exe files/softwares without having to re-install them?

    Thanx,

    Manan

  • webnecromancer

    FUCK YOU BRONTOKS OUR MUSLIM BROM HAS FOUND AN ANSWER TO IT, U BRONTOK YOU ARE SON OF A WHORE, A SLUT,A woman WHO HAD BEEN RAVAGED BY AGAIN AND AGAIN!!!NOW U GOT GUTS DO DO ANY THING I WILL FUCK YOU GAL, & UR SIS

  • BLANJO

    Antivirus is the place for the best information and solutions for remove virus on you computer, pc, note book, pda, mobile handphone,etc. Here you can download free antivirus and cleaner all virus on you computer. many software for remove virus on your computer.
    Special FOR REMOVE BRONNTOK !!!

  • MERY SCHMIDT

    anti virus is a tool for remove virus on your computer, pc , note book, here you can find free anti virus, download anti virus, anti virus tools and check your computer; how many virus infect on computer.. here you can find what you need and what you want.Antivirus is the place for the best information and solutions for remove virus on your computer, pc, note book, pda, mobile handphone,etc. Here you can download free antivirus and cleaner all virus on you computer. many software for remove virus on your computer. Ex: ( antivir,antivirus Norman, Mc affe antivirus,Pc cilin antivirus ). you can choice your anti virus.So, don’t be afraid for virus more, we give you here all antivirus tools

  • menghua

    hi manan, i think u have to reinstall those applications since the exe files are infected by the virus. Are the .exe files being quarantined? just reinstall the program and they will work again.. hope this helps

  • Lynda

    my pc have been infected with brontok, is it to late to install any *.exe antivirus, what if regedit,msconfig,even folder option has been disabled, what to do? what to do!!?

  • MaxBird35786

    Once you “BEEN DISABLED EVERYTHING” even regedit is no longer exist… Call Bill Gate, (of course he won’t come) The answer is Format your hard disk and then install new antivirus!

  • RomanoRuhizal

    ya formatting c:It’s like re-born but this time with a muscle armour bouncing over your body. stop it before it get in.before it’s to late.

  • Little Friend

    Brontok or whatever it is, after all made by us; is easy to be removed without formating. Mail me about your problem at [email protected]. Mail me virus names for removal instructions back on your mail… Regards, Little Friend…

  • Isa

    Cheers, Mate! Your explanation saved my computer, my thesis, my life! 🙂

    Brontoks hid as “c:\my folder\my folder” on my pc. All that is left now is the message “Windows cannot finde [File Name]. Make sure you typed the name correctly, and then try again. …” everytime I re-boot. But I guess I can live with that :-). I know that the message should disappear, but it doesn’t even though I have followed your instructions to the book.

    For all people who, like me until now, do not have proper up-to-date anti-virus-software on their computer, try “Ultimate Washer” from Ertanto and select one of the infected folders in the browser field. The tool will then detect all similar folders and delete all of them at the same time, allowing you to win the race against the worm. Then proceed with step 6 of this post.

  • Muhammad Akram Babur

    Dear Sir,

    I’m having a big problem in my PC. The problem is that when I want to check Folder Options from Tools Menu; they are absent from there. When I try to open Registry or Command Prompt; my computer Accidently ShutDown.
    Once I’ve seen a picture. After that this happened. I’ve MCafe 8.0i as an antivirus.
    Please

  • rbnx_rebnix_brnx

    i was able to remove the virus manually from one of my client’s pc..but mine was a bit different procedure..i can’t open msconfig, regedit, Folder options anymore..so i used Win 2000 bootable CD then I manually one by one eradicated the mother files of the virus. after that all works well…im in a hurry that time for next customer (to be home serviced) who is a doctor, so i dont care anymore about the locked registry..what is important is that applications won’t close anymore as you open them not like when brontok was still active. by the way maybe some will ask why i used that procedure? why i used win 2000 bootable cd? because that pc of my customer in their home has no internet connection..i cant download and i cant find guids from the internet coz theres no connection..and i found out that virus on the spot so so i hav to do it my way, using the bootable cd and thanks a lot that it worked.

  • MacD

    I also get that error that appears after each restart, the one about the missing file.
    i was wondering, would it be possible to make an .exe file in that directory, that doesnt actually do anything, like it just closes itself?
    i have no idea how to make code that can do that, so if this is a possible solution, could someone make some code that just opens and closes a file, and email it to me or something? my email is [email protected].
    cheers from Australia, and thanks for the help Daredevil!

  • mohit mansinghka

    DEAR RESPECTED FRIENDS,
    THNK YOU ALL FOR THOSE WONDER FUL SOLUTIONS.I HAVE DONE ALL THAT IS WRITTEN BUT THE ONLY PROBLEN IS THAT I CANNOT VIEW THE FOLDER OPTION STILL?

    CAN ANY ONE HELP?
    PLEASE
    PLEASE
    PLEASE

  • ..::::~||DaReDeviL||~::::..

    hmm.. did u follow this step?

    [quote post=”158″]Run you regedit.exe again and browse to this code:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NoFolderOptions

    Data Type: DWORD = 00000001

    Change the DWORD value to 00000000. You may need to restart your computer after that.[/quote]

    you may not able to run regedit due to the virus so u need to use the tool from symantec. Hopefully this helps..

  • titu

    by the does any one who created this damn virus!!! son of a bitch doesnt have anythings to do !!!

  • Suryani Salleh

    Hey Rizal ITB, thanks you for the link that u post before because penawar brontok can save my computer at all ! i bought the full edition yesterday ! now my pc are smooth then before.. thanks you ! anyone that miss Rizal message here the link to cure the brontok :

    http://www.kaer-media.org/penawar-brontok

    it easy enough, fast and very accurate to scan the brontok virus !

  • Mike

    Good news at last;;;

    Real Thanks mate
    Wanna screw de Brontok assshole too…All these days I cant accss my hidden folder exept by using some other mini utility.

    TO HELL WITH THE PERVERT BRONTOK

  • Ivan

    Good Bro…Good

    I agree with Titu…a pity some souls still dont have time to taste life lie us…I really pity him,hope he’s still alive if he have no suicide tendency yet.One thing i,m sure ,he’s constipated all de time or can’t satisfy …poor soul..

    IVAN

  • nicholas

    hallo.. Im a IT in a company .. this virus really make me headache.. i try many kind of anti virus but idoest work …i have install avg and try the way you say but i still cannot clean my network for this virus … if i didnt share my network it wont be infected .. if i share a folder the virus will spread into the folder.. help me … how to clean it …

  • menghua

    you must disconnect all the pc from the network first because the virus will spread into the network as long as 1 pc is still infected. Only connect those cleaned pc into the network. Follow the steps above and it should be ok. Remember don’t open those folder .exe files.

  • nicholas

    Our company have around 40 computer its really hard to make it … if disconnect all the network …we cannot doing our job because we are using My SQL server … got other suggestion ?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: