Author Topic: Help.....Brontok, Rontok Worms  (Read 7020 times)

coolsam
Help.....Brontok, Rontok Worms
« on: February 19, 2006, 04:43:29 AM »
Does avast cure the Brontok/Rontok worm??? I am infected!!!!!

DavidR
Re: Help.....Brontok, Rontok Worms
« Reply #1 on: February 19, 2006, 02:42:02 PM »
What is your OS ?
What AV are you using ?

avast's virus database has 19 entries for Brontok/Rontok variants, so unless you have a different variant or a new variant then avast should detect it. I assume you aren't using avast or yours isn't fully up to date (4.6.763 and VPS 0607-2).

If you haven't already got avast installed, ensure you remove (not just disable) your existing AV, otherwise conflicts can occur.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

coolsam
Re: Help.....Brontok, Rontok Worms
« Reply #2 on: February 19, 2006, 03:16:37 PM »
Thanks bro... After reading the past posts I have learned to scan in safe mode... It's great... it removed the virus. But let me ask again: if I have just cleaned my PC and I open a network PC which is infected, do I catch the virus again, even if avast's on-access protection is on?

DavidR
Re: Help.....Brontok, Rontok Worms
« Reply #3 on: February 19, 2006, 05:04:11 PM »
If you are ignoring local connection traffic, you will get infected again; uncheck 'Ignore local communications' in Web Shield, Customize, Basic. I don't know if this will resolve this, as it would depend on what the local traffic was; if not http: then I don't think it would catch it. However, Standard Shield should catch it if the file is saved to your system's HDD (depends on your Standard Shield settings and sensitivity).

You should ensure all network systems are cleaned or you and any other systems on it are likely to become infected again.

polonus
Re: Help.....Brontok, Rontok Worms
« Reply #4 on: February 19, 2006, 05:29:03 PM »
Hi coolsam,

If you have admin rights you can run the following removal tool:
http://wirusy.antivirenkit.pl/en/szczepionki/Brontok.html

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Kunio
Re: Help.....Brontok, Rontok Worms
« Reply #5 on: February 20, 2006, 10:10:03 AM »
This site also has a removal tool:
http://jeruk.padinet.com/~ertanto/
but avast currently FP detects it as Win32:Brontok

DavidR
Re: Help.....Brontok, Rontok Worms
« Reply #6 on: February 20, 2006, 03:49:59 PM »
> This site also has a removal tool:
> http://jeruk.padinet.com/~ertanto/
> but avast currently FP detects it as Win32:Brontok

Probably because the signatures it is trying to detect aren't encrypted, so avast detects them. In that case avast is detecting correctly, as it is looking for signatures; it isn't to know what those signatures are for.

Kunio
Re: Help.....Brontok, Rontok Worms
« Reply #7 on: May 29, 2006, 10:27:52 AM »
> This site also has a removal tool:
> http://jeruk.padinet.com/~ertanto/
> but avast currently FP detects it as Win32:Brontok

Is there any way that avast can tag this tool as "safe"? Too many users are confused and think it is a virus. But in fact, this tool is clean.

Lisandro
Re: Help.....Brontok, Rontok Worms
« Reply #8 on: May 29, 2006, 03:41:04 PM »
> Is there any way that avast can tag this tool as "safe"? Too many users are confused and think it is a virus. But in fact, this tool is clean.

Until the virus database is corrected, as a workaround, you can add it to the two Exclusion lists of avast:

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be careful, you should 'exclude' that many files that let your system in danger.
The best things in life are free.
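
An added example, not part of the thread and not avast code: a pre-check of wildcard exclusion patterns against a file inventory, showing how much each pattern would exempt from scanning beyond the one tool it is meant for. The paths are constructed, and the matching rule (shell-style `*` and `?`, case-insensitive, `*` crossing directory separators) is an assumption about how such exclusion lists behave.

```python
import fnmatch

# Constructed file inventory (hypothetical paths, not taken from the thread).
INVENTORY = [
    r"C:\Tools\BrontokRemover\remover.exe",
    r"C:\Tools\BrontokRemover\signatures.dat",
    r"C:\Tools\other\setup.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Documents and Settings\sam\Desktop\invoice.exe",
]

# The only files the exclusion is meant to cover.
INTENDED = {
    r"C:\Tools\BrontokRemover\remover.exe",
    r"C:\Tools\BrontokRemover\signatures.dat",
}


def matches(pattern, path):
    # Assumed semantics: glob-style * and ?, case-insensitive,
    # with * also matching across backslashes.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def audit(pattern, inventory=INVENTORY, intended=INTENDED):
    """Return (covered, collateral): intended files matched, and
    unrelated files that would also stop being scanned."""
    hits = [p for p in inventory if matches(pattern, p)]
    covered = [p for p in hits if p in intended]
    collateral = [p for p in hits if p not in intended]
    return covered, collateral


def verdict(pattern):
    covered, collateral = audit(pattern)
    if collateral:
        return "too broad"      # exempts files it was never meant to
    if len(covered) < len(INTENDED):
        return "incomplete"     # the tool would still be flagged
    return "ok"


if __name__ == "__main__":
    for pat in (r"C:\Tools\BrontokRemover\*", r"C:\Tools\*", r"*.exe"):
        print(f"{pat:32} {verdict(pat):10} collateral={audit(pat)[1]}")
```
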

DavidR
Re: Help.....Brontok, Rontok Worms
« Reply #9 on: May 29, 2006, 03:56:42 PM »
I'm not sure the VPS would be changed; it hasn't been for the likes of Panda's signature files, which are also unencrypted. avast can't easily make the distinction of what the intent of a tool or file is; it is looking for virus signature patterns and it found one.

So the only option is to add it to the exclusions if you are sure it isn't infected.

You could also consider contacting the author and see if they can encrypt the signatures, that way they wouldn't be scanned.