Author Topic: please help me, worm or virus brontok.a.html  (Read 6738 times)


vaibhavdave

  • Guest
please help me, worm or virus brontok.a.html
« on: November 29, 2006, 07:11:26 AM »
My PC is infected by a worm or virus which creates various copies of processes namely lsass.exe winlogon.exe and services.exe, it also uses my CPU resources up to 100 percent. It opens a webpage periodically namely Brontok.a.html. please help me.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: please help me, worm or virus brontok.a.html
« Reply #1 on: November 29, 2006, 08:06:31 AM »
Hi vaibhavdave,

You should be able to abort the shutdown within the first 60 seconds by doing the following:

* Press the Start button and then the Run menu item.
* Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".
* Press OK.

"The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe."

This doesn't fix anything, it just lets you get on with the business of disinfecting your computer.

Then, take the following steps:

* Use a firewall. This can be as simple as installing an Internet Connection Firewall like ZoneAlarm free or purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from brontok.a and many other types of email and non-email based threats.
* Install the patch. All patches for your operating system can be found with Microsoft Security Bulletins.
* Remove the virus. There are several removal methods floating around on this webforum, look for Brontok and Its Variants for one.
* Update and run your Avast Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan regularly.
* Stay up-to-date. There are several options, but I endorse running Windows Automatic Update for Windows XP. My preference is to have it download and notify me of changes that are ready to install. In addition - or, if you prefer, instead - you should also visit Windows Update on a regular basis for additional updates to your system. I probably visit once a month.

The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Further info on brontok A removal...

Technical details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 41KB in size.

Installation

When installing, the worm copies itself to the directories listed below, under the following names:
%Documents and Settings%\User\Local Settings\Application Data\csrss.exe
%Documents and Settings%\User\Local Settings\Application Data\inetinfo.exe
%Documents and Settings%\User\Local Settings\Application Data\lsass.exe
%Documents and Settings%\User\Local Settings\Application Data\services.exe
%Documents and Settings%\User\Local Settings\Application Data\smss.exe
%Documents and Settings%\User\Local Settings\Application Data\winlogon.exe
%Documents and Settings%\User\Start Menu\Programs\Startup\Empty.pif
%Documents and Settings%\User\Templates\WowTumpeh.com
%System%\<user name>'s Setting.scr
%Windir%\eksplorasi.pif
%Windir%\ShellNew\bronstab.exe

The worm then registers itself in the system registry, ensuring that the worm file will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windir%\ShellNew\bronstab.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="%Documents and Settings%\User\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\eksplorasi.pif"

The worm also modifies the following system registry records, which will block some Windows applications and properties (e.g. system registry, file properties)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced]
"Hidden"="0"
"ShowSuperHidden"="0"
"HideFileExt"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"DisableCMD"="0"

The worm creates the following folder:
%Documents and Settings%\User\Local Settings\Application Data\Bron.tok-XX

XX: two random numbers.

Propagation via email

The worm harvests email addresses from files with the following extensions:

asp
cfm
csv
doc
eml
html
php
txt
wab

It does not harvest addresses which contain the following strings:

ADMIN
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
ASSOCIATE
AVAST
AVIRA
BILLING@
BUILDER
CILLIN
CONTOH
CRACK
DATABASE
DEVELOP
ESAFE
ESAVE
ESCAN
EXAMPLE
GRISOFT
HAURI
INFO@
LINUX
MASTER
MICROSOFT
NETWORK
NOD32
NORMAN
NORTON
PANDA
PROGRAM
PROLAND
PROTECT
ROBOT
SECURITY
SOURCE
SYBARI
SYMANTEC
TRUST
UPDATE
VAKSIN
VAKSIN
VIRUS

When sending infected messages, it establishes a direct connection to the recipient's SMTP engine.

Infected messages

Message subject

Attachment names

Kangen.exe

Other

If the worm finds an open window with the following strings in the name, it will reboot the victim machine:

.exe
Registry

Stay malware free,
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
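The registry entries quoted in polonus's post are the most useful part for anyone who has to check a machine by hand, because a cleaning tool that misses the Winlogon "Shell" line or the two Run values leaves the worm able to come back after a reboot. The script below is an added example, not code from the forum post, from Avast or from the original write-up: it parses a text dump in `reg export` syntax, flags the entries the post lists (the autorun value names, the drop-file paths, the altered Shell line and the Explorer/policy values), and writes a .reg file that deletes the autorun values and restores the settings. The sample dump is constructed for the example; the restore values (show hidden files and extensions, re-enable Folder Options and regedit) are the example's own choice, and real `reg export` output is typically UTF-16, so read it with `encoding="utf-16"` before passing it in.

```python
"""Scan a reg-export style dump for the Brontok.A registry changes listed in the
post and build a .reg file that undoes them. Added example; indicators are the
ones quoted in the post, restore values are this example's own choice."""
import re

# Keys and value names quoted in the post (compared case-insensitively).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
KNOWN_RUN_NAMES = {"bron-spizaetus", "tok-cirrhatus"}
DROPPED_NAMES = {"bronstab.exe", "eksplorasi.pif", "empty.pif", "wowtumpeh.com"}
SYSTEM_LOOKALIKES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
DROP_DIR = "\\local settings\\application data\\"
# (key, value) -> (data the post says the worm writes, data this example restores)
TAMPERED = {
    (EXPLORER_POLICY, "NoFolderOptions"): ("1", "0"),
    (SYSTEM_POLICY, "DisableRegistryTools"): ("1", "0"),
    (ADVANCED_KEY, "Hidden"): ("0", "1"),
    (ADVANCED_KEY, "ShowSuperHidden"): ("0", "1"),
    (ADVANCED_KEY, "HideFileExt"): ("1", "0"),
}
_SHORT_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_LONG_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def _norm_key(key):
    hive, sep, rest = key.strip().lower().partition("\\")
    return _SHORT_HIVES.get(hive, hive) + sep + rest

def parse_reg(text):
    """Parse reg-export syntax into {normalised key: {value name: data}}.
    Handles REG_SZ ("n"="d", with \\ unescaped) and REG_DWORD (dword:xxxxxxxx)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = _norm_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            keys[current][name] = sz.replace("\\\\", "\\") if sz is not None else str(int(dword, 16))
    return keys

def _lookup(values, wanted):
    """Case-insensitive value lookup; returns the data or None."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return None

def looks_dropped(path):
    """True if a path names one of the worm's drop files from the post."""
    p = path.strip().strip('"').lower()
    base = p.rsplit("\\", 1)[-1]
    return (base in DROPPED_NAMES or base.endswith("'s setting.scr")
            or (DROP_DIR in p and base in SYSTEM_LOOKALIKES))

def find_indicators(keys):
    """Return (key, value name, data, reason) tuples for Brontok.A-style entries."""
    hits = []
    for name, data in keys.get(_norm_key(RUN_KEY), {}).items():
        if name.lower() in KNOWN_RUN_NAMES:
            hits.append((RUN_KEY, name, data, "autorun value name used by Brontok.A"))
        elif looks_dropped(data):
            hits.append((RUN_KEY, name, data, "autorun points at a Brontok.A drop file"))
    shell = _lookup(keys.get(_norm_key(WINLOGON_KEY), {}), "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append((WINLOGON_KEY, "Shell", shell, "Winlogon Shell launches more than Explorer.exe"))
    for (key, wanted), (worm_value, _) in TAMPERED.items():
        if _lookup(keys.get(_norm_key(key), {}), wanted) == worm_value:
            hits.append((key, wanted, worm_value, "matches the value the worm writes"))
    return hits

def remediation_reg(hits):
    """Build .reg text: delete flagged autorun values, restore Shell and policies."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _data, _why in hits:
        hive, sep, rest = key.partition("\\")
        lines.append("[%s%s%s]" % (_LONG_HIVES[hive], sep, rest))
        if key == RUN_KEY:
            lines.append('"%s"=-' % name)  # "=-" deletes the value
        elif key == WINLOGON_KEY:
            lines.append('"Shell"="Explorer.exe"')
        else:
            lines.append('"%s"=dword:%08x' % (name, int(TAMPERED[(key, name)][1])))
        lines.append("")
    return "\n".join(lines)

# Constructed sample dump in reg-export syntax; "ExampleTray" is a harmless decoy.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\ShellNew\\bronstab.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\User\\Local Settings\\Application Data\\smss.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\eksplorasi.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
'''

if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_DUMP))
    for key, name, data, why in found:
        print("%s\\%s = %s  <- %s" % (key, name, data, why))
    print(remediation_reg(found))
```

The check on the Shell value is deliberately "anything other than exactly Explorer.exe" rather than a search for eksplorasi.pif, because the same trick works with any file name; the drop-file check on Run values is the opposite, a narrow list, so that legitimate programs living in Application Data are not flagged just for their location. Since the worm also disables regedit, importing the generated .reg file may have to wait until DisableRegistryTools has been reset by other means.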

vaibhavdave

  • Guest
Re: please help me, worm or virus brontok.a.html
« Reply #2 on: November 29, 2006, 10:30:46 AM »
thanks polonus for your response. But can you elaborate how to disinfect from brontok, because this thing is not well understood to me. please reply