Author Topic: Win32: Brontok drama  (Read 8733 times)


haleybrontok

  • Guest
Win32: Brontok drama
« on: June 19, 2009, 04:38:35 PM »
My firewall (disabled by Brontok) detects the worm and Avast! detects a serious problem but cannot name nor delete it. Every time I run a scan my computer goes to blue screen and restarts. I get the message from Avast! that a virus is operating in the memory and I should do a boot-up scan. During the boot-up scan, it quits halfway and reboots. I have tried every manual and numerous automatic removers but nothing works. I cannot find the following paths in the regedit:
---HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOption

---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Bron-Spizaetus="[%WINDOWS%]\ShellNew\RakyatKelaparan.exe"

---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-2322="[%LOCAL_APPDATA%]\smss.exe"

---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-6810="[%LOCAL_APPDATA%]\smss.exe"

---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-1563="[%LOCAL_APPDATA%]\smss.exe"

I cannot do a search for any of the folders it creates either! I always come up empty-handed.

I DO have the following processes running:
smss.exe
services.exe
lsass.exe
csrss.exe
winlogon.exe

I DO NOT have:
inetinfo.exe
bronstab.exe

I can run folder options and also registry editor... so what's up? Please help!
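The two things this thread keeps coming back to are the Run-key values the worm creates and the fact that the process names listed above are only suspicious when they run from somewhere other than System32. The following read-only triage script is an added example (not from any poster in the thread) that checks both; it assumes the value names given in the first post and treats the `NoFolderOption` spelling there as a variant of the standard `NoFolderOptions` policy.

```powershell
# Added triage script, not from the thread: report Brontok-style persistence
# and look-alike system processes. Read-only; it changes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Value names quoted in the first post: Bron-Spizaetus and Tok-Cirrhatus-<digits>
$namePattern = '^(Bron-Spizaetus|Tok-Cirrhatus(-\d+)?)$'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match $namePattern) {
            Write-Output "SUSPECT Run value: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# Explorer policy the worm uses to hide Folder Options. The thread writes it
# without the trailing 's', so both spellings are checked (assumption).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (Test-Path $pol) {
    $polProps = Get-ItemProperty -Path $pol
    foreach ($name in 'NoFolderOptions', 'NoFolderOption') {
        $v = $polProps.$name
        if ($v) { Write-Output "SUSPECT policy: $pol\$name = $v" }
    }
}

# smss/services/lsass/csrss/winlogon are legitimate when loaded from System32;
# a copy running from a user profile (the worm's %LOCALAPPDATA%\smss.exe) is not.
$system32 = Join-Path $env:SystemRoot 'System32'
$names = 'smss', 'services', 'lsass', 'csrss', 'winlogon'
Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # $null for protected processes when not elevated
    if ($path -and -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
        Write-Output "SUSPECT process: $($_.Name) (PID $($_.Id)) from $path"
    }
}
```

Run it from an elevated prompt so that `.Path` is populated for the protected system processes; a name in the list with no output means only the System32 copy is running.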

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32: Brontok drama
« Reply #1 on: June 19, 2009, 05:26:38 PM »
-= It seems like normal scans won't do, if you can still install Malwarebytes Antimalware, have time to download, install, update, scan..

-= If no, then, I suggest the use of Avast Bart CD..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

micky77

  • Guest
Re: Win32: Brontok drama
« Reply #2 on: June 19, 2009, 05:31:46 PM »
If you have the genuine Brontok, then you will have to wait for someone a bit more experienced. The fact you can use regedit seems strange. There is a fake Brontok warning.

Please try and download MBAM.

You may have problems installing, updating, and running. If this is so, rename the setup file (eg moon.exe), then install. If you cannot update, download the definitions manually using another PC, and double click to install. Then go to C:\program files\malwarebytes antimalware\mbam.exe and rename mbam.exe, then double click on the renamed file.

MBAM http://filehippo.com/download_malwarebytes_anti_malware/

MBAM updates  http://www.gt500.org/malwarebytes/database.jsp

haleybrontok

  • Guest
Re: Win32: Brontok drama
« Reply #3 on: June 19, 2009, 05:51:46 PM »
If I do a search for the processes (i.e. winlogon.exe, csrss.exe, lsass.exe) I find them in the system32 folder and in service pack files. How could I not have the Brontok worm when my firewall and Avast! detect it, I have the processes running, and my PC keeps going to bluescreen and crashing?

BTW is Malwarebytes' Anti-Malware trusted? It has detected 74 infected files so far... Kind of up there with the "virus scanners" that are a scam.
« Last Edit: June 19, 2009, 05:54:36 PM by haleybrontok »

micky77

  • Guest
Re: Win32: Brontok drama
« Reply #4 on: June 19, 2009, 06:00:01 PM »
BTW is Malwarebytes' Anti-Malware trusted? It has detected 74 infected files so far... Kind of up there with the "virus scanners" that are a scam.

I find that question insulting. ??? Shows how VERY LITTLE you know about security
Where do you expect to find winlogon.exe, csrss.exe, lsass.exe

How does your firewall detect things, when it's been 'disabled'?
« Last Edit: June 19, 2009, 06:05:35 PM by micky77 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: Win32: Brontok drama
« Reply #5 on: June 19, 2009, 06:13:38 PM »
<snip>
BTW is Malwarebytes' Anti-Malware trusted? It has detected 74 infected files so far... Kind of up there with the "virus scanners" that are a scam.

Absolutely, we are NOT in the habit of suggesting untrustworthy applications.

MBAM is currently one of the best specialist anti-spyware/malware applications, you only have to check the forums to see it being widely used (see posters signatures and you will see it) and recommended.

Post the contents of its log and we can look into what it detected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

haleybrontok

  • Guest
Re: Win32: Brontok drama
« Reply #6 on: June 19, 2009, 06:28:58 PM »
I find that question insulting. ??? Shows how VERY LITTLE you know about security
Where do you expect to find winlogon.exe, csrss.exe, lsass.exe

I'm sorry for apparently insulting you so badly. You DO NOT need to insult me in return. That is just uncalled for. I asked a simple question, that's ALL. I WILL report you next time. I may not know as much about security as you do, that is why I am asking you. I found it suspicious, that's ALL.


Absolutely, we are NOT in the habit of suggesting untrustworthy applications.

MBAM is currently one of the best specialist anti-spyware/malware applications, you only have to check the forums to see it being widely used (see posters signatures and you will see it) and recommended.

Post the contents of its log and we can look into what it detected.

Thank you for telling me in a nice way :)
« Last Edit: June 19, 2009, 06:31:16 PM by haleybrontok »

micky77

  • Guest
Re: Win32: Brontok drama
« Reply #7 on: June 19, 2009, 06:36:34 PM »
I WILL report you next time.

Feel free, I won't be helping you anymore. I did not insult you. If you had any intelligence, you would realise that.


YoKenny

  • Guest
Re: Win32: Brontok drama
« Reply #8 on: June 19, 2009, 09:07:22 PM »
I WILL report you next time.

Feel free, I won't be helping you anymore. I did not insult you. If you had any intelligence, you would realise that.
Looks like you bit his shiny metal ass and he got upset  ;D

micky77

  • Guest
Re: Win32: Brontok drama
« Reply #9 on: June 19, 2009, 09:31:35 PM »
Not sure what you mean, YoKenny. I sent you a PM.

YoKenny

  • Guest
Re: Win32: Brontok drama
« Reply #10 on: June 20, 2009, 01:42:47 AM »
Not sure what you mean, YoKenny. I sent you a PM.
This is a friendly forum and new members are welcome from the uber geek to the n00be that just installed avast!.

Using a computer can be quite intricate so when something is not clear sometimes further explanation is necessary geared to their understanding.

@haleybrontok
It is wise to be suspicious on today's malware-infested Internet, with all the bogus malware removers and phishing scams happening now, but the ratings of the posters are clearly displayed on the upper left of their ID and after a while you will see who the best helpers are.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32: Brontok drama
« Reply #11 on: June 20, 2009, 05:15:04 AM »
-= By the way, I found some sort of a Brontok Removal Tool from Sophos: http://www.sophos.com/support/disinfection/brontok.html

-= You might probably need to rename the .exe file since Brontok is blocking files with wildcards related to Antivirus & Antispywares.. For example, any word with the letters AVAST shall be terminated so naming it SOMETHING or anything else will help prevent it from being terminated.. Somehow, if that is a new variant, this trick might not easily work..
« Last Edit: June 20, 2009, 05:16:46 AM by -= Fenrir =- »

haleybrontok

  • Guest
Re: Win32: Brontok drama
« Reply #12 on: June 20, 2009, 02:27:36 PM »
I used the Brontok Removal Tool from Sophos and I think it's gone  ;D. My windows firewall isn't popping up with the warning anymore and my browser doesn't redirect me. Thanks!

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32: Brontok drama
« Reply #13 on: June 20, 2009, 02:40:38 PM »
-= Congratulations.. Glad to help.. ;D