K
khattam_
Guest
Hey all,
To demonstrate how to remove a virus Brontok with free tools, I have disabled my NOD32 AntiVirus System and then executed the virus "bronstab.exe".
Now, my system contains a worm called Rontok.Gen or Bronstab or Rontok or Brontok, whatever it is called, it is the same damn virus.
So now, my registry is disabled.
It has inserted itself in the autostsrt of windows.
It has disabled my command prompt and maybe has done more damage that I cant notice..
Also, my "Folder Options" is gone from the tools menu.
It also restarts my computer when I try to launch "cmd" or "msconfig" or "sysedit" or "regedit" or any third party registry editing software and also when I try to use the Windows Task Manager. Some of my friend also said that it does not allow the installation of some antivirus programs, so I tried to install McAfee ViruScan 10.5 and was able to install it completely, without any problems. So the one my friend was talking about must be some variant. Anyways, lets continue.
McAfee warns me of finding some suspicions in my computer and strongly recommends me to scan my computer for viruses. So I disabled it and am uninstalling it while I continue writing this tut.
I can already see that a lot of copies of the original bronstab are appearing in my system right now, in each folder I have with the respective names of the folder.
The smart thing is that the application has an icon of a folder, so anyone would be fooled and would click it. So, it has spread in so many computers recently.
This virus must have thought I ran it accidently, hehe
.....
So, as this virus is capable of replicating itself. So, as Stephen W. Hawkings says in his lecture "Life in the Universe", this virus is a "living being".
Meanwhile, my McAfee uninstallation is over.
Anyways, lets return to what we are doing. So, we don't need this virus anymore in our computer, do we?
So, lets launch "Process Explorer" which can be dowloaded for free from *www.sysinternals.com
Here, I can see programs viz. services.exe, winlogon.exe and lssass.exe with the icon as that of folder are running. I right click on each of them and right click on it and "Kill Process". Don't mistake these with the windows programs. They can be easily identified from their icons. The virus has the icon of a folder while the windows programs have icons of general application.
Now, the virus is not running and hence bringing up the task manager does not lead to a system restart.
But, what about my registry editing and other restrictions, and what about all the instances of the virus program files in my computer, in almost every folder??
I'm coming to that. First of all, let me make my registry editing tool accessible. To do so, I create a .reg file with the following contents:
and then launch the command window (Start>Run>cmd) and then type in "reg import <path of the regfile>" and press enter.
It shows, Operation Completed Successfully. Good. Now I can use the Registry Editing Tool (regedit). I'll use it later.
Before that let me introduce you to the tool called autoruns which is available for free download at *www.sysinternals.com
This is another great tool that I'm going to use to remove this virus. I have launched it and let me see how many run entries the porgram has entered into my system.
First of all, I go to the "Scheduled Tasks" to see what new entries the virus has put into. Yes, something like At1, and it wants to run "C:\documents and settings\%username%\templates\wowtumpeh.com". I'm not surprised to find out that the file wowtumpeh.com is a copy of the original bronstab.exe. I checked it with "fc" by command "fc wowtumpeh.com bronstab.exe" and it says "No differences encountered". Anyways, lets proceed.
I disable this task by unticking the entry.
In Logon tab of Autoruns, I can see C:\WINDOWS\eksplorasi.exe under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell in the registry.
I have unticked it under Autoruns to prevent it fro running in the future.
Also, I can see something called Bronstab (hmm... hehe) under logon, HKLM\Software\Microsoft\Windows\Currentversion\Run and you guessed it, I unticked it too. I also unticked Smss.exe (it has the same folder-like icon, so I gotch you) from there.
Hmm.. what is this Empty.pif. If this .pif is empty as its name suggests, then what is it doing in my startup folder (C:\Documents and Settings\%username%\Start Menu\Programs\Startup\). In the Logon tab of Autoruns, under C:\Documents and Settings\%username%\Start Menu\Programs\Startup\, hmm... lets see. It was found to be a copy of the "bronstab.exe" too. Hehe.. Unticked it too...
Now, when my registry is clean, I'm worried about all the copies of the bronstab.exe. I used a shareware tool called "FindOnClick" which searches for files pretty fast and then searched for all files greater than 40Kb and smaller than 42Kb (the size of bronstab is 41Kb approx) with extensions .pif, .com and .exe and I found a lot of files. I deleted all with the size of 42,065 bytes. I reviewed each file individually that it was not any system file or a file that I wanted to keep. Alternately, you can scan with a free virus scanner such as avg or avast to clean all the virus files.
And last but not the least, where is the folder options?? No there in no folder options in Tools.... So to get it back, I ran regedit. And navigated to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
and then set the value of the NoFolderOptions to 0 and then restarted explorer.
Anyways, hope you enjoyed it like I did. I have to go to eat now. My mom was calling me at least 2 hours ago, but I was busy with this thing..... Let me enjoy the meal, while you enjoy this tut..
To demonstrate how to remove a virus Brontok with free tools, I have disabled my NOD32 AntiVirus System and then executed the virus "bronstab.exe".
Now, my system contains a worm called Rontok.Gen or Bronstab or Rontok or Brontok, whatever it is called, it is the same damn virus.
So now, my registry is disabled.
It has inserted itself in the autostsrt of windows.
It has disabled my command prompt and maybe has done more damage that I cant notice..
Also, my "Folder Options" is gone from the tools menu.
It also restarts my computer when I try to launch "cmd" or "msconfig" or "sysedit" or "regedit" or any third party registry editing software and also when I try to use the Windows Task Manager. Some of my friend also said that it does not allow the installation of some antivirus programs, so I tried to install McAfee ViruScan 10.5 and was able to install it completely, without any problems. So the one my friend was talking about must be some variant. Anyways, lets continue.
McAfee warns me of finding some suspicions in my computer and strongly recommends me to scan my computer for viruses. So I disabled it and am uninstalling it while I continue writing this tut.
I can already see that a lot of copies of the original bronstab are appearing in my system right now, in each folder I have with the respective names of the folder.
The smart thing is that the application has an icon of a folder, so anyone would be fooled and would click it. So, it has spread in so many computers recently.
This virus must have thought I ran it accidently, hehe
.....
So, as this virus is capable of replicating itself. So, as Stephen W. Hawkings says in his lecture "Life in the Universe", this virus is a "living being".
Stephen Hawkings; said:......For example, a computer virus is a program that
will make copies of itself in the memory of a computer, and will transfer
itself to other computers. Thus it fits the definition of a living system,
that I have given. Like a biological virus, it is a rather degenerate form,
because it contains only instructions or genes, and doesn't have any
metabolism of its own. Instead, it reprograms the metabolism of the
host computer, or cell. Some people have questioned whether viruses
should count as life, because they are parasites, and can not exist
independently of their hosts. But then most forms of life, ourselves included, are parasites, in
that they feed off and depend for their survival on other forms of life. I think computer viruses
should count as life. Maybe it says something about human nature, that the only form of life we
have created so far is purely destructive. Talk about creating life in our own image....
Meanwhile, my McAfee uninstallation is over.
Anyways, lets return to what we are doing. So, we don't need this virus anymore in our computer, do we?
So, lets launch "Process Explorer" which can be dowloaded for free from *www.sysinternals.com
Here, I can see programs viz. services.exe, winlogon.exe and lssass.exe with the icon as that of folder are running. I right click on each of them and right click on it and "Kill Process". Don't mistake these with the windows programs. They can be easily identified from their icons. The virus has the icon of a folder while the windows programs have icons of general application.
Now, the virus is not running and hence bringing up the task manager does not lead to a system restart.
But, what about my registry editing and other restrictions, and what about all the instances of the virus program files in my computer, in almost every folder??
I'm coming to that. First of all, let me make my registry editing tool accessible. To do so, I create a .reg file with the following contents:
Code:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:0
and then launch the command window (Start>Run>cmd) and then type in "reg import <path of the regfile>" and press enter.
It shows, Operation Completed Successfully. Good. Now I can use the Registry Editing Tool (regedit). I'll use it later.
Before that let me introduce you to the tool called autoruns which is available for free download at *www.sysinternals.com
This is another great tool that I'm going to use to remove this virus. I have launched it and let me see how many run entries the porgram has entered into my system.
First of all, I go to the "Scheduled Tasks" to see what new entries the virus has put into. Yes, something like At1, and it wants to run "C:\documents and settings\%username%\templates\wowtumpeh.com". I'm not surprised to find out that the file wowtumpeh.com is a copy of the original bronstab.exe. I checked it with "fc" by command "fc wowtumpeh.com bronstab.exe" and it says "No differences encountered". Anyways, lets proceed.
I disable this task by unticking the entry.
In Logon tab of Autoruns, I can see C:\WINDOWS\eksplorasi.exe under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell in the registry.
I have unticked it under Autoruns to prevent it fro running in the future.
Also, I can see something called Bronstab (hmm... hehe) under logon, HKLM\Software\Microsoft\Windows\Currentversion\Run and you guessed it, I unticked it too. I also unticked Smss.exe (it has the same folder-like icon, so I gotch you) from there.
Hmm.. what is this Empty.pif. If this .pif is empty as its name suggests, then what is it doing in my startup folder (C:\Documents and Settings\%username%\Start Menu\Programs\Startup\). In the Logon tab of Autoruns, under C:\Documents and Settings\%username%\Start Menu\Programs\Startup\, hmm... lets see. It was found to be a copy of the "bronstab.exe" too. Hehe.. Unticked it too...
Now, when my registry is clean, I'm worried about all the copies of the bronstab.exe. I used a shareware tool called "FindOnClick" which searches for files pretty fast and then searched for all files greater than 40Kb and smaller than 42Kb (the size of bronstab is 41Kb approx) with extensions .pif, .com and .exe and I found a lot of files. I deleted all with the size of 42,065 bytes. I reviewed each file individually that it was not any system file or a file that I wanted to keep. Alternately, you can scan with a free virus scanner such as avg or avast to clean all the virus files.
And last but not the least, where is the folder options?? No there in no folder options in Tools.... So to get it back, I ran regedit. And navigated to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
and then set the value of the NoFolderOptions to 0 and then restarted explorer.
Anyways, hope you enjoyed it like I did. I have to go to eat now. My mom was calling me at least 2 hours ago, but I was busy with this thing..... Let me enjoy the meal, while you enjoy this tut..
Last edited by a moderator: