
Remove Rontok


khattam_

Hey all,
To demonstrate how to remove the Brontok virus with free tools, I have disabled my NOD32 AntiVirus System and then executed the virus "bronstab.exe".

Now my system contains a worm called Rontok.Gen, Bronstab, Rontok or Brontok; whatever it is called, it is the same damn virus.

So now my registry is disabled.
It has inserted itself into the autostart of Windows.
It has disabled my command prompt and maybe has done more damage that I can't notice..
Also, my "Folder Options" is gone from the Tools menu.

It also restarts my computer when I try to launch "cmd", "msconfig", "sysedit", "regedit" or any third-party registry editing software, and also when I try to use the Windows Task Manager. Some of my friends also said that it does not allow the installation of some antivirus programs, so I tried to install McAfee VirusScan 10.5 and was able to install it completely, without any problems. So the one my friend was talking about must be some variant. Anyways, let's continue.

McAfee warns me that it has found something suspicious on my computer and strongly recommends that I scan my computer for viruses. So I disabled it and am uninstalling it while I continue writing this tut.

I can already see that a lot of copies of the original bronstab are appearing on my system right now, one in each folder I have, with the respective name of the folder.

The smart thing is that the application has the icon of a folder, so anyone would be fooled and would click it. That is how it has spread to so many computers recently.

This virus must have thought I ran it accidentally, hehe :)

.....

So, as this virus is capable of replicating itself, according to what Stephen W. Hawking says in his lecture "Life in the Universe", this virus is a "living being".

Stephen Hawking said:
......For example, a computer virus is a program that will make copies of itself in the memory of a computer, and will transfer itself to other computers. Thus it fits the definition of a living system, that I have given. Like a biological virus, it is a rather degenerate form, because it contains only instructions or genes, and doesn't have any metabolism of its own. Instead, it reprograms the metabolism of the host computer, or cell. Some people have questioned whether viruses should count as life, because they are parasites, and can not exist independently of their hosts. But then most forms of life, ourselves included, are parasites, in that they feed off and depend for their survival on other forms of life. I think computer viruses should count as life. Maybe it says something about human nature, that the only form of life we have created so far is purely destructive. Talk about creating life in our own image....

Meanwhile, my McAfee uninstallation is over.

Anyways, let's return to what we are doing. So, we don't need this virus on our computer anymore, do we?

So, let's launch "Process Explorer", which can be downloaded for free from http://www.sysinternals.com

Here I can see programs, viz. services.exe, winlogon.exe and lsass.exe, running with the icon of a folder. I right-click each of them and choose "Kill Process". Don't mistake these for the Windows programs. They can be easily identified by their icons: the virus has the icon of a folder, while the Windows programs have the icons of general applications.

Now the virus is not running, and hence bringing up the Task Manager does not lead to a system restart.

But what about my registry editing and other restrictions, and what about all the instances of the virus program files on my computer, in almost every folder??

I'm coming to that. First of all, let me make my registry editing tool accessible. To do so, I create a .reg file with the following contents:

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

and then launch the command window (Start > Run > cmd), type in "reg import <path of the regfile>" and press Enter.

It shows "Operation Completed Successfully". Good. Now I can use the Registry Editing Tool (regedit). I'll use it later.

Before that, let me introduce you to the tool called Autoruns, which is available for free download at http://www.sysinternals.com

This is another great tool that I'm going to use to remove this virus. I have launched it; let me see how many run entries the program has entered into my system.

First of all, I go to "Scheduled Tasks" to see what new entries the virus has put in. Yes, something like At1, and it wants to run "C:\documents and settings\%username%\templates\wowtumpeh.com". I'm not surprised to find out that the file wowtumpeh.com is a copy of the original bronstab.exe. I checked it with "fc" using the command "fc wowtumpeh.com bronstab.exe", and it says "No differences encountered". Anyways, let's proceed.

I disable this task by unticking the entry.

In the Logon tab of Autoruns, I can see C:\WINDOWS\eksplorasi.exe under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell in the registry.

I have unticked it in Autoruns to prevent it from running in the future.

Also, I can see something called Bronstab (hmm... hehe) under Logon, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and, you guessed it, I unticked it too. I also unticked Smss.exe (it has the same folder-like icon, so I gotcha) from there.

Hmm.. what is this Empty.pif? If this .pif is empty, as its name suggests, then what is it doing in my startup folder (C:\Documents and Settings\%username%\Start Menu\Programs\Startup\)? In the Logon tab of Autoruns, under C:\Documents and Settings\%username%\Start Menu\Programs\Startup\, hmm... let's see. It was found to be a copy of "bronstab.exe" too. Hehe.. Unticked it too...


Now that my registry is clean, I'm worried about all the copies of bronstab.exe. I used a shareware tool called "FindOnClick", which searches for files pretty fast, and searched for all files greater than 40 KB and smaller than 42 KB (the size of bronstab is approx. 41 KB) with the extensions .pif, .com and .exe, and I found a lot of files. I deleted all of them with the size of 42,065 bytes. I reviewed each file individually to make sure it was not a system file or a file that I wanted to keep. Alternatively, you can scan with a free virus scanner such as AVG or Avast to clean all the virus files.

And last but not least, where is Folder Options?? No, there is no Folder Options in Tools.... So to get it back, I ran regedit and navigated to

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

and then set the value of NoFolderOptions to 0 and restarted Explorer.

Anyways, hope you enjoyed it like I did. I have to go and eat now. My mom was calling me at least 2 hours ago, but I was busy with this thing..... Let me enjoy the meal, while you enjoy this tut..
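The file hunt in the post above (a size window, the .pif/.com/.exe extensions, and an `fc` comparison against the known sample) can be scripted so that every copy is judged on the same three signals before anything is deleted. The following is an added Python example, not code from the original post: it walks a directory tree, flags executables whose size falls in the post's window, whose name mimics the folder they sit in (the trick described at the start of the post), or whose SHA-256 matches a reference sample, and groups identical bytes across folders, which is the replication signature. The `.scr` extension and the 42,065-byte placeholder tree are assumptions constructed for the demo; no real malware is involved.

```python
"""Hunt for folder-mimicking worm copies. Added example, not from the post.

Builds a constructed sample tree in a temp dir (placeholder bytes, not real
malware) and reports every suspect file with the reasons it matched.
Nothing is deleted; the caller reviews the list, as the post did by hand.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# .exe/.com/.pif are the extensions the post searched; .scr is an assumption
# added here because folder-mimicking droppers commonly use it too.
SUSPECT_EXTS = {".exe", ".com", ".pif", ".scr"}

# Size window the post searched (40-42 KB); its copies were 42,065 bytes.
DEFAULT_SIZE_RANGE = (40 * 1024, 42 * 1024)


def sha256_of(path: Path) -> str:
    """Stream-hash a file; a hash match replaces the post's `fc` comparison."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, reference_hash=None, size_range=DEFAULT_SIZE_RANGE):
    """Return a list of {path, size, sha256, reasons} for suspect files.

    Signals, weakest to strongest:
      size-in-window        - what the post searched on (needs manual review)
      mimics-parent-folder  - file stem equals its parent folder's name
      hash-matches-sample   - identical bytes to a known copy of the worm
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SUSPECT_EXTS:
                continue
            size = p.stat().st_size
            digest = sha256_of(p)
            reasons = []
            if size_range[0] <= size <= size_range[1]:
                reasons.append("size-in-window")
            if p.stem.lower() == p.parent.name.lower():
                reasons.append("mimics-parent-folder")
            if reference_hash and digest == reference_hash:
                reasons.append("hash-matches-sample")
            if reasons:
                findings.append({"path": p, "size": size,
                                 "sha256": digest, "reasons": reasons})
    return findings


def group_by_hash(findings):
    """Map sha256 -> paths; one hash in many folders is the replication pattern."""
    groups = {}
    for f in findings:
        groups.setdefault(f["sha256"], []).append(f["path"])
    return groups


def confirmed(findings):
    """Paths that need no per-file review: hash match, or size window plus
    folder mimicry together. Size alone stays in the review pile."""
    out = []
    for f in findings:
        r = set(f["reasons"])
        if "hash-matches-sample" in r or {"size-in-window", "mimics-parent-folder"} <= r:
            out.append(f["path"])
    return out


def build_sample_tree():
    """Constructed demo tree: a 42,065-byte placeholder dropped under
    folder-matching and post-named files, plus a benign .exe and a document."""
    root = Path(tempfile.mkdtemp(prefix="bronstab_demo_"))
    worm = b"\x00" * 42065            # placeholder, same size as the post's copies
    benign = b"MZ" + b"\x90" * 998    # small benign executable stand-in
    layout = {
        "Music/Music.exe": worm,
        "Photos/Photos.exe": worm,
        "Templates/wowtumpeh.com": worm,
        "Start Menu/Programs/Startup/Empty.pif": worm,
        "Tools/putty.exe": benign,
        "Docs/notes.txt": worm,       # right size, wrong extension: ignored
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root, hashlib.sha256(worm).hexdigest()


if __name__ == "__main__":
    root, ref = build_sample_tree()
    for f in hunt(root, reference_hash=ref):
        print(f["size"], ",".join(f["reasons"]), f["path"].relative_to(root))
```

On a real host you would pass the drive root and the hash of one quarantined copy (the post's `bronstab.exe`) as `reference_hash`; without a reference hash, only files that both fall in the size window and are named after their parent folder are reported as confirmed, and the rest go to the manual review the post describes. The script only reports; deletion stays a separate, deliberate step.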
 

max_demon

Excellent tutorial, but to test this tutorial we need that worm.

Anyways, thank you. It helped me. I always reinstalled Windows to kill this problem, but the problem got generated again.

Digging so that it may help others
 

Rollercoaster

:D That is more blog material than a thread.. nice though.. almost like a spy novel in an extreme digital sense :)
 

pra_2006

Thanks for the info man, I was really getting angry with this, but I hope this virus will be killed with your procedure.
 

ayush_chh

Struggled a lot to remove this virus but in vain.... at last formatted the PC. Anyways it's great.....
 

1st

To delete this virus, just use PCMedia antivirus :D
This virus is from Indonesia.
 

NiluGeek

scvhosts.exe files are reappearing after deleting them

Hello friends, as said by khattam, right-clicking on services.exe and deleting them by clicking on Kill Process does not help, simply because the moment I delete them a dialog box appears saying Windows will shut down in 47 minutes and restart, and it shuts down and restarts afterwards, and again all those deleted viruses reappear.

Can anybody provide a solution to this problem?

Awaiting your reply

thanks
 

azzu

First of all, Max_demon dug up that 8-month-old thread, and now
Nilu, you dug up a 2-month-old one.
Khattam is not active on this forum anymore, guys.
 
khattam_
Re: scvhosts.exe files are reappearing after deleting them

NiluGeek said:
Hello friends, as said by khattam, right-clicking on services.exe and deleting them by clicking on Kill Process does not help, simply because the moment I delete them a dialog box appears saying Windows will shut down in 47 minutes and restart, and it shuts down and restarts afterwards, and again all those deleted viruses reappear.

Can anybody provide a solution to this problem?

Awaiting your reply

Thanks

I think you are doing this with svchost.... well, if the shutdown timer starts, you can stop it very easily by typing "shutdown -a" in your Run dialog box!!

ayush_chh said:
Struggled a lot to remove this virus but in vain.... at last formatted the PC. Anyways it's great.....

I think it was not the same virus at all, so......

There are so many such viruses.... you just need to experiment a little to get it to work on other variants!!

1st said:
To delete this virus, just use PCMedia antivirus :D
This virus is from Indonesia.

Yes, we surely can use many other antiviruses to the rescue, but just in case....

khattam, did this work for you? Doing the same as the above steps did not work on my office system?

Yes, maybe it was some other variant, which had different names of services and maybe different startup entries... you could have just dug better!!

Thank you for trying my procedure though!!

max_demon said:
Excellent tutorial, but to test this tutorial we need that worm.

Anyways, thank you. It helped me. I always reinstalled Windows to kill this problem, but the problem got generated again.

Digging so that it may help others

Yeah.. forgot to include it... This is the one:

http://rapidshare.com/files/80699410/brons.zip.html
 