All credit goes to sUBs.
Newer and updated version of CleanX-II
QUOTE(sUBs @ Apr 2 2006, 07:31 AM)
As promised earlier, here's the removal tool for Brontok. Its usage is pretty straightforward. Please take note of the following points.
- Download the attachment I placed with this post - CleanX
- Save it on Desktop.
- Disconnect/unplug the computer from the internet.
- Save any work which you're doing & close all other programs.
- If Brontok hasn't totally disabled your security programs yet, kindly disable them now. They might interfere with the tool's working.
- For Windows XP, please create a new system restore point.
- Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
Once you have done that, double-click on the file you downloaded & double click the executable within - CleanX.exe (It doesn't require to be run in Safe Mode)
You should be greeted by the following message (refer to pic below)

Read the message carefully before clicking OK
The tool will begin scanning your machine. Because this worm names its files randomly, I have to place a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
Once it has finished scanning, it will provide a post mortem of its actions. This is in the form of a log file
This is a sample of what the logfile would look like. It's made up of 2 parts - BEFORE / AFTER.
In the lower portion, POST RUN ANALYSIS, make sure that no files appear there.
If it looks something like below you will need to run the tool a 2nd time.
If the files remain after a 2nd run, there's no need to run it a 3rd time. We're probably dealing with a variant of Brontok that I didn't have a sample of. In such circumstances, I will require a sample file from the afflicted machine for research.
Note:
It has been brought to my attention that some people may experience an error message like the one below. If that happens to you, you shall need to visit this website to download additional files > http://www.tech-forums.net/computer/topic/29806.html

Edit: Updated to ver 6.04.02
Edit: Ver 6.04.03 - discovered a scripting error which caused the removal engine to fail.
Edit: Ver 6.04.04. - This version scans faster & does a better job removing all the files in one go. Does away with the need to reboot.
Edit: Ver 6.04.09 - Updated with more viral signatures & added heuristic scanning to the tool. This ensures that it detects a wider range of Brontok variants. Unless its creator decides to do a major overhaul of the worm, this tool should disinfect almost all Brontok cases.
Edit: Ver 6.04.11 - Improved heuristics. Less leftover files. Also fixed some bugs

QUOTE(sUBs @ Jun 8 2006, 01:22 AM)
Download this... It works !!
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:

- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
This post has been edited by eggy: Jul 28 2006, 06:26 PM






Mar 19 2006, 10:07 AM









