Lowyat.NET Forums

W32.Rontokbro Worm, updated : removal tools

eggy
post Mar 19 2006, 10:07 AM | Post #1

Here are two tools that might help you in cleaning and removing the worm.
All credit goes to sUBs.

Newer and updated version of CleanX-II

QUOTE(sUBs @ Apr 2 2006, 07:31 AM)
As promised earlier, here's the removal tool for Brontok. Its usage is pretty straightforward. Please take note of the following points.

  • Download the attachment I placed with this post - CleanX
  • Save it on the Desktop.
  • Disconnect/unplug the computer from the internet.
  • Save any work which you're doing & close all other programs.
  • If Brontok hasn't totally disabled your security programs yet, kindly disable them now. They might interfere with the tool's working.
  • For Windows XP, please create a new system restore point.

    • Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

      • Tick the checkbox - Turn off System Restore on all drives
      • Click Apply

    • Turn it back 'On' by unticking the same checkbox & click OK

  • Once you have done that, double-click on the file you downloaded & double-click the executable within - CleanX.exe (It doesn't require to be run in Safe Mode)
  • You should be greeted by the following message (refer to pic below)
    user posted image
  • Read the message carefully before clicking OK
  • The tool will begin scanning your machine. Because this worm names its files randomly, I had to place a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
  • Once it has finished scanning, it will provide a post mortem of its actions. This is in the form of a log file

This is a sample of what the logfile would look like. It's made up of 2 parts - BEFORE / AFTER.
In the lower portion, POST RUN ANALYSIS, make sure that no files appear there.

If it looks something like below you will need to run the tool a 2nd time.

If the files remain after a 2nd run, there's no need to run it a 3rd time. We're probably dealing with a variant of Brontok that I didn't have a sample of. In such circumstances, I will require a sample file from the afflicted machine for research.

Note:
It has been brought to my attention that some people may experience an error message like the one below. If that happens to you, you will need to visit this website to download additional files > http://www.tech-forums.net/computer/topic/29806.html

user posted image

Edit: Updated to ver 6.04.02
Edit: Ver 6.04.03 - discovered a scripting error which caused the removal engine to fail.
Edit: Ver 6.04.04 - This version scans faster & does a better job removing all the files in one go. Does away with the need to reboot.
Edit: Ver 6.04.09 - Updated with more viral signatures & added heuristic scanning to the tool. This ensures that it detects a wider range of Brontok variants. Unless its creator decides to do a major overhaul of the worm, this tool should disinfect almost all Brontok cases.
Edit: Ver 6.04.11 - Improved heuristics. Less leftover files. Also fixed some bugs




QUOTE(sUBs @ Jun 8 2006, 01:22 AM)
Download this... It works !!

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: user posted image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    user posted image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.



This post has been edited by eggy: Jul 28 2006, 06:26 PM
Turnip
post Mar 19 2006, 10:17 AM | Post #2

dude...hahaha...same here, happens at UiTM Sri Iskandar...well what I get is that it disables the Folder Options which we can find under the Tools menu...yeah it made me restart when I click on certain objects....you have to end some processes to make it not restart....what I do is just update the Symantec antivirus....then scan thoroughly....(before that disable some processes like eggy did) then scan thoroughly...that's all I did....hope it works...
eggy
post Mar 19 2006, 10:20 AM | Post #3

ahaha...
I'm from there also lol
what surprised me is that my Norton antivirus cannot detect it

This post has been edited by sUBs: Apr 9 2006, 04:13 PM
keyz
post Mar 19 2006, 10:40 AM | Post #4

Nowadays viruses or worms are getting smarter la... They can disable AV, firewall, Task Manager, regedit and other programs.

A few days back my Task Manager was disabled and I could not terminate the process. My Kaspersky and Ad-Aware didn't detect it.

This post has been edited by sUBs: Apr 9 2006, 04:15 PM
eggy
post Mar 19 2006, 10:42 AM | Post #5

QUOTE(keyz @ Mar 19 2006, 10:40 AM)
Nowadays viruses or worms are getting smarter la... They can disable AV, firewall, Task Manager, regedit and other programs.

A few days back my Task Manager was disabled and I could not terminate the process. My Kaspersky and Ad-Aware didn't detect it.

yeah..
it's getting smarter!!
last night it blocked me from accessing the internet...

This post has been edited by sUBs: Apr 9 2006, 04:15 PM
Turnip
post Mar 19 2006, 02:42 PM | Post #6

the virus sucks big time dude....the Folder Options might be disabled by the virus...after that you can't view your hidden files....these are a few that I found....''kesenjangansosial.exe''....''rakyatkelaparan.exe''.....''yangtercinta.exe''....brontok....blabla....
eggy
post Mar 19 2006, 03:58 PM | Post #7

QUOTE(number8 @ Mar 19 2006, 02:36 PM)
this virus is detected by my Panda Platinum 2006... gosh, is that bad?

it's bad of course...
the better Brontok version I think...
like I mentioned, you can't use the HijackThis tool which is very useful in killing the processes.. it will automatically shut it down...
to make it worse your internet connection becomes useless... you can't surf the internet..
and it also shuts down any webpage whose content is related to the virus...

This post has been edited by lex: Mar 23 2006, 11:58 AM
number8
post Mar 19 2006, 04:27 PM | Post #8

eggy, when you removed the virus, did your NAV 2006 detect it when you plug in your thumbdrive?
ayiesz
post Mar 19 2006, 06:39 PM | Post #9

QUOTE(teckhooi @ Mar 19 2006, 06:08 PM)
Any Faster Way To Clean That Virus?

update your AV engine and virus definitions. definitions only do not work. use the latest version of the AV. it's already 2006, so if you're still using 2004 releases, there might be some problems.

those Indons did this as a protest, either to the gov or to those who are not supporting their current gov. and now they are back with haze, coming to Malaysia soon, like always. cool neighbour we had.

This post has been edited by lex: Mar 23 2006, 11:56 AM
eggy
post Mar 20 2006, 09:55 AM | Post #10

QUOTE(number8 @ Mar 19 2006, 04:27 PM)
eggy, when you removed the virus, did your NAV 2006 detect it when you plug in your thumbdrive?

when I removed the virus, the files that the virus left were the duplicated folders... which have the *.exe extension... I just scan for the files and delete them all

the NAV 2006 didn't detect it and that really surprised me.. since my PC is always connected to the net to update the virus definitions..

QUOTE(teckhooi @ Mar 19 2006, 06:08 PM)
Any Faster Way To Clean That Virus?

haha..
yeah.. there is..
just restart your PC in Safe Mode and run System Restore..
I tried it last night and it works

but you must remove the infected files even though the virus is gone already

This post has been edited by lex: Mar 23 2006, 11:58 AM
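A check for the leftover eggy describes above (look-alike .exe files named after existing folders), added here as an example and not a tool from the thread: it walks a directory tree and reports any .exe whose name duplicates a folder sitting beside it. The sample tree is constructed in a temporary directory, and the function names are mine.

```python
# Added example for this thread, not a thread tool: flag .exe files whose
# name duplicates a folder beside them (the "duplicated folder with an
# *.exe extension" leftover described above). The sample tree is constructed.
import os
import tempfile


def find_folder_mimics(root):
    """Return sorted paths of files named <folder>.exe that sit beside a
    folder called <folder>; case-insensitive, as Windows file names are."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_folders = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in sibling_folders:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample profile: two real folders, two look-alike
    executables beside them and one unrelated installer that must not be
    flagged. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="folder_mimic_demo_")
    os.makedirs(os.path.join(root, "My Documents", "Reports"))
    os.makedirs(os.path.join(root, "Downloads"))
    for rel in ("My Documents.exe",                           # mimics a folder
                os.path.join("My Documents", "reports.EXE"),  # case differs
                os.path.join("Downloads", "setup.exe")):      # legitimate
        with open(os.path.join(root, rel), "wb"):
            pass
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path in find_folder_mimics(demo_root):
        print("suspicious:", os.path.relpath(path, demo_root))
```

A hit only means the name pattern matches; confirm with the file's attributes and a scan before deleting anything.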
gerrard capashen
post Mar 20 2006, 11:01 AM | Post #11

Here, hope it can help..

my friend created it.. but it's for variant D..
hope it will work.

This post has been edited by lex: Mar 23 2006, 11:57 AM

Attached File(s)
Attached File PENAWAR_BRONTOK_VARD.zip ( 621.71k ) Number of downloads: 76388
eggy
post Mar 20 2006, 11:37 AM | Post #12

QUOTE(gerrard capashen @ Mar 20 2006, 11:01 AM)
Here, hope it can help..
my friend created it.. but it's for variant D..
hope it will work.

I'm not sure if it will work...
I have some Brontok cleaners also and they worked just fine before this..
but when I try to use them with this U@mm type Brontok they're just useless

I dunno about this one..
if someone has tried it with the U@mm please share

This post has been edited by lex: Mar 23 2006, 11:57 AM
aaronlbs
post Mar 20 2006, 01:03 PM | Post #13

just download the Norton AntiVirus 2006 shareware
http://www.majorgeeks.com/Norton_AntiVirus_2006_d4697.html

Norton Virus Definitions - [2006-03-19]
http://www.majorgeeks.com/Norton_Virus_Def...ions_d3995.html

it can remove/detect W32.Rontokbro.U@mm with the latest definitions

This post has been edited by lex: Mar 23 2006, 11:57 AM
eggy
post Mar 20 2006, 03:07 PM | Post #14

QUOTE(aaronlbs @ Mar 20 2006, 01:03 PM)
just download the Norton AntiVirus 2006 shareware
http://www.majorgeeks.com/Norton_AntiVirus_2006_d4697.html

Norton Virus Definitions - [2006-03-19]
http://www.majorgeeks.com/Norton_Virus_Def...ions_d3995.html

it can remove/detect W32.Rontokbro.U@mm with the latest definitions

nice

This post has been edited by lex: Mar 23 2006, 11:56 AM
DjiNn
post Mar 24 2006, 03:58 PM | Post #15

I tried to kill the process Csrss.exe in Safe Mode, but my computer restarts itself in Safe Mode

now my Firefox and Internet Explorer randomly crash..

This post has been edited by DjiNn: Mar 24 2006, 04:00 PM
liyen
post Mar 24 2006, 04:34 PM | Post #16

eggy,

I have Brontok also~
have you found the solution for it?
number8
post Mar 24 2006, 05:03 PM | Post #17

QUOTE(liyen @ Mar 24 2006, 04:34 PM)
eggy,

I have Brontok also~
have you found the solution for it?

dudette, try reading the whole thread...
louyeh
post Mar 24 2006, 05:08 PM | Post #18

AdAware should detect the following changes to the Registry:
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions

from here one can easily remove the virus from the system completely.
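A way to check for the three policy values louyeh lists, added here as an example and not a tool from the thread or from Ad-Aware: it audits a regedit export (.reg) rather than the live registry, so it runs on any platform, and builds a .reg snippet that deletes the values using regedit's "Name"=- syntax. The export text is constructed, and the function names are mine.

```python
# Added example for this thread, not a thread or Ad-Aware tool: audit a regedit
# .reg export for the HKCU policy values listed above. SAMPLE_REG is constructed.
import re

_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Watched value names per key; keys lower-cased because the registry ignores case
WATCHED = {
    (_POLICIES + r"\System").lower(): ("DisableRegistryTools", "DisableCMD"),
    (_POLICIES + r"\Explorer").lower(): ("NoFolderOptions",),
}
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""

def parse_reg(text):
    """Return {key: {value_name: int}} for the dword values in an export."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is not None and (m := _DWORD.match(line)):
            tree[key][m.group(1)] = int(m.group(2), 16)
    return tree

def lockdown_findings(text):
    """List (key, name, value) for watched policies set to a non-zero value."""
    findings = []
    for key, values in parse_reg(text).items():
        for name in WATCHED.get(key.lower(), ()):
            if values.get(name, 0) != 0:
                findings.append((key, name, values[name]))
    return findings

def remediation_reg(findings):
    """Build a .reg file deleting each finding ("Name"=- removes a value on
    import). Apply it only once the worm's processes are stopped, or it re-applies."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in findings}):
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for k, n, _ in findings if k == key)
        lines.append("")
    return "\n".join(lines)
```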
liyen
post Mar 24 2006, 05:16 PM | Post #19

QUOTE(number8 @ Mar 24 2006, 05:03 PM)
dudette, try reading the whole thread...

oh, sure I read through...

but it seems no solution is working still...
eggy
post Mar 24 2006, 05:39 PM | Post #20

QUOTE(liyen @ Mar 24 2006, 05:16 PM)
oh, sure I read through...

but it seems no solution is working still...

yeah..
I got it fixed

QUOTE(DjiNn @ Mar 24 2006, 03:58 PM)
I tried to kill the process Csrss.exe in Safe Mode, but my computer restarts itself in Safe Mode

now my Firefox and Internet Explorer randomly crash..

oh..
how did you access the Task Manager?
or are you using any other tools to access the processes that your PC runs?

sometimes the virus will auto-restart your PC if you type msconfig or regedit at the Run prompt

QUOTE(liyen @ Mar 24 2006, 05:16 PM)
oh, sure I read through...

but it seems no solution is working still...

have you tried restarting your PC in Safe Mode and running System Restore?