Tuesday, March 16, 2010


The Brontok virus can be removed manually from your system by following the steps explained below.
Manual removal steps:
Disconnect your computer from the network and disable file sharing, if any.
Disable System Restore (for Windows XP/Windows Me only).
For Windows XP:
Click Start.
Right-click My Computer and click on Properties.
Click the System Restore tab.
Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Start your machine in Safe mode.
For how to start a computer in Safe mode, please refer to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Update your Anti-virus software with the current signature files and scan your computer with the Anti-virus to locate the worm and delete any files detected as the worm by clicking the DELETE button.
Delete the value from the registry.
You need to back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified sub-keys only.
For how to make a backup of the Windows registry, please refer to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam
Click Start > Run, type regedit, and click OK.
If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor. You can use a tool to resolve this problem.
Download the following tool. Once downloaded, right-click the UnHookExec.inf file and click Install, then continue with the removal steps: http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html
For an optional method to re-enable the Registry Editor, please refer to: http://www.patheticcockroach.com/mpam4/index.php?p=28
Navigate to the sub-key that was detected by the anti-virus and delete the value.
Exit the Registry Editor.
If you are still unable to open the Registry Editor, the following steps can be tried.
Boot up the infected computer, but do not log in to it; leave it at the login prompt.
Start up another clean, worm-free computer that has updated anti-virus software running and an active firewall that blocks all inbound connections.
From the clean computer, start REGEDIT.EXE and click File -> Connect Network Registry. Connect to the infected computer.
Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to the following:
"Userinit" = "C:\WINNT\system32\userinit.exe,"
"Shell" = "Explorer.exe"
(Make sure that you enter the correct path to where Windows is installed; for example, on NT 4.0 it is WINNT.)
After running the above steps, reboot the infected computer.
Using the clean computer, map the C$ share and scan it with up-to-date anti-virus to remove any infected files on the infected computer. You should then be able to boot the computer and follow Steps 6 - 11.
Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.
Download and run a process management tool or process viewer to terminate all worm processes running on the infected machine. A process management tool or process viewer is available for each platform and can be downloaded free from the Internet. For example, users can download and use the following process viewer: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Delete the scheduled tasks added by the worm. Click the Start button, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double-click Scheduled Tasks. Right-click the task icon and select Properties from the pop-up menu. The properties of the task will be displayed. Delete the task if the content of the Run text box in the task pane matches the worm.
Enable the System Restore (for Windows XP/Windows Me only).
Re-scan your computer with a current version of Anti-virus to confirm that the computer is clean.
Re-connect your computer to the network once it is confirmed clean.
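As an added check that is not part of the original post, the following PowerShell script audits the persistence points this guide tells you to inspect by hand: the Winlogon Userinit and Shell values, the DisableRegistryTools policy that stops regedit from opening, and the command behind each scheduled task. It is read-only; the expected Winlogon values are those given above, adjusted to the machine's own install path, and the function names are my own.

```powershell
# Read-only audit of the persistence points covered by the manual removal steps.
# Run from an elevated PowerShell prompt on the suspect machine (or after booting
# it clean); it reports deviations and changes nothing.

# Expected Winlogon values from the guide, using this machine's Windows path
# (WINNT on NT 4.0, WINDOWS on XP and later).
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
$expectedShell    = 'Explorer.exe'
$winlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonValues {
    # Returns $true only when both values match the documented defaults.
    $wl = Get-ItemProperty -Path $winlogonKey -Name Userinit, Shell -ErrorAction Stop
    $ok = $true
    if ($wl.Userinit -ine $expectedUserinit) {
        Write-Warning "Userinit is '$($wl.Userinit)' (expected '$expectedUserinit')"
        $ok = $false
    }
    if ($wl.Shell -ine $expectedShell) {
        Write-Warning "Shell is '$($wl.Shell)' (expected '$expectedShell')"
        $ok = $false
    }
    return $ok
}

function Test-RegistryToolsBlocked {
    # A non-zero DisableRegistryTools policy is what makes regedit refuse to open.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools `
                -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($v) { Write-Warning "$hive DisableRegistryTools = $v"; return $true }
    }
    return $false
}

function Get-ScheduledTaskCommands {
    # schtasks exists from XP onward; 'Task To Run' is the field to compare against
    # the worm's file names. Repeated header rows (newer Windows) are filtered out.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Task To Run', 'Run As User'
}

"Winlogon values intact:   $(Test-WinlogonValues)"
"Registry Editor blocked:  $(Test-RegistryToolsBlocked)"
Get-ScheduledTaskCommands | Format-Table -AutoSize
```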
