Brontok-I

My PC got Brontok-I. I installed avast home to clean up. It detected the virus and deleted infected files. But still the virus warning window pops up occasionally when the PC is idle. Every time I see this warning I delete the files, but they keep coming back.

Does this mean avast failed to eradicate them?
What should I do?

Updates are done regularly so that the virus definitions are the latest. Please advise.

mmiya

Hi mmiya…

Try a couple of online scans to see if that helps…

http://housecall.trendmicro.com/

http://www.ewido.net/en/onlinescan/

Best Regards…

If a virus is replicating (coming back again and again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scan. Select scanning of archives. Reboot.
  4. Use a-squared or ewido (trojan removers).

Another option is scanning in Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Thanks for your advice.

I’ve tried www.ewido.net but IE blocked downloading ActiveX files from the site. I chose download from the options, but it seems not to work. Nothing happens.

Do you know how to turn off the blocking?

I also tried the Trend Micro site, but IE got an error while downloading the files.

Hmmm…

mmiya

Ewido does not use ActiveX components…
Try a link on another site, like http://www.filehippo.com/download_ewido/ or click here

Which error? Can you post a screenshot of it?

Thanks for the quick reply. Screenshots are attached. One is from Trend Micro, the other is from ewido.

I will try to download what you advised. Please allow me some time, as it is more than 8 MB. I only have a dial-up line.

regards,

mmiya

Hi mmiya…

Looks like the virus is effectively preventing/disabling any means of removing it. Try downloading a copy of Hijack This (HJT) here…

http://www.majorgeeks.com/download3155.html

and post a log here…

http://www.castlecops.com/

You will need to register with their site and please be sure to follow their instructions with respect to posting HJT logs.

Please let us know how it turns out. :slight_smile:

Best Regards…
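The advice above is to post a HijackThis (HJT) log so that helpers can look at the autostart entries a re-appearing worm uses to come back after its files are deleted. As an added illustration (not code from this thread, from HijackThis, or from any of the tools named here), the following Python script parses the "O4" autostart lines of an HJT-style log and flags the two patterns a reviewer usually looks at first: a program started from a user-profile or temp directory, and a file carrying a Windows system binary name (smss.exe, svchost.exe, ...) but located outside the directory where Windows keeps it. The log text is constructed for this example; the entries whose names contain "placeholder" are invented stand-ins, not Brontok indicators, and the O4 line layout is assumed from HJT's usual `O4 - <location>: [<name>] <command>` style.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed HJT-style log fragment. The last three O4 entries are invented
# placeholders that merely exhibit the patterns a reviewer would flag.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PLACEHOLDER-updater] "C:\Documents and Settings\user\Local Settings\Application Data\placeholder.exe" /silent
O4 - HKLM\..\Run: [PLACEHOLDER-shell] C:\WINDOWS\ShellNew\smss.exe
O4 - Startup: placeholder.pif = C:\Documents and Settings\user\Start Menu\Programs\Startup\placeholder.pif
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Registry-style O4 lines: "O4 - HKLM\..\Run: [name] command"
O4_REGISTRY = re.compile(r"^O4 - (?P<location>\S+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# Startup-folder O4 lines: "O4 - Startup: name = path"
O4_STARTUP = re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$")

# Substrings (lower-cased) that place a program inside a user profile or temp area.
PROFILE_MARKERS = ("documents and settings", "local settings", "application data", "\\temp\\", "\\tmp\\")
# Well-known Windows binaries and the directory prefix where each legitimately lives.
SYSTEM_BINARIES = {
    "smss.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}


@dataclass
class AutostartEntry:
    location: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def executable_path(command: str) -> str:
    """Return the program path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare path: stop at the first executable extension so arguments are dropped
    # while paths containing spaces are kept whole.
    match = re.match(r"^(.*?\.(?:exe|com|pif|scr|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command


def assess(entry: AutostartEntry) -> AutostartEntry:
    """Attach a reason for every triage heuristic the entry trips."""
    path = executable_path(entry.command).lower()
    basename = path.rsplit("\\", 1)[-1]
    if any(marker in path for marker in PROFILE_MARKERS):
        entry.reasons.append("runs from a user-profile or temp directory")
    expected: Optional[str] = SYSTEM_BINARIES.get(basename)
    if expected and not path.startswith(expected):
        entry.reasons.append(f"system binary name '{basename}' outside {expected}")
    return entry


def parse_hjt_autostarts(log_text: str) -> List[AutostartEntry]:
    """Extract and assess every O4 autostart entry in an HJT-style log."""
    entries = []
    for line in log_text.splitlines():
        match = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
        if match:
            entries.append(assess(AutostartEntry(match["location"], match["name"], match["command"])))
    return entries


def suspicious_entries(log_text: str) -> List[AutostartEntry]:
    """Only the autostart entries that tripped at least one heuristic."""
    return [entry for entry in parse_hjt_autostarts(log_text) if entry.suspicious]


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HJT_LOG):
        print(f"{entry.location}: [{entry.name}] {entry.command}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

The heuristics are deliberately narrow: a flagged line is a candidate for the helper to look at, not a verdict, and an entry that passes both checks can still be malicious, which is why the thread's advice to post the whole log for review stands.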

Or use BrontokWasher 1.5 Beta:
http://jeruk.padinet.com/~ertanto/bw.php
You may need to disable avast first and then run the tool.
Good luck.

Sure, Brontok can be cleaned with the local (custom) Indonesian Brontok Cleaner :slight_smile:
Just like TECH said:

  • disable System Restore and use HijackThis together with boot-scan mode in avast

Hi iwannet,

I think this could be done in the form of a BFU script as well.
Adopt the Indonesian Brontok Cleaner for BFU. Run in Safe Mode, hopla.

This has been done, read here:
Download Brute Force Uninstaller (http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html) and unzip it to its own folder (like c:\BFU)

Download the attached MiscTroj.zip file and save it to the same folder you put the Brute Force Uninstaller into. Then extract the MiscTroj.bfu file from the ZIP into that folder too.

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the "Scriptfile to execute:" box, copy and paste c:\bfu\MiscTroj.bfu
Then click the Execute button to run the script.

Wait for the "Completed script execution" box to pop up and then press OK.
Click the Exit button to terminate the BFU program.

Afterwards, attach a new HJT log so we can finish fixing what remains.

Some more information for users of the removal tool can also be found here:
http://forum.lowyat.net/lofiversion/index.php/t265366.html

polonus

Hi Shino,

I tried Brontok Washer (http://jeruk.padinet.com/~ertanto/bw.php), but avast still detected quite a lot of Brontok-I infected files on the boot scan after scanning with bw. I’m not sure bw can remove Brontok completely.

Thanks, everyone, for your advice.

mmiya

Hi mmiya…

May I submit to you again my previous suggestion regarding HJT? :slight_smile: I’ve seen cases where this approach worked; it may for you.

Best Regards…

Thank you all for your advice. I must report the result, and sorry for not responding, as I was away from my PC.

I followed the malware cleaning procedure at majorgeek.com suggested by ardvark. Finally, the Panda online scan found the virus.

Thanks again

Hi mmiya,

You know that resident scanners can give Panda online scan signatures as FPs. So you’re advised to use another free online scanner, like BitDefender or Dr.Web CureIt.

polonus

I downloaded Brontok Washer from this site:

http://jeruk.padinet.com/~ertanto/bw.php

But avast (free version) detects it as the Brontok virus!!!

Has anyone tried to download / scan Brontok Washer?

Arshad

Hi arshadparvez,

Nothing wrong here:

Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211)
Copyright © Igor Daniloff, 1992-2005

Last update time: 2006-08-02,14:12:02

File size: 16109 bytes

bw.php - archive HTML

bw.php/Script.0 - OK
bw.php/Script.1 - OK
bw.php/Script.2 - OK
bw.php/Script.3 - OK
bw.php - OK

Probably a false positive; forward the file to avast.

polonus