i-worm/brontok.fx

I met a (new?) variant of Brontok. My AVG antivirus detects it as i-worm/brontok.fx.
I've tried to clean it up by "hal" or by deleting the file, but it duplicates or regenerates again after a certain period. Anyone know how to fix this??

regards,

donny

Are you using avast and AVG antivirus on the same system ?

Having two resident scanners installed is not recommended; rather than providing twice the protection, it can cause conflicts that could leave you more vulnerable.

avast may disable elements to avoid conflict so there is no way to compare if avast might have detected it otherwise. Malware names also aren’t standardised so one AV could call it a different name. If it is a new variant that avast can’t detect then you should send the sample to avast.

Send the sample to virus@avast.com zipped and password protected with password in email body and undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

You might want to change your avatar for another, resize or use this one. We try to keep avatars around 100 X 100 for those who don’t have high resolution monitors.

Unfortunately I just use "AVG Free antivirus"; I haven't tried avast yet... hehe... Meanwhile I'll try to catch one of the virus samples and send it to you...

Thanks for listening... ;D

Well, you have tried our support/help, something which is by all accounts almost non-existent for the free version of AVG ;D. You have probably had more help from these avast support forums; perhaps you should try the program ;D

If there is an active virus running you can download Process Explorer...
http://www.snapfiles.com/get/processexplorer.html
an advanced version of the Task Manager, and find the files from which the virus is starting up...
and kill the process... and remove the files.
If you plan to use avast... there is an option to scan all your system files during startup
[i.e. BOOT-TIME SCAN]
including the "system volume restore information" folder... from where the malware may infect again...

Name : Brontok.N
Alias: WORM_RONTKBR, W32/Rontokbro, W32.Rontokbro.X@mm, Email-Worm:W32/Brontok.N, Email-Worm.Win32.Brontok.n
Type: Email-Worm
Category: Malware
Platform: W32

CHECK FOR THESE PROCESSES
csrss.exe
inetinfo.exe
lsass.exe
services.exe
smss.exe
winlogon.exe
Some of the worm's files have hidden, system, and read-only attributes. The worm can create its files with COM, EXE, and PIF extensions. The Brontok worm creates multiple launch points for the copied files. Those include startup Registry keys as well as scheduled jobs.

Source:
http://www.f-secure.com/v-descs/brontok_n.shtml

According to Mark Russinovich (author of the program), a better option with Process Explorer is to suspend processes: if a process is killed it may be started up again by another process which is monitoring it for just such an attempt to stop it. Once all malware processes have been identified and suspended, they can be killed.

http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=359

(I watched this video somewhere without having to log on to MS, but can’t remember where now.)

Thanks... point noted... I thought only files running under applications could start themselves once you have terminated the application... I thought killing the process was the ultimate solution...

The processes are not restarting themselves but are being restarted by another "watchdog" process, so it's important to suspend all the malware processes before killing them.

This is the PP slide from Mark’s lecture on the subject:

Terminating Malicious Processes

Don’t kill the processes
Malware processes are often restarted by watchdogs
Instead, suspend them
Note that this might cause a system hang for Svchost processes
Record the full path to each malicious EXE and DLL
After they are all asleep then kill them
Watch for restarts with new names…
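As an added example (not from the thread, from Sysinternals, or from F-Secure), the order of operations from the slide above combined with the process-name list in the F-Secure excerpt, in Python: flag any process whose image name matches one of the listed core Windows names but whose image path is not the genuine location, suspend every flagged process before terminating any of them (so a watchdog has nothing left running to respawn its sibling), and record the image paths so the files can be deleted afterwards. The sample process list, the user-profile drop folder and the table of legitimate locations are constructed assumptions, and the caller supplies the PID/path list (for instance from Process Explorer's Image Path column); on Windows the real suspend and terminate calls go through ctypes (`NtSuspendProcess`, `TerminateProcess`) and are only attempted there.

```python
import ctypes
import sys
from pathlib import PureWindowsPath

# Process names from the F-Secure Brontok.N description: legitimate Windows
# names that the worm reuses for its own copies.
WATCHED_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe",
                 "services.exe", "smss.exe", "winlogon.exe"}

# Where the genuine binaries live on a default install (assumption; adjust
# if Windows is installed elsewhere). inetinfo.exe is IIS and sits in inetsrv.
LEGIT_DIRS = {name: r"C:\Windows\System32" for name in WATCHED_NAMES}
LEGIT_DIRS["inetinfo.exe"] = r"C:\Windows\System32\inetsrv"

# Constructed sample of (pid, image path) pairs standing in for what Process
# Explorer shows. The "Application Data" paths are made up for this example.
SAMPLE_PROCESSES = [
    (376, r"C:\WINDOWS\system32\smss.exe"),
    (600, r"C:\WINDOWS\system32\csrss.exe"),
    (624, r"C:\WINDOWS\system32\winlogon.exe"),
    (668, r"C:\WINDOWS\system32\services.exe"),
    (680, r"C:\WINDOWS\system32\lsass.exe"),
    (1788, r"C:\Documents and Settings\user\Local Settings\Application Data\csrss.exe"),
    (1804, r"C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe"),
    (1812, r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe"),
    (1900, r"C:\Program Files\AVG\AVG7\avgcc.exe"),
]


def suspicious(processes):
    """Return the (pid, path) pairs whose file name is a watched system name
    but whose directory is not the legitimate one. Comparison is
    case-insensitive, as Windows paths are."""
    flagged = []
    for pid, path in processes:
        p = PureWindowsPath(path)
        name = p.name.lower()
        if name in WATCHED_NAMES and str(p.parent).lower() != LEGIT_DIRS[name].lower():
            flagged.append((pid, path))
    return flagged


def neutralize(suspects, suspend, terminate):
    """Russinovich's order: suspend every suspect first, then terminate them.
    Returns the recorded image paths (for deleting the files afterwards) and
    the action log in the order the actions were performed."""
    recorded = dict(suspects)          # pid -> full path, noted before anything dies
    log = []
    for pid in recorded:               # phase 1: put them all to sleep
        suspend(pid)
        log.append(("suspend", pid))
    for pid in recorded:               # phase 2: nothing is awake to restart them
        terminate(pid)
        log.append(("terminate", pid))
    return recorded, log


# ---- Windows-only implementation of the two actions via ctypes ----------
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800


def _win_api():
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtSuspendProcess.argtypes = [ctypes.c_void_p]  # long-standing undocumented export
    return k32, ntdll


def win_suspend(pid):
    k32, ntdll = _win_api()
    h = k32.OpenProcess(PROCESS_SUSPEND_RESUME, False, pid)
    if not h:
        raise ctypes.WinError()
    try:
        status = ntdll.NtSuspendProcess(h)
        if status != 0:
            raise OSError(f"NtSuspendProcess({pid}) failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        k32.CloseHandle(h)


def win_terminate(pid):
    k32, _ = _win_api()
    h = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
    if not h:
        raise ctypes.WinError()
    try:
        if not k32.TerminateProcess(h, 1):
            raise ctypes.WinError()
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    # Dry run on the constructed sample; only act on real PIDs on Windows and on purpose.
    live = sys.platform == "win32" and "--live" in sys.argv
    act_s = win_suspend if live else (lambda pid: print(f"[dry] suspend  {pid}"))
    act_t = win_terminate if live else (lambda pid: print(f"[dry] terminate {pid}"))
    paths, actions = neutralize(suspicious(SAMPLE_PROCESSES), act_s, act_t)
    for pid, path in paths.items():
        print(f"delete after reboot check: {path} (was pid {pid})")
```

After the terminate phase, re-run `suspicious()` over a fresh process list: the slide's last point is that a surviving launcher may bring the worm back under a new name, and the recorded paths are what you delete (after clearing the hidden/system/read-only attributes the F-Secure excerpt mentions) before removing the Registry and scheduled-job launch points.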

Sorry, maybe it looks dumb, but I really don't get the meaning of suspend. To stop or kill the process is the common thing to do, but to suspend...? How to do that?

Suspend is an option offered by the Process Explorer program:

http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

Hi donisaurus,

Good Indonesian removal tool can be found here:
http://www.kaer-media.org/penawar-brontok/

polonus