I was struck by this "Win32:Brontok-P". It created a few ".exe" files with odd numbers as their names. They were totally deleted by Avast, but the problem is, on every startup there will be a pop-up command-line box telling me that a 16-bit program cannot run or something. The registry isn't clean yet; the registry still tries to start the worm's exe… I've searched msconfig, but it's not there, so where can I delete this stupid and annoying warning?
REM Install CD ROM extensions
lh %SystemRoot%\system32\mscdexnt.exe
REM Install network redirector (load before dosx.exe)
lh %SystemRoot%\system32\redir
REM Install DPMI support
lh %SystemRoot%\system32\dosx
All the lines with "REM" are removed.
OK, whenever I start up Windows, 2 cmd boxes will pop up with something like o9469086.exe, j90860854.exe… the numbers are not exact, just an example. The program (worm) is not there anymore, because they were removed by Avast, therefore Windows will say "cannot run the programs, they cannot be found", something like that… Tried safe mode, there is no pop-up… that means it's a startup, but I just can't find it in the startup folder, msconfig, or even in the registry.
Ewido, how about Spybot? I have that on my PC, I'll try Spybot first.
But it scans files with access denied by Windows.
If a file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!, it cannot be scanned.
Besides this, a recurring infection is what you have.
A good thing is to disable System Restore, boot, and enable it again. If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder; the best way to solve this is to disable System Restore, reboot your machine and then enable it again.
The worm then registers itself in the system registry, ensuring that the worm file will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="%Windir%\ShellNew\bronstab.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="%Documents and Settings%\User\Local Settings\Application Data\smss.exe"
Oh my god, it's in HKLM…\Winlogon. Previously I just looked for HKLM…\Run and found nothing… this encyclopedia is helpful.
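The symptom in this thread (a command box on every logon complaining that a deleted worm file cannot be found) is an auto-start registry value whose target no longer exists. The PowerShell script below is an added example, not code from the thread or from Avast: it walks the Run/RunOnce keys and the Winlogon Shell/Userinit values, resolves each command line to its program path, and lists the entries whose file is missing. It assumes it is run with administrator rights on the affected machine and is read-only; it deletes nothing, so a wrong entry cannot be removed by accident.

```powershell
# Added example, not part of the thread: report auto-start registry values whose
# target file no longer exists (antivirus removed the binary, registry value stayed).
# Read-only: it lists suspects and deletes nothing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
function Get-ExecutablePath([string]$command) {
    # Pull the program path out of a command line and expand %VAR% references.
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) {                       # "C:\Program Files\x.exe" /arg
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.(exe|com|bat|cmd|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }     # C:\dir\tool.exe -q
    return ($cmd -split '\s+')[0]                     # last resort: first token
}
function Test-AutoStartEntry([string]$key, [string]$name, [string]$value) {
    $path = Get-ExecutablePath $value
    # A bare name such as explorer.exe is resolved through PATH, as the loader does.
    $exists = (Test-Path -LiteralPath $path) -or
              ($null -ne (Get-Command $path -ErrorAction SilentlyContinue))
    [pscustomobject]@{ Key = $key; Name = $name; Target = $path; Exists = $exists }
}
function Get-OrphanedAutoStarts {
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($n in $item.GetValueNames()) {
            $entries.Add((Test-AutoStartEntry $k $n ([string]$item.GetValue($n))))
        }
    }
    # Winlogon Shell/Userinit hold comma-separated program lists; the worm family
    # in this thread hooks Winlogon as well as Run, so check both places.
    $wl = Get-ItemProperty -Path $winlogonKey
    foreach ($n in 'Shell', 'Userinit') {
        foreach ($e in ([string]$wl.$n -split ',')) {
            if ($e.Trim()) { $entries.Add((Test-AutoStartEntry $winlogonKey $n $e)) }
        }
    }
    $entries | Where-Object { -not $_.Exists }
}
Get-OrphanedAutoStarts | Format-Table -AutoSize
```

An entry listed here with a random-looking name is the kind of leftover described above; verify the key and value by hand in regedit before removing anything, since Winlogon Shell and Userinit must keep their legitimate explorer.exe and userinit.exe entries.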
All these happened because I disabled Avast's "standard shield". I thought the web shield was good enough, and it appears that this worm came from my friend's pen drive >:( …
The current avast 4.7 beta is a lot faster in terms of startup; it doesn't scan as many files on startup as 4.6.
Hehe, very clean now. I deleted the wrong registry entry and Windows cannot log in anymore… so, reformat. I'll never ever disable "standard shield" again… a lesson… I really hate those malware authors, what are they thinking? Ruining people's things.