Win32: Brontok drama

My firewall (disabled by Brontok) detects the worm and Avast! detects a serious problem but cannot name nor delete it. Every time I run a scan my computer goes to blue screen and restarts. I get the message from Avast! that a virus is operating in the memory and I should do a boot-up scan. During the boot-up scan, it quits halfway and reboots. I have tried every manual and numerous automatic removers but nothing works. I cannot find the following paths in the regedit:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOption
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Bron-Spizaetus="[%WINDOWS%]\ShellNew\RakyatKelaparan.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-2322="[%LOCAL_APPDATA%]\smss.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-6810="[%LOCAL_APPDATA%]\smss.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Tok-Cirrhatus-1563="[%LOCAL_APPDATA%]\smss.exe"

I cannot do a search for any of the folders it creates either! I always come up empty-handed.

I DO have the following processes running:
smss.exe
services.exe
lsass.exe
csrss.exe
winlogon.exe

I DO NOT have:
inetinfo.exe
bronstab.exe

I can run folder options and also registry editor… so what’s up? Please help!
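An added example, not part of the original thread: the process names listed in the post above are also the names of genuine Windows components, so what separates the quoted Run values from the real files is the path, not the name. The sketch below checks Run values and process image paths on that basis; the profile paths in `ENV`, the `ExampleTray` entry, the process list and the helper names are constructed for illustration.

```python
import ntpath
import re

# Names the first post lists as running; each is a genuine Windows component
# when its image is loaded from %SystemRoot%\System32.
SYSTEM_NAMES = {"smss.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Run value names quoted in the thread (the numeric suffix varies).
BRONTOK_VALUES = re.compile(r"^(Bron-Spizaetus|Tok-Cirrhatus-\d+)$", re.I)

# Constructed environment for an XP-era profile; adjust to the machine examined.
ENV = {
    "WINDOWS": r"C:\WINDOWS",
    "LOCAL_APPDATA": r"C:\Documents and Settings\user\Local Settings\Application Data",
}

def expand(path, env=ENV):
    """Resolve the thread's [%NAME%] placeholders to concrete paths."""
    return re.sub(r"\[?%(\w+)%\]?", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def is_masquerade(image_path, env=ENV):
    """True when a system-process name runs from anywhere but System32."""
    path = ntpath.normcase(ntpath.normpath(expand(image_path, env)))
    system32 = ntpath.normcase(ntpath.join(env["WINDOWS"], "system32"))
    return ntpath.basename(path) in SYSTEM_NAMES and ntpath.dirname(path) != system32

def audit_run_values(values, env=ENV):
    """Return {value_name: [reasons]} for Run entries worth a closer look."""
    findings = {}
    for name, data in values:
        reasons = []
        if BRONTOK_VALUES.match(name):
            reasons.append("value name quoted in thread")
        if is_masquerade(data.strip('"'), env):
            reasons.append("system-process name outside System32")
        if reasons:
            findings[name] = reasons
    return findings

# Run values as quoted in the first post, plus one constructed benign entry.
RUN_VALUES = [
    ("Bron-Spizaetus", r"[%WINDOWS%]\ShellNew\RakyatKelaparan.exe"),
    ("Tok-Cirrhatus-2322", r"[%LOCAL_APPDATA%]\smss.exe"),
    ("ExampleTray", r'"C:\Program Files\Example\tray.exe"'),
]
# Constructed process image paths: one genuine smss.exe, one impostor.
PROCESSES = [r"C:\WINDOWS\system32\smss.exe", r"[%LOCAL_APPDATA%]\smss.exe"]

if __name__ == "__main__":
    print(audit_run_values(RUN_VALUES))
    print([p for p in PROCESSES if is_masquerade(p)])
```
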

-= It seems like normal scans won't do. If you can still install Malwarebytes Antimalware, have time to download, install, update, scan…

-= If no, then, I suggest the use of Avast Bart CD

If you have the genuine Brontok, then you will have to wait for someone a bit more experienced. The fact you can use regedit seems strange. There is a fake Brontok warning.

Please try and download MBAM.

You may have problems installing, updating, and running. If this is so, rename the setup file (e.g. moon.exe), then install. If you cannot update, download the definitions manually using another PC, and double-click to install. Then go to C:\program files\malwarebytes antimalware\mbam.exe and rename mbam.exe, then double-click on the renamed file.

MBAM http://filehippo.com/download_malwarebytes_anti_malware/

MBAM updates http://www.gt500.org/malwarebytes/database.jsp

If I do a search for the processes (i.e. winlogon.exe, csrss.exe, lsass.exe) I find them in the system32 folder and in service pack files. How could I not have the Brontok worm when my firewall and Avast! detect it, I have the processes running, and my PC keeps going to bluescreen and crashing?

BTW is Malwarebytes' Anti-Malware trusted? It has detected 74 infected files so far… Kind of up there with the "virus scanners" that are a scam.

I find that question insulting. ??? Shows how VERY LITTLE you know about security.
Where do you expect to find winlogon.exe, csrss.exe, lsass.exe?

How does your firewall detect things when it's been 'disabled'?

Absolutely, we are NOT in the habit of suggesting untrustworthy applications.

MBAM is currently one of the best specialist anti-spyware/malware applications; you only have to check the forums to see it being widely used (see posters' signatures and you will see it) and recommended.

Post the contents of its log and we can look into what it detected.

I’m sorry for apparently insulting you so badly. You DO NOT need to insult me in return. That is just uncalled for. I asked a simple question, that’s ALL. I WILL report you next time. I may not know as much about security as you do, that is why I am asking you. I found it suspicious, that’s ALL.

Thank you for telling me in a nice way :)

Feel free, I won't be helping you anymore. I did not insult you. If you had any intelligence, you would realise that.

Looks like you bit his shiny metal ass and he got upset ;D

Not sure what you mean, YoKenny. I sent you a PM.

This is a friendly forum and new members are welcome from the uber geek to the n00be that just installed avast!.

Using a computer can be quite intricate so when something is not clear sometimes further explanation is necessary geared to their understanding.

@haleybrontok
It is wise to be suspicious on today’s malware infested Internet with all the bogus malware removers and phishing scams happening now but the ratings of the posters are clearly displayed on the upper left of their ID and after a while you will see who are the best helpers.

-= By the way, I found some sort of a Brontok Removal Tool from Sophos: http://www.sophos.com/support/disinfection/brontok.html

-= You might probably need to rename the .exe file since Brontok is blocking files with wildcards related to Antivirus & Antispywares… For example, any word with the letters AVAST shall be terminated so naming it SOMETHING or anything else will help prevent it from being terminated… Somehow, if that is a new variant, this trick might not easily work…

I used the Brontok Removal Tool from Sophos and I think it’s gone ;D. My windows firewall isn’t popping up with the warning anymore and my browser doesn’t redirect me. Thanks!

-= Congratulations… Glad to help… ;D