Virus problem - Brontok

[Drolgin Steingrinder]

I've got an extremely annoying virus on one of my machines at work. I keep getting popups from PCCillin warning me about infected WORM_BRONTOK.BA files. The files seem to take the name of random folders (example: in c:\Documents and Settings\User\Documents\FIFA2008\saves there's a 'saves.exe' file that's infected) and adding a .exe extension. I've searched all over for a solution for this problem - I've done hijackthis logs, online virus scans etc etc. None of the solutions seem to remove the issue - I still get the alerts.

Does anyone have any inkling of an idea as to what to do?

[Ashur]

http://www.trendmicro.com/vinfo/virusen ... A&VSect=Sn

[Drolgin Steingrinder]

Yeah, tried everything they suggested already, didn't make any difference. The symptoms they describe aren't present in my case - I have full access to registry etc. So either it's detecting something that isn't there, or they're full of shit?

[cadalano]

its possible that your virus protection is preventing the executable from actually running, which would normally add the autostart entries and disable your registry and so on. if your PCCillin warning occurs upon startup, then this is even more likely as the virus is apparently a startup exe. in this case, PCCillin is cockblocking the actual virus and your problem wouldn't be the damage intended to be done by it (which the trend micro guide is a remedy for). your problem would be the inability of whatever scanner(s) you're using to remove its executable(s) from your system

which scanners are you using? are they reporting that they were able to successfully delete the worm, only to have it appear again? if that is the case, at which point do the warnings return... after you reboot? or after the scanner removes the virus but before rebooting the system?

[Drolgin Steingrinder]

I've used the TrendMicro PCCillin one, I've tried NOD32, Norton coprorate and a few others that I don't recall. I haven't seen any that've announced they've removed the worm itself, only that they've quarantined / deleted the infected files (which are weird copies of folder names in .exe form).

Running NOD32 I don't get the extremely annoying popups announcing infected files found but upon uninstalling that and reinstalling PCCillin they came back - so I'm guessing that either PCCillin is fucked up in the head or the virus is still there.

[cadalano]

try running this in safe mode
http://rapidshare.com/files/56703754/brontok-washer.zip


do you only get the "infected files found" messages upon startup, or at any point?
do you see any of the AutoStart registry entries described in the Trend Micro guide?

[Drolgin Steingrinder]

I'll try running it tomorrow, thanks.

The infected files pop up at startup and throughout the day. None of the startups in the Trend Micro are there (although I did find a fuckton of other stuff that I could remove).

[Truant]

I have nothing helpful to add, so I'm sorry about that. But the name makes me giggle.

It's like an evil robotic Brontosaurus or something.

BRONTOK SMASH!

[Soreali]

Heres the three tools I use on every virus call I get.. use the 3 of them together and it should get rid of it for you.. they haven't failed me yet and i get some nasty virus machines.

http://www.superantispyware.com free verison for home users.. blue button...download that.
http://www.savemybutt.com/how-to-use-sdfix.exe.html Run it in safe mode
http://www.download.com/AVG-Anti-Virus- ... d=10834624
http://siri.urz.free.fr/Fix/SmitfraudFix.exe Run this is in safe mode.


Best order to run those in is Smitfraudfix first, SDfix second, Install the Superantispyware first then the AVG 8. After running those you should be in the clear.

Hope that helps.

[Drolgin Steingrinder]

I finally vanquished the Brontoksaurus with the help of Avast AV. It required three, pre-windows startup passes and a CHKDSK (Avast killed off a couple of system files in a slightly overzealous bit of housekeeping), but it's gone!

For anyone who plays Warcraft 3 or WoW: infections seem to have come from 3rd party addons, either from Autorefresh for WC3 or from some autopatcher for a Paladin addon or something like that.

[Aardor]

Thanks for the heads up. Also, since you're using Avast now, there is some functionality of the virus scanner which makes MMO's freeze for a few seconds randomly. I will have to wait till tonight till I can talk to the guildmates who were having the problem, but if this starts happening to you, you know the cause.