W32.rontokbro.bb@mm

6 replies to this topic

#1 DarkMind

  • Members
  • 5 posts

Posted 22 August 2007 - 06:48 AM

Hey all. I'm writing this on my laptop, but right now my PC is so infected I can barely do anything with it, really.

The problem starts like this: both my laptop and my PC are hooked up through wireless, and there was this period of time when I kept getting messages from Norton saying that it detected w32.rontokbro.b@mm attacking my laptop (not its exact words, but you get what I mean).

Initially, I thought that it might be that my laptop was infected with this dreadful virus, and I was trying again and again to remove it, but I keep getting that message. It then dawned on me that it may be the PC itself that was infected, and that it was from there that the worm was attempting to break into my laptop. Right now, I've adopted the policy of not switching both of them on at the same time to prevent the virus from spreading further.

Anyhow, it's a rather tricky problem over at my PC. It goes like this:

1) I can't open any .exe file to scan and try to fix the problem
2) I can't get into SafeMode (every time I try to, the computer reboots after loading all the files for safemode).
3) I can't open the .reg file that changes the registry back to default for .exe's so that I can actually run them
4) Anything that has something to do with anti-spyware in its title is literally just another button for me to say "restart" now.
5) I know where the majority of the worm's files are, they're in the %UserProfile%/Local Settings/Application Data/ folder, like it says on Symantec's website, but they don't offer any advice as to how I can remove the problem without the use of their products.
6) They are, like always, running in the background and I can't stop them from running, and also I can't get into SafeMode (as mentioned)

I can't even run HJT now.

So... my PC is literally there to get murdered by the worm. Any help/advice is appreciated.

Thanks.

Edited by DarkMind, 22 August 2007 - 06:53 AM.


#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,571 posts

Posted 22 August 2007 - 06:54 AM

Sounds like you've got real problems there.

One thing you could try is to burn a UBCD on your laptop, use it to boot the infected PC and run the anti-virus applications that it has.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,584 posts
  • Location: Virginia, USA

Posted 22 August 2007 - 07:14 AM

Please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

Then download Sysclean Package and the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number).
Be sure to print out and follow the instructions provided in the How to Use System Cleaner for performing a scan.
When using Sysclean, it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system. This tool generates a log file (sysclean.log) in the same folder where the scan is completed.

Run Sysclean in normal mode if you still cannot get into safe mode.

For getting Hijackthis to run, change the .exe to something else such as .bat, .com, .pif, or .scr.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 DarkMind

Posted 22 August 2007 - 07:35 AM

I'll try that... But I think I might just resort to reformatting the computer altogether.

Anyway, do you know if AVG can detect/remove this virus, and also how I can fix infected thumb drives / external hard drives?

#5 quietman7

Posted 22 August 2007 - 07:46 AM

You can try running AVG in "SAFE MODE" but I doubt it will completely remove the infection. The Brontok Disinfection Tool should be used.

"how I can fix infected thumb drives / external hard drives?"

What are they infected with?

Keeping Autorun enabled on USB and other removable drives has become a security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. When the removable media is inserted, autorun looks for autorun.inf which automatically can run a malicious file that you do not expect or intend to run. Read "Danger USB! Worm targets removable memory sticks".

I recommend disabling the Autorun feature on USB drives as a method of prevention.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
See "Disable Autorun/AutoPlay" for instructions with screenshots.
When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.
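An added example, not part of quietman7's post or of any tool named in this thread: a small Python audit of an autorun.inf's text that lists the directives which start a program, including the default shell verb that a double-click on the drive icon runs. The function names and the sample file are constructed for illustration.

```python
def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Keys that start a program: on insertion (open, shellexecute) or
    from the drive's shortcut menu (shell\\<verb>\\command)."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def double_click_command(entries):
    """Command bound to the default verb (shell=<verb>), which is what a
    double-click on the drive icon runs; None when no default is set."""
    verb = entries.get("shell")
    return entries.get(f"shell\\{verb.lower()}\\command") if verb else None


# Constructed sample, not taken from any real infected drive.
SAMPLE = """\
; constructed sample
[AutoRun]
open=example.exe
icon=drive.ico
shell=launch
shell\\launch\\command=example.exe
label=My Drive
"""

if __name__ == "__main__":
    entries = parse_autorun(SAMPLE)
    for key, target in launch_directives(entries).items():
        print(f"launch directive: {key} -> {target}")
    print("double-click runs:", double_click_command(entries))
```

To check a real drive, read the autorun.inf from its root on a machine where Autorun is already disabled and pass the text to `parse_autorun`.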

#6 DarkMind

Posted 25 August 2007 - 05:18 AM

Sorry for the late reply, have been a bit busy so I couldn't try all the stuff you suggested..

Anyway, I ran the disinfection tool, and it worked... Kind of, it cleared most of the stuff (as I concluded from the hundreds of files that spawned from brontok being deleted by the tool...) I then proceeded to run SysClean, and AVG as well...

I'm still stuck with a problem, though. My computer still can't start in SafeMode...

Regarding the thumb drive, I think it was infected with the brontok as well.

#7 quietman7

Posted 25 August 2007 - 07:03 AM

Were you able to get Hijackthis to run by changing the .exe to something else such as .bat, .com, .pif, or .scr?

If so, then post your log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.
