Disclaimer: I am not responsible for any damage done to your computer. Follow these instructions only if you are confident with them.

What? What is this folder icon? How can it have the same name as the folder next to it? Let's click it. And the whole system is infected by Brontok. *Sigh* This is what happens when we double-click on autopilot: the worm's executable carries a folder icon and a familiar name, and with file extensions hidden it passes for a folder. We were fooled by a simple trick on human habits.
So how do we get the system back to normal? Follow these steps and you'll be safe.
1. First and most important: if the PC is on a network, disconnect it and disable any file sharing so the worm cannot spread. Then, on a clean PC, download your preferred antivirus program (for example AVG) together with its latest updates.
Also download UnHookExec.inf from Symantec. We will use this file to restore the registry entries the worm hooks; how to use it is covered in step 5. Copy all of these files to a thumb drive or a writable CD and carry them to the infected PC. Make sure the thumb drive is switched to read-only (write-protected) before you plug it into the infected machine, so nothing on that machine can write to it.
2. Disable System Restore so that a restore point cannot bring the worm back. You can turn it on again after the worm has been eliminated.
3. According to the Trend Micro description, the worm automatically terminates any program running under certain names: Registry, Command Prompt, System Configuration, antivirus programs (e.g. AVG, Avast, Trend Micro) and other specific names, including Process Explorer. This means we cannot use Process Explorer to kill the worm.
An alternative to that tool is Complete Process Manager (CPM). It is shareware, so the full version must be paid for. Whether to buy it is up to you, but the trial version has all the features we need here.
4. Install and run CPM, then look for processes running under the names csrss.exe, inetinfo.exe, lsass.exe, services.exe, smss.exe and winlogon.exe. The worm's copies deliberately use the same names as genuine Windows processes, so go by the owner, not the name: the genuine ones run as SYSTEM, and you cannot terminate a process owned by SYSTEM from CPM anyway. The worm's copies run under your own user account, and those are the ones you can (and should) kill.
After you have killed those, kill the main worm process, whose name is a letter followed by a number (%Windir%\j[RANDOM].exe and %Windir%\o[RANDOM].exe), for example j0128237.exe or o218230.exe. Usually two of these are running in the background.
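The check in step 4, written out as a script, is an added example and not from the original article or any of its sources: it lists every process that carries one of the system process names above but does not run from %SystemRoot%\System32 under SYSTEM, plus any j/o loader, and with -Kill stops them in the order step 4 gives. It assumes that [RANDOM] in j[RANDOM].exe / o[RANDOM].exe is numeric, as in the article's examples, and needs an elevated PowerShell 3.0 or later prompt (Get-CimInstance).

```powershell
# Added example, not from the original article: report (and with -Kill, stop)
# processes that carry a Windows system process name but do not run from
# %SystemRoot%\System32 as SYSTEM, plus the worm's j<digits>.exe / o<digits>.exe
# loaders. Brontok's copies keep the genuine names but live outside System32
# and run as the logged-on user, which is exactly why they can be terminated.
# Assumption: [RANDOM] in the article's j[RANDOM].exe / o[RANDOM].exe is
# numeric, as in its examples (j0128237.exe, o218230.exe). Run elevated.
param([switch]$Kill)

$systemNames = 'csrss.exe', 'inetinfo.exe', 'lsass.exe', 'services.exe', 'smss.exe', 'winlogon.exe'
$system32    = Join-Path $env:SystemRoot 'System32'
$loaderRegex = '^[jo]\d+\.exe$'

function Get-SuspectProcess {
    # Win32_Process exposes the image path and, through GetOwner, the account.
    # Get-Process alone shows neither the owner nor the path of protected processes.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $isSystemName = $systemNames -contains $p.Name
        $isLoaderName = $p.Name -match $loaderRegex
        if (-not ($isSystemName -or $isLoaderName)) { continue }

        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
        $path  = $p.ExecutablePath
        $inSystem32 = $path -and $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)

        # Genuine smss/csrss/winlogon/services/lsass run from System32 as SYSTEM, and
        # IIS's inetinfo.exe from System32\inetsrv. A system name that fails either
        # check is an impostor; a j/o loader name is suspect wherever it runs.
        $reason = $null
        if     ($isLoaderName)                    { $reason = 'Brontok loader name' }
        elseif (-not $inSystem32)                 { $reason = 'system name outside System32' }
        elseif ($owner -ne 'NT AUTHORITY\SYSTEM') { $reason = 'system name not owned by SYSTEM' }

        if ($reason) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId; Name = $p.Name; Path = $path
                Owner = $owner; Reason = $reason
            }
        }
    }
}

$suspects = @(Get-SuspectProcess)
if ($suspects.Count -eq 0) { Write-Host 'No impostor system processes or Brontok loaders found.'; return }
$suspects | Format-Table -AutoSize

if ($Kill) {
    # Same order as step 4: the renamed copies first, the j/o loaders last.
    foreach ($s in ($suspects | Sort-Object { $_.Reason -eq 'Brontok loader name' })) {
        Write-Host "Stopping $($s.Name) (PID $($s.ProcessId)) from $($s.Path) as $($s.Owner)"
        Stop-Process -Id $s.ProcessId -Force -ErrorAction Continue
    }
}
```

Run it once without -Kill and read the Path and Owner columns before killing anything: a real lsass.exe or smss.exe is never listed because it passes both checks, and killing the genuine one would crash the session.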
5. Install UnHookExec.inf by right-clicking it and choosing Install. Registry Editor is now accessible again: go to Start -> Run, type regedit and press Enter.
6. Remove the worm's entries in Registry Editor as follows. Value names and paths differ between Brontok variants, so if an entry is not exactly where listed, use the editor's Find function (Edit -> Find) to locate it.
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"f3444Adm" = ""%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com""
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"f3444Adm" = ""%System%\s[RANDOM]\zh59[RANDOM].exe""
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"N7593c" = "%Windir%\_default[RANDOM].pif"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"N7593c" = "%Windir%\j[RANDOM].exe"
(The source lists these last two under the same subkey with the same value name, which a single key cannot hold; one of them presumably lives in the plain HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, the HKEY_LOCAL_MACHINE counterpart of the pair above. Use Find to confirm.)
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
In the right pane, delete the value:
"AlternateShell" = "c_[RANDOM]k.com"
(On a clean Windows installation this value is cmd.exe, so you can also set it back to that instead of deleting it.)
Navigate to and delete the subkey:
HKEY_CURRENT_USER\Software\Brontok
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, reset the values:
"Userinit" = "%System%\userinit.exe,%Windir%\j[RANDOM].exe"
"Shell" = "Explorer.exe "%Windir%\o[RANDOM].exe""
to
"Userinit" = "%System%\userinit.exe"
"Shell" = "Explorer.exe"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
In the right pane, reset the values to their original values if known:
"Hidden" = "0"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"
(The worm sets these to keep extensions and hidden files out of sight. While you are cleaning up, "Hidden" = 1, "HideFileExt" = 0 and "ShowSuperHidden" = 1 make hidden files, protected system files and file extensions visible, which is what exposes the worm's fake folders.)
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane, reset the value:
"DisableRegistryTools" = "1"
to 0, the Windows default; 1 is what the worm sets to lock you out of Registry Editor.
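The registry work in step 6, as an added example that is not from the original article or from Symantec's instructions: it audits every location listed above and, only when run with -Fix, resets it. It assumes the value data shown in step 6, with [RANDOM] widened to any run of word characters, and matches the Run entries on that data rather than on the value names, which vary by variant. It also assumes the Windows defaults stated above (Userinit = userinit.exe alone, Shell = Explorer.exe, AlternateShell = cmd.exe, DisableRegistryTools = 0) and chooses the "show everything" Explorer settings for the clean-up. Run it elevated.

```powershell
# Added example, not from the original article: audit the registry locations the
# removal steps touch and, with -Fix, reset them. Value names and paths follow the
# article; [RANDOM] is assumed to be word characters (\w*). Run as Administrator.
param([switch]$Fix)

$system32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]
function Report($msg) { $script:findings.Add($msg); Write-Host "[!] $msg" }

# Winlogon: Userinit must contain only System32\userinit.exe (Windows itself stores a
# trailing comma); Shell must be exactly Explorer.exe. Anything extra is the loader.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
$userinitParts = @(($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($userinitParts.Count -ne 1 -or $userinitParts[0] -ine (Join-Path $system32 'userinit.exe')) {
    Report "Userinit hooked: $($wl.Userinit)"
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name Userinit -Value "$(Join-Path $system32 'userinit.exe')," }
}
if ($wl.Shell.Trim() -ine 'Explorer.exe') {
    Report "Shell hooked: $($wl.Shell)"
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# Run and policies\Explorer\Run: delete values whose data points at one of the worm's
# files. Patterns are the article's paths (yesbron.com, zh59[RANDOM].exe,
# _default[RANDOM].pif, j[RANDOM].exe) with [RANDOM] widened to \w*.
$wormData = '\\yesbron\.com"?$', '\\zh59\w*\.exe"?$', '\\_default\w*\.pif"?$', '\\[jo]\w*\.exe"?$'
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($wormData | Where-Object { $data -match $_ }) {
            Report "Autorun entry $key\$name = $data"
            if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# SafeBoot: the Windows default AlternateShell is cmd.exe; the worm swaps in its .com file.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$alt = (Get-ItemProperty -Path $safeBoot -Name AlternateShell -ErrorAction SilentlyContinue).AlternateShell
if ($alt -and $alt -ine 'cmd.exe') {
    Report "SafeBoot AlternateShell hooked: $alt"
    if ($Fix) { Set-ItemProperty -Path $safeBoot -Name AlternateShell -Value 'cmd.exe' }
}

# The worm's own key.
if (Test-Path 'HKCU:\Software\Brontok') {
    Report 'HKCU\Software\Brontok present'
    if ($Fix) { Remove-Item -Path 'HKCU:\Software\Brontok' -Recurse -Force }
}

# Explorer view settings: show hidden files, protected system files and extensions
# while cleaning up (the fake folders are .exe files with a folder icon), and
# re-enable Registry Editor (Windows default 0).
$adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$wanted = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
$cur    = Get-ItemProperty -Path $adv
foreach ($n in $wanted.Keys) {
    if ($cur.$n -ne $wanted[$n]) {
        Report "Explorer\Advanced $n = $($cur.$n)"
        if ($Fix) { Set-ItemProperty -Path $adv -Name $n -Value $wanted[$n] -Type DWord }
    }
}
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($drt) {
    Report "DisableRegistryTools = $drt"
    if ($Fix) { Set-ItemProperty -Path $pol -Name DisableRegistryTools -Value 0 -Type DWord }
}

if ($findings.Count -eq 0) { Write-Host 'No Brontok registry traces found.' }
elseif (-not $Fix)        { Write-Host "$($findings.Count) finding(s); re-run with -Fix to repair." }
```

Matching the autorun entries on their data rather than their names is deliberate: the names (f3444Adm, N7593c) are what the worm randomises between variants, while the dropped file names are what the removal instructions are keyed on, and a value pointing at an existing legitimate program is left alone.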
7. Once the registry is cleaned up, install and update your antivirus. When the update completes, scan the whole system and delete every infected file, or move it to the quarantine vault if you want to keep it for further investigation. After the full scan is complete, reboot the computer.
8. If Windows loads without any unexpected black DOS window or similar, and your folders no longer contain duplicate entries carrying the folders' own names, congratulations: your PC is clean of Brontok.
9. Run another full scan if you suspect any malicious activity, and don't forget to update your antivirus frequently.
That's all. I hope these removal instructions help you remove the worm. If you have any comments or suggestions, do not hesitate to leave a comment on this article. Thanks.
References:
1. Symantec Removal Instructions
2. MyCERT Special Alert - W32.Brontok Worm