How to get rid of Brontok?

October 2016

Brontok is a malicious email worm that harvests email addresses from the computers it infects and sends them infected emails.
It installs itself in the Windows Registry, can modify data on the computer, interferes with normal operation by blocking access to certain websites (including security websites) and downloads files automatically. Malwarebytes Anti-Malware can be used to remove Brontok. The anti-malware software is free and can be downloaded from the internet and installed on the infected computer. The computer must be booted in Safe Mode before running Anti-Malware to remove the Brontok worm. On Windows Vista or 7, UAC has to be disabled before running the anti-malware.

What is a Brontok infection?

There are several variants, detected under names such as: W32/Rontokbro.gen@MM, W32.Rontokbro@mm, Worm/Brontok.a, Email-Worm.Win32.Brontok.a, Win32.Stration, Win32.Rontokbro.H, TR/Crypt.CFI.Gen, ....
Brontok is an email worm that sends infected emails to addresses harvested from the infected computer.
  • It can spread via email, peer-to-peer networks and external media (USB key, external hard drive, CD...).
  • It sends infected messages to the contacts in your Outlook address books.
  • It modifies data on the computer.
  • It installs itself in the Windows Registry.
  • It can block access to certain websites.
  • It can block access to security websites.
  • It can block security applications.
  • It can download files automatically.

Example of a HijackThis log:

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

Example of Brontok infection files found:
C:\WINDOWS\KesenjanganSosial.exe = Worm.Brontok.c
C:\WINDOWS\shell\NewRakyatKelaparan.exe = Worm.Brontok.c
C:\WINDOWS\system32\cmd-brontok.exe = Worm.Brontok.c
C:\WINDOWS\system32\user's Setting.scr = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\services.exe = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\winlogon.exe = Worm.Brontok.c
C:\WINDOWS\eksplorasi.exe = Worm.Brontok.d
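The two traces above are the ones worth automating a check for: an extra executable appended to the Winlogon Shell= value (the HijackThis F2 lines), and files carrying core Windows process names (services.exe, lsass.exe, winlogon.exe) outside system32. The script below is an added example, not part of the original article or of any of the tools it mentions; it runs over constructed sample lines copied from the listing above, and the set of process names and the system32 path are assumptions for the example.

```python
import ntpath
import re

# Expected Winlogon shell value is Explorer.exe alone. Brontok appends its
# own executable so that it is launched at every logon (see the F2 lines).
EXPECTED_SHELL = "explorer.exe"

# Core Windows process names that Brontok mimics (from the infection
# listing on this page); legitimate copies live only in system32.
SYSTEM_PROCESS_NAMES = {"services.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIR = "c:\\windows\\system32"  # assumed install drive/path

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)


def extra_shell_entries(log_line):
    """Return every executable in an F2 Shell= line other than Explorer.exe."""
    m = SHELL_RE.match(log_line.strip())
    if not m:
        return []  # not a Shell= line; nothing to check
    # Tokenise the value: quoted paths may contain spaces.
    tokens = re.findall(r'"([^"]*)"|(\S+)', m.group(1))
    entries = [quoted or bare for quoted, bare in tokens]
    return [e for e in entries if e.lower() != EXPECTED_SHELL]


def masquerading_paths(paths):
    """Return paths whose file name is a core system process name but whose
    directory is not %SystemRoot%\\system32 (e.g. a user's Application Data)."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        if name.lower() in SYSTEM_PROCESS_NAMES and directory.lower() != SYSTEM_DIR:
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed sample input reproducing the entries quoted on this page.
    hijackthis_lines = [
        'F2 - REG:system.ini: Shell=Explorer.exe "C:\\WINDOWS\\KesenjanganSosial.exe"',
        "F2 - REG:system.ini: Shell=Explorer.exe",  # clean baseline
    ]
    found_files = [
        r"C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe",
        r"C:\WINDOWS\system32\lsass.exe",  # legitimate location
    ]
    for line in hijackthis_lines:
        for exe in extra_shell_entries(line):
            print("unexpected shell entry:", exe)
    for p in masquerading_paths(found_files):
        print("system process name outside system32:", p)
```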

Getting started

If you have Vista or 7:
  • You must disable UAC for the duration of the disinfection.
  • If you have TeaTimer (the Spybot resident), disable it, otherwise it may impede disinfection:
    • Start Spybot, click Mode, then select Advanced Mode.
    • On the left, click Tools, then Resident.
    • Uncheck the "TeaTimer Resident" box and then exit Spybot.

Method of disinfection

Several solutions are available:

First method: CleanX-II sUBs

  • Download CleanX-II sUBs.
  • Disconnect from the internet.
  • Close all applications.
  • Disable and re-enable System Restore.
  • Right-click on CleanX-II sUBs and choose "Run as Administrator" to start the repair (UAC disabled).
  • You will receive a warning message; click OK.
  • At the end of the scan (which can take several minutes), a report will be generated.
  • Click on Start, Run and type %temp%\report.txt to view the report.
  • If the report shows the presence of infected files, run the tool again!

Second method: UsbFix

  • Download UsbFix (El desaparecido) to your desktop.
  • Important: connect all external data sources to the PC (USB key, external hard drive, SD card, etc.) without opening them.
  • Disconnect from the internet.
  • Temporarily disable your antivirus software.
  • Double-click on UsbFix.exe to launch the program.
  • Click the Search button.
  • Let the tool work.
  • The UsbFix.txt report will be created at the end of the scan (C:\UsbFix.txt).
  • Double-click on UsbFix.exe to launch the program again.
  • Click on the Delete button.
  • The desktop will disappear and reappear at the end of the disinfection.
  • The UsbFix.txt report will be generated; post it on the security/viruses forum.

Third method: Malwarebytes' Anti-Malware

Fourth method: Dr Web

  • Download Dr.Web CureIt.
  • Double-click the Launch.exe icon.
  • On the page that appears, select "Start scan".
  • The analysis starts; infected items can be quarantined and/or disinfected.

Fifth method: SUPERAntiSpyware

  • Download SUPERAntiSpyware.
  • Install and update it.
  • Open SUPERAntiSpyware and click "Scan your Computer".
  • In the new window, you can choose the items to be scanned (drives, directories, etc.).

Other disinfection methods

Bitdefender - Brontok removal tool
Sophos - Brontok removal tool
- Brontok removal tool

This document entitled « How to get rid of Brontok? » from CCM ( is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.