Brontok is a malicious email worm that retrieves email addresses from the computers it infects and sends itself to them. It settles in the Windows Registry, can modify data on the computer, interferes with normal operation by blocking access to certain websites (including security websites) and downloads files automatically. Malwarebytes Anti-Malware can be used to remove Brontok. The anti-malware software is free and can be downloaded from the internet and installed on the infected computer. The computer must be booted in safe mode to run the Anti-Malware and remove the Brontok worm. If using Windows Vista or 7, UAC has to be disabled before running the anti-malware.
What is a Brontok infection?
There are several variants, known under names such as: W32/Rontokbro.gen@MM, W32.Rontokbro@mm, Worm/Brontok.a, Email-Worm.Win32.Brontok.a, Win32.Stration, Win32.Rontokbro.H, TR/Crypt.CFI.Gen, ...
Brontok is an email worm that sends infected emails to addresses retrieved from the infected computer. It:
- can spread via email, peer-to-peer networks and removable media (USB keys, external hard drives, CDs, ...)
- sends infected messages to the contacts in your Outlook address books
- modifies data on the computer
- settles in the Windows Registry
- can block access to certain websites
- can block access to security websites
- can block security applications
- can download files automatically
Example of a HijackThis log:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
Example of Brontok infections found:
C:\WINDOWS\KesenjanganSosial.exe = Worm.Brontok.c
C:\WINDOWS\system32\user's Setting.scr = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\services.exe = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe = Worm.Brontok.c
C:\Documents and Settings\user\Local Settings\Application Data\winlogon.exe = Worm.Brontok.c
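As an added example (this editor's code, not the article's and not part of HijackThis or any removal tool named here), the two checks a practitioner applies to entries like the ones above: anything chained after Explorer.exe in the Winlogon Shell value is a persistence hijack, and a file named after a core Windows process (services.exe, lsass.exe, winlogon.exe) that does not live in %SystemRoot%\system32 is a masquerade. The sample log lines and paths are constructed from the entries quoted above; the rule names, the list of system process names and the default system32 location are assumptions.

```python
"""Flag Brontok-style persistence in HijackThis-style log lines and in a list
of detected file paths.  Added example, not code from the CCM article or from
any tool it names; sample input is constructed from the entries quoted in the
article, the rules and names below are this editor's assumptions."""
import re

# Constructed sample input: the two F2 lines quoted in the article plus a
# clean Winlogon Shell line and an unrelated HijackThis entry for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

# Constructed sample detections: paths from the article plus one legitimate
# lsass.exe in system32 that must NOT be flagged.
SAMPLE_DETECTIONS = [
    r"C:\WINDOWS\KesenjanganSosial.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\services.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe",
    r"C:\Documents and Settings\user\Local Settings\Application Data\winlogon.exe",
    r"C:\WINDOWS\system32\lsass.exe",
]

SHELL_LINE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
# Core Windows processes that only ever live in %SystemRoot%\system32 (assumption: this short list).
SYSTEM_PROCESS_NAMES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
# Default system directory (assumption: standard install on a single drive).
SYSTEM32_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\system32$")
# File names quoted in the article's HijackThis log.
BRONTOK_NAMES = {"kesenjangansosial.exe", "eksplorasi.exe"}


def extra_shell_entries(line):
    """For a HijackThis F2 Shell line, return every program chained after
    Explorer.exe (a clean value is exactly 'Explorer.exe'); None if the line
    is not a Shell entry at all."""
    m = SHELL_LINE.match(line.strip())
    if m is None:
        return None
    # Tokens are either a double-quoted path (may contain spaces) or a bare word.
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', m.group(1))]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def classify_path(path):
    """Return why a detected file path looks like Brontok, or None if it does not."""
    folder, _, name = path.lower().rpartition("\\")
    if name in BRONTOK_NAMES:
        return "known-brontok-name"
    if name in SYSTEM_PROCESS_NAMES and not SYSTEM32_DIR.match(folder):
        return "system-process-name-outside-system32"
    return None


def scan(log_text, detections):
    """Run both checks and return a list of (evidence, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        extra = extra_shell_entries(line)
        if extra:
            findings.append((line.strip(), "shell-hijack: " + ", ".join(extra)))
    for path in detections:
        reason = classify_path(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for evidence, reason in scan(SAMPLE_LOG, SAMPLE_DETECTIONS):
        print(f"{reason:45} {evidence}")
```

On a live machine the value HijackThis reports as F2 "Shell=" is the Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; a removal tool that deletes the worm's executable but leaves that value pointing at it will produce a missing-file error at every logon, so check the value after disinfection as well as before.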
If you have Vista or 7:
- You must disable UAC for the duration of the disinfection (re-enable it once the computer is clean).
- If you have TeaTimer (the Spybot resident), disable it, otherwise it may impede the disinfection:
- Start Spybot, click Mode and select Advanced Mode.
- On the left, click Tools, then Resident.
- Uncheck the "TeaTimer Resident" box and then exit Spybot.
Method of disinfection
Several solutions are available:
First method: Clean XII sUBs
- Download CleanX-II sUBs.
- Disconnect from the internet.
- Close all applications.
- Disable and re-enable System Restore (this purges the existing restore points, which may contain infected copies of the worm).
- Right-click on Clean XII sUBs and choose "Run as Administrator" to start the repair (with UAC disabled).
- You will receive a warning message; click OK.
- At the end of the scan (which can take several minutes), a report is generated.
- Click Start, Run and type %temp%\report.txt to view the report.
- If the report shows the presence of infected files, run the tool again.
Second method: UsbFix
- Download UsbFix (by El desaparecido) to your desktop.
- Important: connect all external storage devices to the PC (USB keys, external hard drives, SD cards, etc.) without opening them, so that the tool can clean them too.
- Disconnect from the internet.
- Temporarily disable your antivirus software (re-enable it once the disinfection is finished).
- Double-click UsbFix.exe to launch the program.
- Click the Search button.
- Let the tool work.
- The UsbFix.txt report is created at the end of the scan (C:\UsbFix.txt).
- Double-click UsbFix.exe to launch the program again.
- Click the Delete button.
- The desktop will disappear and reappear at the end of the disinfection.
- The UsbFix.txt report is generated; post it on the security/viruses forum: http://ccm.net/forum/viruses-security-7
Third method: Dr.Web
- Download Dr.Web CureIt!
- Double-click the Launch.exe icon.
- On the page that appears, select "Start scan".
- The analysis starts; infected items can be quarantined and/or disinfected.
Fourth method: SUPERAntiSpyware
- Download SUPERAntiSpyware.
- Install and update it.
- Open SUPERAntiSpyware and click Scan your Computer.
- In the new window, choose the items to be scanned (drives, directories, etc.).
Other disinfection methods
Bitdefender - Brontok removal tool
Sophos - Brontok removal tool
- Brontok removal tool
This document, titled « How to get rid of Brontok? », is available under the Creative Commons
license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM