Wednesday, August 22, 2007

Hack to save yourself: Remove Brontok Yourself

Hack against the Brontok virus…

I was full of heat, something ‘Me against Myself’ kind. It was frustrating to handle the virus that my vendor had gifted me with my new laptop (say congrats… And thanks a lot from my side!) Slow startup, error messages and other unwanted annoyances were such an embarrassment in class in front of my friends till yesterday when I thought to myself that it had to end anyway before that very sunset.

To understand what the virus was, I first checked the processes that were running in the system memory. No! There was nothing unusual in the memory. The same processes that I scrolled through, often, when I ever did find my system acting awkwardly slow and still found nothing more than the critical system processes that I couldn’t end and besides that, the only few programs that were actually in use. I had just installed a licensed copy of Tune-Up Utilities, so I thought this was a high-time that I tested its functions and capabilities. The first screen that opened showed me the options to stylize the appearance of my system and optimize the memory, besides the start up process manager. So I fired up the start up process manager and lo! in the very first place it showed me an entry “Bron-Spizaetus”. More than quickly, I disabled the entry first and then deleted it. But the thought that brontok virus could never be so easily taken down made me refresh the start up list again and man! This thing showed up again. Ah! Such an irritation.

Then I hit the [windows]+F button to look for all instances of anything that contained the letters “bron” and it showed one “Bronstab” named 42kb application which had the icon as of a folder. The very same kind that had formed in my friend’s pen drive named after another folder in the same location, which caught my attention because same location couldn’t have two folders by the same name and clicking on the second instance showed that it was an application with a folder-icon. So, the first thing I did was to delete it and decide not to attach any external storage devices till everything is set right. This application “bronstab.exe” in my notebook was a hidden file so I pointed the mouse to the tools menu to reach for the folder options. But to my surprise it wasn’t there in the first place.

Now, I knew that the registry had been modified so I tried going to the registry editor to undo the changes in [Microsoft\windows\currentversion\policies\ in HKCU and HKLM]. But just as I hit the return key after typing regedit in the run dialog, I got an error message saying that registry editing had been disabled by my administrator and the system restarted in an instant. This was making me sick. Group Policy Editor didn’t help either and even the same irritating restart effect when I tried opening the command prompt.

Confused in the start, I decided to revenge its doing and do some hacking for saving myself as I had no antivirus software installed at that time me to keep my times happy!

So I started my computer in safe mode with command prompt and typed the following command to enable registry editor:-

reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
to delete the registry key called DisableRegistryTools

Now that my registry editor was enabled, I typed in explorer at the command prompt to get GUI. Now I opened the registry editor and followed this path to the list of the processes that were loaded into the memory on start up:-
HKLM\Software\Microsoft\Windows\Currentversion\Run

On the right side pane, I deleted the entries which contained 'Brontok' and 'Tok-' words.

After that I restarted my computer and followed this path in the registry editor and deleted this entry to restore the folder options:-
HKCU\Software\Microsoft\Windows\Currentversion\Policies\Explorer\ 'NoFolderOption' and restarted the system again.

Then I searched for *.exe files in all drives (searched in hidden files also) to remove all files which had folder-like icons.

Bingo! My notebook was now free from the Brontok virus, just by this simple method of hacking against the virus itself; without the use of any anti-virus software…
So by following the methods, step-by-step, that I have used you can also get over the Brontoks in your system.

Your feedback is valuable.