Brontok Virus Has disabled Registry Editor & Anti Virus Program

Hi,

I have a Windows 2003 server, which has been infected by the Brontok virus (Rontokbro). I have Symantec's suggested removal instructions (i.e. scan the PC and manually edit the registry). I would have no problem doing this, but the virus has disabled Registry Editor, access to antivirus websites, Command Prompt, Server Management, Administrative Tools, and the properties of the Symantec services.

I have tried everything I can think of to get around this. The virus also runs in safe mode, so no luck there either. I have scanned the machine remotely, and come up blank there. Tried McAfee and ZoneAlarm AV, but I can't install either of them. I did manage to deploy Symantec 9.0 to the box, but I can't run it, as any service/process with that word, or any other virus-related word, seems to get shut down almost immediately.

I have tried Xoftspy, which was advertised as a Brontok removal tool, but it didn't manage to cure my problem either.

Can anyone help me with a way to re-enable registry editing, as at the minute I am considering buying a neck-sized piece of rope and hanging myself!!

Backups are up to date (but obviously contaminated), so rebuilding is an option, but one I would prefer to avoid if possible.
netforceie asked:

TheCleaner commented:
Can you edit the registry remotely? Try opening regedt32 from a remote XP or 2003 box, click File, Connect Network Registry, and put in the name of the 2003 server you are trying to edit.

This might get you in to change the registry so that you can get some access back at the local server.
campbelc commented:
I would try as TheCleaner suggested, also right click on My Computer, select Manage. Click on Action, select Connect to another Computer, type in the computer name of your server. Under services and applications make sure "Remote Registry" is also enabled and started.
netforceie (author) commented:
Thanks. I have tried this, but I can't open the local user keys that most of the entries I need to remove are contained in.

TheCleaner commented:
Seems trivial, but have you Googled "brontok virus"?

There are some walkthroughs listed...
netforceie (author) commented:
I have tried that as well. All the walkthroughs assume you have working AV and can use regedit/regedt32. I haven't got either of those facilities, due to the virus.

It's looking like a rebuild at the moment.
TheCleaner commented:
Strange that remote registry access isn't working.

Can you do an sfc /scannow from the server?
netforceie (author) commented:
I haven't tried scannow, but I will in the morning. Remote registry is working; it just doesn't let you browse HKCU, etc., which is really where I need to be.

Seems like a nasty virus, which could have been avoided by my client not letting their AV license lapse, and certain users being a bit brighter about what emails they open! As you can tell, I'm a little annoyed at having to rebuild a server for something that could have been avoided.

Thanks for your help, Cleaner
netforceie (author) commented:
I have just found some (hopefully) useful tools on this site:

http://www.patheticcockroach.com/mpam4/index.php?p=28 

I can't guarantee they work on Server 2003, but they do seem to work on my XP Pro laptop. The VBS code seems to work well at toggling enable/disable registry editing, so I will try this in the morning. I'm also using the Sophos cleaning tool at the minute on some data I know to be infected with Brontok. Hopefully between these two tools I can avoid a rebuild, and so can anyone else who finds themselves in this mess.

Hopefully the cockroach is not pathetic at all!!
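The remote-registry route suggested above (TheCleaner and campbelc) and the VBS toggle the author found both come down to the same check: the Windows policy values under Software\Microsoft\Windows\CurrentVersion\Policies\System that disable regedit, cmd.exe and Task Manager. The reason HKCU is not browsable through Connect Network Registry is that the remote registry service only exposes HKLM and HKEY_USERS; the logged-on user's HKCU is the HKEY_USERS\<SID> hive. The following PowerShell script is an added example (not code from the thread, from patheticcockroach.com, or from Symantec) to be run from a clean administrative workstation: it walks every user hive loaded on the remote machine, reports any non-zero lockout values, and with -Fix deletes them. It assumes the infection used these standard policy values (the thread only reports the symptoms), that the Remote Registry service is running on the target, and that the caller has administrative rights there.

```powershell
# Added example: audit (and optionally reset) the registry/cmd/taskmgr lockout
# policies on a remote Windows machine via the Remote Registry service.
# Assumption: the lockout was applied through the standard Windows policy values
# below; the thread itself only describes the symptoms.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [switch]$Fix
)

# Standard policy values that block admin tooling when non-zero.
$lockoutValues = @('DisableRegistryTools', 'DisableCMD', 'DisableTaskMgr')
$policyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Returns the hives worth checking: HKLM plus every loaded per-user hive under
# HKEY_USERS. Each entry carries the opened base key and the subkey path to the
# policy key relative to that base.
function Get-PolicyLocations {
    param([string]$Computer)
    $locations = @()
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    $locations += [pscustomobject]@{ Name = 'HKLM'; Base = $hklm; Sub = $policyPath }

    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $Computer)
    foreach ($sid in $hku.GetSubKeyNames()) {
        # Only real user accounts (S-1-5-21-...), skipping the *_Classes hives.
        if ($sid -like 'S-1-5-21-*' -and $sid -notlike '*_Classes') {
            $locations += [pscustomobject]@{
                Name = "HKU\$sid"; Base = $hku; Sub = "$sid\$policyPath"
            }
        }
    }
    return $locations
}

# Audits every location; returns one finding per non-zero lockout value.
# With -Repair the value is deleted so the default (tools enabled) applies again.
function Test-RegistryLockout {
    param([string]$Computer, [switch]$Repair)
    $findings = @()
    foreach ($loc in Get-PolicyLocations -Computer $Computer) {
        $key = $loc.Base.OpenSubKey($loc.Sub, $Repair.IsPresent)
        if ($null -eq $key) { continue }   # no policy key in this hive: nothing to do
        foreach ($name in $lockoutValues) {
            $data = $key.GetValue($name)
            if ($null -ne $data -and $data -ne 0) {
                $findings += [pscustomobject]@{ Hive = $loc.Name; Value = $name; Data = $data }
                if ($Repair) {
                    # Second argument: do not throw if the value vanished meanwhile.
                    $key.DeleteValue($name, $false)
                }
            }
        }
        $key.Close()
    }
    return $findings
}

$result = @(Test-RegistryLockout -Computer $ComputerName -Repair:$Fix)
if ($result.Count -eq 0) {
    Write-Output "No lockout policy values found on $ComputerName"
} else {
    $result | Format-Table -AutoSize
}
```

Run it once without -Fix to see which hives carry the lockout, then with -Fix after the malicious autostart entries have been removed (the Autoruns suggestion below covers that); a process that is still running can simply re-apply the values, so re-run the audit afterwards to confirm they stay cleared.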
TheCleaner commented:
Go here too:

http://www.sysinternals.com/Utilities/autoruns.html

That program is pretty useful in seeing what is running on the server automatically. Usually good for tracking down pesky viruses and adware.

netforceie (author) commented:
I got this sorted in the end, using one of the registry editors I found on cockroach.com. Had a bit of a scare not being able to log into the server afterwards, but sorted that out too.

Everything is back up and running now.

Thanks for your help, Cleaner.