netforceie (Ireland) asked:

Brontok virus has disabled Registry Editor & antivirus program

Hi,

I have a Windows 2003 server which has been infected by the Brontok virus (Rontokbro). I have Symantec's suggested removal instructions (i.e. scan the PC and manually edit the registry). I would have no problem doing this, but the virus has disabled Registry Editor, access to antivirus websites, command prompt, Server Management, Administrative Tools, and the properties of the Symantec services.

I have tried everything I can think of to get around this. The virus also runs in Safe Mode, so no luck there either. I have scanned the machine remotely, and come up blank there. Tried McAfee and ZoneAlarm AV, but I can't install either of them. I did manage to deploy Symantec 9.0 to the box, but I can't run it, as any service/process with that word, or any other virus-related word, seems to get shut down almost immediately.

I have tried XoftSpy, which was advertised as a Brontok removal tool, but it didn't manage to cure my problem either.

Can anyone help me with a way to re-enable registry editing, as at the minute I am considering buying a neck-sized piece of rope and hanging myself!!

Backups are up to date (but obviously contaminated), so rebuilding is an option, but one I would prefer to avoid if possible.
TheCleaner (United States) replied:

Can you edit the registry remotely? Try opening regedt32 from a remote XP or 2003 box, click File, Connect Network Registry, and put in the name of the 2003 server you are trying to edit.

This might get you in to change the registry so that you can get some access back at the local server.
campbelc replied:

I would try as TheCleaner suggested. Also, right-click on My Computer, select Manage, click on Action, select Connect to another computer, and type in the computer name of your server. Under Services and Applications, make sure "Remote Registry" is also enabled and started.
netforceie (asker):

Thanks. I have tried this, but I can't open the local user keys that most of the entries I need to remove are contained in.

Seems trivial, but have you googled "brontok virus"?

There are some walkthroughs listed...

I have tried that as well. All the walkthroughs assume you have working AV and can use regedit/regedt32. I haven't got either of those facilities, due to the virus.

It's looking like a rebuild at the moment.

Strange that remote registry access isn't working.

Can you do an sfc /scannow from the server?

I haven't tried scannow, but I will in the morning. Remote Registry is working; it just doesn't let you browse HKCU etc., which is really where I need to be.

Seems like a nasty virus, which could have been avoided by my client not letting their AV licence lapse, and certain users being a bit brighter about what emails they open! As you can tell, I'm a little annoyed at having to rebuild a server for something that could have been avoided.

Thanks for your help, Cleaner
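An added example, not part of the thread, of doing from PowerShell what TheCleaner and campbelc describe through the GUI, and of reaching the per-user keys the asker could not browse: a logged-on user's HKCU is the hive loaded under HKEY_USERS by that user's SID, and the Remote Registry service does expose HKEY_USERS even though it shows no HKCU branch. The two values it clears, DisableRegistryTools (Registry Editor) and DisableCMD (command prompt), are the standard Windows policy values behind those two tools being disabled, not a list taken from Brontok's behaviour. The script name, the server name and the assumption that the caller is a local administrator on the target are placeholders.

```powershell
# Added example (not from the thread): clear the Windows policy values that disable
# regedit and cmd on a remote machine, over the Remote Registry service.
# Assumptions: the caller is a local administrator on $Server, the Remote Registry
# service is running there, and a PowerShell-capable XP/2003 box is doing the work.
param(
    [Parameter(Mandatory = $true)][string]$Server,
    [switch]$DryRun    # report what would change without writing anything
)

# Documented Windows policy locations for the two tools the asker lost.
# The same relative paths exist under HKLM (machine-wide) and under each user hive.
$policies = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)

function Clear-PolicyValues {
    param([Microsoft.Win32.RegistryKey]$Root, [string]$Label)
    foreach ($p in $policies) {
        $key = $Root.OpenSubKey($p.Path, $true)          # $true = open writable
        if ($null -eq $key) { continue }                 # policy key absent: nothing set here
        try {
            $value = $key.GetValue($p.Name)
            if ($null -ne $value -and [int]$value -ne 0) {
                if ($DryRun) {
                    Write-Host "$Label\$($p.Path)\$($p.Name) = $value (would set to 0)"
                } else {
                    $key.SetValue($p.Name, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
                    Write-Host "$Label\$($p.Path)\$($p.Name): $value -> 0"
                }
            }
        } catch {
            Write-Warning "$Label\$($p.Path)\$($p.Name): $($_.Exception.Message)"
        } finally {
            $key.Close()
        }
    }
}

# OpenRemoteBaseKey talks to the Remote Registry service on the target.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
$hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $Server)
try {
    Clear-PolicyValues -Root $hklm -Label 'HKLM'

    # HKCU of every user currently logged on to the target is loaded under
    # HKEY_USERS by SID. The *_Classes subkeys are that user's HKCR view and
    # never hold these policies, so they are skipped.
    foreach ($sid in ($hku.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' })) {
        $user = $hku.OpenSubKey($sid, $true)
        if ($null -eq $user) { continue }
        try { Clear-PolicyValues -Root $user -Label "HKU\$sid" } finally { $user.Close() }
    }
} finally {
    $hku.Close()
    $hklm.Close()
}
```

Run it first with `-DryRun` (e.g. `.\Enable-RegistryTools.ps1 -Server SERVER01 -DryRun`, both names hypothetical) to see which hives carry the values. Two caveats a practitioner will want: only the hives of users logged on to the target at that moment (plus the built-in ones) are loaded under HKEY_USERS, so the affected user must be logged on when the script runs; and clearing the policy values only undoes the lockout, it does not remove the malware, which the asker already observed killing virus-related processes and which can re-apply the values while it is still running.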
I have just found some (hopefully) useful tools on this site:

http://www.patheticcockroach.com/mpam4/index.php?p=28 

I can't guarantee they work on Server 2003, but they do seem to work on my XP Pro laptop. The VBS code seems to work well at toggling enable/disable registry editing, so I will try this in the morning. I'm also using the Sophos cleaning tool at the minute on some data I know to be infected with Brontok. Hopefully between these two tools I can avoid a rebuild, and so can anyone else who finds themselves in this mess.

Hopefully the cockroach is not pathetic at all!!
ASKER CERTIFIED SOLUTION by TheCleaner (United States); the solution text is only available to Experts Exchange members.

netforceie (asker):

I got this sorted in the end, using one of the registry editors I found on cockroach.com. Had a bit of a scare not being able to log into the server afterwards, but sorted that out too.

Everything is back up and running now.

Thanks for your help, Cleaner.