• Status: Solved
  • Priority: Medium
  • Security: Public

Brontok Virus Has disabled Registry Editor & Anti Virus Program

Hi,

I have a Windows 2003 server, which has been infected by the Brontok virus (Rontokbro). I have Symantec's suggested removal instructions (i.e. scan the PC and manually edit the registry). I would have no problem doing this, but the virus has disabled Registry Editor, access to antivirus websites, command prompt, server management, administrative tools, and the properties of the Symantec services.

I have tried everything I can think of to get around this. The virus also runs in safe mode, so no luck there either. I have scanned the machine remotely, and come up blank there. Tried McAfee and ZoneAlarm AV, but I can't install either of them. I did manage to deploy Symantec 9.0 to the box, but I can't run it, as any service/process with that word, or any other virus-related word, seems to get shut down almost immediately.

I have tried Xoftspy, which was advertised as a Brontok removal tool, but it didn't manage to cure my problem either.

Can anyone help me with a way to re-enable registry editing, as at the minute I am considering buying a neck-sized piece of rope and hanging myself!!

Backups are up to date (but obviously contaminated), so rebuilding is an option, but one I would prefer to avoid if possible.
Asked by: netforceie

TheCleaner commented:
Can you edit the registry remotely?  Try opening regedt32 from a remote XP or 2003 box, and click File, Connect Network Registry, and put in the name of the 2003 server you are trying to edit.

This might get you in to change the registry so that you can get some access back at the local server.
campbelc commented:
I would try as TheCleaner suggested, also right click on My Computer, select Manage. Click on Action, select Connect to another Computer, type in the computer name of your server. Under services and applications make sure "Remote Registry" is also enabled and started.
netforceie (author) commented:
Thanks. I have tried this, but I can't open the local user keys that most of the entries I need to remove are contained in.
TheCleaner commented:
Seems trivial, but have you Googled "brontok virus"?

There are some walkthroughs listed...
netforceie (author) commented:
I have tried that as well. All the walkthroughs assume you have working AV and can use regedit/regedt32. I haven't got either of those facilities, due to the virus.

It's looking like a rebuild at the moment.
TheCleaner commented:
Strange that remote registry access isn't working.

Can you do an sfc /scannow from the server?
netforceie (author) commented:
I haven't tried scannow, but I will in the morning. Remote Registry is working; it just doesn't let you browse HKCU etc., which is really where I need to be.

Seems like a nasty virus, which could have been avoided by my client not letting their AV license lapse, and certain users being a bit brighter about what emails they open! As you can tell, I'm a little annoyed at having to rebuild a server for something that could have been avoided.

Thanks for your help, Cleaner
netforceie (author) commented:
I have just found some (hopefully) useful tools on this site:

http://www.patheticcockroach.com/mpam4/index.php?p=28 

I can't guarantee they work on Server 2003, but they do seem to work on my XP Pro laptop. The VBS code seems to work well at toggling enable/disable registry editing, so I will try this in the morning. I'm also using the Sophos cleaning tool at the minute on some data I know to be infected with Brontok. Hopefully between these two tools I can avoid a rebuild, and so can anyone else who finds themselves in this mess.

Hopefully the cockroach is not pathetic at all!!
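The two obstacles raised in this thread, Remote Registry not showing HKCU and the need to flip the value that disables registry editing, can be handled together from an admin workstation. The PowerShell script below is an added example, not from the thread or from any tool it links: it opens the server's hives through the Remote Registry service, checks the policy values that turn off Registry Editor, Task Manager and the command prompt, and walks HKEY_USERS\<SID> because HKCU is a per-session alias that a remote connection cannot open. The server name and the -Fix switch are assumptions; without -Fix it only reports.

```powershell
# Added example (not from the thread). Assumes the Remote Registry service is
# running on $Server (as suggested in the thread) and the caller is a local admin there.
param(
    [string]$Server = 'SERVER2003',   # placeholder host name, change to your server
    [switch]$Fix                      # report only unless -Fix is given
)

# Policy values that lock users out of regedit, Task Manager and cmd.exe.
$lockoutValues = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Policies\Microsoft\Windows\System';               Name = 'DisableCMD' }
)

function Test-Hive {
    param([Microsoft.Win32.RegistryKey]$Root, [string]$Label)
    foreach ($v in $lockoutValues) {
        $k = $Root.OpenSubKey($v.Key, $Fix.IsPresent)   # open writable only when fixing
        if (-not $k) { continue }                         # key absent: nothing set here
        $data = $k.GetValue($v.Name)
        if ($null -ne $data -and $data -ne 0) {
            Write-Host ("{0}\{1}\{2} = {3}" -f $Label, $v.Key, $v.Name, $data)
            if ($Fix) { $k.DeleteValue($v.Name); Write-Host '  -> value removed' }
        }
        $k.Close()
    }
}

# Machine-wide policies live under HKLM.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
Test-Hive -Root $hklm -Label 'HKLM'
$hklm.Close()

# Per-user policies: HKCU is not reachable remotely, so walk every loaded profile
# under HKEY_USERS instead (skipping the *_Classes alias keys).
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Server)
foreach ($sid in $hku.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' }) {
    $user = $hku.OpenSubKey($sid)
    Test-Hive -Root $user -Label "HKU\$sid"
    $user.Close()
}
$hku.Close()
```

Clearing these values restores the tools but does not remove the malware; the server should still be scanned and its autoruns reviewed afterwards, since an active infection can simply set them again.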
TheCleaner commented:
Go here too:

http://www.sysinternals.com/Utilities/autoruns.html

That program is pretty useful in seeing what is running on the server automatically.  Usually good for tracking down pesky viruses and adware.
netforceie (author) commented:
I got this sorted in the end, using one of the registry editors I found on cockroach.com. Had a bit of a scare not being able to log into the server afterwards, but sorted that out too.

Everything is back up and running now.

Thanks for your help, Cleaner