SysChat (
-   Computer Security (
-   -   Brontok AJ virus (

cleaver 05-12-2007 12:17 PM

Brontok AJ virus
I´ve currently been trying to get rid of the Brontok worm(think it´s the .AJ one) for a week and am finding it less than easy. It was passed onto my computer by a pen drive, I don´t have the net on it. I ran kaspersky antivirus which removed the dodgy exe files, but didn´t remove anything from the windows folders or the registry. I Have downloaded various tools, Bitdefender(which enabled me to access folder options again) Brontgui, the sophos tool and Brontok washer I think but none of them have got rid of it fully. There are still dodgy files in Windows System32 folder an probably elsewhere, but if I try to delete them, it says "access denied". Is there anyway to get rid of them?
Another thing.. if I bring up the task manager window and look at processes, I can see dodgy things like winlogon.exe and "smss" and lsass" or whatever it is running, if I try and remove them aagain it won´t let me. What exactly are these programs doing, and how can I remove them?
One final question.. in the state that my computer´s in, i.e, folder options available, registry edit available, no dodgy .exe files elsewhere but in win folders, no restarting, do u think it´s infectious still? I mean if I put a disk in, will it become infected? I have put a disk in and run antivirus on it and it doesn´t find anything, so I don´t know.
Also how do I check for dodgy things in the registry?
Thankyou very much for any help

mhookem 05-12-2007 02:57 PM

Hello Brontok,
'smss' and 'lsass' are system processes that you don't need to worry about, nor is winlogon.exe.

How do you know there are dodgy files in your system32 folder?

And if there are, can you give me some examples.

Be careful what you delete from the system32 folder!



cleaver 05-14-2007 01:48 PM

Thanks for ur reply.. ok didnĀ“t know those things were normal as Ć*tĀ“s what IĀ“ve read on various sites that those files were part of the virus!
Ok, well the virus checkers hasnĀ“t found the virus again since, which is a good sign, also everything seems normal. There are just a few files which IĀ“d like to check with u if thats ok.. I know some of them might be obviously normal to u but just bear with me.
in C\Windows, there is explorer.exe, it has a computer/monitor icon, and it opens a window with "my documents". That seems ok, but next to it thereĀ“s another file that says simply explorer, no visible file extension, and the file type says "Windows Explorer Command". The icon is a folder.
The other one is Windows.Shell.Manifest, which IĀ“m not sure what type of file it is.
In WIndows\system32, there is cdplayer.exe.manifest, and exe2bin.exe sapi.cpl.manifest and wvavcpl.cpl.manifest. It says the file type is MANIFEST.
If I open the task manager window, in the processes tab, IĀ“ve got two svchost.exe processes running, is that normal?
Also IĀ“ve got Explorer.EXE with the "exe" in capital letters. What do u think?
Thanku in advance for ur help..:happy:

mhookem 05-14-2007 04:09 PM

before I go too far, can I ask what operating system you are using?

All of the 'explorer' files you mentioned are fine, as are the svchost process which is used to check the services part of the registry and and build a list of services it must load for the relevant application.

The '.cpl' file extension indicates that it is a control panel item.

The '.manifest' is something to do with a reference between two or more applications, and it usually describes an assembly and its' contents

You should be able to open the manifest files with notepad.

I believe the exe2bin.exe is some kind of binary converter.

Let me know if you need any more help.



cleaver 05-15-2007 11:31 AM

Hi, thanks very much for your help.. IĀ“m using Windows XP pro. ItĀ“s my friendĀ“s computer anyway so IĀ“ve been a bit short on details!
So it looks as though the virus has gone then probably? So do u work in computers then? Thanks for taking the time to help :)

William_Wilson 05-15-2007 12:04 PM

it is true those processes are not part of the virus, but check carefully that there are not 2 copies running, as many viruses disguise their process name as a known windows process.

cleaver 05-16-2007 04:57 AM

Yeah thatĀ“s what IĀ“m worried about.. I think orginally there were copies of those processes made by the virus, but the antivirus or one of the removal tools hopefully got rid of them. There is more than one "svchost" or whatever itĀ“s called but maybe this is normal? I run the antivirus and the other tools and they donĀ“t find anything, so hopefully itĀ“s all gone. Oh, should the winlogon.exe have an icon like a window with a starry night sky and a moon?
Thanks for ur help!:)

cleaver 05-16-2007 05:05 AM

Oh btw one of tools named the virus as Brontok.H just to add some extra details.

mhookem 05-16-2007 09:20 AM

Hello Carrie,

The windows logon icons' fine. As William mentioned there are viruses that try to disguise themselves as genuine microsoft processes, although I'm sure he'll agree that there can be more than one copy of svchost.exe running.

You would need the ability to try and track what the svchost is loading, but this can get very technical, and is also an advantage of using anti-virus software.

It certainly seems like the virus has been dealt with, however if you want to keep looking to put your mind at ease I'll be more than happy to assist.

I don't actually work in the computer industry as such, I like Art. Which is why I started looking into web design and graphic design. Learning how the computer your using works is always helpful.



All times are GMT -4. The time now is 06:48 PM.

Copyright Ā© 2005-2013

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54