hello,
I´ve currently been trying to get rid of the Brontok worm(think it´s the .AJ one) for a week and am finding it less than easy. It was passed onto my computer by a pen drive, I don´t have the net on it. I ran kaspersky antivirus which removed the dodgy exe files, but didn´t remove anything from the windows folders or the registry. I Have downloaded various tools, Bitdefender(which enabled me to access folder options again) Brontgui, the sophos tool and Brontok washer I think but none of them have got rid of it fully. There are still dodgy files in Windows System32 folder an probably elsewhere, but if I try to delete them, it says "access denied". Is there anyway to get rid of them?
Another thing.. if I bring up the task manager window and look at processes, I can see dodgy things like winlogon.exe and "smss" and lsass" or whatever it is running, if I try and remove them aagain it won´t let me. What exactly are these programs doing, and how can I remove them?
One final question.. in the state that my computer´s in, i.e, folder options available, registry edit available, no dodgy .exe files elsewhere but in win folders, no restarting, do u think it´s infectious still? I mean if I put a disk in, will it become infected? I have put a disk in and run antivirus on it and it doesn´t find anything, so I don´t know.
Also how do I check for dodgy things in the registry?
Thankyou very much for any help

Hello Brontok,
'smss' and 'lsass' are system processes that you don't need to worry about, nor is winlogon.exe.

How do you know there are dodgy files in your system32 folder?

And if there are, can you give me some examples.

Be careful what you delete from the system32 folder!

Regards

Martin

Thanks for ur reply.. ok didn´t know those things were normal as ít´s what I´ve read on various sites that those files were part of the virus!
Ok, well the virus checkers hasn´t found the virus again since, which is a good sign, also everything seems normal. There are just a few files which I´d like to check with u if thats ok.. I know some of them might be obviously normal to u but just bear with me.
in C\Windows, there is explorer.exe, it has a computer/monitor icon, and it opens a window with "my documents". That seems ok, but next to it there´s another file that says simply explorer, no visible file extension, and the file type says "Windows Explorer Command". The icon is a folder.
The other one is Windows.Shell.Manifest, which I´m not sure what type of file it is.
In WIndows\system32, there is cdplayer.exe.manifest, and exe2bin.exe sapi.cpl.manifest and wvavcpl.cpl.manifest. It says the file type is MANIFEST.
If I open the task manager window, in the processes tab, I´ve got two svchost.exe processes running, is that normal?
Also I´ve got Explorer.EXE with the "exe" in capital letters. What do u think?
Thanku in advance for ur help..

Hello,
before I go too far, can I ask what operating system you are using?

All of the 'explorer' files you mentioned are fine, as are the svchost process which is used to check the services part of the registry and and build a list of services it must load for the relevant application.

The '.cpl' file extension indicates that it is a control panel item.

The '.manifest' is something to do with a reference between two or more applications, and it usually describes an assembly and its' contents

You should be able to open the manifest files with notepad.

I believe the exe2bin.exe is some kind of binary converter.

Let me know if you need any more help.

Regards

Martin

Hi, thanks very much for your help.. I´m using Windows XP pro. It´s my friend´s computer anyway so I´ve been a bit short on details!
So it looks as though the virus has gone then probably? So do u work in computers then? Thanks for taking the time to help
Carrie

it is true those processes are not part of the virus, but check carefully that there are not 2 copies running, as many viruses disguise their process name as a known windows process.

__________________

</Dream In Code>
-William. § (marvin_gohan)

Yeah that´s what I´m worried about.. I think orginally there were copies of those processes made by the virus, but the antivirus or one of the removal tools hopefully got rid of them. There is more than one "svchost" or whatever it´s called but maybe this is normal? I run the antivirus and the other tools and they don´t find anything, so hopefully it´s all gone. Oh, should the winlogon.exe have an icon like a window with a starry night sky and a moon?
Thanks for ur help!

Oh btw one of tools named the virus as Brontok.H just to add some extra details.

Hello Carrie,

The windows logon icons' fine. As William mentioned there are viruses that try to disguise themselves as genuine microsoft processes, although I'm sure he'll agree that there can be more than one copy of svchost.exe running.

You would need the ability to try and track what the svchost is loading, but this can get very technical, and is also an advantage of using anti-virus software.

It certainly seems like the virus has been dealt with, however if you want to keep looking to put your mind at ease I'll be more than happy to assist.

I don't actually work in the computer industry as such, I like Art. Which is why I started looking into web design and graphic design. Learning how the computer your using works is always helpful.

Regards

Martin