Archive for the ‘Uncategorized’ Category

Remove the Brontok worm

December 8, 2007

Brontok is a computer worm that spreads through email and USB drives. There are many variants of Brontok, but they all work in basically the same way.

How do I know if my system is infected?

  • You can’t start Regedit.exe
  • When trying to start any other registry editor, the system restarts
  • The system also restarts when executing certain EXE files
  • The presence of the following files:
    %WINDIR%\eksplorasi.pif
    %UserProfile%\Local Settings\Application Data\smss.exe
    %UserProfile%\Local Settings\Application Data\services.exe
    %UserProfile%\Local Settings\Application Data\lsass.exe
    %UserProfile%\Local Settings\Application Data\csrss.exe
    %UserProfile%\Local Settings\Application Data\inetinfo.exe
    %UserProfile%\Local Settings\Application Data\winlogon.exe
    %UserProfile%\Start Menu\Programs\Startup\Empty.pif
    %UserProfile%\Templates\WowTumpeh.com
    %WINDIR%\%CURRENT_USER%’s Setting.scr
    %WINDIR%\ShellNew\bronstab.exe
    All of these files have the size of the worm’s main executable: 42,028 bytes (about 42 KB).
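The file indicators above are easy to check by hand, but a small script is less error-prone on a machine where Explorer and Regedit are already being interfered with. The following is an added example, not code from the original post: it resolves the post's indicator paths against a supplied mapping of %WINDIR%, %UserProfile% and %CURRENT_USER% (passed in explicitly, so the same check can be run against a mounted drive image from another OS) and reports each file that exists together with whether its size matches the 42,028 bytes given above. The function names and the environment mapping are assumptions of this example.

```python
# Added example (not from the original post): scan for the Brontok file
# indicators listed above and compare each hit against the 42,028-byte
# size the post gives for the worm's main executable.
import os
import re

BRONTOK_SIZE = 42028  # size of the worm's main executable, per the post

# Indicator paths as listed in the post. %CURRENT_USER% stands for the
# logged-on user's name (the post's "%CURRENT_USER%'s Setting.scr").
BRONTOK_INDICATORS = [
    r"%WINDIR%\eksplorasi.pif",
    r"%UserProfile%\Local Settings\Application Data\smss.exe",
    r"%UserProfile%\Local Settings\Application Data\services.exe",
    r"%UserProfile%\Local Settings\Application Data\lsass.exe",
    r"%UserProfile%\Local Settings\Application Data\csrss.exe",
    r"%UserProfile%\Local Settings\Application Data\inetinfo.exe",
    r"%UserProfile%\Local Settings\Application Data\winlogon.exe",
    r"%UserProfile%\Start Menu\Programs\Startup\Empty.pif",
    r"%UserProfile%\Templates\WowTumpeh.com",
    r"%WINDIR%\%CURRENT_USER%'s Setting.scr",
    r"%WINDIR%\ShellNew\bronstab.exe",
]

_TOKEN = re.compile(r"%([^%]+)%")


def resolve_indicator(template, env):
    """Expand %NAME% placeholders from `env` (matched case-insensitively,
    as cmd.exe does) and join the path with the native separator, so the
    same templates can be checked on a mounted image from any OS."""
    lookup = {k.lower(): v for k, v in env.items()}

    def substitute(match):
        name = match.group(1)
        if name.lower() not in lookup:
            raise KeyError(f"no value supplied for %{name}%")
        return lookup[name.lower()]

    parts = [_TOKEN.sub(substitute, p) for p in template.split("\\")]
    return os.path.join(*parts)


def scan_brontok_indicators(env, expected_size=BRONTOK_SIZE):
    """Return a list of (path, size, size_matches) for every indicator file
    that exists. A hit with a matching size is a strong sign of infection;
    a hit with another size still deserves a look, since these file names
    do not belong in those folders at all."""
    hits = []
    for template in BRONTOK_INDICATORS:
        path = resolve_indicator(template, env)
        if os.path.isfile(path):
            size = os.path.getsize(path)
            hits.append((path, size, size == expected_size))
    return hits


if __name__ == "__main__":
    # On a live Windows box the values come from the environment; the
    # fallbacks are placeholders so the script also runs elsewhere.
    live_env = {
        "WINDIR": os.environ.get("WINDIR", r"C:\WINDOWS"),
        "UserProfile": os.environ.get("USERPROFILE", r"C:\Documents and Settings\user"),
        "CURRENT_USER": os.environ.get("USERNAME", "user"),
    }
    for path, size, matches in scan_brontok_indicators(live_env):
        flag = "SIZE MATCH" if matches else "size differs"
        print(f"{path}: {size} bytes ({flag})")
```

Run it from a clean command prompt (or with the mapping pointed at a mounted drive) and treat any hit as a reason to proceed with the removal steps in the next section; the size comparison is only a secondary signal, because a later variant may not be exactly 42,028 bytes.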

What does it do?

  • Disables Folder Options
  • Disables the Registry Editor
  • Installs itself in the system startup
  • While resident in memory, restarts the system whenever any program that touches the registry is started

How to remove Brontok?

Download and run the Brontok removal tool from BitDefender. The tool kills the Brontok process, restores Folder Options and the Registry Editor, and repairs the system startup entries.


Unable to Open Hard or USB Flash Drive with Windows Script Host Cannot Find Script File autorun.vbs Error

December 8, 2007

In some situations, especially after an anti-virus program has cleaned, healed, disinfected or removed a worm, trojan horse or virus from the computer, an error may appear whenever the user tries to open a drive by double-clicking its icon in Explorer or My Computer. The problem affects hard disk drives, portable hard disks and USB flash drives, and Windows shows a dialog box with the following message:

Windows Script Host

Can not find script file autorun.vbs.

Sometimes you are instead asked to debug the VBScript, with error code 800A041F – Unexpected ‘Next’.

or

Choose the program you want to use to open this file with:

In this case, the “Always use the selected program to open this kind of file” option is grayed out.

The symptom arises because autorun.vbs was created by a trojan horse or virus. The virus normally drops an autorun.inf file into the root folder of every hard drive or USB drive, which in turn executes an autorun.bat file; that batch file contains a script that merges autorun.reg into the registry, possibly changing the following registry key so that the virus is loaded when the system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=userinit.exe,autorun.exe

Finally, autorun.bat will call wscript.exe to run autorun.vbs.

When anti-virus or security software detects autorun.vbs as infected, the file is deleted or quarantined. However, the other autorun.* files and the registry value still refer to autorun.vbs, which no longer exists, hence the error whenever the user double-clicks to open a drive.

To correct this error, follow these steps:

  1. Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
  2. Stop wscript.exe process if available by highlighting the process name and clicking End Process.
  3. Then terminate explorer.exe process.
  4. In Task Manager, click on File -> New Task (Run…).
  5. Type “cmd” (without quotes) into the Open text box and click OK.
  6. Type the following commands one by one, pressing Enter after each:
    del c:\autorun.* /f /s /q /a
    del d:\autorun.* /f /s /q /a
    del e:\autorun.* /f /s /q /a

    c, d and e represent the drive letters on the Windows system. If more drives or partitions are present, repeat the command with each additional drive letter. Note that you must also clean the autorun files from any USB flash drive or portable hard disk, as the external drive may be infected too.

  7. In Task Manager, click on File -> New Task (Run…).
  8. Type “regedit” (without quotes) into the Open text box and click OK.
  9. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  10. Check that the value name and value data are correct. The value data for userinit.exe includes its path, which may be on a drive other than C: (that is also valid); note the trailing comma, which is required:
    “Userinit”=”C:\WINDOWS\system32\userinit.exe,”

    If the value is incorrect, change it to the valid value data.
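Steps 6 and 9–10 are the two checks worth re-running after the clean-up, and they are also the two a script can verify without touching anything. The following is an added example, not code from the original post: it parses a Userinit value into its comma-separated entries, flags any entry other than userinit.exe (Winlogon launches every entry at logon, which is how the appended autorun.exe persisted), confirms the trailing comma the post says is required, and lists any autorun.* files still sitting in a set of drive roots without deleting them. Only the live registry read depends on Windows; the expected value and the infected value are the ones quoted in the post, and the function names are this example's own.

```python
# Added example (not from the original post): verify the Winlogon Userinit
# value described in steps 9-10 and list leftover autorun.* files in the
# drive roots named in step 6, reporting instead of deleting. Only the
# registry read depends on Windows.
import os
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Clean value from the post; the path may differ, the trailing comma is required.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value):
    """Split the comma-separated Userinit list into its entries. The
    required trailing comma yields an empty last entry, which is dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _leaf(path):
    """File name part of a Windows path, independent of the host OS."""
    return re.split(r"[\\/]", path)[-1]


def userinit_extras(value):
    """Entries other than userinit.exe. Winlogon launches every entry at
    logon, which is how an appended autorun.exe survived reboots."""
    return [e for e in parse_userinit(value) if _leaf(e).lower() != "userinit.exe"]


def userinit_is_clean(value):
    """True when the value is exactly one userinit.exe entry followed by
    the trailing comma that the post says must be present."""
    entries = parse_userinit(value)
    return (len(entries) == 1
            and not userinit_extras(value)
            and value.rstrip().endswith(","))


def find_autorun_files(roots):
    """Files named autorun.* directly in each given root. The post's del
    step also recurses with /s; this only lists and never deletes."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            full = os.path.join(root, name)
            if name.lower().startswith("autorun.") and os.path.isfile(full):
                found.append(full)
    return found


def read_live_userinit():
    """Read HKLM\\...\\Winlogon\\Userinit on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    value = read_live_userinit()
    if value is None:
        print("not on Windows; checking the post's infected value instead")
        value = "userinit.exe,autorun.exe"  # constructed sample from the post
    print("Userinit =", value)
    if userinit_is_clean(value):
        print("Userinit looks clean")
    else:
        print("Userinit needs fixing; extra entries:", userinit_extras(value))
    roots = [d + ":\\" for d in "CDE"] if sys.platform == "win32" else []
    for leftover in find_autorun_files(roots):
        print("leftover autorun file:", leftover)
```

A reported extra entry means step 10 still needs to be done by hand in Regedit; a leftover autorun.* file means step 6 was not applied to that drive (or the USB drive was reinserted after the clean-up). Keep the listing step read-only: deleting only autorun.* from a drive root is safe, but a recursive delete like the post's del /s also removes legitimate autorun.inf files from software CDs or installer folders copied to disk, so it is better to look before acting.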


Hello world!

December 8, 2007

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!
