Subject: Brontok Virus

Original Message
Name: toddho
Date: November 27, 2007 at 20:59:09 Pacific
Subject: Brontok Virus
OS: WindowsXP SP2
CPU/Ram: Pentium III Mobile/256MB
Model/Manufacturer: IBM/Thinkpad A30
Comment:
I live in a foreign country (guess which one) & I've been having intermittent pop-ups from my AV (Command AV from Authentium) telling me that files are being quarantined & that these files were created by the W32/Brontok.BA@mm virus. OK, fine, I've been protected. But when I do a scan of my hard disk, no virus is detected. But I'll get the same pop-up again 20 minutes later or the next day...

I've found very little info online about this specific virus, but most of the info I've seen about Brontok viruses in general suggests that:

1. These viruses surface when a certain e-mail attachment is opened. (I can assure you I haven't opened any executable attachments.)

2. These viruses pop up a message in a foreign language about resisting corruption, pollution & moral decay, etc. (I can assure you I've seen no such message.)

It seems this "virus" becomes active only when I'm connected to the internet. When the AV pop-up shows that it is active, I pull up Task Manager to see the active processes & everything looks pretty normal.

A friend gave me Brontok-Washer to try, but that hasn't helped. I also tried some online scanner (don't remember anymore which one), but that hasn't helped either.

So far it seems no damage has been done, but I find this AV pop-up rather annoying as for several minutes I am unable to do anything other than watch my AV software quarantine files.

By the way, my wife's laptop has not had this problem, though we use the same network connection (DSL) & share files. One difference is that her laptop has AVG anti-virus.

Thoughts?



Response Number 1
Name: jabuck
Date: November 27, 2007 at 21:16:39 Pacific
Subject: Brontok Virus
Try the Sophos tool, you will need to copy/paste this link into your browser:

http://www./computer-virus/brontok-jun19.htm

Then do some clean-up.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/
We will need it later in Safe Mode.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from Safe Mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.



Response Number 2
Name: balaji v (by vbalag)
Date: November 29, 2007 at 02:21:20 Pacific
Subject: Brontok Virus
Alternately, use the tool from:

www.microsoft.com/security/malwareremove/default.msp

balaji v



Response Number 3
Name: toddho
Date: December 5, 2007 at 07:16:43 Pacific
Subject: Brontok Virus
Balaji, I tried downloading Microsoft's Malicious Software Removal Tool, and it said that it removed this virus & 2 others. However, the virus has appeared again since then...


Response Number 4
Name: toddho
Date: December 5, 2007 at 07:23:09 Pacific
Subject: Brontok Virus
Hi jabuck, I wanted to try your suggestions, but the link that you gave:
http://www./computer-virus/brontok-jun19.htm is invalid. (I tried removing the / after www. but it's still invalid.) Please advise...



Response Number 5
Name: jabuck
Date: December 6, 2007 at 19:12:37 Pacific
Subject: Brontok Virus
Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 6
Name: toddho
Date: December 6, 2007 at 21:22:58 Pacific
Subject: Brontok Virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:41 AM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sil.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [PDFpas] C:\Program Files\SIL\LingLink\PDFpas.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.com/tsweb/msrdp.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/...
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/c...
O17 - HKLM\System\CCS\Services\Tcpip\..\{09171CAD-1E3F-489E-A611-C40920D2544D}: NameServer = 116.199.206.54,202.92.207.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{09171CAD-1E3F-489E-A611-C40920D2544D}: NameServer = 116.199.206.54,202.92.207.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{09171CAD-1E3F-489E-A611-C40920D2544D}: NameServer = 116.199.206.54,202.92.207.10
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BestSync Service (BestSyncSvc) - RiseFly Software - C:\Program Files\RiseFly\BestSync\BestSyncSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 10153 bytes



Response Number 7
Name: jabuck
Date: December 6, 2007 at 21:52:37 Pacific
Subject: Brontok Virus
There is nothing in the HijackThis log.

To get to the Sophos removal tool type brontok removal into google or your favorite browser. Scroll down to the Sophos link and click on it.

Next click BRONTGUI > click run> click run again> click accept> click Go.

Please run the BitDefender online scan from this link: BitDefender.com


You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.



Response Number 8
Name: toddho
Date: December 9, 2007 at 06:11:02 Pacific
Subject: Brontok Virus
I followed your instructions. BRONTGUI found nothing. When I tried running the BitDefender online scan, my laptop suddenly shut off while it was downloading its stuff.

This has happened before, usually when I'm trying to work on this virus. But then the next time I try to download the same thing, it succeeds.

In this case, BitDefender completed the second time, but only found files already quarantined by my AV. Meanwhile, the virus became active several times while BitDefender was running, and several more times since.

Here's the log...
-----
BitDefender Online Scanner

Scan report generated at: Sun, Dec 09, 2007 - 20:26:30

Scan path: C:\;D:\;

Statistics
Time 01:40:53
Files 247321
Folders 6868
Boot Sectors 3
Archives 8219
Packed Files 15995

Results
Identified Viruses 1
Infected Files 12
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 12

Engines Info
Virus Definitions 880913
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\003935D3.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\003935D3.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\003935D3.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\00B25990.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\00B25990.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\00B25990.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DATA COMPAQ.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DATA COMPAQ.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DATA COMPAQ.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY MUSIC.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY MUSIC.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY MUSIC.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PICTURES.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PICTURES.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PICTURES.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PLAYLISTS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PLAYLISTS.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY PLAYLISTS.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY VIDEOS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY VIDEOS.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\MY VIDEOS.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE MUSIC.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE MUSIC.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE MUSIC.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PICTURES.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PICTURES.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PICTURES.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PLAYLISTS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PLAYLISTS.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SAMPLE PLAYLISTS.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SHAREDDOCS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SHAREDDOCS.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SHAREDDOCS.EXE.Quarantined
Deleted

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SYNC PLAYLISTS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SYNC PLAYLISTS.EXE.Quarantined
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\SYNC PLAYLISTS.EXE.Quarantined
Deleted



Response Number 9
Name: balaji v (by vbalag)
Date: December 11, 2007 at 01:12:19 Pacific
Subject: Brontok Virus
Have you disabled System Restore before running the m/s tool?

Right-click on My Computer -> System Restore -> turn off on all drives...

Then run the tool.
balaji

balaji v



Response Number 10
Name: toddho
Date: December 20, 2007 at 21:41:53 Pacific
Subject: Brontok Virus
Thanks, balaji, for your suggestion. A few days ago I turned off System Restore and then ran the m/s tool. Then I had a couple days with intermittent internet access. So I did not see the virus directly, but I did see my laptop shut itself off while updating antivirus. This seemed suspicious, like the virus was still active. Sure enough, this morning, I saw the same old behavior: creating executable files with the same names as my shared folders. What do I try now?

Also, when is it safe to turn System Restore back on?

thanks



Response Number 11
Name: Johnw
Date: December 28, 2007 at 04:53:24 Pacific
Subject: Brontok Virus
As you have the exact name ( Win32.Brontok.E ) I googled it & found there are lots of versions.

These 2 programs do remove Win32.Brontok.E; I don't know if their online scan or trial versions will do it, you will have to try.

http://www.download.com/3000-8022_4...
Or,
http://research.sunbelt-software.co...

http://www.eset.com/
http://www.eset.com/onlinescan/



Response Number 12
Name: Johnw
Date: December 28, 2007 at 05:08:52 Pacific
Subject: Brontok Virus
Here is another to try.

http://www.microsoft.com/security/e...



Response Number 13
Name: toddho
Date: December 30, 2007 at 23:41:24 Pacific
Subject: Brontok Virus
Hi Johnw,
thanks for your suggestions. By the way, the exact name of this virus is: W32/Brontok.BA@mm. I don't know if this is an alias for W32.Brontok.E or not.

I tried the online scan from www.eset.com. It seemed to run OK, but only reported the files previously quarantined by my AV software as needing to be cleaned. In other words, it didn't work. In fact, the virus kicked into action while the scan was running, but ESET didn't detect it. Their online information seems to indicate that the downloadable version scans the same stuff as the online version, so I didn't bother downloading.

As for CounterSpy, I didn't try it. It is advertised as mainly a Spy/Ad remover. If I haven't succeeded with general-purpose AV software or those that specifically mention their ability to clean up Brontok, I don't suppose I will succeed with a Spy/Ad remover that claims to handle a few types of malware.

thanks, anyway



Response Number 14
Name: toddho
Date: December 30, 2007 at 23:53:06 Pacific
Subject: Brontok Virus
Johnw,
I had already tried the MS malware tools, as reported above. By the way, your link didn't work for me, so I did a search for Brontok on the MS site, and everything looked pretty much the same as it did last time. Their description of the Brontok virus doesn't quite match what I'm seeing...

thanks



Response Number 15
Name: Johnw
Date: December 31, 2007 at 00:28:48 Pacific
Subject: Brontok Virus
Just had a look at the list of infections covered by this one I use myself, toddho, & yours are covered.

BOClean
http://www.comodo.com/boclean/bocle...
Forum
http://forums.comodo.com/index.php




Response Number 16
Name: prathyush
Date: January 3, 2008 at 08:19:55 Pacific
Subject: Brontok Virus
Go for TREND MICRO antivirus.
They are masters in brontok removers.



Response Number 17
Name: toddho
Date: January 4, 2008 at 22:46:00 Pacific
Subject: Brontok Virus
Hi, it turns out my problem is the same as a virus from a prior posting: I-Worm/VB.GK. W32/Brontok.BA@mm was the name given by Authentium's Command Anti-virus. When I switched to AVG, the same behavior was attributed to I-Worm/VB.GK.

I have come to believe that the reason I cannot clean this virus from my system is that it is not on my system.

When the virus is running, if I disconnect the DSL cable, the virus stops dead. It only starts when the cable is connected. It only affects the folders under Shared Documents. To me this all points to a virus that is running on my ISP's server...

Am I completely off-base? Is there anything I can do if I'm right?

prathyush, if you will read the prior postings, you will see that Trend Micro's HijackThis tool did not find anything to clean.


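The behaviour toddho describes (executables appearing with the same names as the shared folders, which is also what the quarantine entries in the BitDefender report show: MY MUSIC.EXE, MY PICTURES.EXE, SHAREDDOCS.EXE and so on) can be checked for directly rather than waiting for an AV pop-up. The following is an added example, not a tool from this thread or from any vendor mentioned in it: it walks a directory tree and flags any executable whose name mimics a sibling folder, and it pulls the original file names out of a report in BitDefender's layout so the two lists can be compared. The `Shared Documents` tree and the report excerpt are constructed for the demonstration, and `normalise`, `find_folder_mimics`, `quarantined_names`, `build_sample_tree` and `run_demo` are hypothetical helper names.

```python
"""Folder-mimic executable check (hypothetical helper written for this thread, not a vendor tool)."""
import os
import tempfile
from pathlib import Path

# Extensions Windows runs on double-click; a folder mimic wears one of these so that a
# user who clicks what looks like "My Music" launches the worm copy instead.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def normalise(name: str) -> str:
    """Fold case and drop spaces so SHAREDDOCS.EXE matches a folder called 'Shared Docs'."""
    return "".join(ch for ch in name.lower() if not ch.isspace())


def find_folder_mimics(root):
    """Return executables whose base name matches a sibling folder (paths relative to root)."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder_keys = {normalise(d) for d in dirnames}
        for fname in filenames:
            p = Path(dirpath) / fname
            if p.suffix.lower() in EXECUTABLE_EXTS and normalise(p.stem) in folder_keys:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


# Constructed excerpt in the layout of the BitDefender report posted in the thread:
# a path line, then the verdict ("Infected with:", "Disinfection failed", "Deleted").
SAMPLE_REPORT = r"""Scanned File Status

C:\Quarantine\MY MUSIC.EXE.Quarantined
Infected with: Win32.Brontok.E@mm

C:\Quarantine\MY MUSIC.EXE.Quarantined
Deleted

C:\Quarantine\SHAREDDOCS.EXE.Quarantined
Infected with: Win32.Brontok.E@mm
"""


def quarantined_names(report: str):
    """Original file names from 'Infected with:' entries; the path is on the preceding line."""
    names = []
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Infected with:") and i > 0:
            base = lines[i - 1].strip().rsplit("\\", 1)[-1]
            if base.endswith(".Quarantined"):
                base = base[: -len(".Quarantined")]
            names.append(base)
    return names


def build_sample_tree(base):
    """Constructed 'Shared Documents' layout: three real folders, two mimics, one benign exe."""
    base = Path(base)
    for folder in ("My Music", "My Pictures", "Shared Docs"):
        (base / folder).mkdir()
    (base / "MY MUSIC.EXE").write_bytes(b"MZ constructed")    # mimic of "My Music"
    (base / "SHAREDDOCS.EXE").write_bytes(b"MZ constructed")  # mimic with the space dropped
    (base / "setup.exe").write_bytes(b"MZ constructed")       # benign: no folder of that name
    (base / "My Pictures" / "notes.txt").write_text("constructed")
    return base


def run_demo():
    """Build the sample tree in a temp dir and return what the two checks report."""
    with tempfile.TemporaryDirectory() as tmp:
        mimics = find_folder_mimics(build_sample_tree(tmp))
    return {"mimics": mimics, "quarantined": quarantined_names(SAMPLE_REPORT)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Since the files land in folders that other machines on the same network can write to, running the check on each host that can reach the share, not only the one showing the pop-ups, tells you where the copies are coming from.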



All content ©1996-2007 Computing.Net, LLC