Recently, I encountered one of the biggest technical crises of my life thus far.

The Brontoc worm.

It not only infected one of our PCs at home, but my mom's laptop was also infected. Worse, our machines at work were also hit as a separate case. Our office machines, by the way, are a network of at least 30 computers.

Yep, the worm spread in all of 'em.

It was a nightmare. Really.

People who have heard of this worm would agree with me, I'm sure.

I am now going to launch into a technical explanation with no actual reference; just typing out what I remember from all the websites I've read. Please correct me if I'm wrong.

The Brontoc worm is a virus that is spread over the Internet via e-mail, and from computer to computer via thumb drives. It also spreads within a local area network via the Shared Documents. It's a pesky worm, really.

What it does is that it wedges itself in your system registry so that even when you delete the "actual" virus file (if you locate it at all), it comes right back to life when you reboot. After making itself virtually invincible, it most conveniently turns your antivirus off. (Yes, it actually got past AVG. A feat few viruses are able to do.) Not only that; it also forbids you to check your task manager and your command prompt. Sometimes it even blocks your internet browser. Whenever it detects that you're doing something to kill it, Brontoc jumps up and closes whatever software you're trying to run. (And chuckles aside menacingly. Most irritating.)
Anyway, the bright side about Brontoc is: you'd still be able to use your PC without it going too bonkers. Just don't connect to the internet unless you want your computer to be flooded with spyware and other viruses, since...well...you're virtually a sitting duck in the malware-filled cyberspace, as you're without an antivirus, and Brontoc is barking, "Come one, come all!"

One of the viruses that got into my PC during this stage is one that replicates itself throughout your system drive. (Not sure what the name of this virus is.) In PCs, that's the system where your Windows is. In flash drives, that's the whole drive. It replicates itself, but then it uses a folder icon and inconspicuously names itself to be the same as the folder where it's in. For example, if the folder is C:\Sarah, it makes an exe file inside that folder and names it Sarah.exe. The icon is a folder, and if you're using the default setting that extensions of files are hidden, then it looks like an innocent folder, which it most certainly is not. If you're not careful, you'd get curious and open that "folder", and ultimately launch the virus all over again.
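The folder-lookalike trick above (an executable named after the folder it sits in, shown with a folder icon while extensions are hidden) is easy to hunt for from a clean machine. The following scanner is an added example, not code from the post; it builds a constructed sample tree in a temporary directory and flags any executable whose base name matches its parent folder, and it also treats .scr and .com as executables, which goes slightly beyond the .exe case the post describes.

```python
import os
import tempfile
from pathlib import Path

# Extensions treated as executable (assumption: the post only mentions .exe).
EXEC_SUFFIXES = {".exe", ".scr", ".com"}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree mirroring the C:\\Sarah\\Sarah.exe pattern from the post."""
    (root / "Sarah").mkdir()
    (root / "Sarah" / "Sarah.exe").write_bytes(b"MZ-not-really")  # folder lookalike
    (root / "Sarah" / "notes.txt").write_text("harmless")          # ordinary file
    (root / "Photos").mkdir()
    (root / "Photos" / "photos.EXE").write_bytes(b"MZ")            # case differs, still a match
    (root / "Tools").mkdir()
    (root / "Tools" / "setup.exe").write_bytes(b"MZ")              # name differs, not flagged


def find_folder_lookalikes(root: Path) -> list:
    """Return executables whose base name equals the name of the folder containing them.

    Comparison is case-insensitive because Windows file names are."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            candidate = folder / name
            if (candidate.suffix.lower() in EXEC_SUFFIXES
                    and candidate.stem.lower() == folder.name.lower()):
                hits.append(candidate)
    return sorted(hits)


def demo() -> list:
    """Scan the constructed tree and return the hits as forward-slash relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [p.relative_to(root).as_posix() for p in find_folder_lookalikes(root)]


if __name__ == "__main__":
    for hit in demo():
        print("suspicious folder-lookalike executable:", hit)
```

Run it against a real drive by calling find_folder_lookalikes on the drive root from a clean system; the files it lists should be reviewed, not opened.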

The lesson, therefore, is DO NOT READILY OPEN AN UNKNOWN FILE/FOLDER. Even if they don't look suspicious.

Back to Brontoc: Two weeks ago when I first detected it, I (and a friend who was helping me, and my brother, too) stayed up all night until 6 am just trying to fix it. (And this was right after a party at my house.) We tried many, many solutions online.

Did we fix it? No.

Brontoc is so smart: it blocks a~ll the software and solutions we found that were proven to work in the past. It was so amazingly impressive and phenomenally frustrating at the same time.

So, anyway, after weeks of searching (and when our office was hit by the self-same worm), our IT guy found a solution.

THANK GOD!!!

To do the solution we found, you need
1.) A CLEAN computer for downloading the stuff you need
2.) An internet connection
3.) A CD burner and a blank CD in which to put the downloaded stuff you have. Do NOT use a flash drive.

Let's get crackin'.

Stage 0: Cut access
Disconnect the infected PC from the Internet. Very very very important. This way, other viruses won't get in your unshielded system.

This, by the way, should always be the thing you immediately do when you think your PC might be infected.

Stage 1: Search and Destroyyyyyy!!!
Download and install Spybot Search and Destroy. Amazingly enough, Brontoc doesn't block this baby. (If you're asking why we don't have Spybot S&D in the first place, it's because AVG worked perfectly well as our shield so far.)

Once you install S&D, DO NOT SCAN YET!!! Why? Er... because Brontoc might detect it? I can't really remember. Hehe. But, anyway, what we're trying to do is turn off Brontoc for the meantime so we can get rid of it without it being irritating. You can do that using the Windows task manager, but since Brontoc automatically closes that, we have to find a way to work around it.

Run S&D and click on Tools. If you don't see tools, go to Mode -> Advanced. Once in Tools, you should see a list of tools (like, duh) with check boxes on them. Check on Process List and System Start-up.

Let's work on Process list first. This shows your task manager. You should see a weird process like j8734987 or something similar. There should be about 5 or 6 entries, or maybe a whole lot more. But the point is: click on that suspicious process, and click Kill module. (Kill!!!)

Once that's done, go on over to System Start-up. This, on the other hand, shows stuff that loads when the system starts up. Hence the name. Do the same. Kill every entry that has that similar suspicious s1234567 folder in its Key or Command Line. Basically, you need to delete ALL entries that have that type of string of characters.

So, yey! We turned off Brontoc! For now.

Stage 2: REMOVE~
Download GData Remover. This one right here is what will kill Brontoc, and all other viruses, spyware and malware it dragged in with it. Watching it see and get rid of said viruses is fun! Heeheehee. If you're asking why we didn't run this in the first place without all that search and destroy stage, I state again that Brontoc is a very smart prick, and might just block the Remover, too.

This process takes about...hm...15 minutes or so.

Stage 3: Run a scan with your anti-virus software
GData Remover will prompt you to do this after it's done. Obey it.

I installed McAfee as a new anti-virus for this just to be sure. But if you prefer AVG, that's fine, too (that's what I used on one of our other PCs and it worked just fine). You can use Kaspersky, or whatever else you've got.

Stage 4a: Check your registry
Okay. Now, this isn't required or anything, but it's better to be safe than sorry. See, when Brontoc infiltrated our system, it invited one of its friends, Blazefinder, for a party. One of the things Blazefinder did is it changed a registry entry that controls your Windows login. After you've completed the first three steps of this pseudo-tutorial, our trusty programs may have killed Blazefinder, but they did not fix the registry for you.

Don't believe me? Reboot and see that you will not be able to log in to Windows. A logon-logoff loop has been created, and that's most frustrating indeed. In case you DID reboot, skip on over to Stage 4b. If, however, you fortunately didn't, then read on (and yes, you can skip Stage 4b).

Run regedit by clicking on the Windows Start button, select Run, and type in regedit. Using the folders on the left, go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

On the left pane, look for the entry named userinit. The data should be:

C:\WINDOWS\system32\userinit.exe,

If not, set it to that.
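The Userinit value is a comma-separated list, and the logon-logoff loop described in this post is what you get when one of those entries points at a file the cleaner has already deleted. The checker below is an added example, not code from the post; it validates a Userinit string against the expected XP value quoted above and, given a constructed set of files that exist on disk, reports extra entries and dangling ones. In real use you would read the value with regedit (or winreg) and check the filesystem instead of the constructed set.

```python
# Expected Userinit data on a clean 32-bit Windows XP install, as given in the post.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit value into its non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_userinit(value: str, existing_files=None) -> list:
    """Return a list of findings for a Userinit value; an empty list means it looks clean.

    existing_files: optional set of lower-cased paths present on disk (constructed for this
    example). An entry that names a file which no longer exists is exactly what produces
    the logon-logoff loop: the malware file is gone but its path is still run at logon."""
    findings = []
    entries = parse_userinit(value)
    expected = parse_userinit(EXPECTED_USERINIT)[0].lower()
    if expected not in [e.lower() for e in entries]:
        findings.append("userinit.exe missing from Userinit (logon loop likely)")
    for entry in entries:
        if entry.lower() != expected:
            findings.append(f"unexpected extra entry: {entry}")
        if existing_files is not None and entry.lower() not in existing_files:
            findings.append(f"entry points to a file that does not exist: {entry}")
    return findings


# Constructed sample values (hypothetical, not taken from an infected machine):
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
HIJACKED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\s1234567.exe,"  # loader appended
REPLACED = r"C:\WINDOWS\system32\s1234567.exe,"                                 # userinit.exe replaced

if __name__ == "__main__":
    # Constructed view of the disk after cleanup: the malware file has been removed.
    files_on_disk = {r"c:\windows\system32\userinit.exe"}
    for label, value in [("clean", CLEAN), ("hijacked", HIJACKED), ("replaced", REPLACED)]:
        print(label, check_userinit(value, files_on_disk) or ["ok"])
```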

YEY! You're done!!!

Stage 4b: Break the logon-logoff loop
I wasn't aware of the loop until I encountered it right after I rebooted my spyware-free system. I thought I was home free, but noOoOoOo~. I panicked. Seriously.

Anyway, I looked for solutions online. Some said to use the Windows installation CD and fix it via the recovery console. Others said use the CD to install; but instead of a fresh install, let the CD Repair the system. Theoretically, both solutions should work (they're supposed to overwrite the messed up registry with a proper one from the CD), and I guess maybe it DID work for other people.

Not for me, it seemed.

So, I eventually gave up and fresh installed Windows on one of my PCs just because I badly needed to work on that PC. But I didn't want to do that to ALL my infected PCs, so I charged on and looked for other solutions. I came across this heaven-sent blog entry, with detailed, easy-to-follow steps to fix the Windows XP logon-logoff loop with BartPE.

If that blog writer was beside me when I used his solution, I probably would have kissed him.

...

Or not.

I'd probably thank him over and over and over and over, though. Hehe.

So, yeah. The method worked. I won't explain it here because my post is long enough as it is. Go on over to his site and check it.

If you disregard all the time spent on research and trial and error, as well as the downloading and burning, I think the whole process from start to finish would take an hour, more or less. All these solutions we found on separate websites, and it really was a pain to go through the cycle of thinking you're done but you're not and so you look for another solution and do it and find out that there's still something else to fix.

I hope my blog post, a story of one of the most frustrating but exciting and immensely educational events in my life, will help you so that you don't have to go through all the trouble I went through.

MAN I'm glad that's over.

If you've got your own experience with Brontoc, or if this blog post somehow helped you, please don't forget to comment! Thanks!
