Recently, some friends and colleagues called asking for help, saying that their computer was affected by virus.
Virus Identity
- Symantec = “W32.sillyDC”
- Panda AV = “W32/SexyGirl.A.worm”
How it Spreads?
- via removable storage devices(USB drive)
- Infected thumb drive will show these files: “MySexy.exe”, “User.exe” and “Sexy.Dat”.
Symptom
- Popup box appears after login into the Windows, with the title “BrO_AcT.exe”. It contains a message but I don’t remember what it is written, it kind of error message.
- All program/folder title bar ended with [:Restricted by BrO_Act:].
- When you try to open C:\Windows\System32 folder and certain program, explorer/program close itself.
- Right click My Computer, select Properties, select Computer, click Change button, you find that your computer name has been changed to “ReAct_User” (User = your username).
- Your Anti Virus has been deactivated.
- You can’t access Task Manager, Regedit, Msconfig, Folder option, and Command prompt.
What this Virus do?
- It will create and add the following files:-
- C:\Windows\system32\BrO_AcT.exe-C:\WINDOWS\default__.pif
- C:\WINDOWS\SYSTEM32\ReAct_User\svchost.exe
- C:\WINDOWS\SYSTEM32\ReAct_User\winlogon.exe
- C:\ReActLog (Something with this name)
- NTDETCH.com (on all your drive, root folder)
- Autorun.inf (on all your drive, root folder)
- Hundreds of files in C:\System Volume
- Information\_restore{7C0D0734-E9F5-4A30-ABD4-977206CFACB2}\RP411 (With name like
- A0062080.com, A0062083.pif, A0062092.exe and etc)
- C:\WINDOWS\system32\MySexy.exe
- C:\WINDOWS\system32\regedit.com
- C:\WINDOWS\system32\msconfig.com
- It also will copy itself to any portable USB drive connected to the infected system, and create these files
- Autorun.innf
- BrO_AcT.exe
- My_SeXy.exe
- Autorun.innf
How to remove?
(I not sure whether this work for every machine but I tried on a few, and it work pretty good. Good Luck trying and try at your own risk)
- Download “Reanimator” here. To edit remove the virus entry on registry.
- Download “BitDefender 10 Free Version” here.
- Unzip “Reanimator” into a USB Thumb Drive.
- Copy “BitDefender” into USB Thumb Drive.
- Logon Windows with your Administrator Account.
- Right Click “My Computer”, go to “System Restore” tab, Tick “Turn off System Restore on all drives”. Then click “OK” button.
- Restart your computer into “Safe Mode” (press F8 before the Windows XP loading screen appear and select Safe Mode).
- Copy “Reanimator” and “BitDefender” from your Thumb Drive to desktop and run “reanimator.exe”. (The program will scan your PC for virus, let it scan and click “Fix Problems” when it finish.
- Unplug your Thumb Drive. (Remember to scan for Antivirus or Format it before use on another PC).
- Search for “Related File” for the following file and select “Delete Marked Items”.
- BrO_AcT.exe
- Default_pif (click “Get it out!”, and “Get it out!” thenClick “Terminate” button.
- C:\WINDOWS\SYSTEMS32\ReAct_user\svchost.exe
- Click “Exit”
- Click “System.ini” tab, then empty the line.
- Then press “Alt+F4″ on your keyboard, to close the “RegRun Reanimator” window.
- Uninstall your existing Anti Virus, to prevent conflict. (Don’t reboot)
- Install the BitDefender v10.
- Double click “RootkitNO” in reanimator folder. Follow the step till complete, and the computer will reboot.
- Restart the computer into Normal Mode.
- Update BitDefender virus definition and scan the entire computer in deep to make sure all virus files is completely removed.
- Reboot PC once the AV scan complete.
- YEAH! your PC should be safe from the BrO_Act now!
To counter check, if everything is in order.
- Goto Start > Run > type “msconfig”
- Goto “Startup” tab
- Un-tick any unknown item, especially those that with “BrO_AcT”,”ReAct” and so on.
- Click “OK” and “Reboot”
Hope this do help you to clean your PC from the above Virus.
TIPS:
- Always have your Antivirus Definition update.
- Scan any removable storage before opening it files.
- Prevent open any unknown files, always scan for virus before running it.
Great info =)
it helps a lot dude
nice to hear that I do help you. Cheer!