Computer Security - Removing W32.Rontokbro.B@mm

02-26-2006, 11:14 AM

Removing W32.Rontokbro.B@mm

1. Disable System Restore (Windows Me/XP).

2. Restarted your computer in Safe mode

3. In safe mode run xp_secconsole.exe and in Windows explorer > uncheck
Disable Folder Options then in System Security > uncheck Disable
Regedit after that exit that application.

xp_secconsole.exe can be download from
http://www.dougknox.com/xp/utils/xp_secconsole.zip

4. Delete the following files:

%UserProfile%\Local Settings\Application Data\csrss.exe
%UserProfile%\Local Settings\Application Data\inetinfo.exe
%UserProfile%\Local Settings\Application Data\lsass.exe
%UserProfile%\Local Settings\Application Data\services.exe
%UserProfile%\Local Settings\Application Data\smss.exe
%UserProfile%\Local Settings\Application Data\winlogon.exe
%UserProfile%\Start Menu\Programs\Startup\Empty.pif
%UserProfile%\Templates\A.kotnorB.com
%Windir%\inf\norBtok.exe
%System%\3D Animation.scr

Note:
%System% is a variable that refers to the System folder. By default
this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder.
By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt
(Windows NT/2000).
%UserProfile% is a variable that refers to the current user's profile
folder. By default, this is C:\Documents and Settings\[CURRENT USER]
(Windows NT/2000/XP).

Delete the directory:

%UserProfile%\Local Settings\Application Data\Bron.tok-3-3

5. delete the scheduled tasks added by the worm

Click Start, and then click Control Panel. (In Windows XP, switch to
Classic View.)
In the Control Panel window, double click Scheduled Tasks.
Right click the task icon and select Properties from pop-up menu.
The properties of the task is displayed.
Delete the task if the contents of the Run text box in the task pane,
matches the following:

%UserProfile%\Templates\A.kotnorB.com

Note that if you use removable storage media, it's sure that device
will be with that virus. So what you can do is here. Folder Options >
click View All file and folder and Click System file and folder. And
view your device there will be some virus files in your device. Just
give them SHIFT + DELETE. There you go, happy, your system is clean
now. Thanks for reading this.

By Thet Aung Min Latt

thetaung.amyanmar.com

Thet Aung Min Latt

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Removing dvd copy protection	Kliserup	DVD Video	2	01-26-2008 09:12 PM
Removing Trojan	Richard	A+ Certification	1	01-04-2006 04:01 PM
Problem after removing malware - Win 2K Pro	Albert Frankenstein	A+ Certification	11	10-18-2005 01:00 AM
Removing Macrovision for VHS	Mike	DVD Video	3	02-22-2005 05:16 AM
Need Advice on Removing Scuffs from A DVD	Hunter	DVD Video	2	12-15-2003 05:50 AM

02-26-2006, 11:14 AM	#1
	Removing W32.Rontokbro.B@mm Removing W32.Rontokbro.B@mm 1. Disable System Restore (Windows Me/XP). 2. Restarted your computer in Safe mode 3. In safe mode run xp_secconsole.exe and in Windows explorer > uncheck Disable Folder Options then in System Security > uncheck Disable Regedit after that exit that application. xp_secconsole.exe can be download from http://www.dougknox.com/xp/utils/xp_secconsole.zip 4. Delete the following files: %UserProfile%\Local Settings\Application Data\csrss.exe %UserProfile%\Local Settings\Application Data\inetinfo.exe %UserProfile%\Local Settings\Application Data\lsass.exe %UserProfile%\Local Settings\Application Data\services.exe %UserProfile%\Local Settings\Application Data\smss.exe %UserProfile%\Local Settings\Application Data\winlogon.exe %UserProfile%\Start Menu\Programs\Startup\Empty.pif %UserProfile%\Templates\A.kotnorB.com %Windir%\inf\norBtok.exe %System%\3D Animation.scr Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000). %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP). Delete the directory: %UserProfile%\Local Settings\Application Data\Bron.tok-3-3 5. delete the scheduled tasks added by the worm Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane, matches the following: %UserProfile%\Templates\A.kotnorB.com Note that if you use removable storage media, it's sure that device will be with that virus. So what you can do is here. Folder Options > click View All file and folder and Click System file and folder. And view your device there will be some virus files in your device. Just give them SHIFT + DELETE. There you go, happy, your system is clean now. Thanks for reading this. By Thet Aung Min Latt thetaung.amyanmar.com Thet Aung Min Latt