Virus Threats and Removal Tools


W32.Rontokbro.K@mm

Discovered: 25-Oct-05

Description:

W32.Rontokbro.K@mm is a mass-mailing worm that causes system instability. The email arrives with a blank subject line and an attachment named Kangen.exe.

Other Names:

WORM_Rontokbro.J

W32/Rontokbro

Win32.Robknot.B

W32/Rontokbro.gen@MM

Threat Level:

Medium

Type:

Worm

Systems Affected:

Windows All

Detection Date:

October 25, 2005

The W32.RONTOKBRO.K removal procedure requires technical know-how in computer troubleshooting. It is better to consult your LAN administrator or technical personnel to avoid additional damage to your computer.

MANUAL REMOVAL:

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Use the Security Response "Tool to reset shell\open\command registry subkeys."
5. Delete any values added to the registry.

Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "Bron-Spizaetus" = ""%Windir%\ShellNew\sempalong.exe""

Navigate to the subkey and delete value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Tok-Cirrhatus" = ""%UserProfile%\Local Settings\Application Data\smss.exe""

Navigate to the subkey and reset value to default if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: "Shell" = "Explorer.exe"

Navigate to the subkey and reset value to default if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: "NoFolderOptions" = "0" or "NoFolderOptions" = "1"

Navigate to the subkey and reset values to default if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
Values:
"Hidden" = "0" or "Hidden" = "1"
"ShowSuperHidden" = "0" or "ShowSuperHidden" = "1"
"HideFileExt" = "0" or "HideFileExt" = "1"

7. Exit the Registry Editor and restart the computer.


8. Delete the scheduled task.

To delete the scheduled tasks added by the worm:
a. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
b. In the Control Panel window, double-click Scheduled Tasks.
c. Right-click the task icon and select Properties from the menu. The properties of the task are displayed.
d. Delete the task if the contents of the Run text box in the task pane match the following:
%UserProfile%\Templates\Brengkolang.com

9. Restart the computer.

10. To make sure that W32.Rontokbro.K is completely eliminated from your computer, carry out a full scan using antivirus and anti-spyware software. Alternatively, an online virus scanner lets you scan with various antivirus programs without installing them.
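
The registry values from step 5 and the scheduled task from step 8 can also be checked with a read-only script before and after cleanup. This is an added example, not part of the original procedure; it assumes Windows PowerShell and schtasks.exe are available on the machine, and it only reports what it finds.

```powershell
# Read-only audit for the artifacts listed in steps 5 and 8. Changes nothing.
$findings = @()

# Run values the procedure says to delete (value name -> key).
$runValues = @{
    'Bron-Spizaetus' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'Tok-Cirrhatus'  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
}
foreach ($name in $runValues.Keys) {
    $item = Get-ItemProperty -Path $runValues[$name] -Name $name -ErrorAction SilentlyContinue
    if ($item) { $findings += "DELETE  $($runValues[$name])\$name = $($item.$name)" }
}

# Winlogon Shell should be Explorer.exe (comparison is case-insensitive).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "RESET   $winlogon\Shell = $shell"
}

# Explorer settings the procedure says to reset "if required": the page lists
# both 0 and 1 as possible values, so these are reported for manual review only.
$review = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFolderOptions')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' =
        @('Hidden', 'ShowSuperHidden', 'HideFileExt')
}
foreach ($key in $review.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($n in $review[$key]) {
        if ($props -and $null -ne $props.$n) { $findings += "REVIEW  $key\$n = $($props.$n)" }
    }
}

# Scheduled tasks whose verbose listing mentions the file named in step 8.
$hits = schtasks.exe /query /fo LIST /v 2>$null |
    Select-String -SimpleMatch 'Brengkolang.com'
foreach ($h in $hits) { $findings += "DELETE  scheduled task: $($h.Line.Trim())" }

$findings | Sort-Object
$actionable = @($findings | Where-Object { $_ -notmatch '^REVIEW' }).Count
"Entries needing action (DELETE/RESET): $actionable"
```

A count of 0 after step 9 means none of the Run values, the Winlogon Shell change, or the scheduled task from this procedure remain; the REVIEW lines still need to be compared against your preferred Explorer settings.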

 

Download and run any of these anti-spyware tools:

Spy Sweeper

Spyware Doctor

Pest Patrol

Spy Hunter