Please guide me with this Hijack log Thank you

By seijyuro
Mar 31, 2006
  1. Hi, my computer was infected from my friend's pen drive: I was copying a folder from it and found out that the folder was actually an application file, but it was too late. His computer was infected by the Rontokbro worm a few days ago, but he managed to clean it. However, when I ran HijackThis on my computer, the log was quite different from the one from my friend's infected computer. I have no clue whether it is Rontokbro or another type.

    I don't have an antivirus installed on my new computer.

    Thank you for your help.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Then, post a fresh HJT log.

    Regards Howard :wave: :wave:
  3. seijyuro

    seijyuro TS Rookie Topic Starter

    Hi, I did follow all the steps before I posted this HJT log, but the virus closes every application that I open, even HJT, and I only have about a second to save the log as fast as I can. I even tried it in safe mode. My friend told me that when he ran in safe mode, Rontokbro was still able to load itself and stay active inside safe mode :(
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19


    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Run a full system scan and delete all the files detected.
    4. Use the Security Response Tool HERE and follow the instructions.
    5. Delete any values added to the registry.

    Navigate to the subkey and delete value:
    Value: "Bron-Spizaetus" = ""%Windir%\ShellNew\sempalong.exe""

    Navigate to the subkey and delete value:
    Value: "Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe""

    Navigate to the subkey and reset value to default if required:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: "Shell" = "Explorer.exe"

    Navigate to the subkey and reset value to default if required:
    Value: "NoFolderOptions" = "0" or "NoFolderOptions" = "1"

    Navigate to the subkey and reset values to default if required:
    "Hidden" = "0" or "Hidden" = "1"
    "ShowSuperHidden" = "0" or "ShowSuperHidden" = "1"
    "HideFileExt" = "0" or "HideFileExt" = "1"

    7. Exit Registry and Restart the computer.

    8. Delete the scheduled task.

    To delete the scheduled tasks added by the worm
    a. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
    b. In the Control Panel window, double click Scheduled Tasks.
    c. Right-click the task icon and select Properties from the menu. The properties of the task are displayed.
    d. Delete the task if the contents of the Run text box in the task pane match the following:

    9. Restart the computer.

    10. To make sure that w32 rontokbro.k is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without the need to install them, is an online virus scanner.

    Then go and follow the instructions in the link I gave you earlier.

    Regards Howard :)
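The registry checks from the removal steps in the post above can be run against an exported .reg file. This is an added example, not part of the original thread: the sample export, its `HKEY_EXAMPLE` key, the `C:\constructed` paths and the function names are constructed for illustration, and the two worm value names are matched under any key because the post does not name their subkeys.

```python
import re

# Value names and the Winlogon key come from the removal steps above. The
# post does not name the subkeys of the two worm values, so they are matched
# by name under any key. SAMPLE is constructed data, not a real export.
WORM_VALUE_NAMES = {"bron-spizaetus", "tok-cirrhatus"}
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_EXAMPLE\Constructed\SubkeyNotNamedOnPage]
"Tok-Cirrhatus"="\"C:\\constructed\\smss.exe\""
"Unrelated"="C:\\constructed\\ok.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\constructed\\example.exe\""
'''

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    # Returns {key: {value_name: data}} from regedit export text
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])  # string data; dword/hex kept raw
            current[name] = data
    return keys

def find_indicators(keys):
    # Returns (key, value_name, data, action) for each value to clean up
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if name.lower() in WORM_VALUE_NAMES:
                findings.append((key, name, data, "delete value"))
            elif (key.lower().endswith(WINLOGON_SUFFIX) and name.lower() == "shell"
                  and data.strip().lower() != "explorer.exe"):
                findings.append((key, name, data, "reset to Explorer.exe"))
    return findings
```
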
  5. seijyuro

    seijyuro TS Rookie Topic Starter

    This computer is new and I don't have any antivirus yet, so I can't run a full system scan :( . Is there any way except reformatting?

    I compared my HJT log with my friend's HJT log (the one infected with Rontokbro). His log shows more symptoms of Rontokbro, but mine is different. He has the common infected files Bron-Spizaetus & Tok-Cirrhatus added in the registry values, but in mine I can only see something like a random-number folder with the infected files.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this online scanner HERE.

    Regards Howard :)
Topic Status:
Not open for further replies.
