Please guide me with this Hijack log Thank you

Status
Not open for further replies.
Hi, my computer was infected by my friend's pen-drive, because I was copying a folder from it and found out that the folder was actually an application file, but it was too late. His computer was infected by the Rontokbro worm a few days ago, but he managed to clean it. However, when I run HijackThis on my computer, the log is quite different from the one from my friend's infected computer. I have no clue whether it is Rontokbro or another type.

I don't have an antivirus installed on my new computer.

Thank You for your help
 
Hi, I did follow all the steps before I posted this HJT log, but the virus closes every application that I open, even HJT, and I only have about a second to save the log as fast as I can. I even tried it in safe mode. My friend told me that when he ran in safe mode, Rontokbro was still able to load itself and was active inside safe mode :(
 
MANUAL REMOVAL:

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Use the Security Response Tool HERE and follow the instructions.
5. Delete any values added to the registry.

Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "Bron-Spizaetus" = "%Windir%\ShellNew\sempalong.exe"

Navigate to the subkey and delete value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Tok-Cirrhatus" = "%UserProfile%\Local Settings\Application Data\smss.exe"

Navigate to the subkey and reset value to default if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: "Shell" = "Explorer.exe"

Navigate to the subkey and reset value to default if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: "NoFolderOptions" = "0" or "NoFolderOptions" = "1"

Navigate to the subkey and reset values to default if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
Values:
"Hidden" = "0" or "Hidden" = "1"
"ShowSuperHidden" = "0" or "ShowSuperHidden" = "1"
"HideFileExt" = "0" or "HideFileExt" = "1"

7. Exit Registry and Restart the computer.


8. Delete the scheduled task.

To delete the scheduled tasks added by the worm:
a. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.)
b. In the Control Panel window, double click Scheduled Tasks.
c. Right click the task icon and select Properties from the menu. The properties of the task are displayed.
d. Delete the task if the contents of the Run text box in the task pane match the following:
%UserProfile%\Templates\Brengkolang.com


9. Restart the computer.

10. In order to make sure that w32 rontokbro.k is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to remove the virus, using various antivirus programs without needing to install them, is an online virus scanner.

Then go and follow the instructions in the Link I gave you earlier.

Regards Howard :)
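The registry entries listed in the steps above also show up as O4 and F2 lines in a HijackThis log, so they can be checked before touching the registry by hand. The script below is an added example written for this thread, not code from the thread, from Howard, or from HijackThis; it assumes the usual HJT log layout (`O4 - HKLM\..\Run: [name] path` and `F2 - REG:system.ini: Shell=...`), and the sample log it audits is constructed here. It flags the value names and file names quoted in the removal steps, treats a `smss.exe` that is not under System32 as suspect (the real one lives there, the worm's copy under Local Settings\Application Data), and reports a Winlogon Shell value that is anything other than `Explorer.exe`. The path-based checks are a heuristic so that a variant which does not use the well-known value names is still surfaced for review.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators quoted in the removal steps posted in this thread.
KNOWN_VALUE_NAMES = {"bron-spizaetus", "tok-cirrhatus"}
KNOWN_FILE_NAMES = {"sempalong.exe", "brengkolang.com"}
# Lower-cased fragment of the user-profile folder the worm copies itself into.
PROFILE_DATA_DIR = "\\local settings\\application data\\"

# Assumed HijackThis line layouts (assumption, not taken from the thread):
#   O4 - HKLM\..\Run: [ValueName] C:\path\to\program.exe
#   F2 - REG:system.ini: Shell=Explorer.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _image_name(cmd: str) -> str:
    """Lower-cased file name of the program a Run value launches (arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path: take what is inside the quotes
    else:
        exe = re.split(r"\s+[/-]", cmd, maxsplit=1)[0]  # unquoted: cut at the first switch
    return PureWindowsPath(exe).name.lower()


def check_run_entry(name: str, cmd: str) -> list[str]:
    """Return the reasons (possibly none) why one Run value deserves a look."""
    reasons = []
    lname, lcmd, image = name.lower(), cmd.lower(), _image_name(cmd)
    if lname in KNOWN_VALUE_NAMES:
        reasons.append(f"Run value name '{name}' is listed in the removal steps")
    if image in KNOWN_FILE_NAMES:
        reasons.append(f"launches '{image}', a file listed in the removal steps")
    if image == "smss.exe" and "\\system32\\" not in lcmd:
        reasons.append("smss.exe outside System32 (the genuine one lives there)")
    if PROFILE_DATA_DIR in lcmd:
        reasons.append("autostart from Local Settings\\Application Data (heuristic, review manually)")
    return reasons


def audit_hjt_log(log_text: str) -> list[Finding]:
    """Scan the O4 autostart and F2 Shell lines of an HJT log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend(Finding(line, r) for r in check_run_entry(m["name"], m["cmd"]))
            continue
        m = F2_SHELL_RE.match(line)
        if m and m["shell"].strip().lower() != "explorer.exe":
            findings.append(Finding(line, "Winlogon Shell is not just Explorer.exe; reset it to the default"))
    return findings


# Constructed sample log: the two named values from the thread, a variant living in a
# random-number folder (like the poster's log), one benign entry, and a modified Shell value.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Bron-Spizaetus] C:\WINDOWS\ShellNew\sempalong.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] C:\Documents and Settings\User\Local Settings\Application Data\smss.exe
O4 - HKCU\..\Run: [1234567] C:\Documents and Settings\User\Local Settings\Application Data\1234567\smss.exe
O4 - HKLM\..\Run: [Example Updater] "C:\Program Files\Example\updater.exe" /background
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\ShellNew\sempalong.exe
"""

if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it on a saved HJT log (`audit_hjt_log(open("hijackthis.log").read())`) and compare the flagged lines against the registry values in steps 5 and 7 above; the benign updater line in the sample produces no finding, while the random-number variant is still caught by the two path checks.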
 
This computer is new and I don't have any antivirus yet, so I can't run a full system scan :( . Is there any way except a reformat?

Somehow I compared my HJT log with my friend's HJT log (the one infected with Rontokbro); his log shows more symptoms of Rontokbro, but mine is different. He has the common infected files Bron-Spizaetus & Tok-Cirrhatus added as registry values, but in mine I can only see something like a random-number folder with the infected files.
 