If it's adware you're looking to 'kill' there are a lot of programs to help you. I recommend SpyBot Search & Destroy but you can also try MS Malicious Software Removal Tool, Ad-Aware from Lavasoft, Spyware Doctor, SpywareBlaster etc. Just google (seems to be in the dictionary now) and find the program you like. If you need more help, please message me and I will be happy to assist you.
Additional Info.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product.
NOTE the path and file name of all files detected as WORM_RONTOKBRO.Y.
Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use Housecall, the Trend Micro online virus scanner.
Terminating the Malware Program
Since this malware terminates the Windows Task Manager, it is necessary to use third party process viewers such as Process Explorer. You will need the name(s) of the file(s) detected earlier.
If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.
Download Process Explorer.
Extract the contents of the compressed (.ZIP) file to a location of your choice.
Execute Process Explorer by double-clicking procexp.exe.
In the Process Explorer window, locate the malware file(s) detected earlier.
Check if the value for the Current Directory is the same as the path of the malware file detected earlier.
Right-click one of the detected files, then click Kill Process Tree.
Do the same for all detected malware files in the list of running processes.
Close Process Explorer.
--------------------------------------------------------------------------------
*NOTE: On systems running Windows NT termination of malware program is no longer needed since it does become memory-resident on the aforementioned operating system.
Enabling the Registry Editor
This malware disables the Registry Editor. To re-enable this tool, perform the following steps:
Open a text editor, such as NOTEPAD. In the text editor, copy the following codes:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
Save the file as {any file name}.REG
Double-click on the created .REG file to execute it.
Editing the Registry
This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing/Restoring Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Bron-Spizaetus = "%Windows%\ShellNew\sempalong.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Tok-Cirrhatus = "%Windows%\Application Data\smss.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the following entry:
On Windows ME, 2000, XP, and Server 2003
Shell = "Explorer.exe "%Windows%\Eksplorasi.exe""
On Windows NT
Shell = "Explorer.exe "\eksplorasi.exe""
Right-click on this registry entry and choose Modify. Change the value of this
Shell = "Explorer.exe"
On Windows 98 and NT, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Bron-Spizaetus = ""\ShellNew\sempalong.exe""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Tok-Cirrhatus = ""\Media\smss.exe""
In the left panel, double-click the following:
HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Tok-Cirrhatus = ""\Media\smss.exe""
Removing Other Malware Entries from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NoFolderOptions = "dword:00000001"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>System
In the right panel, locate and delete the entry:
DisableCMD = "dword:00000000"
Restoring Other Modified Entries in the Registry
Again in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>Advanced
In the right panel, locate the following registry entry:
ShowSuperHidden = "dword:00000000"
Right-click on the registry entry and select Modify. Change the value to the following:
ShowSuperHidden = "dword:00000001"
Still in the right panel, locate and set the values of the following entries according to your preference:
Hidden = "dword:00000000"
HideFileExt = "dword:00000001"
Close Registry Editor.
Restoring AUTOEXEC.BAT on Windows 98 and ME
Open AUTOEXEC.BAT in Notepad using command prompt.
In the command prompt, type this text string in the Open input box then press Enter:
notepad c:\autoexec.bat
Delete the following entry created by the malware:
pause
Close AUTOEXEC.BAT and click Yes when prompted to save.
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure set(s).
Hope this helps!
2006-07-15 17:19:13 · answer #1 · answered by Anonymous · 0⤊ 0⤋
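The registry checks in the removal steps above can be run against a text export instead of clicking through each key. The following is an added example, not part of either answer or of Trend Micro's instructions: it assumes the relevant keys were exported to REGEDIT4-style text, the function names are hypothetical, and the sample export is constructed.

```python
import re
# Indicators from the removal steps above: (key suffix, value name, test on raw data).
# A test of None means the value's mere presence is a finding.
CHECKS = [
    (r"\CurrentVersion\Run", "Bron-Spizaetus", None),
    (r"\CurrentVersion\Run", "Tok-Cirrhatus", None),
    (r"\Windows NT\CurrentVersion\Winlogon", "Shell",
     lambda d: d.strip('"').lower() != "explorer.exe"),
    (r"\Policies\System", "DisableRegistryTools", None),
    (r"\Policies\System", "DisableCMD", None),
    (r"\Policies\Explorer", "NoFolderOptions", None),
    (r"\Explorer\Advanced", "ShowSuperHidden", lambda d: d == "dword:00000000"),
]

def parse_reg(text):
    """Parse REGEDIT4-style text into {key: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m and m.group(2) != "-":  # "=-" is a delete directive, not a value
                current[m.group(1)] = m.group(2)
    return keys

def find_indicators(text):
    """Return sorted (key, value_name, data) tuples matching the listed entries."""
    hits = []
    for key, values in parse_reg(text).items():
        for suffix, name, test in CHECKS:
            if key.lower().endswith(suffix.lower()):
                for vname, data in values.items():
                    if vname.lower() == name.lower() and (test is None or test(data)):
                        hits.append((key, vname, data))
    return sorted(hits)

# Constructed sample export (not taken from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="\"C:\\WINDOWS\\ShellNew\\sempalong.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\Eksplorasi.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
'''
```

Calling `find_indicators(SAMPLE)` reports the Run entry and the modified Winlogon Shell value, and leaves the already-restored ShowSuperHidden value alone.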
Looks like the file is still listed as part of your startup. To check, go to Start, then Run, and then type in msconfig. Click the Startup tab. Check the programs that Windows opens upon startup. If you see eksplorasi.exe or WORM_RONTOKBRO, uncheck it. This will make it so Windows won't look for it when you boot up.
2006-07-15 17:22:03 · answer #3 · answered by Gestalt 6 · 0⤊ 0⤋