Tech Support Forum - View Single Post

**Deckard** · 10-12-2006, 10:58 PM

Can you do a Start>Search and look for eksplorasi.exe and sempalong.exe?

There appear to be several variants of Rontokbro, and I'm unclear of which one you have. They all appear to trigger a scheduled job, which is why I that that script look into your Tasks folder. Unfortunately, I didn't see anything there.

I've been doing some research. Let's try this script. Various flavors of Rontokbro change some registry settings, and I think that may be keeping us from actually seeing it on disk. Go to Start>Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:

@ECHO OFF
>\localau.txt (
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run"
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
  reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
)
start /max \localau.txt

Save the file as "localau.bat". Make sure to save it with the quotes. Close Notepad. Double click on localau.bat and it should open up another Notepad with some text. Please post that text here.

Hang in there -- we will beat this.

10-12-2006, 10:58 PM	#21 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Can you do a Start>Search and look for eksplorasi.exe and sempalong.exe? There appear to be several variants of Rontokbro, and I'm unclear of which one you have. They all appear to trigger a scheduled job, which is why I that that script look into your Tasks folder. Unfortunately, I didn't see anything there. I've been doing some research. Let's try this script. Various flavors of Rontokbro change some registry settings, and I think that may be keeping us from actually seeing it on disk. Go to Start>Run and type in notepad and hit OK. Then copy and paste the following into Notepad: Code: @ECHO OFF >\localau.txt ( reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run" reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ) start /max \localau.txt Save the file as "localau.bat". Make sure to save it with the quotes. Close Notepad. Double click on localau.bat and it should open up another Notepad with some text. Please post that text here. Hang in there -- we will beat this. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006