Old 10-12-2006, 10:58 PM   #21 (permalink)
Deckard (Mentor, Analyst - Security Team)
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows


Can you do a Start>Search and look for eksplorasi.exe and sempalong.exe?

There appear to be several variants of Rontokbro, and I'm unclear which one you have. They all appear to trigger a scheduled job, which is why I had that script look into your Tasks folder. Unfortunately, I didn't see anything there.

I've been doing some research. Let's try this script. Various flavors of Rontokbro change some registry settings, and I think that may be keeping us from actually seeing it on disk. Go to Start>Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:
@ECHO OFF
REM Write the output of each query below to localau.txt in the root of the current drive
>\localau.txt (
  REM Winlogon: the Shell and Userinit values are common persistence points
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  REM machine-wide policy Run key
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Run"
  REM safe-mode boot configuration
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
  REM per-user Explorer and System policies: AutoRun mask, registry-tool restrictions
  reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
)
REM Open the result in Notepad, maximised
start /max \localau.txt
Save the file as "localau.bat". Make sure to save it with the quotes. Close Notepad. Double click on localau.bat and it should open up another Notepad with some text. Please post that text here.

Hang in there -- we will beat this.
__________________
The chance to begin again in a golden land of opportunity and adventure.

Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.


UNITE/ASAP: Proud member since 2006
Old 10-12-2006, 11:57 PM   #22 (permalink)
localau (Registered User)
Join Date: Oct 2006
Posts: 25
OS: windows xp


I ran the search, but neither file turned up.
Here are the results from the file:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ LAU
DefaultUserName REG_SZ Owner
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Owner
AltDefaultDomainName REG_SZ LAU

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell REG_SZ cmd.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools REG_DWORD 0x0
Old 10-13-2006, 09:37 PM   #23 (permalink)
Deckard (Mentor, Analyst - Security Team)


I've been thinking about this all day. I'm wondering if I'm looking for a problem that really isn't there.

Let's go over what we do know. You've got Rontokbro in various folders under C:\Documents and Settings\All Users\Documents, but you don't have access to them. Something I should have done is to have you fix permissions on that folder so at least they'll be quarantined. This very well may take care of the problem, since you don't seem to be infected as far as I can determine.

Download this archive: http://deckard.be/tools/fix-rontokbro.zip and extract it to your Desktop. Double-click the fix.bat file contained within. It should briefly pop up a command window. Now run a scan with Norton. It should be able to quarantine those files now and hopefully that will be the end of this problem.
Old 10-13-2006, 11:49 PM   #24 (permalink)
localau (Registered User)


YESSSSSSSSSSSSSSSSSS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Scan type: Manual Scan
Event: Virus Found!
Virus name: W32.Rontokbro@mm
File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQ633.tmp
Location: Quarantine
Computer: LAU
User: Owner
Action taken: Quarantine succeeded :
Date found: Friday, October 13, 2006 10:57:34 PM

THANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUUUUU SOMUCH!!!!!!!!!!!
you've really gone the extra mile here... and i'm so happy that you did!!!! thankyouthankyouthankyouuuuuuuuu
Old 10-13-2006, 11:55 PM   #25 (permalink)
Deckard (Mentor, Analyst - Security Team)


Truth be told, I should have done this much earlier and I apologize for that. I got caught up trying to determine if you were still infected.

Let's see if it comes back this weekend, but I'm hoping it's gone for good now.
Old 10-14-2006, 03:38 PM   #26 (permalink)
localau (Registered User)


The notifications started showing up again. I attached a log of what norton's found today (just figured out how to do that...heh.) Let me know what you think. Sorry about this being so stubborn...


Edit: I guess you can't attach excel files, so i uploaded it instead. Here's the link: http://download.yousendit.com/F877D7041D39F33B

Last edited by localau; 10-14-2006 at 03:43 PM.
Old 10-15-2006, 03:30 PM   #27 (permalink)
Deckard (Mentor, Analyst - Security Team)


If I'm reading the log right, Norton is reminding you what's in its quarantine. We might as well flush it. Please follow Symantec's guide to clean out your Norton quarantine directory.
Old 10-15-2006, 03:42 PM   #28 (permalink)
localau (Registered User)


Done. Let's see what happens.
Old 10-16-2006, 07:14 PM   #29 (permalink)
localau (Registered User)


They're still showing up. Here's what's come up today:

http://download.yousendit.com/52084A5B5935B3B6
Old 10-16-2006, 09:14 PM   #30 (permalink)
Deckard (Mentor, Analyst - Security Team)


How frustrating. I think it just locked itself away in that folder again.

Let's try this: make sure your AVG Anti-Spyware is up-to-date (start AVGAS and click the "Update now" link) and then boot to safe mode. Re-run the fix-rontokbro.bat file to unlock those files and re-run a scan with AVG Anti-Spyware while in safe mode. Keep that log because I want you to post it with your next reply. Reboot to normal mode.

Download Dr.Web Cureit
Download Dr.Web CureIt to the Desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Post the AVG log along with the Dr.Web scan after you reboot.
Old 10-18-2006, 07:48 AM   #31 (permalink)
localau (Registered User)


ok. i attached the avg log, and here's the link for dr. web:

http://download.yousendit.com/759988A32A246410
Attached Files
File Type: txt Report-Scan-20061017-235547.txt (46.6 KB, 2 views)
Old 10-19-2006, 12:19 AM   #32 (permalink)
Deckard (Mentor, Analyst - Security Team)


Okay, I think I found a removal tool that I believe will work. Let's try using it.

Please download CleanX-II and save it to your Desktop.
  1. Disconnect/unplug the computer from the Internet.
  2. Save any work which you're doing & close all other programs.
  3. Double-click CleanX-II.exe
  4. The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
  5. Once it has finished scanning, it will provide a log file, which will be saved to your Desktop with the name CleanX-II.txt. Please post that log.
Old 10-19-2006, 12:47 AM   #33 (permalink)
localau (Registered User)


ok, done. the log is attached. let me know if it worked!
Attached Files
File Type: txt CleanX-II.txt (116.8 KB, 3 views)
Old 10-19-2006, 08:57 AM   #34 (permalink)
Deckard (Mentor, Analyst - Security Team)


Well, it doesn't look much different than the other removal tools we were throwing at it.

Is Norton still finding them?
Old 10-20-2006, 12:12 AM   #35 (permalink)
localau (Registered User)


not so far.... hmmm...
Old 10-20-2006, 02:53 PM   #36 (permalink)
localau (Registered User)


theyre back, actually
Old 10-20-2006, 09:39 PM   #37 (permalink)
Deckard (Mentor, Analyst - Security Team)


You must be getting re-infected from a source outside your computer. Are you plugging in any flash/usb drives or sharing any files? I'm going to disable Autorun for your CD and removable drives, which is a good thing to do anyway.

Edit Registry
Go to Start>Run and type regedit, then click OK.
  • On the left side, click to highlight My Computer at the top.
  • Select Export from the File menu.
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup.
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File>Exit.
This is so the registry can be restored to this point if we need it. It may take a minute, so just let it go until it's done.

Go to Start→Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:
REGEDIT4

; Turn off AutoRun in the CD-ROM driver service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

; NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
; 0x95 is the 0x91 seen in the reg query output above plus 0x04, which adds removable drives
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

; Same setting for the default profile and for the SYSTEM account
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
Save the file as "fix.reg". Make sure to save it with the quotes. Close Notepad. Double click on the fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Delete Autorun.inf
Go to Start→Search and look for autorun.inf. Delete all copies you find.


Re-run CleanX-II
Run CleanX-II on all your machines on your network. If you're using removable media, make sure you get them scanned, too. Post any logs.


Lastly, if you could find a copy of the virus, please upload it to http://deckard.be/submit/ so I can look at it.
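As an added example (not code from this thread or from Deckard's tools), a small Python checker that parses `reg query` output in the layout localau posted in #22, compares the Winlogon and policy values against clean Windows XP values (an assumption of this example) and decodes the NoDriveTypeAutoRun bitmask that the fix.reg above raises from 0x91 to 0x95. The sample input is constructed.

```python
import re

# Constructed sample in the REG.EXE 3.0 layout of the output posted earlier in this thread.
SAMPLE = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
Shell REG_SZ Explorer.exe
Userinit REG_SZ C:\\WINDOWS\\system32\\userinit.exe,
LegalNoticeCaption REG_SZ

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
DisableRegistryTools REG_DWORD 0x0
"""
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POL = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_POL = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Clean XP values (assumed here): Shell/Userinit are persistence points; DisableRegistryTools=1 locks out regedit.
EXPECTED = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (SYSTEM_POL, "DisableRegistryTools"): "0x0",
}
# NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk", 0x80: "unrecognised"}
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")   # "name TYPE data", data may be empty


def parse_reg_query(text):
    """Return {key: {name: (type, data)}} from `reg query` output."""
    values, key = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        m = VALUE_RE.match(line)            # blank lines and the "! REG.EXE" banner never match
        if line.startswith("HKEY_"):        # key or subkey header
            key = line
            values.setdefault(key, {})
        elif key and m:
            values[key][m.group(1)] = (m.group(2), m.group(3))
    return values


def decode_autorun_mask(mask):
    """Drive types for which this NoDriveTypeAutoRun value disables AutoRun."""
    return {name for bit, name in DRIVE_BITS.items() if mask & bit}


def audit(values):
    """Compare parsed values with EXPECTED and return a list of findings."""
    findings = []
    for (key, name), want in EXPECTED.items():
        got = values.get(key, {}).get(name, ("", None))[1]   # None when the value is absent
        if got != want:
            findings.append(f"{key}\\{name} = {got!r}, expected {want!r}")
    mask = values.get(EXPLORER_POL, {}).get("NoDriveTypeAutoRun")
    if mask and "removable" not in decode_autorun_mask(int(mask[1], 16)):
        findings.append("AutoRun still enabled for removable drives")
    return findings
```

To audit a real machine, paste the full text of localau.txt in place of SAMPLE and print `audit(parse_reg_query(SAMPLE))`.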
Old 10-20-2006, 10:32 PM   #38 (permalink)
localau (Registered User)


I found no entries for autorun.inf, but here's the log from cleanX-II. how do i find a copy of the virus?
Attached Files
File Type: txt CleanX-II201006.txt (77.6 KB, 1 views)
Old 10-20-2006, 10:35 PM   #39 (permalink)
Deckard (Mentor, Analyst - Security Team)


CleanX deleted all the copies you had; if they come back we can grab one from Norton's quarantine.
Old 10-21-2006, 12:16 AM   #40 (permalink)
localau (Registered User)


yay! okay.
 


Copyright 2001 - 2009, Tech Support Forum