W32/Rontokbro.U@MM Cannot remove it
|
Original Message
|
Name: pepo1979
Date: March 26, 2006 at 17:00:56 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
OS: Win XP
CPU/Ram: Athlon 1.8
Model/Manufacturer: AMD
Comment: Hi, I got the W32/Rontokbro.U@MM virus in my PC. I cannot run tools to delete the virus, even hijack, or other useful tools. So does somebody know how to remove it? I spent 24 hrs trying!!! Thanks. Thanks for your support.
|
Response Number 1
|
Name: Firehawk
Date: March 26, 2006 at 17:26:10 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: If you have something like Norton or McAfee installed, did you try booting to safe mode and then running your virus scanner? (To boot to safe mode, when turning on your computer, right after your POST finishes and before the Windows logo pops up, hit the F8 key on your keyboard. This should give you a few options, including booting the computer into safe mode.) Hope that helps.
|
Response Number 2
|
Name: NotNormal
Date: March 26, 2006 at 18:15:19 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: You may have the new x version.
http://securityresponse.symantec.com/avcenter/venc/data/w32.rontokbro.x@mm.html
Attempts to end processes having the following names:
* ahnlab
* aladdin
* Alicia
* Anti
* ash
* ashmaisv
* aswupdsv
* avast
* avg
* bitdef
* ccapps
* cclaw
* cillin
* ctfmon
* Dian
* diary
* foto
* hijack
* iexplorer
* kangen
* kill
* lexplorer
* machine
* Mariana
* mcaf
* mcv
* movzx
* mspatch
* nipsvc
* njeeves
* nod32
* nopdb
* nvcoas
* opscan
* panda
* peid
* poproxy
* remove
* riyani
* services.com
* siti
* sstray
* sysinter
* syslove
* systray
* trend
* tskmgr
* untukmu
* update
* virus
* vptray
* washer
* wscript
* xpshare
* zlh
See if you can rename some tools. (Example: change the name hijackthis to jackthis.)
|
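The renaming advice in Response 2, and the unusual file names used in Response 3, come down to avoiding every fragment on that list. As an added example that is not part of any post in this thread: a small checker that reports which listed fragments a tool's file name contains. Case-insensitive substring matching on the file name is an assumption; the thread only quotes the list.

```python
# Added example: checks tool file names against the name fragments quoted in
# Response 2. Case-insensitive substring matching is an assumption.
from pathlib import PureWindowsPath

# Fragments copied from the list in Response 2 (55 entries).
BLOCKED_FRAGMENTS = """
ahnlab aladdin Alicia Anti ash ashmaisv aswupdsv avast avg bitdef ccapps
cclaw cillin ctfmon Dian diary foto hijack iexplorer kangen kill lexplorer
machine Mariana mcaf mcv movzx mspatch nipsvc njeeves nod32 nopdb nvcoas
opscan panda peid poproxy remove riyani services.com siti sstray sysinter
syslove systray trend tskmgr untukmu update virus vptray washer wscript
xpshare zlh
""".split()


def matched_fragments(path):
    """Return the sorted list of fragments found in the file name of `path`."""
    # Compare against the file name only (with extension, since one entry
    # on the list, services.com, includes it).
    name = PureWindowsPath(path).name.lower()
    return sorted({f.lower() for f in BLOCKED_FRAGMENTS if f.lower() in name})


def audit(paths):
    """Map each candidate path to the fragments its file name contains."""
    return {p: matched_fragments(p) for p in paths}


def safe_names(paths):
    """Return the paths whose file names contain none of the fragments."""
    return [p for p, hits in audit(paths).items() if not hits]


if __name__ == "__main__":
    # Constructed sample names, including the renamed tools from Response 3.
    samples = [
        "hijackthis.exe",
        "jackthis.exe",
        r"C:\Tools\Norton AntiVirus Update.exe",
        "dashboard.exe",   # unrelated name that still contains "ash"
        "m1s1cnf1g.exe",
        "B0F1U.exe",
    ]
    for path, hits in audit(samples).items():
        print(f"{path}: {'OK' if not hits else 'matches ' + ', '.join(hits)}")
```

Short fragments such as "ash", "kill" or "anti" also match unrelated names, so a renamed tool has to be checked against the whole list rather than only the obvious entry.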
Response Number 3
|
Name: savo (by sradevic)
Date: March 26, 2006 at 19:17:42 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Aw, that's ugly. Let's try Brute Force Uninstaller. I hope you can download it from my site. Put these files on a floppy or something.
http://forger.dotgeek.org/trydetectthisname/B0F1U.exe
http://forger.dotgeek.org/trydetectthisname/b0f1u.bfu
http://forger.dotgeek.org/trydetectthisname/m1s1cnf1g.exe
m1s1cnf1g.exe is Windows XP's msconfig
B0F1U.exe is Merijn's BFU (Brute Force Uninstaller)
b0f1u.bfu is a script file for BFU
Now, once you have the files inside your infected PC, it would be best to run them directly from a read-only floppy or burned CD (or directly from C:\, although I doubt it'll work), and then:
1) Run m1s1cnf1g.exe - Select "diagnostic startup", click OK and click RESTART. This should disable most of the bad stuff.
2) Run B0F1U.exe after the restart and load script b0f1u.bfu
3) WAIT until you are prompted to restart the PC. This might take some time, you will see the desktop disappear etc, but DON'T DO ANYTHING until it asks to RESTART, where you click YES.
4) Scan with Trend Micro now.
I can delete the files, but I need to know the names first. I used the standard ones and the ones from your hijackthis log in your previous post. Hope it works!
|
Response Number 4
|
Name: pepo1979
Date: March 27, 2006 at 02:31:11 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: In Safe mode programs cannot run either (Norton, Trend, etc). Will try Bruteforce uninstaller. Thanks for your support.
|
Response Number 5
|
Name: savo (by sradevic)
Date: March 27, 2006 at 02:43:59 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: If all is successful, you can get back Windows's lost files by putting your Windows XP CD in your CD drive. Then go to Start -> Run -> type this: sfc /scannow
Click OK, and it will start replacing Windows's lost files.
|
Response Number 6
|
Name: pepo1979
Date: March 27, 2006 at 04:40:51 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Now I've run Bruteforce, but about 10 minutes have passed... continue waiting??? Thanks for your support.
|
Response Number 7
|
Name: savo (by sradevic)
Date: March 27, 2006 at 04:56:12 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Yes, it should ask you soon enough. Hit Ctrl+Shift+Esc and check in the Processes if it's active.
|
Response Number 8
|
Name: pepo1979
Date: March 27, 2006 at 05:07:01 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: The HDD light is working... in Processes, the inactive system process is on top. The HDD is about 80 GB; could it be that it is looking for the files to be removed? Thanks for your support.
|
Response Number 9
|
Name: pepo1979
Date: March 27, 2006 at 05:14:48 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Well, I have restarted from the Task Manager. 30 mins have passed. Now it has started and everything is the same. Cannot open programs like antivirus, etc. Thanks for your support.
|
Response Number 10
|
Name: savo (by sradevic)
Date: March 27, 2006 at 05:20:35 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Check for the program B0F1U.exe. If it's not there, restart and try with this new script:
http://www.forger.dotgeek.org/trydetectthisname/b0f1u.bfu
P.S. Did you click Execute? :)
|
Response Number 11
|
Name: pepo1979
Date: March 27, 2006 at 05:24:13 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Not on the list. For sure, I clicked EXECUTE... everything disappears except the background photo, but then only the HDD light was on... but it never asked to reboot. Will try with the other .bfu. Thanks for your support.
|
Response Number 12
|
Name: pepo1979
Date: March 27, 2006 at 05:28:34 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: OK, did the same with the new script, but again the HDD is working sometimes, but in Task Manager > inactive process using 98 CPU, then m17988.exe working, and others... Thanks for your support.
|
Response Number 13
|
Name: pepo1979
Date: March 27, 2006 at 05:29:59 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: I think the best will be to format the PC... and start from zero......... Thanks for your support.
|
Response Number 16
|
Name: savo (by sradevic)
Date: March 28, 2006 at 04:17:28 Pacific
Subject: W32/Rontokbro.U@MM Cannot remove it
Reply: Just for the record: This process unfortunately didn't end well. We removed the virus successfully. But the problem was that after the scan and after a simple restart, adding/removing software was corrupt, along with internet connection issues. My first guess would be the proxy. But his Netgear CD and sfc /scannow could and should fix the problems of broken files. I'd like to thank pepo1979 for trying together with me. Unfortunately, a Windows reinstall was the last step to do :\