Thursday, January 18, 2007

WORM_RONTOKBRO.Y versus me

This is the log of the war against the worm.

How did the enemy get in?
It came along with a couple of folders that were copied from a pen drive. It had the same name as the folder and looked exactly like a Windows folder. In a hurry I double-clicked it, and the war began...

Battle 1: End Task
I immediately realized it was a virus because it opened the My Documents folder, which was unusual. Soon after, I pressed Ctrl + Alt + Del to end the program's task. But the battle was won by the virus: it restarted the computer! Still, I got the exe name "eksplorasi.exe".

Battle 2: Regedit
In an effort to save my system, after rebooting I tried to run the "regedit" registry editor, since most viruses register themselves under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

to start when the computer starts. But I lost the battle again: it had disabled the registry editor.

Battle 3: Safe mode
In the next battle, I rebooted the computer in safe mode (pressing F8 at the OS choice menu before booting and selecting Safe Mode). Failed again; the virus is as active in safe mode as in normal mode.

Battle 4: Rebooted into Win98
In the next battle I booted into Windows 98. Searched the entire Windows drive for the file "eksplorasi.exe" and found one in %Windows Directory%\. Deleted it! Next I searched the entire Windows directory for exes that had a folder as their icon. I was amazed by the number of copies it had already produced: almost another 12-14 copies in various folders. Deleted them all... Battle won! The enemies were shot down but the consequences remain...

Battle 5: Looked for allies on Google

Found some information by searching Google for "eksplorasi.exe manual removal".

Battle 6: Capturing back the regedit
Capturing back regedit was exciting. As hinted by an ally, regedit was disabled by the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = dword:00000001

On their advice I tried making a .reg file that removed this entry. But I lost that battle too.

Battle 7: My own registry editor
I made a quick registry editor that replaced the registry values to enable the registry again, and it was a success. Captured back the registry from the enemies.
Again on the advice of my ally, all deformations in the registry were restored to their previous state.

Download my registry enabler.
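The same job as the registry enabler above, written as an added PowerShell example (not the author's tool). It resets the DisableRegistryTools value through the registry provider, which is why it works where a .reg file did not: .reg files are imported by regedit.exe, which that very policy blocks. Checking the HKLM policy key is an assumption that goes beyond the post, which names only the HKCU key.

```powershell
# Added example, not the blog author's "registry enabler".
# Run from PowerShell as the affected user (elevated for the HKLM paths).
# Assumption beyond the post: the same policy value under HKLM is checked too.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key -Name 'DisableRegistryTools' `
              -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($null -eq $value) { continue }
    Write-Host "$key : DisableRegistryTools = $value"
    if ($value -ne 0) {
        # 0 re-enables regedit; the post's tool likewise overwrote the value.
        Set-ItemProperty -Path $key -Name 'DisableRegistryTools' -Value 0 -Type DWord
        Write-Host '  reset to 0'
    }
}

# Then list the autorun entries the post mentions, flagging any leftover
# reference to the worm's executable so it can be checked and removed by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # skip the provider's own PS* fields
    foreach ($e in $entries) {
        $flag = if ($e.Value -match 'eksplorasi\.exe') { '  <-- matches the worm name' } else { '' }
        Write-Host ("{0} : {1} = {2}{3}" -f $key, $e.Name, $e.Value, $flag)
    }
}
```

After running it, regedit should open again, and any flagged Run entry can be removed from within it.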

War won
Hurray, the war was won by me.
Won a battle? Let me know.

Information Allies Missed
+ The virus was present in the System Restore files.
+ Making .reg files did not work, as the registry editor was disabled.
+ Group Policy (gpedit.msc) is disabled.

2 comments:

jash said...

hi,
I have the same virus in my system. I tried many antiviruses but no use.
Currently I have AVG that regularly detects it and claims to have healed it. But the virus resurfaces.
I read your solution but since I don't hail from a TECH background, I don't know how to apply it.
Could you be kind enough to give me a step by step solution (Layman oriented) I hope I am not asking for too much.......

Arun Prabhakar said...

Since you do not hail from a TECH background, the better way is to download another free antivirus.

Try "AOL Active Virus Shield".