Lately, some friends' and colleagues' PCs got affected by this stupid virus, which spreads through shared files via email and networks.
I tried some tools, and the re-animated one helped me disable it and remove the auto-created executable file, which the virus created each time the computer started.
I found the following steps to manually remove it.
MANUAL REMOVAL:
1. Restart the computer using the Windows Recovery Console
2. Disable System Restore (Windows Me/XP).
3. Remove all the entries with 127.0.0.22 that the virus added to the Windows hosts file.
4. Reinstall your Antivirus program.
5. Update the virus definitions.
6. Run a full system scan and clean or delete all detected
7. Delete any values added to the registry.
Navigate to the subkey and delete the value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Value: "AlternateShell" = "c_[RANDOM]k.com"
Navigate to the subkey and delete the value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value: "[RANDOM]" = ""%Windir%\j[RANDOM].exe""
Navigate to the subkey and delete the value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Value: "[RANDOM]" = ""%Windir%\_default[RANDOM].pif""
Navigate to the subkey and delete the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "[RANDOM]" = ""%System%\s[RANDOM]\zh59[RANDOM].exe""
Navigate to the subkey and delete the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Value: "[RANDOM]" = ""%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com""
Navigate to and delete the subkey:
HKEY_CURRENT_USER\Software\Brontok
Navigate to the subkey and reset the values if applicable:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Values:
"Userinit" = "%System%\userinit.exe,%Windir%\j[RANDOM].exe"
"Shell" = "Explorer.exe "%Windir%\o[RANDOM].exe""
to:
"Userinit" = "%System%\userinit.exe"
"Shell" = "Explorer.exe"
Navigate to the subkey and reset the values if applicable:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Values:
"Hidden" = "0"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"
Navigate to the subkey and reset the value if applicable:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: "DisableRegistryTools" = "1"
8. Exit registry editor and restart the computer.
***Note: the virus may change Windows registry values in a way that prevents you from running executable files. A tool that resets those registry values to their defaults is available for download.
9. Delete the scheduled tasks.
- Click Start > Settings > Control Panel > Scheduled Tasks.
- Right-click each task icon and select Properties from the pop-up menu. The properties of the task are displayed.
- Delete the task if the contents of the Run text box in the task pane match the following:
%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com
10. To make sure that W32.Rontokbro.AN@mm is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software.
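As an added example (not part of the original post or of any removal tool it mentions), this PowerShell script checks the locations the steps above walk through and reports anything matching the listed entries, without deleting anything. It assumes an elevated prompt on the affected machine and that the stock values are userinit.exe for Userinit, explorer.exe for Shell and cmd.exe for AlternateShell.

```powershell
# Added example: read-only audit of the locations touched by the removal steps.
# It only reports findings; review each line before deleting anything.
# Assumes an elevated PowerShell prompt on the affected host.
$findings = New-Object System.Collections.Generic.List[string]

# Step 3: every hosts-file line the worm adds resolves to 127.0.0.22
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*127\.0\.0\.22\s' } |
    ForEach-Object { $findings.Add("hosts: $_") }

# Helper: the data values under a registry key (skipping PowerShell metadata)
function Get-RegValues([string]$Key) {
    if (-not (Test-Path $Key)) { return @() }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

# Step 7: Run keys. Data ending in .com or .pif, or naming yesbron, matches the
# entries listed above; legitimate startup programs rarely look like that.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
foreach ($key in $runKeys) {
    foreach ($v in Get-RegValues $key) {
        $data = "$($v.Value)"
        if ($data -match '\.(com|pif)"?\s*$' -or $data -match 'yesbron') {
            $findings.Add("$key : $($v.Name) = $data")
        }
    }
}

# Step 7: Winlogon, SafeBoot and policy values the worm rewrites (assumed stock values)
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$stockUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ("$($wl.Userinit)".TrimEnd(',') -ne $stockUserinit) { $findings.Add("Userinit = $($wl.Userinit)") }
if ("$($wl.Shell)" -ne 'explorer.exe') { $findings.Add("Shell = $($wl.Shell)") }
$sb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if ("$($sb.AlternateShell)" -ne 'cmd.exe') { $findings.Add("AlternateShell = $($sb.AlternateShell)") }
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { $findings.Add('DisableRegistryTools = 1') }
if (Test-Path 'HKCU:\Software\Brontok') { $findings.Add('HKCU\Software\Brontok exists') }

# Step 9: scheduled tasks whose command is the yesbron.com file
schtasks /query /fo LIST /v 2>$null | Select-String 'yesbron' |
    ForEach-Object { $findings.Add("task: $($_.Line.Trim())") }

if ($findings.Count) { $findings | ForEach-Object { Write-Output "FOUND  $_" } }
else { Write-Output 'No matching entries found in the audited locations.' }
```

Run it once before the manual steps to see what is present, and again after the reboot in step 8 to confirm nothing came back.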
Wow… that's a lot of steps to remove this virus,