win32:rontokbr-I2 Worm Infection

Symptoms

  • Registry editing (regedit) is disabled
  • Your system may run more slowly than usual

Background

I have not researched this worm in depth. It appears to be simple and consists of just two files:

C:\WINDOWS\eksplorasi.exe

C:\WINDOWS\shellnew\sempalong.exe

Please note that I am not affiliated with any brands or software mentioned in this article.

Infection

The worm persists by adding itself to the Winlogon “Shell” value in the registry. Windows reads this value to decide which program to start as the user shell; normally it is “explorer.exe”, which is the parent of most of the other programs that run on the PC. By appending its own executable to that value, the worm is launched alongside Explorer at every logon.

Cure

The cure (as far as I can tell) for the strain I encountered is simple. Before trying it, however, I suggest you try a-Squared Free. I have found this software fairly reliable at detecting and removing ordinary trojans and worms (a capability lacking in most anti-virus products I have tried).

We need the following tools: Process Explorer, KillBox and ID System Optimizer. Most of these are only needed to get back into the registry, which this worm disables. Follow the steps in order; the running worm has to be killed before its files and registry entry can be removed.

Step 1. Run Process Explorer and look for the two files named above among the running processes. If you find them, kill them.

Step 2. Use KillBox to delete the two files (I assume you have read its manual). If a file cannot be deleted because it is in use, select the “Delete on ReBoot” option.

Step 3. Use ID System Optimizer to re-enable the Registry:

a. Navigate through “APPLICATIONS>Regedit>Disable Regedit”

b. When you click “Disable Regedit”, a setting called “Enable Regedit” appears on the right. It will be set to “No”; click it to change it to “Yes”.

c. Click the “Apply Settings” button.

Step 4. Remove the worm's entry from the registry

a. Click “Run” on the Start Menu, type “regedit” and press Enter. In the Registry Editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

b. Right-click the “Shell” value and select “Modify”. In the window that opens you will see a text box labelled “Value data” reading something like:

Explorer.exe “C:\WINDOWS\eksplorasi.exe”

c. Change it to read ONLY “explorer.exe”. That is, delete the whole “C:\WINDOWS\eksplorasi.exe” part.

d. Also note the capital “E” in “Explorer”. This can be a sign of infection, because the correct entry has a small “e”. If your value does not include “C:\WINDOWS\eksplorasi.exe” but does have a capital “E”, it is possible that the “explorer.exe” file itself has been infected. [I could not verify this completely.] The case alone is not a reliable indicator, though: compare the whole value with a known-clean machine and scan the file before assuming it is infected.

Step 5. Restart your PC
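The whole procedure above (Steps 1 to 4, plus the Shell-value check from the Infection section), scripted in PowerShell. This is an added example written for this page, not a tool from the original post or from any of the products it names. It assumes only the two file paths given above; the registry locations it uses are standard Windows ones, but the `HKCU` Winlogon key and the two Policies keys are not mentioned in the post and are included as extra checks. Run it from an elevated PowerShell prompt and read what each function reports before rebooting.

```powershell
# Added example for this page; not from the original post. Assumes the two
# file paths named in the post; registry paths are standard Windows locations.
# Run from an elevated PowerShell prompt.

$WormFiles = @(
    'C:\WINDOWS\eksplorasi.exe',
    'C:\WINDOWS\shellnew\sempalong.exe'
)

# The key from the post plus the per-user equivalent (not in the post, but
# Windows honours a Shell value there too, so it is worth checking).
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# DisableRegistryTools=1 in either key is what "registry is disabled" means.
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Step 1: kill running copies, matching on the full image path rather than
# the process name so an unrelated binary with the same name is left alone.
function Stop-WormProcesses {
    foreach ($p in Get-Process) {
        $path = try { $p.Path } catch { $null }
        if ($path -and ($WormFiles -contains $path)) {
            Write-Host "Killing PID $($p.Id) ($path)"
            Stop-Process -Id $p.Id -Force
        }
    }
}

# Step 2: delete the files. If one is locked, queue it in
# PendingFileRenameOperations (the list MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
# writes, which "delete on reboot" tools rely on); a source path followed by
# an empty target means "delete at next boot".
function Remove-WormFiles {
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    foreach ($f in $WormFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try {
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
            Write-Host "Deleted $f"
        } catch {
            $pending = @()
            $existing = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
            if ($existing) { $pending = @($existing) }
            $pending += "\??\$f"
            $pending += ''
            Set-ItemProperty -Path $smKey -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
            Write-Host "Locked; $f will be deleted at next boot"
        }
    }
}

# Step 3: re-enable regedit by removing the policy value the worm set.
function Enable-Regedit {
    foreach ($k in $PolicyKeys) {
        $v = Get-ItemProperty -Path $k -Name DisableRegistryTools -ErrorAction SilentlyContinue
        if ($v -and $v.DisableRegistryTools -ne 0) {
            Write-Host "DisableRegistryTools=$($v.DisableRegistryTools) under $k; removing"
            Remove-ItemProperty -Path $k -Name DisableRegistryTools
        }
    }
}

# Step 4: inspect the Shell value(s). Clean means exactly "explorer.exe" under
# HKLM (case-insensitive) and no Shell value at all under HKCU. Capitalisation
# is reported separately: a capital "E" by itself is not proof of infection.
function Test-WinlogonShell {
    foreach ($k in $WinlogonKeys) {
        $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
        $clean = if ($null -ne $shell) { $shell -eq 'explorer.exe' } else { $k -like 'HKCU:*' }
        [pscustomobject]@{
            Key         = $k
            Shell       = $shell
            Clean       = $clean
            CaseDiffers = ($clean -and $null -ne $shell -and $shell -cne 'explorer.exe')
        }
    }
}

# Step 4 (repair): reset HKLM to exactly "explorer.exe"; drop any HKCU override.
function Repair-WinlogonShell {
    foreach ($s in Test-WinlogonShell) {
        if ($s.Clean) { Write-Host "$($s.Key): Shell is clean ($($s.Shell))"; continue }
        Write-Host "$($s.Key): Shell was '$($s.Shell)'"
        if ($s.Key -like 'HKLM:*') {
            Set-ItemProperty -Path $s.Key -Name Shell -Value 'explorer.exe'
        } else {
            Remove-ItemProperty -Path $s.Key -Name Shell -ErrorAction SilentlyContinue
        }
    }
}

# Steps 1-4 in order; Step 5 (the reboot) is left to you.
Stop-WormProcesses; Remove-WormFiles; Enable-Regedit; Repair-WinlogonShell
Write-Host 'Done. Reboot now to finish the clean-up (Step 5).'
```

The order matters for the same reason as in the manual steps: the file deletion and the registry edits only stick once the running copies are gone. `Test-WinlogonShell` uses a case-insensitive comparison for the verdict and only flags the capitalisation as extra information, so a machine whose value is simply “Explorer.exe” with nothing appended is reported as clean rather than rewritten.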

Afterword

These were the steps I took to remove the worm. I discovered it by accident one day when the system gave a “File not found” error message naming this strangely named file, “eksplorasi.exe”. [There is probably a bug in the worm itself!] After some research on the Internet I was able to find the name of the worm, but not much else, so I decided to document this, just for reference.

5 comments so far

  1. Dina A. on

    Thanks a million … I’ve been trying to solve this problem every time I opened my computer for the last 6 months with no use. Your answer was the only solution that worked out for me 🙂

    Just PERFECT 🙂

  2. Majo on

    Thanks. My virus scanner displays an infection message every time, but I cannot find any virus. But the Explorer.exe in the registry is with a capital E. That's right, but the file seems to be OK.

  3. CUrt on

    HELP. Can I just format and reinstall Windows? I can't do this any more.
    Thanks

    • Hamman on

      Hi, if you're sure you can get all the files you need off your computer before formatting, then it's OK to do so. But the risk is that in taking out files, you might be taking the virus with you. In the end, even after formatting, the virus would return because it was in the files you recovered! But if you don't recover any files and just format and reinstall Windows, the virus should disappear.

  4. 2010 in review « The IT Tutor on

    […] The busiest day of the year was February 19th with 31 views. The most popular post that day was win32:rontokbr-I2 Worm Infection. […]

