virus: worm.rontokbro.h

kizzibillet

I have three machines all inected by this virus rontokbro.h
1st machine - symantec will not load
2nd machine - I cannot install nothing on the machine eg. spy sweeper, symantec etc nothing gives error like file is currupt
3rd machine - registry is disable and a file c:/windows explorisc (something like that) keep on popping up everytime I log on

all points to this virus

is there anyway we can get rid of this virus.?

royal

Format. Seriously, formatting is the ONLY way to "ENSURE" that a system is virus free. I even strongly recommend it if the machine is connected to a corporate network. Others will say to go into the safe mode, install some tools, check the run section in registry, etc... I still say format.

seuss_ssues

I do agree to be 100% clean a format is the option. Unfortunately if your network is infected then a fresh client will definately get infected. If you have a properly laid out deployment network it will be segmented from the rest of your network and not directly connected to the rest of your network so you will be good.

I do normally clean, but i do understand the importance of fresh install when the time comes.

kizzibillet

thanks guys but to be hionest I dont wnat to wipe. firstly the users have softwares on the machine that are critical to thier work and they dont have the cd for them (yeah i told them never to do that again always have a copy of software installed on machine)

2ndly I wipe one fo the machines already and it is now infected with it. it seems it is the network but how can u clean a network. I am new to this but loving it.

should i take them all off the interent and clean with a antispyware software?

what about kaspersky? I am hearing alot about it?

awaiting reply

dtlokee

You could try booting to a Linux live CD and doing a virus scan from there, I've needed to do this a couple of times and have had good results.

Megadeth4168

You could also try downloading Ultimate Boot CD, boot your computer off of the CD you make and try running some of the included AV programs on there.

hetty

A reload would seem simpler. Probably have to shut down the network while trying to repair/reload everything anyway cause its a worm.
http://www.xblock.com/product_show.php?id=2845
http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99&tabid=2

dynamik

Once your system has been compromised, there's no telling what has been done to it. You could have rootkits on there and never know it. Buying the apps again may cost you significantly less in the long run (i.e. destruction or theft of sensitive information).

Ahriakin

Isolate the PCs that you know are infected, get them off your network (and don't even think of letting the users argue you out of this, they are placing all other data on your network at risk, no ifs/buts or maybes). If you can't do this then forget the whole thing, seriously don't even bother.

You need to close the infection vector before cleaning individual machines, as seen by the reinfection you mentioned. How does it propagate (ie. does it have WORM characteristics whereby it is self-propagating and you need to firewall your clients (not a bad idea anyway), or is it a common data source that is infected and when accessed is infecting the clients (e.g. email or common business files/spreadsheets etc). You need to know where it is coming from, shut down that vector by isolating it and patching/hardening your end systems against it, then clean/format the machines.
You should see about getting some sort of IDS/IPS running on your network to monitor for WORM traffic, it will greatly help you track infections like this and shut them down before they become widespread, your AV software is your LAST line of defense it should not be the one you rely on. SNORT is free and very effective.

Plantwiz

In a corporate setting......Client PCs do not belong to the individual user....they are part of a network and files should be saved to a network share to be properly backedup.

So quickest cleanup is a Format/Reinstall. However, that doesn't address the 'WHY' and 'HOW' did this happen.

THAT ASIDE

kizzibillet wrote:

thanks guys but to be hionest I dont wnat to wipe. firstly the users have softwares on the machine that are critical to thier work and they dont have the cd for them (yeah i told them never to do that again always have a copy of software installed on machine)

Tough.

It's a business network right? You have correct/proper licensing? So order up a spare media kit.

Again, how can this be addressed in the future? Possibly a network share in addition to a media kit maintained in a software vault.

When the machines are owned by the company, or purchased by the company for employees to complete work for the company.....the company SHOULD maintain the documents, the employee could have a backup copy, if necessary.

2ndly I wipe one fo the machines already and it is now infected with it. it seems it is the network but how can u clean a network. I am new to this but loving it.

What do you think permitted this? Is the Worm on your network? Is the user doing something/visiting websites/ opening e-mail that is infected?

Keep the user off the network until you can determine the source.....so you'll have your work cut-out as you probably cannot keep them offline for long.

should i take them all off the interent and clean with a antispyware software?

Yesterday.

Try an online scan like Housecall.
Or
as recommended already, try Ultimate Boot CD 4 Windows and some of their tools.

Have you attempted a scan from Safe Mode?
How about hanging the drive off another Box (either as a slave drive or via a USB attachment to run the AV from the clean/bench box to that drive?

what about kaspersky? I am hearing alot about it?

??? What are you hearing? This is a pretty old issue that's at most a distant problem.

awaiting reply

Good to ask for help....but also good to continue the legwork on your own too. Read up on the identified problem from the main AV players. They usually have a wealth of knowledge available.

kizzibillet

all of you were EXCELLENT! I appreciate the time you took to answer my questin. tonight I will be visiting the site and do just exactly what you all say and report to you the outcome!

Thanks a lot

kizzibillet

you must be wondering what happen

but I never get a chance to go the following 2 days but after getting the chance to go the Manager called me and told me he is using another technician instead becuase the virus is not that serious as I say it was.

I told him t was ok

but i appreciate all your help and tips TRUST me it did help me and my knowledge has increase

Thanks alot