Updated on March 05, 2022

Worm - Eksplorasi.exe infection

Henry Birch

Latest update on October 13, 2014 at 12:22 PM by Jean-François Pillou .

Issue

You are unable to open any folder from Run or by clicking on a folder's shortcut. Earlier, as soon as the folder was opening, you were getting a message box: "Cannot find eksplorasi.exe".

So you made the following changes:

1) From Regedit, go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion > Winlogon

2) In the right panel, locate the following entry:

On Windows ME, 2000, XP, and Server 2003: Shell = "Explorer.exe "%Windows%\Eksplorasi.exe""

On Windows NT: Shell = "Explorer.exe "eksplorasi.exe""

Right-click on this registry entry and choose Modify. Change the value to this:

Shell = "Explorer.exe"

Solution

Eksplorasi.exe is a component of Worm.Brontok and Worm.Rontokbro.It, which is typically transmitted via a Photo.zip email attachment. The standard email contains the following text in addition to the attachment: "Hi, I want to share my photo with you. Wishing you all the best. Regards," Once the zip file is opened, Windows Explorer generates a "My Pictures" folder. The worm disables antivirus software as well as system registry tools and access to the command prompt. It additionally allows hackers to access the infected computer remotely, and steals passwords, confidential banking information and other personal data. Typically residing in Windows personal folders, it was discovered on July 2, 2007.

EKSPLORASI.EXE has been seen to perform the following behavior:

  • The process is packed and/or encrypted using a software packing process
  • Executes a process
  • This process creates other processes on disk
  • Makes outbound connections to other computers using NETBIOSOUT protocols
  • This process deletes other processes from disk
  • Registers a Dynamic Link Library file
  • Reads your Outlook address book
  • Can communicate with other computer systems using HTTP protocols
  • Adds a link in the Start Menu
  • Disables access to the Windows Registry Editor
  • Modifies Windows security policies to restrict/expand user privileges on the machine
  • Modifies the logon screen saver settings
  • This process tampers with vulnerable system files and settings
  • Downloads hidden code from covert web sites
  • Creates new folders in the file system
  • Sets processes to start during user logon
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Uses DNS to retrieve the IP address for web sites
  • Creates, modifies or schedules batch jobs
  • Terminates processes
  • Adds a Registry key (RUN) to auto start programs on system start up
  • Modifies the Windows hosts file, which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
  • Executes processes stored in temporary folders
  • Changes the file command map within the registry
  • Modifies Windows initialization and system settings used on start up
  • Can communicate with other computers using TCP protocols
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • Writes to another process's virtual memory (process hijacking)
  • Creates a new background service on the machine
  • Injects code into other processes
  • This process is a file infector which modifies program files to include a copy of the infection
  • Creates new folders on the system
  • Copies files

How to remove?

The Windows Registry contains extensive information about how your computer runs. Because removal of the virus requires extensive changes to the Windows Registry via the Registry Editor, it is important to back up the Registry prior to beginning the virus removal process.

Step 1

For infected Windows Vista computers:

Click "Start." Type "systempropertiesprotection" in the "Start Search" box.

Press "Enter." Type the password if prompted and click "Allow."

Once the most recent restore points display, go to the "System Properties" dialog box on the "System Protection" tab and click "Create."

Type the name for this backup and click "Create."

Once the backup has been created, click "OK" twice to exit.

For infected Windows XP computers:

Click "Start," "Run," type "Windows\system32\restore\rstrui.exe" and click "OK."

Select a restore point on the Welcome page and click "Next."

Enter the name for the backup on the Create a Restore Point page and click "Create." Once the backup has been created, click "Close."

For infected Windows 2000 computers:

Use the Backup utility to create an Emergency Repair Disk.

For infected Windows 95 computers:

Restart the computer in safe mode and log in as an administrator.

Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows 95 logo. Select the first option, to run "Windows in Safe Mode" from the selection menu.

Click "Start," "Run," type "cmd" in the text box and press "Enter."

At the command prompt type the following lines, pressing ENTER after each line:

cd windows

attrib -r -h -s system.dat

attrib -r -h -s user.dat

copy system.dat *.bu

copy user.dat *.bu

For infected Windows 98 and Windows Me computers:

Click "Start," "Run," type "scanregw," and click "OK."

Click "Yes" when prompted to back up the registry.

Click "OK" when notified that the Backup is complete.

For infected Windows NT computers:

Click "Start," "Run," type "ntbackup.exe" and click "OK" to use the NT Backup tool to back up the registry.

Step 2

If the operating system of the infected computer is either Windows Me or Windows XP, turn off System Restore while this fix is being implemented.

To turn off System Restore within Windows Me,

Click "Start," "Settings," "Control Panel."

Double-click on the "System" icon and select "File System" from the "Performance" tab.

Left-click on the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK."

To turn off System Restore within Windows XP, log in as an administrator and click "Start." Right-click on "My Computer," and select "Properties" from the shortcut menu.

Check the "Turn off System Restore" option for each drive on the "System Restore" tab.

Left-click "Apply" and "Yes" to confirm when prompted.

Click "OK."

Step 3

Restart the computer in safe mode and log in as an administrator.

Press "F8" after the first beep occurs during start up, before the display of the Microsoft Windows logo.

Select the first option, to run "Windows in Safe Mode" from the selection menu.

Step 4

Remove any program files from the computer.

Go to "Start," "Control Panel," "Add/Remove Programs."

Remove any programs referencing "eksplorasie," "Worm.Brontok" or "Worm.Rontokbro.Y."

If none is listed, continue to Step 5.

Step 5

Use the Windows Search tool to determine if "Eksplorasie" exists on the hard drive.

Go to "Start," "Search," "All Files and Folders."

Type "eksplorasi.exe" in the "All or Part of the File Name" section.

Select "All Local Hard Drives" from the "Look in:" drop down list for the best results.

Click "Search."

Repeat this process for "bronstab.exe."

Step 6

Use the Windows Task Manager to end any eksplorasi.exe processes that are running.

Press "Ctrl+Alt+Del" to open Task Manager.

Click "eksplorasi.exe" within the "Processes" tab and click "End Process."

Locate and remove any reference to "bronstab.exe" as well.

Step 7

Click on "Start", "Run", type "msconfig" and press "Enter."

Remove checkmarks next to any "eksplorasi.exe" or "bronstab.exe" entries on the "Startup" tab.

Save changes and exit to the desktop.

Step 8

Click on "Start," "Run," type "regedit" and press "Enter."

Press "Ctrl+F," type "eksplorasi.exe" in the search field and delete all related entries.

Repeat the search for "bronstab.exe" and remove all related entries.

Then delete the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-cirrhatus

Step 9

Use the Windows Search tool to locate and remove all temp files associated with the worm.

Go to "Start," "Search," "All Files and Folders." Type "*.tmp" in the "All or Part of the File Name" section.

Select "All Local Hard Drives" from the "Look in:" drop down list for the best results.

Click "Search." Right click on each occurrence of the file and select "Delete" from the shortcut menu.

Repeat the removal process for the following possible additional components:

eksplorasi.exe

bronstab.exe

Tok-Cirrhatus

Tok-Cirrhatus-1761

Tok-Cirrhatus-1860

Delete the following only when they are located in the Application Data folder, since they share the names of legitimate files located in the Windows System directory.

Documents and Settings\{User Name}\Local Settings\Application Data\winlogon.exe

Documents and Settings\{User Name}\Local Settings\Application Data\smss.exe

Documents and Settings\{User Name}\Local Settings\Application Data\services.exe

Documents and Settings\{User Name}\Local Settings\Application Data\lsass.exe

Documents and Settings\{User Name}\Local Settings\Application Data\inetinfo.exe

Documents and Settings\{User Name}\Local Settings\Application Data\csrss.exe

Documents and Settings\{User Name}\Templates\WowTumpeom f7jl

Documents and Settings\{User Name}\Start Menu\Programs\Startup\empty.pif

Note

Thanks to xpcman for this tip on the forum.
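The Issue above and Steps 5 to 9 of the solution describe one set of indicators: a Winlogon Shell value that no longer reads plain Explorer.exe, a Tok-Cirrhatus value under the HKCU Run key, copies of the worm named after system processes (winlogon.exe, smss.exe and so on) sitting in Local Settings\Application Data instead of the Windows System directory, empty.pif in the Startup folder, and a tampered hosts file. The Python script below is an added example, not part of the original tip and not a vendor tool: it runs each of those checks over constructed sample data (the sample paths, Run values and hosts lines are invented for the demonstration) and lists what a responder would want to review before editing the registry by hand. The hosts-file rule, which reports every mapping other than localhost, is my own heuristic rather than something the page states.

```python
"""Checks for the Brontok / Rontokbro (eksplorasi.exe) indicators described on this page.

Added example: all input below is constructed sample data, so the script runs offline
and never touches the live registry or file system.
"""
from typing import Dict, Iterable, List

# Process names the worm reuses for its dropped copies; legitimate only under the Windows System directory.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "smss.exe", "services.exe",
                        "lsass.exe", "inetinfo.exe", "csrss.exe"}
# Fragments of the worm's own file and registry names taken from the page.
WORM_NAME_FRAGMENTS = ("eksplorasi", "bronstab", "tok-cirrhatus")
# Names a stock hosts file maps; any other mapping is reported for review (heuristic, my assumption).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def check_winlogon_shell(shell_value: str) -> List[str]:
    """The stock Winlogon Shell value is Explorer.exe; the worm appends its own executable to it."""
    if shell_value.strip().strip('"').strip().lower() == "explorer.exe":
        return []
    return [f"Winlogon Shell is {shell_value!r}; expected 'Explorer.exe'"]


def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Run values whose name or command references a worm component (e.g. Tok-Cirrhatus)."""
    findings = []
    for name, command in run_values.items():
        if any(frag in f"{name} {command}".lower() for frag in WORM_NAME_FRAGMENTS):
            findings.append(f"Run entry {name!r} -> {command!r} references a worm component")
    return findings


def check_dropped_files(paths: Iterable[str], system_dir: str) -> List[str]:
    """Executables that borrow a system process name outside system_dir, plus the worm's own names."""
    findings = []
    sysdir = system_dir.lower().rstrip("\\") + "\\"
    for path in paths:
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if name in SYSTEM_PROCESS_NAMES and not lowered.startswith(sysdir):
            findings.append(f"{path}: system process name outside {system_dir}")
        elif name == "empty.pif" or any(frag in name for frag in WORM_NAME_FRAGMENTS):
            findings.append(f"{path}: worm component name")
    return findings


def check_hosts(hosts_text: str) -> List[str]:
    """Report every hosts entry that maps a name other than localhost (the worm edits this file)."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if not set(names) <= LOCAL_NAMES:
            findings.append(f"hosts maps {' '.join(names)} to {address}; review this entry")
    return findings


def audit(shell_value: str, run_values: Dict[str, str], paths: Iterable[str],
          system_dir: str, hosts_text: str) -> List[str]:
    """Combine all four checks into one review list."""
    return (check_winlogon_shell(shell_value) + check_run_entries(run_values)
            + check_dropped_files(paths, system_dir) + check_hosts(hosts_text))


# Constructed sample state of an infected XP-era machine (invented for this example, not captured data).
SAMPLE_SHELL = 'Explorer.exe "%Windows%\\eksplorasi.exe"'
SAMPLE_RUN = {
    "Tok-Cirrhatus": r"C:\Documents and Settings\User\Local Settings\Application Data\smss.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\system32"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winlogon.exe",                                             # legitimate
    r"C:\Documents and Settings\User\Local Settings\Application Data\winlogon.exe",  # dropped copy
    r"C:\Documents and Settings\User\Local Settings\Application Data\csrss.exe",     # dropped copy
    r"C:\Documents and Settings\User\Start Menu\Programs\Startup\empty.pif",
    r"C:\WINDOWS\eksplorasi.exe",
    r"C:\Program Files\Notepad++\notepad++.exe",                                     # unrelated
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.example-av.test
192.0.2.10 www.example-bank.test
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHELL, SAMPLE_RUN, SAMPLE_FILES, SAMPLE_SYSTEM_DIR, SAMPLE_HOSTS):
        print(finding)
```

Run it as-is to see the findings for the constructed data. On a Windows machine the same functions can be fed the real Shell value and Run entries read with the standard winreg module, plus the file listing produced by the search in Step 5, so the script serves as a checklist against the live system; it does not replace the manual steps above, and in particular it deletes nothing.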

Copyright © 2023 mobilephoneevaluation.com. All rights reserved.