
Please Help Me With After Effect Of A Worm! :'(


16 replies to this topic

#1 DeathRaven

DeathRaven

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:59 AM

Posted 21 November 2006 - 10:53 AM

OK I have been looking all over the net for ways to remove a virus I got known as Worm Setrox A. It causes a file "rose.exe" to run every time you left-click on any drive in Explorer. OK, now I know what I am doing and have been able to remove the rose.exe files from my PC with manual and automatic programs (from Microtrend). And it worked! The virus is gone from all drives.

NOW the problem is that my PC still thinks it needs rose.exe to run for me to explore my drives. I think it has to do with my reg settings but that's a little out of my area.

PLEASE HELP, it's driving me insane. I can only open my drives by right-clicking and clicking Open.
This must be simple for someone out there ^-^

(Don't know if this helps, but if searching with regedit the only rose.exe file I find is C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

If I delete it, it just comes back. I have tried all the steps in here http://www.trendmicro.com/vinfo/virusencyc...EA&VSect=Sn to manually remove it, but with searching I cannot find any of the mentioned files I need to delete, like autorun.inf, NTDETECT.COM, run.reg, systemdate.ini, systemfile.com; none are found at all.)


Thank you to anyone who took the time to read this and try to help me.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:59 AM

Posted 21 November 2006 - 03:32 PM

Hello DeathRaven, welcome to BC.
Try this first ... Run this MSFT application; it has a registry scan in it:
Windows Live OneCare

Be sure to click ONLY on the box at mid page that says "FULL SERVICE SCAN".
It's below the image of a wrench.
This may take some time to run, especially if it wants to run Defrag, but let it run.
Post back with your results.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 DeathRaven


Posted 22 November 2006 - 09:09 AM

OK first THANK YOU SO MUCH for helping me!
I have done the full scan and it found and deleted even more trojan files, but even after that, clicking on my C: drive still says cannot find rose.exe. This must be a registry problem, right? The PC thinks it needs rose.exe to run! Please suggest a few more things, I just don't wanna give up and format!

#4 boopme


Posted 22 November 2006 - 10:28 AM

Hi again and you are welcome. Now please run Free scan HouseCall
Let us know

#5 Isaac Yaw

Isaac Yaw

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 22 November 2006 - 01:00 PM

Hey, I hope you can help me. My name is Isaac and I have a problem with my computer :thumbsup: Every time I start the computer, at first a problem window comes up, C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe, and other things that it can't find. I don't really know; I think it's a virus or so, but how do I remove it? I tried to remove it with the antivirus but I can't. Can you help me with how to remove it? I installed a second antivirus program and it still can't do it. I hope you can help me.

And I have another problem with my MSN Messenger: it always sends something to other people, a link, I don't know what it is, and after it sends it to all the online users and offline users it closes all my windows, and it doesn't do it one time, it does it lots of times. Some people said it is a worm but I don't know. I hope you can help me...

Thanks

bye bye
Brownie

Edited by Isaac Yaw, 22 November 2006 - 01:06 PM.


#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 AM

Posted 22 November 2006 - 01:31 PM

Delete any autorun.inf files you have in the root of your hard drives. For example open the C: drive and if you see an autorun.inf, delete it. Do that for your other partitions.

Do you still get the error now?

#7 Isaac Yaw


Posted 23 November 2006 - 12:27 PM

Hey, but I can't find any autorun.inf. What can I do???

#8 DeathRaven


Posted 23 November 2006 - 01:07 PM

Hey, but I can't find any autorun.inf. What can I do???


I can't find this or any other file stated in Microtrend's manual fix.

OK I have done the HouseCall. And from Microtrend tried all the manual steps. BUT the things I need to manually delete are NOT found.

I have looked allll over the net. It seems not a single person has been able to find a cure for the virus after effect. Tho the virus itself is easy to remove.

TY again all and boopme ^-^

What we need is someone who knows WHY windows runs a command to run rose.exe when the real command should be "open" explorer.exe or something like that.


#9 Grinler


Posted 23 November 2006 - 01:13 PM

Download RegSrch.zip from here:

http://billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip it and then double-click on the regsrch.vbs file. When it runs it will prompt you for a string to search for. Enter rose.exe into that field and press enter.

It will run for a while silently and then create a report. Please paste the contents of that report into a reply to this topic.

*Note: If you have Norton script blocking installed, disable it or allow the script to run or this tool won't work!

#10 DeathRaven


Posted 25 November 2006 - 05:47 PM

Download RegSrch.zip from here:

http://billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip it and then double-click on the regsrch.vbs file. When it runs it will prompt you for a string to search for. Enter rose.exe into that field and press enter.

It will run for a while silently and then create a report. Please paste the contents of that report into a reply to this topic.

*Note: If you have Norton script blocking installed, disable it or allow the script to run or this tool won't work!


Strange "no instance of rose.exe found" Damn was hoping this would find it!
I cannot believe no one so far online has found a fix for this yet. Thank you for trying Grinler! Any other ideas?

#11 Grinler


Posted 26 November 2006 - 09:08 AM

* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode; other rootkit revealers don't.

#12 DeathRaven


Posted 26 November 2006 - 07:24 PM

* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode; other rootkit revealers don't.



It's too long to paste; my Firefox crashes. Here is the zipped file http://deathraven.net/downloads/Results.zip
Unzipped it's about 5MB. plzplzplz have a look, though I don't know how this can help.


#13 Grinler


Posted 27 November 2006 - 04:08 PM

Where are you finding this in the registry?

C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe
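
Added example, not part of the thread or written by any of its participants: a read-only PowerShell check of the two places the posts above point at, an autorun.inf in each drive root (post #6) and a registry command value that mentions rose.exe (post #13). The MountPoints2 key is an assumption: it is where Explorer caches per-drive autorun verbs, but the thread never states where the value was found.

```powershell
# Added example: read-only triage, nothing is deleted or modified.
$needle = 'rose.exe'   # file name from the thread's error message

# 1. autorun.inf in the root of every file-system drive (post #6).
#    -Force makes hidden/system files visible; Explorer and a default
#    file search skip them.
$infHits = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $path = Join-Path $drive.Root 'autorun.inf'
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item -and -not $item.PSIsContainer) {
        # Lines that define what runs on double-click or AutoPlay.
        $cmds = Get-Content -LiteralPath $item.FullName -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        [pscustomobject]@{
            File       = $item.FullName
            Attributes = $item.Attributes
            Commands   = $cmds -join '; '
        }
    }
}

# 2. Cached per-drive shell verbs (assumed location, see lead-in).
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$regHits = Get-ChildItem -Path $mountPoints -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } |
    ForEach-Object {
        $cmd = $_.GetValue('')          # default value of the key
        if ($cmd -like "*$needle*") {
            [pscustomobject]@{ Key = $_.Name; Command = $cmd }
        }
    }

'autorun.inf files found:'; $infHits | Format-List
"Registry commands referencing ${needle}:"; $regHits | Format-List
```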

#14 DeathRaven


Posted 28 November 2006 - 02:20 PM

Hello everyone.
I would like to say a huge thank you to everyone who helped me. After days of trying I deleted the virus and played around with regedit and am now free of it!

Again you guys are great!

#15 Grinler


Posted 28 November 2006 - 05:33 PM

Can you let us know how you did it?



