
"rose.exe"; The Malicious Files Are Just Invisible


6 replies to this topic

#1 RubyDotNet


Posted 24 November 2006 - 03:25 AM

I am infected with the "rose.exe" problem at the office. I have 4 partitions on my hard disk. The OS (Win XP) was on C. I tried installing XP on D and booted from D, but the "Autorun" option was still there for all the partitions, and clicking on it still launches "rose.exe". I tried reinstalling XP on C but to no avail. I cannot format C because my CD-ROM is faulty and I can't boot from it; I run the setup from the network. Plus I want to be able to clean the thing without formatting.

I know how to remove the autorun option (through registry) and the "dll" key but on restart, the autorun comes back because I can't delete rose.exe. The rose.exe file is invisible. I searched for it with "include hidden and system files" option and I also disabled system restore.

1) Where is rose.exe and how can I see and delete it?

2) I copied the backups of the projects I was working on to another system on the network. Those were C# desktop applications I was developing with VS.net 2006. After I clean the virus, will it be safe to work on those files again?

3) Will it be safe to copy back and use some other misc data?



#2 quietman7


Posted 24 November 2006 - 09:11 AM

Upon execution, this memory-resident worm drops a copy of itself as rose.exe in the root folder. It sets its file attributes to System, Read-only, and Hidden to avoid detection....

trendmicro.com/vinfo

You can try running your anti-virus in "SAFE MODE". The malware process must be terminated. There are manual removal instructions under the "Solutions" tab in the Trend Micro link provided above. This involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable. ERUNT is an excellent FREE tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 RubyDotNet


Posted 25 November 2006 - 12:04 PM

Hehe thank you for your prompt reply quietman :thumbsup:

Actually I had the "Hide protected OS files" option checked. That's why I couldn't see any "rose.exe". It's all cool now hehe I've done it all manually :flowers:
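
The two points above (the worm's copy in the root folder carrying the System, Read-only and Hidden attributes, and Explorer's "Hide protected OS files" option keeping it out of view) can be checked from PowerShell regardless of Explorer's view settings. This is an added example, not part of any post in the thread; the function names are hypothetical, and it assumes the "Autorun" entry is defined by an autorun.inf file in each drive's root, which the thread does not state.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# Function names are hypothetical.

function Get-FileSystemRoot {
    # Roots of all mounted file-system drives, e.g. C:\, D:\
    Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }   # skips empty CD/card readers
}

function Get-HiddenSystemRootFile {
    param([string[]]$Root = (Get-FileSystemRoot))
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($r in $Root) {
        # -Force is required: without it Get-ChildItem omits hidden and system items
        Get-ChildItem -LiteralPath $r -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $mask) -eq $mask } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

function Get-AutorunTarget {
    # Assumption: the drive's "Autorun" entry is defined by autorun.inf in its root.
    param([string[]]$Root = (Get-FileSystemRoot))
    foreach ($r in $Root) {
        $inf = Join-Path $r 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { continue }
        foreach ($line in Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) {
            # Keys whose value is a command line to start
            if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(\S.*)$') {
                $key = $Matches[1]
                $command = $Matches[2].Trim()
                # First token of the command, treated as a path relative to the drive root
                $exe = ($command -split '\s+')[0].Trim('"')
                [pscustomobject]@{
                    Drive        = $r
                    Key          = $key
                    Command      = $command
                    # False means a stale entry: the file it names is already gone
                    TargetExists = Test-Path -LiteralPath (Join-Path $r $exe)
                }
            }
        }
    }
}

Get-HiddenSystemRootFile | Format-Table -AutoSize
Get-AutorunTarget | Format-Table -AutoSize
```

Legitimate files such as pagefile.sys also carry both attributes, so the first listing is a starting point for review rather than a verdict.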

#4 quietman7


Posted 25 November 2006 - 12:52 PM

Good job. Now you should SET A NEW RESTORE POINT to prevent reinfection from an old restore point. Any malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to set a new RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Edited by quietman7, 25 November 2006 - 12:54 PM.


#5 RubyDotNet


Posted 25 November 2006 - 01:19 PM

OK I sure will do this right away on my next working day.

So nice of you quietman :thumbsup:

Are you people paid or something for this?

#6 quietman7


Posted 25 November 2006 - 03:02 PM

"Are you people paid or something for this?"

No. We are a community of volunteers who assist others such as yourself.

#7 DeathRaven


Posted 25 November 2006 - 05:52 PM

Wait a sec, so you were able to get the PC to stop from trying to run rose.exe if you left click any drive? I have deleted the virus (all rose.exe files gone) BUT my PC keeps trying to run it if I left click a drive. Please tell me exactly what you did in regedit ruby!



