Virus Help - Cant get rid of it...

jabaroon

Hey All,

I have somehow managed to get infected with the Ronoper virus and I simply CANT manage to get rid of it. Here's what I have done so far:

- Full scan using latest Norton. It detects all of the infections, but is unable to clean some of them as they are system files such as wow32.dll, msgina.dll and navlogon.dll.

- Reboot to SAFE mode and done the same as the above. However, in this case, it is still unable to remove the above files.

- While in SAFE mode, cleaned everything that I possibly could (leaving only those few system files behind. Performed a REPAIR installation of XP and thought that it would solve the problem. No dice, as soon as the installation completed, the PC rebooted and a virus scan showed almost 60 new infections (including the system files mentioned above).

- Rebooted to SAFE mode and did a full clean again. This left the usual suspects behind. So next, I did a fresh install into a different directory on C:. I was absolutely gob-smacked when the PC booted and the fresh install of XP had over 60 infections (in the system32 directory alone).

I am ABSOLUTELY stumped by this one. I have no idea how it is re-infecting the system and am at my wits end.

Can anyone suggest anything?

Ta,
Jab

PS - I cant simply yank the drives from the box and slave them on another PC and do a scan that way. Reason is because my C: is a SATA Raid 1 array.

Ciaran500

Try disabling system restore as alot of viruses hide in there. Virus scanners can't get in there.

Saruman

not familiar with the virus but try stinger in safe mode. its possible virus preventing norton from working.

NotMe

I assume you can't delete those files because they are being used by windows. You should download HijackThis to delete those files.
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
You just select the files you want to delete and then reboot and it will delete them when windows is starting up.

Nukem

First bit of advice google the Virus in question, bound to turn up a solution.

Soultion 2 is check this thread some great gear and rip that b*tch off you comp.

Saruman

take note of all files you cant remove then do it from dos.
either from a bootdisk with ntfs support like hirens, or from
the console by booting off os cd

jabaroon

Will try the suggestions above. However, I think that what is happening is that when the scan finishes with Dir_X and quarantines File_A, it moves on to Dir_Y. But while it is scanning in Dir_Y, the processes that are already running (even in safe mode) are re-infecting files in Dir_X.

It is really frustrating....

Will try suggestions above and get back to you. I am really tearing my hair out at this stage!!

Jab

osmethod

Symantecs reccomendation of how to remove your virus...

http://securityresponse.symantec.com/avcenter/venc/data/w32.ronoper.worm.html

osmethod

jabaroon

Been there, done that....
None of the registry keys exist on my system....
Yet the re-infection continues...

Very frustrating!!

osmethod

Disable the "Sytem Restore" on all drives and then follow the procedure as close as possible... (if a reg key is missing just continue with the procedure).

Since you've re-installed once allready and seemingly re-infected yourself perhaps re-install again but use a "zero filling" tool first to ensure there is no data on the drive!

http://mirror.href.com/thestarman/asm/mbr/WIPE.html#HOW

osmethod

jabaroon

Wow...this just gets better and better.....

Decided to try AVG to see if it could do any better than NAV. Guess what?....as soon as I install it, Ronoper infects one of its DLL's so that it cant run a scan!

With a bit of trickery and re-installing etc...I managed to get AVG to run, but it doesn't even detect the worm?!

More worryingly, it doesn't even detect that it -- itself -- has been infected!

Am hopefull that the solution to the problem lies with disabling system restore. Back later with the results!!

Cheers,
JAb

jabaroon

Still no luck....

Does anyone know of any specialist forums that do virus advise?...Something similar to boards, but where the content is virus and worm related?...

Im guessing that someone somewhere must have come accross this type of situation before??!!!....and that there has to be a way to remove the worm without doing a full low-level format of the disk and starting fresh!

Google isn't turning up anything of use (and where it has, I have tried everything suggested)

Any help appreciated,
Tx,
Jab

greglo23

try here http://wilders.org/

Nukem

Did you try http://www.2-spyware.com/remove-w32-ronoper-b.html
Sorry if ya have