W32/Ronoper-G worm

03-08-2004, 09:53 AM
Unfortunately I need help for yet another worm/virus infecting my computer. This time I am trying to find out how to fix the W32/Ronoper-G worm. Somehow this worm attaches itself to .exe files and changes the icons on them to a jpeg image icon and won't allow the programs to be executed. It also has something to do with systools.exe -- there doesn't seem to be much info on the net about this worm, so I was hoping someone could help me out. Thanks a lot.

By the way, here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:53:31 AM, on 3/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Documents and Settings\Trey\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://customer.symantec.com/NASApp/web/PlsqlServlet/su_substatus.picklang?p_contact_id=476732557&p_checksum=5018CAB4&p_vendor_id=&p_vendor_tag=
R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Trey\Application Data\Mozilla\Profiles\default\hlri04o4.slt\prefs.js)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [System Toolkit] C:\Trey\1\programs\DoomCln-KB836528-v3-ENU.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Bigfix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

03-08-2004, 11:12 AM
You have a couple of trojans and a couple of other malware. The way to start is to run one or two of the free web-based AV scanners. Cure any malware found.

security.symantec.com/ (security.symantec.com)
housecall.trendmicro.com/ (housecall.trendmicro.com)
www.ravantivirus.com/scan/ (www.ravantivirus.com/scan)

After the scans, download, install and run Spybot Search & Destroy (http://security.kolla.de/). Check for updates. Close all Internet Explorer windows, hit 'Check for Problems', and let it fix everything it finds that's pre-checked in red.


Download and run AdAware (http://www.lavasoftusa.com/AdAware). Again, be sure to update it before running. Then quarantine and cure the malware.

Reboot and post a fresh HijackThis log. Note to run the HJT from a permanent folder, not from the temp directory.
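
Added example, not part of either poster's reply: a small triage script for the kind of HijackThis log posted above. It flags three things visible in that log: a Shell= line that starts anything besides Explorer.exe (whatever follows is launched at every logon), entries whose file is gone, and HijackThis itself running from a Temp folder. The function name `triage` and the labels SHELL, ORPHAN and HJT-TEMP are this example's own; the sample lines are an excerpt copied from the log in the first post.

```python
import re

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Trey\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# HijackThis entries look like "<letter><number> - <details>".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def triage(log_text):
    """Return (label, detail) pairs for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        match = ENTRY.match(line)
        if match is None:
            # Not a coded entry: header or running-process path.
            low = line.lower()
            if "\\temp\\" in low and low.endswith("hijackthis.exe"):
                findings.append(("HJT-TEMP", line))
            continue
        code, body = match.groups()
        pos = body.lower().find("shell=")
        if code in ("F0", "F2") and pos != -1:
            parts = body[pos + len("shell="):].split(None, 1)
            if not parts:
                continue
            if parts[0].lower() != "explorer.exe":
                findings.append(("SHELL", " ".join(parts)))
            elif len(parts) > 1:
                # Extra program appended after the normal shell.
                findings.append(("SHELL", parts[1]))
        elif body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(("ORPHAN", body))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:8} {detail}")
```

A finding here only means the entry should be checked by hand; the script does not identify which malware, if any, is responsible.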

03-08-2004, 09:55 PM
It is an IRC related worm:
sophos (http://www.sophos.com/virusinfo/analyses/w32ronoperg.html)