
[SOLVED] Windows ME corrupted files, etc.

Discussion in 'Virus & Other Malware Removal' started by punkguy103, Oct 5, 2001.

Thread Status:
Not open for further replies.
  1. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    i have windows ME on my computer, and lately it has been doing very strange things, even more than usual. for one, when i try to open documents, whether they're video files, images, or text, it converts it to a 40.5k .exe file that won't open. i can't figure out how to change it back. i've lost 2 full movies this way, several images, and one text document. also, many of my files (.html, .mp3, .jpg) no longer open in their default programs. they just sit there. i looked at the properties and they all say open with some program called "sysrnj." i changed them to the defaults, tried again, and they still don't open by double-clicking, i have to open the program and open them from there. thirdly, the icons for everything seem to change randomly. all my .jpg's appear with winamp logos, my shortcuts are notepad files, and my text files are photoshop projects, among others. these are only a couple of the problems i've been having. if anybody has any suggestions or knows where i can find updates that fix any or all of these problems, PLEASE let me know. i'm afraid i'm going to lose important information, and it's such a pain to back up a 20-gig hard drive. thanks
     
  3. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    just got back...

    The McAfee instructions look good; I would also read and compare with the Symantec instructions you can get through this link:

    http://www.helpdesk.umd.edu/alerts/virus/blebla.shtml

    In addition to following those instructions, you will probably need to run one or more registry repair tools.

    One is the exefix08 file available at the Reticulated Toys link. The second, which I believe will restore the proper file associations for your image and multimedia files, is this one from the Maryland helpdesk link:

    http://www.helpdesk.umd.edu/alerts/virus/blebla/files.shtml

    The readme.txt also contains full instructions for repair and for running the blebla.inf

    You will need to download and run the blebla.inf file.
     
  5. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    thanks for the suggestions. i looked at the links and downloaded the rx-pack, and updated norton, which found no viruses. i tried booting it in safe mode, but F8 doesn't do anything and i can't figure out any other way. i searched for the files in normal mode and didn't find anything other than sysrnj. let me know what i should do next. thanks
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    There are several ways to get to safe mode, usually tapping the f8 key or pressing the ctrl key immediately on startup will get the boot menu. But if that doesn't work, go to Start and run msconfig. Click on the Advanced tab and put a check in "enable startup menu". This will cause the boot menu to appear each startup until it is unchecked. The "helpdesk" readme.txt gives good instructions for this: http://www.helpdesk.umd.edu/alerts/virus/blebla/Readme.txt

    The same instructions should apply for WinME

    Did you try running the blebla.inf file from the Maryland helpdesk link?

    If that fails to correct the problems, it may be possible to fix things by restoring a previous registry. But this depends on how long you have had the infection. There should be 4 days backups available. The 5th or oldest often does not restore.

    In WinME to restore a registry you must boot with a startup disk, selecting minimal boot. When the a:\> prompt displays, type and enter each line:

    c:
    cd windows
    scanreg /restore

    You can use the arrow keys to select a registry. But if you select one that does not predate the problem, you risk restoring any registry corrections that were made by the patches. They would have to be run again. Be sure to remove the boot disk so as not to reboot to the a:\> prompt afterwards. If you don't do a restore, just ctrl-alt-del to reboot.

    By the way, it is very strange that Norton is not declaring sysrnj an infected file. Try pointing it directly to it. This is the Blebla worm!
     
  7. rmboxx

    rmboxx

    Joined:
    Aug 17, 2000
    Messages:
    54
  8. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    i've determined that i have to wait until monday so i can call norton and pay for an upgrade because apparently my anti-virus software hasn't updated itself since october of 2000. anybody know where i could get this update for free? the program came with the computer so i just assumed it was registered and i would get free updates. let me know. at any rate, after i get it updated i can do a real scan and see what turns up. thanks
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  10. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    all right, i scanned my hard drive with the web-based scanner and it found 5 different viruses in 11 files. (troj bo2k.c, js nimda.a, joke small, troj blebla.b, and pe magistr.b) it said they were all uncleanable. i went to the norton site and tried downloading the update, but it said my subscription had expired, so i'm going to call first thing tomorrow and get it updated. let me know if there's anything else i should do in the meantime. thanks
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You are going to have a lot of manual work to do even if you get Norton updated.

    I would follow through on the instructions I gave for blebla, you should also review these links for magistr, nimda and joke (which you can ignore).

    http://www.symantec.com/avcenter/venc/data/[email protected]

    http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    There is a fixtool available for nimda. Even after running it you will need to replace the riched20.dll


    Norton may remove the trojan (troj bo2k.c) , but you can also try a trial version of moosoft:

    http://www.moosoft.com/

    Also download the Rx-Pack from the Reticulated Toys site. After doing as much as you can to repair blebla, nimda, magistr and the trojan, run the Startuplog.com file and post the contents of the Startuplog.txt file here. Magistr in particular usually requires additional manual registry editing.

    If at any time you lose the ability to run exe files, run the exefix08 file available in the Rx-Pack.

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
     
  12. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    ok, i downloaded and installed the update for norton 2002. it scanned the drive and only found 5 infected files. 3 were blebla and one was nimda. all of them were unrepairable and were quarantined instead. however, it said it couldn't quarantine the 5th file, which is windows/system/vmgr.exe. (virus name: backdoor.trojan) it said to delete it, but i hit skip. is it safe to delete this file? i'm a little wary deleting execute files in the windows system directory. also, why did the other 6 files that i found last night not turn up in the scan today? let me know...hopefully i can get all this fixed soon. thanks
     
  13. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    i just scanned it with "the cleaner," and apparently that system file is Back Orifice. i have no idea how it made its way into my computer...anyway, should i delete it? norton is telling me to, but i'm still not so sure...
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You can delete those files. In some cases that may result in exe programs not running because the registry has been altered to look for them instead of the normal shell open command. If that happens, run the exefix08 file.

    Remember all those problems with mp3, jpg and other files may remain unless you follow the instructions for repairing the registry for the blebla infections. (I don't know if the updated Norton will make the needed repair.) The Maryland help desk link tells what to do there. The blebla.inf file must be run (right click on it and select "install").

    After you are done with all this, run the StartupLog.com file and post the StartupLog.txt file (not stubbpaths) here.
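
The altered open-command registry entries discussed in this thread can be reviewed offline from a registry export. This is an added example, not part of the original posts or of any tool they mention: it parses a REGEDIT4 text export and flags an `exefile` open command that differs from the stock `"%1" %*`, plus any class whose open command names a suspect handler. The sample export, the class name `examplehijack` and the paths are constructed; only the handler name `sysrnj` comes from the thread.

```python
import re

# Constructed REGEDIT4 export (the text format regedit writes on Windows 9x/ME).
# Class names and paths are made up; only the name "sysrnj" is from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.jpg]
@="examplehijack"

[HKEY_CLASSES_ROOT\examplehijack\shell\open\command]
@="C:\\WINDOWS\\sysrnj.exe \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\example.exe \"%1\" %*"
'''

EXE_DEFAULT = '"%1" %*'          # stock value of exefile\shell\open\command
ROOT = "hkey_classes_root\\"

def parse_defaults(text):
    """Map each key path (lower-cased) to its default (@) string value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and quotes with a backslash
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values

def audit(text, suspect_names=("sysrnj",)):
    """Return sorted (class, detail) findings for altered open commands."""
    vals = parse_defaults(text)
    findings = []
    for key, cmd in vals.items():
        m = re.fullmatch(re.escape(ROOT) + r"([^\\]+)\\shell\\open\\command", key)
        cls = m.group(1) if m else None
        if cls == "exefile" and cmd != EXE_DEFAULT:
            findings.append((cls, cmd))              # detail: the altered command
        elif cls and any(s in cmd.lower() for s in suspect_names):
            exts = sorted(k[len(ROOT):] for k, v in vals.items()
                          if k.startswith(ROOT + ".") and v.lower() == cls)
            findings.append((cls, ",".join(exts)))   # detail: extensions mapped to it
    return sorted(findings)
```

Each finding names the class to repair and, for a suspect handler, the extensions whose default association still points at it.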
     
  15. punkguy103

    punkguy103 Thread Starter

    Joined:
    Sep 24, 2000
    Messages:
    28
    i started the comp in safe mode and searched for the blebla files, but none of them turned up. (again) so, i ran all 3 of the .ini files and scanned with norton, and nothing turned up. i made a copy of my startup.log and posted it. am i done? let me know if there's anything else i should do. thanks
     

    Attached Files:

  16. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any viral related entries there. Are all your programs and files opening normally now?

    You might want to review this thread and remove MDM (Machine Debug Manager) as I instructed Vicki -- it is an unneeded resource hog. Also if you run Lavasoft's Ad-aware it will detect Webhancer, a nasty piece of spyware. If you choose to remove it, be sure you understand the method of restoring a backup which Ad-aware creates. I would not try uninstalling it through Add\Remove as I have seen more problems result from that than using Ad-Aware. A bad uninstall can leave you without internet connectivity.

    http://forums.techguy.org/showthread.php?s=&threadid=55239
     

Short URL to this thread: https://techguy.org/54934
