Solved

Crazy with CMD. Virus? urgent heeeelp

Posted on 2002-06-23
Last Modified: 2012-05-04
Hi there.

I ran a potentially dangerous EXE file and then my pc started to do something weird:

whenever I am not connected to the net, a DOS command prompt opens and runs CMD.EXE continuously. I ran "process expert" to find viruses and I got that CMD.EXE is running REGEDIT.EXE

wow. If that's not a virus then what is it?!

I have Norton Antivirus and Dr Web and none found anything. When I tried to rename cmd.exe, it reappeared. When I renamed regedit.exe, a message came up and said that moo.reg could not be found or something like that.

There are no entries on sarc.com or antivirus.com for moo.reg.

Any ideas? Does this virus thing sound familiar?
THANKS
Question by: FacuAdmin
4 Comments

Accepted Solution

by: pjknibbs (earned 200 total points)
ID: 7102729
Haven't heard of anything like this, but you should be able to nip this behaviour in the bud by running REGEDIT and checking HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices, and the same three keys in HKEY_CURRENT_USER). Somewhere in there is likely to be the command which is attempting to install this stuff into your Registry.

Expert Comment

by: CrazyOne
ID: 7102809
What was the EXE you ran?

CMD.exe is your command prompt. Since this is a 32-bit executable it can access the registry. It sounds like whatever the EXE is that you ran has not finished doing whatever it was trying to do. It may be a virus but at this point it does not come across as if it is a virus. Have you rebooted the system since this started? If not I would suggest doing so since it could be something that is stuck in memory and just needs to be flushed.

Since CMD.exe is a system file, when you renamed it the system automatically replaced it with a backup of the file, which is usually housed in the C:\WINNT\system32\dllcache folder.

If you are unable to track down the problem, perhaps doing a System Restore may help.

HOW TO: Restore the Operating System to a Previous State in Windows XP (Q306084)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q306084


The Crazy One

Expert Comment

by: CrazyOne
ID: 7102831
It also sounds like whatever this EXE was is trying to use the file moo.reg to make a registry setting and can't locate it where it thinks the file should be. moo.reg is probably harmless since if it is residing on the disk you could open the file in Notepad to see what registry settings it is trying to make. Do a search on your hard drive to see if you can locate a file named moo.reg.

Author Comment

by: FacuAdmin
ID: 7102955
Hey there.

Looking at the RUN and RUNSERVICES again (I had checked before), I became suspicious of Explorer32.exe, a file that was listed as "Windows Explorer Update Build 1142".

So I went back to the antiviruses pages and looked for that string.

VOILA! The name of the virus is W32.Kwbot.Worm as in www.sarc.com. I just had to delete the registry entry for Explorer32.exe. Wonder if I have to delete the file too...

The STRANGE thing is that NAV did not detect it, but it has been listed on June 18th so it's probably an even newer variant of the same virus.

As for why I got CMD running every other sec, it's most likely because as soon as I ran the infected EXE I got scared and erased it before rebooting.

Thanks!
Thanx for the help
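The manual check pjknibbs describes (walking the Run, RunOnce and RunServices keys under HKLM and HKCU) and the kind of entry FacuAdmin eventually found can be scripted as a triage pass. This is an added example, not code from the thread: it lists every autostart value, resolves and signature-checks the binary each one launches, and flags matches against a constructed watchlist built from the names in this thread (Explorer32.exe, the "Windows Explorer Update" display name, and a silent regedit import).

```powershell
# Added example, not code from the thread: enumerate the autostart keys pjknibbs
# named and mark values worth a closer look, such as the Explorer32.exe entry
# FacuAdmin found. Run from an elevated PowerShell prompt.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Constructed watchlist (regex): the names from this thread plus a silent
# "regedit /s" import, the kind of command that would explain the
# cmd.exe -> regedit.exe loop the poster saw.
$watchlist = @('Explorer32\.exe', 'Windows Explorer Update', 'regedit(\.exe)?\s+/s\b')

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        # RunServices is a Windows 9x key; it is normally absent on NT/2000/XP.
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath etc. are not registry values
            $cmd = [string]$p.Value
            # First token of the command line, with or without surrounding quotes.
            $exe = if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(\S+)') { $Matches[1] } else { '' }
            # Resolve bare names (e.g. rundll32.exe) through PATH the way the shell would.
            $resolved = if ($exe) { (Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1).Source }
            $sig = if ($resolved) { [string](Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileNotFound' }
            $hit = [bool]($watchlist | Where-Object { $p.Name -match $_ -or $cmd -match $_ })
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Signature = $sig
                # Unsigned or missing binaries are not proof of malware, only review candidates.
                Review    = $hit -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries whose binary is missing (as with the erased EXE in this thread) show a Signature of FileNotFound, which is itself a useful hint that something launched at startup has already been deleted.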
