Solved

Crazy with CMD. Virus? urgent heeeelp

Posted on 2002-06-23
4
523 Views
Last Modified: 2012-05-04
Hi there.

I ran a potentially dangerous EXE file and then my pc started to do something weird:

whenever I am not connected to the net, a DOS command prompt opens and runs continously CMD.EXE. I ran "process expert" to find viruses and I got that CMD.EXE is running REGEDIT.EXE

wow. If that's not a virus then what is it?!

I have Norton Antivirus and Dr Web and none found anything. When I tried to rename cmd.exe, it reappeared. When I renamed regedit.exe, a message came up and said that moo.reg could not be found or something like that.

There are no entries on sarc.com or antivirus.com for moo.reg.

Any ideas? Does this virus thing sound familiar?
THANKS
0
Comment
Question by:FacuAdmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
pjknibbs earned 200 total points
ID: 7102729
Haven't heard of anything like this, but you should be able to nip this behaviour in the bud by running REGEDIT and checking HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices, and the same three keys in HKEY_CURRENT_USER). Somewhere in there is likely to be the command which is attempting to install this stuff into your Registry.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 7102809
What was the EXE you ran?

CMD.exe is your command prompt. Since this is a 32bit executable it can access the registry. It sounds like what ever the EXE is that you ran has not finished doing what ever it was trying to do. It may be a virus but at this point it does not come across as if it is a virus. Have you rebooted the system since this started? If not I would suggest doing so since it could be something that is stuck in memory and just needs to be flushed.

Since the CMD.exe is a system file when you renamed it the system automatically replaced it with a backup of the file which is usually housed in the C:\WINNT\system32\dllcache folder.

If you are unable to track down the problem perhaps doing a System Restore may be help.

HOW TO: Restore the Operating System to a Previous State in Windows XP (Q306084)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q306084


The Crazy One
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 7102831
It also sounds like whatever this EXE was is tyring to use the file moo.reg to make a registry setting and can't locate it where it thinks the file should be. moo.reg is probably harmles since if it is residing on the disk you could open the file in notepad to see what registry settings it is trying to make. Do a search on your harddrive to see if you can locate a file name moo.reg.
0
 

Author Comment

by:FacuAdmin
ID: 7102955
Hey there.

Looking at the RUN and RUNSERVICES again (I had checked before) I became suspicious of Explorer32.exe a file that was listed as "Windows Explorer Update Build 1142"

So I went back to the antiviruses pages and looked for that string.

VOILA! the name of the virus is W32.Kwbot.Worm as in www.sarc.com. I just had to delete the registry entry for Explorer32.exe. Wonder if I have to delete the file too...

The STRANGE thing is that NAV did not detect it, but it has been listed on June 18th so it's probably an even newer variant of the same virus.

As for why I got CMD running ever other sec it's most likely because as soon as I ran the infected EXE I got scared and erased it before rebooting.

Thanks!
Thanx for the help
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ROOT\*0700\1_0_13_0_0_0 8 159
Hyper V vm 4 143
Asus ks2003 driver XP 32 33 160
Updates for XP? 26 89
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question