Solved

Crazy with CMD. Virus? urgent heeeelp

Posted on 2002-06-23
495 Views
Last Modified: 2012-05-04
Hi there.

I ran a potentially dangerous EXE file and then my pc started to do something weird:

whenever I am not connected to the net, a DOS command prompt opens and runs CMD.EXE continuously. I ran "process expert" to find viruses and I got that CMD.EXE is running REGEDIT.EXE

wow. If that's not a virus then what is it?!

I have Norton Antivirus and Dr Web and none found anything. When I tried to rename cmd.exe, it reappeared. When I renamed regedit.exe, a message came up and said that moo.reg could not be found or something like that.

There are no entries on sarc.com or antivirus.com for moo.reg.

Any ideas? Does this virus thing sound familiar?
THANKS
Question by:FacuAdmin
4 Comments
 
LVL 12

Accepted Solution

by:
pjknibbs earned 200 total points
ID: 7102729
Haven't heard of anything like this, but you should be able to nip this behaviour in the bud by running REGEDIT and checking HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices, and the same three keys in HKEY_CURRENT_USER). Somewhere in there is likely to be the command which is attempting to install this stuff into your Registry.
 
LVL 44

Expert Comment

by:CrazyOne
ID: 7102809
What was the EXE you ran?

CMD.exe is your command prompt. Since this is a 32-bit executable it can access the registry. It sounds like whatever the EXE is that you ran has not finished doing whatever it was trying to do. It may be a virus, but at this point it does not come across as if it is a virus. Have you rebooted the system since this started? If not, I would suggest doing so, since it could be something that is stuck in memory and just needs to be flushed.

Since CMD.exe is a system file, when you renamed it the system automatically replaced it with a backup of the file, which is usually housed in the C:\WINNT\system32\dllcache folder.

If you are unable to track down the problem, perhaps doing a System Restore may help.

HOW TO: Restore the Operating System to a Previous State in Windows XP (Q306084)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q306084


The Crazy One
 
LVL 44

Expert Comment

by:CrazyOne
ID: 7102831
It also sounds like whatever this EXE was is trying to use the file moo.reg to make a registry setting and can't locate it where it thinks the file should be. moo.reg is probably harmless, since if it is residing on the disk you could open the file in Notepad to see what registry settings it is trying to make. Do a search on your hard drive to see if you can locate a file named moo.reg.
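The two checks suggested above, inspecting the Run/RunOnce/RunServices keys in HKLM and HKCU and opening a .reg file to see what it would write, combined into one added example. This is illustration code for this thread, not something any of the posters wrote: it parses the text format that regedit exports and imports (the format a file such as moo.reg would be in) and lists every value that lands under one of those autostart keys. The .reg content in SAMPLE_REG is constructed for the demo, modelled on the "Windows Explorer Update Build 1142" entry the author found; the C:\WINDOWS\Explorer32.exe path and the Hypothetical\Settings key are assumptions.

```python
"""Flag autostart entries in a Windows .reg export (added example, not from the thread)."""
import re

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"}
# The keys named in the accepted answer, compared case-insensitively.
AUTOSTART_PATHS = {
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
}

# Constructed sample modelled on the Run entry found in the thread; the path to
# Explorer32.exe and the Hypothetical\Settings key are assumptions, not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, not a real export
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Explorer Update Build 1142"="C:\\WINDOWS\\Explorer32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\Explorer32.exe"

[HKEY_CURRENT_USER\Software\Hypothetical\Settings]
"Color"=dword:00000001
"Note"="quote \" and backslash \\ inside"
'''

# "name"=data or @=data; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text):
    """Join hex: continuation lines (marked by a trailing backslash) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg text export.

    Quoted string data is unescaped; dword:/hex: data is kept as its raw
    right-hand side; a data of '-' marks a value deletion. The default value
    (@=...) is stored under the empty name. [-KEY] lines delete a key and
    contribute nothing to the listing.
    """
    entries = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or \
                line.upper().startswith(("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                current = None
                continue
            current = key
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        entries[current][name] = data
    return entries


def autostart_entries(entries):
    """Return [(key, value_name, data)] for every value under a Run* key of HKLM/HKCU."""
    hits = []
    for key, values in entries.items():
        hive, _, path = key.partition("\\")
        if hive.upper() in HIVES and path.upper() in AUTOSTART_PATHS:
            hits.extend((key, name, data) for name, data in values.items())
    return hits


if __name__ == "__main__":
    for key, name, data in autostart_entries(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name or '(Default)'} -> {data}")
```

Run it against a real export (`regedit /e dump.reg` on the box, then `parse_reg(open("dump.reg", encoding="utf-16").read())`, since Windows 2000/XP regedit writes UTF-16) to get the same listing for the live autostart keys; anything there pointing at an executable you do not recognise is the entry to remove before deleting the file it launches.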
 

Author Comment

by:FacuAdmin
ID: 7102955
Hey there.

Looking at the RUN and RUNSERVICES keys again (I had checked before) I became suspicious of Explorer32.exe, a file that was listed as "Windows Explorer Update Build 1142".

So I went back to the antiviruses pages and looked for that string.

VOILA! the name of the virus is W32.Kwbot.Worm as in www.sarc.com. I just had to delete the registry entry for Explorer32.exe. Wonder if I have to delete the file too...

The STRANGE thing is that NAV did not detect it, but it has been listed on June 18th so it's probably an even newer variant of the same virus.

As for why I got CMD running every other sec, it's most likely because as soon as I ran the infected EXE I got scared and erased it before rebooting.

Thanks!
Thanks for the help
