FacuAdmin

Crazy with CMD. Virus? urgent heeeelp

Hi there.

I ran a potentially dangerous EXE file and then my pc started to do something weird:

Whenever I am not connected to the net, a DOS command prompt opens and runs CMD.EXE continuously. I ran "process expert" to find viruses and I got that CMD.EXE is running REGEDIT.EXE

wow. If that's not a virus then what is it?!

I have Norton Antivirus and Dr Web and none found anything. When I tried to rename cmd.exe, it reappeared. When I renamed regedit.exe, a message came up and said that moo.reg could not be found or something like that.

There are no entries on sarc.com or antivirus.com for moo.reg.

Any ideas? Does this virus thing sound familiar?
THANKS
ASKER CERTIFIED SOLUTION
pjknibbs

This solution is only available to members.

What was the EXE you ran?

CMD.exe is your command prompt. Since this is a 32-bit executable it can access the registry. It sounds like whatever the EXE is that you ran has not finished doing whatever it was trying to do. It may be a virus, but at this point it does not come across as if it is a virus. Have you rebooted the system since this started? If not, I would suggest doing so, since it could be something that is stuck in memory and just needs to be flushed.

Since CMD.exe is a system file, when you renamed it the system automatically replaced it with a backup of the file, which is usually housed in the C:\WINNT\system32\dllcache folder.

If you are unable to track down the problem, perhaps doing a System Restore may help.

HOW TO: Restore the Operating System to a Previous State in Windows XP (Q306084)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q306084


The Crazy One
It also sounds like whatever this EXE was is trying to use the file moo.reg to make a registry setting and can't locate it where it thinks the file should be. moo.reg is probably harmless, since if it is residing on the disk you could open the file in Notepad to see what registry settings it is trying to make. Do a search on your hard drive to see if you can locate a file named moo.reg.
FacuAdmin

ASKER

Hey there.

Looking at the RUN and RUNSERVICES again (I had checked before) I became suspicious of Explorer32.exe, a file that was listed as "Windows Explorer Update Build 1142".

So I went back to the antivirus pages and looked for that string.

VOILA! the name of the virus is W32.Kwbot.Worm as in www.sarc.com. I just had to delete the registry entry for Explorer32.exe. Wonder if I have to delete the file too...

The STRANGE thing is that NAV did not detect it, but it has been listed on June 18th so it's probably an even newer variant of the same virus.

As for why I got CMD running every other sec, it's most likely because as soon as I ran the infected EXE I got scared and erased it before rebooting.

Thanks!
Thanx for the help
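
Added example, not part of the original thread or any poster's code: a small Python parser that lists every change a .reg file would make and picks out the ones under the startup keys (the Run and RunServices keys mentioned above, plus their Once variants), so a file such as moo.reg can be reviewed before anything imports it. The sample text is constructed; only the "Windows Explorer Update Build 1142" label and the Explorer32.exe name come from the thread, the function names are this example's own, and the file is assumed to be already decoded to text.

```python
import re

# Startup keys: Run and RunServices as named in the thread,
# plus their "Once" variants.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?(Once)?$", re.I)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample in REGEDIT4 export format; not the contents of any real file.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Explorer Update Build 1142"="Explorer32.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /min"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer Update Build 1142"="Explorer32.exe"
[HKEY_CURRENT_USER\Software\Example]
"Theme"="blue"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Old]
'''

def unescape(s):
    # Undo .reg string escaping: a backslash makes the next character literal.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (action, key, value_name, data) for each change a .reg file makes."""
    key = None
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex data continued with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):    # [-KEY] deletes a key
            key = None
            yield ("delete-key", line[2:-1], None, None)
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            name = "(Default)" if m.group(2) else unescape(m.group(1))
            data = m.group(3)
            if data == "-":                                 # "name"=- deletes a value
                yield ("delete-value", key, name, None)
            elif len(data) > 1 and data[0] == data[-1] == '"':
                yield ("set", key, name, unescape(data[1:-1]))
            else:                                           # dword:, hex:, ... kept as written
                yield ("set", key, name, data)

def autorun_changes(text):
    """Return only the changes that touch a startup (autorun) key."""
    return [c for c in parse_reg(text) if AUTORUN_KEY.search(c[1])]
```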