SoftwareTipsandTricks Forum

Challenging XP Problem:

  #1  
Old 09-26-2005, 08:18 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Challenging XP Problem:

Recently I was infected with a Trojan that labeled itself MC-58-12-0000140.exe. It brought with it the regular lot of other malicious scripts: rooted deep in C:\WINDOWS\System32....

I use the program Autorun (Autorunsc), which detects all scripts designed to auto-start after you boot up. I rebooted in safe mode and ran the program, finding all the scripts that I had booting up (the most major of which was in my Registry (the MC....exe file)). I deleted them all and removed all traces of them and I have had no direct problems involving them since. However, my problem lies with DOS and DOS commands.

During the time in which I had been infected with the MC.exe (also known as "a.exe"), it disabled my use of Task Manager, and my ability to type "ping...", "cmd", "regedit" etc. in the Start/Run window. After deleting the files, I can now fully use my Task Manager, and I can use my other DOS commands (ping, cmd, etc.)--but only to a certain extent. I must type in "cmd.exe", "ping.exe .." etc. for them to actually work. When I do type in simply "cmd" in the Run window, I get an error message reading as follows:

"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\cmd.com
config.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application."

As some of you already may be thinking, "of course, it's the symptoms of the W32 bug", I've already thought the same thing. I've checked my registry for the p2pnetworking.exe file, and I've also checked for the CMD.com, Ping.com, Netstat.com etc. etc. files within the System32 folder--none of them are there.

So basically I still have the symptoms of the W32 bug, without actually having the files that should be underlying the bug itself....

Any suggestions on what may be wrong or how I can fix this?

P.S: I'm running on Windows XP Professional 2002

Thanks.

Last edited by MikeJD87 : 09-26-2005 at 08:29 PM.
Reply With Quote

  #2  
Old 09-27-2005, 08:11 AM
Cache Offline
ST&T Secret Police
 
Join Date: Jun 2004
Location: UK
Posts: 616
Did you make sure you could view hidden and system files when looking for these .com files?

If not:
Open explorer-->Tools-->Folder Options-->View-->place a check in the box "Show hidden files and folders" and UNcheck the box for "Hide protected operating system files". Then try looking for the files again.
Reply With Quote

  #3  
Old 09-27-2005, 02:00 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Quote:
Originally Posted by cache
Did you make sure you could view hidden and system files when looking for these .com files?

If not:
Open explorer-->Tools-->Folder Options-->View-->place a check in the box "Show hidden files and folders" and UNcheck the box for "Hide protected operating system files". Then try looking for the files again.


Yes, I am able to view all hidden files. The thing is: I actually did find a CMD.com file in System32: and I deleted it: however, that was the only one, and even upon deleting it, it did not solve my problem.
Reply With Quote
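The symptom in posts #1 and #3 (a bare "cmd" launching cmd.com while "cmd.exe" still works) matches how Windows tries extensions in order. The following is an added example, not part of the original thread: it models that lookup inside one directory and lists files that shadow a same-named sibling, assuming the default PATHEXT order; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Assumed default PATHEXT order: extensions are tried left to right,
# so NAME.COM is found before NAME.EXE when only "NAME" is typed.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"


def find_shadowed(directory, pathext=DEFAULT_PATHEXT):
    """Return (winner, shadowed) filename pairs where an earlier-PATHEXT
    file in `directory` would run instead of a same-named sibling."""
    order = {ext.lower(): i for i, ext in enumerate(pathext.split(";")) if ext}
    by_stem = {}
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext.lower() in order and os.path.isfile(os.path.join(directory, name)):
            by_stem.setdefault(stem.lower(), []).append(name)
    findings = []
    for names in by_stem.values():
        names.sort(key=lambda n: order[os.path.splitext(n)[1].lower()])
        # names[0] is what a bare command name resolves to in this directory
        findings.extend((names[0], other) for other in names[1:])
    return sorted(findings, key=lambda pair: pair[0].lower())


def resolve(command, directory, pathext=DEFAULT_PATHEXT):
    """Mimic bare-name lookup inside one directory: first PATHEXT match wins."""
    present = {n.lower(): n for n in os.listdir(directory)}
    for ext in pathext.split(";"):
        hit = present.get((command + ext).lower())
        if hit:
            return hit
    return None


def demo():
    """Constructed sample: a stand-in for System32 with a planted cmd.com."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cmd.exe", "cmd.com", "ping.exe", "notepad.exe", "readme.txt"):
            open(os.path.join(d, name), "w").close()
        return resolve("cmd", d), resolve("ping", d), find_shadowed(d)


if __name__ == "__main__":
    print(demo())
```

A pair reported by `find_shadowed` is a lead to verify (file dates, size, signature), not proof of infection on its own.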

  #4  
Old 09-27-2005, 10:41 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Update:

I found out by searching around that somehow my Command.com file was missing....very odd considering without it I shouldn't have been able to even reboot my computer successfully. Anyways, I've downloaded a fix and have replaced the Command.com file to C:\WINDOWS\system32. However, I am still stuck with a similar problem. Whenever I try and run simply "cmd" or "ping", the DOS window opens for about one second and then automatically closes (without any error message attached).

What can I do to fix this?
Reply With Quote

  #5  
Old 09-27-2005, 11:43 PM
blinky54 Offline
Registered User
 
Join Date: Jun 2005
Location: New York NY
Posts: 120
Just go to Start>All Programs>Accessories and click on Command Prompt.
__________________
DFI LP875B Rev.B1|P4 2.8GHz 800fsb w TT Spark "7" hsf Enermax 535w p/s with 3 80mm fans||1GBCrucial Ballistix 512x2 DDR400|Seagate 80GB, 120GB 7200RPM, Ultra-ATA/100|Plextor 760-A DVDR/RW |Lite-On CD-RW(52x32x52)|ATI Radeon 9550|Sound Blaster Audigy2|Windows XP Pro SP2
Reply With Quote

  #6  
Old 09-28-2005, 01:11 AM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Yes, I know how to still access all of the .exe files by simply typing in .exe at the end. What I'm wondering is simply why? I used to be able to simply type in "cmd", or "ping microsoft.com -t", but now I am forced to type in "cmd.exe" or "ping.exe microsoft.com -t".

I understand it is a small and petty thing, but it is annoying the crap out of me, and I would like to try and get it fixed.
Reply With Quote

  #7  
Old 09-28-2005, 07:48 AM
Cache Offline
ST&T Secret Police
 
Join Date: Jun 2004
Location: UK
Posts: 616
Try running this tool:
http://securityresponse.symantec.com...stry.keys.html

and have a read through the links below:
http://securityresponse.symantec.com...2.alcra.a.html

http://support.microsoft.com/default...b;en-us;324767
Reply With Quote

  #8  
Old 09-28-2005, 01:09 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9


Thanks for the response cache: however, if I use that tool, won't that reset my entire Registry (basically removing all the stuff I have installed on my comp now etc.)?

Also: another extension of the problem is if I insert a new CD (for example a video game), it will bring up the auto-play of the game, however, it is unable to install the game: I have to manually install it all.
Reply With Quote

  #9  
Old 09-28-2005, 03:34 PM
Cache Offline
ST&T Secret Police
 
Join Date: Jun 2004
Location: UK
Posts: 616
Bit of a pickle this one ehh. If you don't feel happy about running the Norton tool then don't, it may not help you anyway.

Really you need to be sure you don't have any nasties left on your machine.
Try both these online virus scans:
http://housecall.trendmicro.com/
and
http://www.pandasoftware.com/products/activescan.htm

Let us know how it goes.
Reply With Quote

  #10  
Old 09-28-2005, 08:23 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Thanks for the links to the other scanners.

I never thought to use any other scanner besides my fully updated version of Norton Anti-virus 2005. Unfortunately, both the panda and the Micro-trend scanners found tons of stuff: 600 viruses, hundreds of spyware cookies and about 2 dozen trojans.

They couldn't delete any of them.

I was able to manually delete all the viruses (contained by luck? in one folder).

The trojans and cookies--had no path listed, therefore I could not manually delete them..however they were all variants of the AGOBOT. (something) with tons of randomly generated extensions (AD, RQ etc.) And also there was a bot named MUGLY.I.

I cannot seem to find them to delete them...Any help there on what I should do? My system for some reason randomly started acting up again WHILE I was running those scans and that's when everything started getting detected--even Norton began detecting the old MC-58 bug again and it detected that I had W32.ALCRA.D--both of which I re-deleted...

It seems I've been more infected than I first thought...


What should I do to clear up the worms and cookies etc.?
Reply With Quote

  #11  
Old 09-28-2005, 08:36 PM
SoulCheese Offline
Registered User
 
Join Date: Sep 2005
Posts: 6
Quote:
Originally Posted by cache
Really you need to be sure you don't have any nasties left on your machine.
Try both these online virus scans:
http://housecall.trendmicro.com/
and
http://www.pandasoftware.com/products/activescan.htm

Let us know how it goes.

Jeez, both of those Online Scanners ONLY support IE. Damn you Microsoft! ./raises fist

And for your problem, considering the amount of viruses and junk that could be scattered everywhere in the registry and folders etc., I'd probably suggest you quickly move any valuable information that you can't afford to lose and reformat. =\ Save you lots of time, plus if you haven't in a while it's always good to.
Reply With Quote

  #12  
Old 09-28-2005, 08:57 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Quote:
Originally Posted by SoulCheese
Jeez, both of those Online Scanners ONLY support IE. Damn you Microsoft! ./raises fist

And for your problem, considering the amount of viruses and junk that could be scattered everywhere in the registry and folders etc., I'd probably suggest you quickly move any valuable information that you can't afford to lose and reformat. =\ Save you lots of time, plus if you haven't in a while it's always good to.


Basically just move all my important documents off etc, and then...to reformat as you're saying, what should I do?

Format C:\ ?
Reply With Quote

  #13  
Old 09-28-2005, 09:07 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Also: I wasn't sure, but I took a screenshot of my Task Manager processes: some of the system processes look suspicious.



The only ones that are missing from that picture are the following:


SCardSvr.exe LOCAL SERVICE 00 3,020 K
spoolsv.exe SYSTEM 00 5,740 K
System SYSTEM 00 244 K
System Idle Process SYSTEM 97 28 K

I'm slightly curious about the multiple SVCHOST.EXE files and also the LSASS.EXE, CSRSS.EXE etc files. I know they are all legitimate files, however, many trojans I know duplicate and make files named the same thing...wasn't sure how to tell the difference.
Reply With Quote

  #14  
Old 09-28-2005, 10:34 PM
MikeJD87 Offline
Registered User
 
Join Date: Sep 2005
Posts: 9
Quote:
Originally Posted by MikeJD87
Also: I wasn't sure, but I took a screenshot of my Task Manager processes: some of the system processes look suspicious.



The only ones that are missing from that picture are the following:


SCardSvr.exe LOCAL SERVICE 00 3,020 K
spoolsv.exe SYSTEM 00 5,740 K
System SYSTEM 00 244 K
System Idle Process SYSTEM 97 28 K

I'm slightly curious about the multiple SVCHOST.EXE files and also the LSASS.EXE, CSRSS.EXE etc files. I know they are all legitimate files, however, many trojans I know duplicate and make files named the same thing...wasn't sure how to tell the difference.


Well, I'm very glad to report that after doing a little research, and downloading a few cleaners, I was able to isolate the W32 and remove it fully. "cmd" etc. and everything else works fine now. Boy am I happy.

Thanks to everyone here for the support and looking into my problem, I certainly appreciate it.
Reply With Quote

  #15  
Old 09-28-2005, 10:38 PM
SoulCheese Offline
Registered User
 
Join Date: Sep 2005
Posts: 6
You could do that, or if you have a Flash Drive, and/or just a data CD you could make, hopefully no viruses will transfer through the files. And from your Processes, #1: I would get rid of msmsgs unless you use it, and point32 doesn't look all too familiar, other than that it looked ok.

(There are only a few select ways of removing msmsgs, msconfig will just re-enable it etc. (another Microsoft scheme!!), so try the following under "run":
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

If for you that doesn't work(like some ppl /shrug) go through the steps on this site. http://www.theeldergeek.com/messenger_removal.htm

Good luck!
Reply With Quote
All times are GMT -5. The time now is 12:29 AM.