My System32 Folder has attribute SH

Guest

I tried to run cmd from the run command and I got an error message saying
that cmd is not a valid win32 Application. While trying to figure out what
the problem was, I discovered that my system32 folder was hidden and had the
hidden check box disabled. I was able to open cmd from inside the folder (by
double clicking on it), it worked, but many commands would not work e.g.
ping.com.
When I checked the system32 attributes from DOS with the attrib command the
folder has SH as its attributes. I tried to reset these attributes with the
attrib command again but it will not reset.

Anyway, the question is, what is the cause of this problem and how do I
solve it?
By the way, this is a clean system with latest updates and service packs.

Thanks
 
Guest

I was able to remove SH from the system32 folder by clearing all at once. I
still can't get cmd and other commands to run from the command line.
 
Wesley Vogel

You have a trojan or virus or a worm.

Ping.com is added by a trojan/virus/worm. Ping.exe is the correct file.

You probably also have cmd.com that is added by a trojan/virus/worm.

Typing cmd in the Run Command probably tries to open cmd.com instead of
cmd.exe.

.com files are executed before .exe files.

Typing cmd.exe in the Run command may open cmd.exe.

Typing %windir%\system32\cmd.exe in the Run command may open cmd.exe.

Update your antivirus software and run a complete scan.

Update whatever anti-spyware applications that you have and run a full
system scan with each one.

Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]

[[This worm drops the legitimate file compression DLL, BSZIP.DLL in the
Windows system folder. It does this so it can compress itself. It also drops
the following files in the Windows system folder:

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

These files contain the string MZ so that this worm can disable the
following Windows tool applications:

CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T

Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
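
The shadowing described in the reply above, as an added example that is not part of the original post: it models how a bare command name picks an extension and lists every .exe that loses to a same-named file with an earlier extension. It assumes the default `.COM;.EXE;.BAT;.CMD` order; the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

# Head of the default Windows PATHEXT; .COM precedes .EXE (assumed unmodified).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def _ext_order(pathext):
    return [e.strip().lower() for e in pathext.split(";") if e.strip()]


def resolve_bare_name(directory, name, pathext=DEFAULT_PATHEXT):
    """Return the file a bare command name (e.g. 'cmd') would pick in `directory`."""
    present = {f.lower(): f for f in os.listdir(directory)}
    for ext in _ext_order(pathext):
        hit = present.get(name.lower() + ext)
        if hit:
            return hit
    return None


def find_shadowed_tools(directory, pathext=DEFAULT_PATHEXT):
    """List .exe files that lose to a same-named file with an earlier extension."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry)
        if ext.lower() != ".exe":
            continue
        winner = resolve_bare_name(directory, stem, pathext)
        if winner and winner.lower() != entry.lower():
            # Record whether the shadowing file begins with the two bytes "MZ".
            with open(os.path.join(directory, winner), "rb") as fh:
                head = fh.read(2)
            findings.append({"tool": entry, "shadowed_by": winner,
                             "starts_with_mz": head == b"MZ"})
    return findings


def build_sample_dir():
    """Constructed sample: harmless placeholder files, not real binaries."""
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    for name in ("CMD.EXE", "PING.EXE", "NOTEPAD.EXE", "CMD.COM", "PING.COM"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("bare 'cmd' resolves to:", resolve_bare_name(sample, "cmd"))
    for finding in find_shadowed_tools(sample):
        print(finding)
```

Pointing `find_shadowed_tools` at a real system folder gives a quick list of same-named pairs to hand to the antivirus scan or to inspect by hand.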

 
Guest

Thanks a lot.
That works
EARaddar

 
Wesley Vogel

Antivirus and antispyware apps find anything?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
