Unable to open regedit.exe or cmd.exe - Conficker?

Sandiyan

On my home computer (XP SP3 with IE8), I am unable to start regedit.exe or
cmd.exe - when I type these commands in Start\Run it doesn't bring up the app.
Also, getting svchost error - after connecting to ISDN and in the middle of
surfing the internet. I can run services.msc and eventvwr.exe though. I am
assuming it's a variant of Conficker?
I run antivirus product MS OneCare and am up to date on updates and done a
full scan using OneCare.
Searched on internet and some instructions to prevent virus require you
modifying entries in regedit...if I cannot get regedit/cmd to work I am in
deeeeep trouble.... pls help.

thanks, Sandiyan
 
R. McCarty

Several of the Security software vendors provide a stand-alone tool
to remove all 3 of the Conficker worms. You would need to boot the
PC to Safe Mode with Networking to obtain. The latest MS MRT
will also detect and remove the Conficker threat.
http://support.microsoft.com/kb/890830
No single security product is considered adequate. You'd be well
advised to add Windows Defender, Malwarebytes and Spybot to
your mix of real time/detect & remove tools.
 
Al Falfa

Sandiyan said:
On my home computer (XP SP3 with IE8), I am unable to start regedit.exe
or cmd.exe - when I type these commands in Start\Run it doesn't bring up the
app. Also, getting svchost error - after connecting to ISDN and in the
middle of surfing the internet. I can run services.msc and eventvwr.exe
though. I am assuming it's a variant of Conficker? I run antivirus
product MS OneCare and am up to date on updates and done a full scan using
OneCare.
Searched on internet and some instructions to prevent virus require you
modifying entries in regedit...if I cannot get regedit/cmd to work I am
in deeeeep trouble

Sandiyan,
It may be enough to copy C:\WINDOWS\system32\cmd.exe to dmc.COM and
C:\WINDOWS\regedit.exe to editreg.COM in another folder. If not, then
get xp_emegencyutil.exe to create usable copies of REGEDIT, MSCONFIG
and Task Mgr from http://www.dougknox.com/xp/utils/xp_emerutils.htm

In editreg.COM or Copy_of_Regedit.com go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Look at any keys named cmd.exe, msconfig.exe, regedit.exe,
taskmgr.exe and delete any value name "Debugger".
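
The check described in the post above, as an added example that is not part of the original thread: a Python script that reads the text of a regedit export and lists every Image File Execution Options subkey carrying a "Debugger" string value, flagging the four programs the post names. It assumes the value is a plain string (REG_SZ); the sample export, its paths and example-blocker.exe are constructed for illustration.

```python
import re

# Suffix shared by the native and WOW6432Node views of the IFEO key.
IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
# Programs the thread says to check; other hits are reported but not flagged.
WATCHED = {"cmd.exe", "msconfig.exe", "regedit.exe", "taskmgr.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger_command, watched) per IFEO subkey with a Debugger value."""
    findings, image = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            pos = path.lower().find(IFEO)
            rest = path[pos + len(IFEO):] if pos != -1 else ""
            # Only direct children of IFEO name an executable image.
            image = rest if rest and "\\" not in rest else None
            continue
        val = VAL_RE.match(line)
        if image and val and unescape(val.group(1)).lower() == "debugger":
            findings.append((image, unescape(val.group(2)), image.lower() in WATCHED))
    return findings

# Constructed sample export; the paths and example-blocker.exe are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\example-blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="\"C:\\Example Dir\\example-blocker.exe\" /x"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="ntsd -d"
'''

if __name__ == "__main__":
    for image, command, watched in find_ifeo_debuggers(SAMPLE):
        print("CHECK " if watched else "review", image, "->", command)
```

Regedit's version 5.00 exports are UTF-16, so read a real file with `open(path, encoding="utf-16")`. A hit is not always malicious: Process Explorer's "Replace Task Manager" option, for example, sets a Debugger value under taskmgr.exe.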
 
Jose

Sandiyan,
It may be enough to copy C:\WINDOWS\system32\cmd.exe to dmc.COM and
C:\WINDOWS\regedit.exe to editreg.COM in another folder. If not, then
get xp_emegencyutil.exe to create usable copies of REGEDIT, MSCONFIG
and Task Mgr from http://www.dougknox.com/xp/utils/xp_emerutils.htm

In editreg.COM or Copy_of_Regedit.com go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Look at any keys named cmd.exe, msconfig.exe, regedit.exe,
taskmgr.exe and delete any value name "Debugger".

Some viruses will recognize these commands you try to run, like
regedit, cmd, etc. and just not allow them to run based on their name
alone. They can also prevent you from going to sites that offer anti
virus programs, scans, etc. The virus knows about such important
programs and web sites because they were programmed to look for such
things and not let you do it.

Try making a copy of c:\windows\regedit.exe and call it
c:\windows\sandiyan.exe and see if you can run c:\windows\sandiyan.exe from
Start, Run. If that works, you have outsmarted the virus because it
doesn't know or care about sandiyan.exe, but you probably still have
the virus and now you must get rid of it.

Plus, in order to find a virus, malware, etc. the scanning program has
to know to look for it. That is what the definition/database files
are supposed to do. Not every scanning program is likely to know
about everything, so you might want to use a couple good ones. Maybe
you have a virus that your MS Onecare does not know about.

The Malwarebytes offering is popular here (and others) and is free,
but Conficker is known to prevent you from going to anti virus sites
like that because it doesn't want you to be able to detect it. You
may have to boot in Safe Mode, or download it someplace else
temporarily... Many options.

Finally, be sure you keep up to date on the Microsoft updates,
especially the security ones.

Let us know what you find out.
 
Al Falfa

Sandiyan said:
On my home computer (XP SP3 with IE8), I am unable to start
regedit.exe or cmd.exe - when I type these commands in Start\Run it
doesn't bring up the app. Also, getting svchost error - after
connecting to ISDN and in the middle of surfing the internet. I can
run services.msc and eventvwr.exe though. I am assuming it's a variant
of Conficker? I run antivirus product MS OneCare and am up to date on
updates and done a full scan using OneCare.
Searched on internet and some instructions to prevent virus require
you modifying entries in regedit...if I cannot get regedit/cmd to
work I am in deeeeep trouble

Al Falfa wrote:
Sandiyan,
It may be enough to copy C:\WINDOWS\system32\cmd.exe to dmc.COM and
C:\WINDOWS\regedit.exe to editreg.COM in another folder. If not, then
get xp_emegencyutil.exe to create usable copies of REGEDIT, MSCONFIG
and Task Mgr from http://www.dougknox.com/xp/utils/xp_emerutils.htm

In editreg.COM or Copy_of_Regedit.com go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Look at any keys named cmd.exe, msconfig.exe, regedit.exe,
taskmgr.exe and delete any value name "Debugger".

Some viruses will recognize these commands you try to run, like regedit,
cmd, etc. and just not allow them to run based on their name alone ...
Try making a copy of c:\windows\regedit.exe and call it
c:\windows\sandiyan.exe and see if you can run c:\windows\sandiyan.exe from
Start, Run ...

You replied to my post and seem to have not noticed that I had already
suggested to Sandiyan to copy and rename regedit (and cmd) .exe. If you
had replied directly to him, I would not have mentioned it.
 
Sandiyan

Thank you for all your responses - I am excited to get my hands dirty to get
this worm nailed! I'll let you know how I progress...
Sandiyan.
 
Elmo

Sandiyan said:
On my home computer (XP SP3 with IE8), I am unable to start regedit.exe or
cmd.exe - when I type these commands in Start\Run it doesn't bring up the app.
Also, getting svchost error - after connecting to ISDN and in the middle of
surfing the internet. I can run services.msc and eventvwr.exe though. I am
assuming it's a variant of Conficker?
I run antivirus product MS OneCare and am up to date on updates and done a
full scan using OneCare.
Searched on internet and some instructions to prevent virus require you
modifying entries in regedit...if I cannot get regedit/cmd to work I am in
deeeeep trouble.... pls help.

thanks, Sandiyan

Try this download to a working machine. You burn the image to a blank
CD then boot the infected machine to it; it clears out the malware.
This is software from Avira.

http://forums.techarena.in/tips-tweaks/1157825.htm

Just download the .exe rather than the ISO.

Afterwards the fix suggested should get CAD, etc. working again. Here's
Kelly's solution:

Line 275. Lift Restrictions - TM, Regedit and CMD
http://www.kellys-korner-xp.com/xp_tweaks.htm
 
Kasia

I had the same issue:
- when trying to open command prompt through Run -> cmd the background would
flicker and if I had any Windows Explorer windows open, they would get
closed.
- random issues with internet connection
- AVG didn't run the update because it was claiming there is no internet
connection (although I was able to use browsers at that time and open
webpages).

What worked for me:
- downloaded to USB drive (seems to be important) ComboFix and SmitFraudFix
- restarted in Safe Mode with Networking
- ran ComboFix from USB drive, followed instructions
- restarted in Normal mode, finished ComboFix cleanup
- restarted again in Safe Mode with Networking, ran SmitFraudFix, option
2.Clean
- after SmitFraudFix was done, closed it and tested Run -> cmd and this time
it worked OK
- restarted in normal mode, Run -> cmd working OK here as well.

AVG was now able to update virus definitions and no more issues with internet.
 
Sandiyan

All resolved now:
Renaming of cmd/regedit worked.
Actually, I was missing some MS updates including .NET 3.5 (which was about
250MB).
Copied all MS updates and Malwarebytes and installed - Malwarebytes picked
minor malware.
Then there was a persistent Trojan.win32.Delf that OneCare wouldn't
quarantine/delete.
Finally, I took the plunge of deleting my profile (which cleared out lot of
user based malware files and etc)
All is OK now.
thanks, Sandiyan,
 
