XP Task manager, Regedit, Command prompt

Guest

I cannot run Task Manager through pressing CTRL+ALT+DELETE, or right-clicking
the Task bar and clicking on "Task manager." When I try either method to
open Task manager, the computer does not take any action at all, but when I
used the Emergency Taskmanager's copies of Regedit, MSConfig and Command
Prompt backups (http://windowsxp.mvps.org/ToolsQuit.htm), they work perfectly.

Also, when I go to Run -> Cmd.exe OR Run -> Regedit.exe, Command Prompt
appears briefly with a lot of corrupt-looking characters and the motherboard
beeps once, before giving me the error message "C:/Windows/ system32/cmd.com
The NTVDM CPU has encountered an illegal instruction. CS:0557 IP:ffe4 OP:fe ff
1d 09 21 Choose 'close' to terminate the application;" choosing "close" or
"ignore" both cause the application to exit. This same error message for
CMD.exe and Regedit.exe.

I've scanned my C: and D: drives for all viruses and spyware (D: is a
separate portion of C: which has encrypted backup files, in case of a system
failure), both come up completely clean. Can someone please help me get
these to work again?
 
Wesley Vogel

You have a trojan/worm/virus.

cmd.com is *NOT* an XP file, it's added by a trojan/worm/virus.

*Update* your antivirus software and run a complete scan.

Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]

[[This worm drops the legitimate file compression DLL, BSZIP.DLL in the
Windows system folder. It does this so it can compress itself. It also drops
the following files in the Windows system folder:

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

These files contain the string MZ so that this worm can disable the
following Windows tool applications:

CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T

Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html



--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

I have tried all of the instructions on the links you provided me; none of the
appropriate registries or text/.com files exist. I updated my antispyware
and antivirus software files, they both still come up clean. Now what?

Guest

I have attempted all of the instructions on both links you provided; when I
tried to go delete the appropriate Registries, none of them existed. Also, I
was told to delete the malicious files; none of them existed. What should I
do? I also updated my spyware and antivirus software, neither of them
detected anything.

Wesley Vogel

Jamie,

Doug Knox's Emergency Msconfig, Regedit, Task Manager utility creates a
folder, C:\EmergencyUtils. In this folder is Regedit.com. Regedit.com is
just a copy of regedit.exe that is renamed.

In your original post you mention C:\Windows\system32\cmd.com. That is the
cmd.com that I was referring to.

Do a Search for the following files in C:\Windows\system32

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

You need to be able to Search for Hidden or System Files or else you may not
find the files even if they are there.

1. Click Start, click Search, click All files and folders and then click
More advanced options.
2. Click to select the Search system folders and Search hidden files and
folders check boxes.

Or you can set to display Hidden files and folders...

Start | Settings | Control Panel | Folder Options | View tab
Check:
Display the contents of system folders
Show hidden files and folders
UNCheck:
Hide protected operating system files
Click Apply | Click OK

[[Hidden files and folders will appear dimmed to indicate they are not
typical items.]]

And then do a Search.

You need to find out if the above files are on your machine and, if they
are, get rid of them.

If you type cmd in Start | Run and cmd.com exists in C:\WINDOWS\system32 or
C:\WINDOWS, it will try to open instead of cmd.exe.

If you type REGEDIT in Start | Run and REGEDIT.COM exists in
C:\WINDOWS\system32 or C:\WINDOWS, it will try to open instead of
regedit.exe.

Upper or lowercase letters make no difference.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
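
The lookup behaviour described in the post above (a CMD.COM in C:\WINDOWS\system32 opening in place of cmd.exe), as an added example that is not part of the original thread: a Python script that lists every bare command name whose .exe loses the lookup to another file. The function names and the directory tree are constructed for illustration, and the extension order is an assumption taken from the start of the default PATHEXT value (.COM before .EXE).

```python
import tempfile
from pathlib import Path

# Assumption: lookup order for a bare command name. .com precedes .exe,
# as at the start of the default PATHEXT value on Windows.
EXT_ORDER = (".com", ".exe", ".bat", ".cmd")


def candidates(name, search_dirs, ext_order=EXT_ORDER):
    """Return every file a bare name such as 'cmd' could resolve to, in lookup order.

    Directories are tried in the order given; within a directory the
    extensions are tried in ext_order. Matching ignores case.
    """
    found = []
    for directory in search_dirs:
        by_name = {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}
        for ext in ext_order:
            hit = by_name.get(name.lower() + ext)
            if hit is not None:
                found.append(hit)
    return found


def has_mz_header(path):
    """True when the file starts with the 'MZ' marker of an EXE-format image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_shadowed_tools(search_dirs, ext_order=EXT_ORDER):
    """List each .exe in search_dirs that loses the lookup to another file."""
    stems = {
        p.stem.lower()
        for d in search_dirs
        for p in Path(d).iterdir()
        if p.is_file() and p.suffix.lower() == ".exe"
    }
    findings = []
    for stem in sorted(stems):
        hits = candidates(stem, search_dirs, ext_order)
        real = next((h for h in hits if h.suffix.lower() == ".exe"), None)
        if real is None or hits[0] == real:
            continue  # the genuine .exe is what a bare name resolves to
        findings.append({
            "typed": stem,
            "runs": hits[0],
            "instead_of": real,
            "mz_header": has_mz_header(hits[0]),
        })
    return findings


def build_sample(root):
    """Create a constructed directory tree and return the search path for it."""
    root = Path(root)
    windows = root / "WINDOWS"
    system32 = windows / "system32"
    emergency = root / "EmergencyUtils"  # deliberately not on the search path
    for d in (system32, emergency):
        d.mkdir(parents=True)
    files = {
        windows / "regedit.exe": b"MZ\x90\x00",
        system32 / "cmd.exe": b"MZ\x90\x00",
        system32 / "ping.exe": b"MZ\x90\x00",
        system32 / "taskmgr.exe": b"MZ\x90\x00",
        system32 / "CMD.COM": b"MZ constructed junk",
        system32 / "REGEDIT.COM": b"MZ constructed junk",
        emergency / "Regedit.com": b"MZ\x90\x00",  # renamed copy, never flagged
    }
    for path, data in files.items():
        path.write_bytes(data)
    return [system32, windows]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in find_shadowed_tools(build_sample(tmp)):
            print(f"{f['typed']}: {f['runs']} runs instead of {f['instead_of']} "
                  f"(MZ header: {f['mz_header']})")
```

On a real machine, pass the actual directories (for example C:\WINDOWS\system32 and C:\WINDOWS) to find_shadowed_tools instead of the sample tree.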

Guest

I scanned for the files you mentioned and deleted them. Now when I use Run
-> CMD or Run -> Regedit, they both work fine; but Task manager will not
appear when I press CTRL+ALT+DELETE, or when I right click the Taskbar and
click "Task Manager." Are there registries I should edit or something?

Wesley Vogel

Do you get an error message? Or nothing happens at all?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Wesley Vogel

taskmgr.exe = Windows TaskManager

See if taskmgr.exe exists in C:\WINDOWS\system32. If it does, what happens
if you double click it?

Is there a copy of taskmgr.exe in C:\WINDOWS\system32\dllcache?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

When I double click it, it says "Another program is currently using the file."

When I double click on the one that resided in C:\Windows\System32\DLLCache,
it comes up normally and the Task Bar Tray icon appears.

?

Wesley Vogel

Very strange.

Something still has a hold of the taskmgr.exe in C:\Windows\System32.
The two taskmgr.exe files appear to be different programs.

Try this. Copy the taskmgr.exe from C:\Windows\System32\DLLCache and paste
into C:\Windows\System32. Answer Yes to the message Would you like to
replace the existing file.

If you do not get the above message, try deleting both copies of taskmgr.exe
from C:\Windows\System32.

Run the System File Checker (sfc.exe).

What it does...
[[System File Checker gives an administrator the ability to scan all
protected files to verify their versions. If System File Checker discovers
that a protected file has been overwritten, it retrieves the correct version
of the file from the cache folder (%Systemroot%\System32\Dllcache) or the
Windows installation source files, and then replaces the incorrect file.
System File Checker also checks and repopulates the cache folder.]]

Load your XP CD in your CD drive.

Start | Run | Type or paste: sfc /scannow | Click OK

It will take a while to run.

If SFC.EXE did anything it will be in the Event Viewer.

Open the Event Viewer...
Start | Run | Type: eventvwr | Click OK |
Click System | Look at any Windows File Protection entries

Also try these free virus scans, you still have the remnants of something
bad.

Panda Activescan, the online scan
http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

Trend Micro - Free online virus Scan - Scan Now
http://housecall.trendmicro.com/housecall/start_corp.asp

Kaspersky free online virus scanner
http://www.kaspersky.com/remoteviruschk.html

Free online malware scan.

THE PARASITE FIGHT QUICK FIX PROTOCOL
http://aumha.org/a/quickfix.php

Some information about malware.

Dealing with Unwanted Spyware and Parasites
http://www.mvps.org/winhelp2002/unwanted.htm

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Jamie Elmore said:
When I double click it, it says "Another program is currently using the
file."

When I double click on the one that resided in
C:\Windows\System32\DLLCache, it comes up normally and the Task Bar Tray
icon appears.

?

Wesley Vogel said:
taskmgr.exe = Windows TaskManager

See if taskmgr.exe exists in C:\WINDOWS\system32 If it does, what
happens if you double click it?

Is there a copy of taskmgr.exe in C:\WINDOWS\system32\dllcache?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Jamie Elmore said:
I scanned for the files you mentioned and deleted them. Now when I use
Run -> CMD or Run -> Regedit, they both work fine; but Task manager will
not appear when I press CTRL+ALT+DELETE, or when I right click the
Taskbar and click "Task Manager." Are there registries I should edit or
something?

:

Jamie,

Doug Knox's Emergency Msconfig, Regedit, Task Manager utility creates a
folder, C:\EmergencyUtils In this folder is Regedit.com. Regedit.com
is just a copy of regedit.exe that is renamed.

In your original post you mention C:\Windows\system32\cmd.com. That is
the cmd.com that I was referring to.

Do a Search for the following files in C:\Windows\system32

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

You need to be able to Search for Hidden or System Files or else you
may not find the files even if they are there.

1. Click Start, click Search, click All files and folders and then
click More advanced options.
2. Click to select the Search system folders and Search hidden files
and folders check boxes.

Or you can set to display Hidden files and folders...

Start | Settings | Control Panel | Folder Options | View tab
Check:
 Display the contents of system folders
 Show hidden files and folders
UNCheck:
 Hide protected operating system files
Click Apply | Click OK

[[Hidden files and folders will appear dimmed to indicate they are not
typical items.]]

And then do a Search.

You need to find out if the above files are on your machine and, if
they are, get rid of them.

If you type cmd in Start | Run and cmd.com exists in
C:\WINDOWS\system32 or C:\WINDOWS, it will try to open instead of
cmd.exe.

If you type REGEDIT in Start | Run and REGEDIT.COM exists in
C:\WINDOWS\system32 or C:\WINDOWS, it will try to open instead of
regedit.exe.

Upper or lowercase letters make no difference.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In Jamie Elmore <[email protected]> hunted and pecked:
I have tried all of the instructions on the links you provided me; none
of the appropriate registries or text/.com files exist. I updated my
antispyware and antivirus software files, they both still come up
clean. Now what?

:

You have a trojan/worm/virus.

cmd.com is *NOT* an XP file, it's added by a trojan/worm/virus.

*Update* your antivirus software and run a complete scan.

Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]

[[This worm drops the legitimate file compression DLL, BSZIP.DLL in
the Windows system folder. It does this so it can compress itself.
It also drops the following files in the Windows system folder:

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

These files contain the string MZ so that this worm can disable the
following Windows tool applications:

CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T
Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html



--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In Jamie Elmore <Jamie (e-mail address removed)> hunted and
pecked:
I cannot run Task Manager through pressing CTRL+ALT+DELETE, or
right-clicking the Task bar and clicking on "Task manager." When I
try either method to open Task manager, the computer does not take
any action at all, but when I used the Emergency Taskmanager's
copies of Regedit, MSConfig and Command Prompt
backups (http://windowsxp.mvps.org/ToolsQuit.htm), they work
perfectly.

Also, when I go to Run -> Cmd.exe OR Run -> Regedit.exe, Command
Prompt appears briefly with a lot of corrupt-looking characters and
the motherboard beeps once, before giving me the error message
"C:/Windows/ system32/cmd.com The NTVDM CPU has encountered an
illegal instuction. CS:0557 IP:ffe4 OP:fe ff 1d 09 21 Choose 'close'
to terminate the application;" choosing "close" or "ignore" both
cause the application to exit. This same error message for CMD.exe
and Regedit.exe.

I've scanned my C: and D: drives for all viruses and spyware (D: is
a separate portion of C: which has encrypted backup files, in case
of a system failure), both come up completely clean. Can someone
please help me get these to work again?
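
The shadowing described in this thread (typing cmd or REGEDIT in Start | Run opens a dropped CMD.COM or REGEDIT.COM instead of the .EXE) can be checked for with a short script. This is an added example, not part of the original posts: the function names are hypothetical, the extension order is assumed to be the Windows default PATHEXT prefix, and the folder contents are constructed dummy files.

```python
import os
import tempfile

# Assumption: default Windows extension search order, where .COM precedes .EXE.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]

def resolve(name, directory):
    """Return the file an extension-less name such as 'cmd' resolves to."""
    present = {f.upper(): f for f in os.listdir(directory)}
    for ext in PATHEXT:
        hit = present.get(name.upper() + ext)
        if hit:
            return hit
    return None

def find_shadowing_com(directory):
    """List .COM files that share a base name with an .EXE in the same folder.

    Each finding is (com_name, exe_name, starts_with_mz)."""
    present = {f.upper(): f for f in os.listdir(directory)}
    findings = []
    for upper, actual in sorted(present.items()):
        base, ext = os.path.splitext(upper)
        if ext != ".COM" or base + ".EXE" not in present:
            continue  # a .COM with no .EXE twin (e.g. mode.com) is not flagged
        with open(os.path.join(directory, actual), "rb") as fh:
            starts_with_mz = fh.read(2) == b"MZ"
        findings.append((actual, present[base + ".EXE"], starts_with_mz))
    return findings

def build_sample_folder():
    """Constructed stand-in for C:\\Windows\\system32 (dummy bytes, not real binaries)."""
    d = tempfile.mkdtemp()
    samples = {
        "cmd.exe": b"MZ-dummy", "regedit.exe": b"MZ-dummy", "taskmgr.exe": b"MZ-dummy",
        "CMD.COM": b"MZ\x00junk", "REGEDIT.COM": b"MZ\x00junk", "mode.com": b"MZ-dummy",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d

if __name__ == "__main__":
    folder = build_sample_folder()
    print("'cmd' resolves to:", resolve("cmd", folder))
    for com, exe, mz in find_shadowing_com(folder):
        print(f"{com} shadows {exe} (starts with MZ: {mz})")
```

Pointed at a real system folder, any finding is a file to examine before deleting, using the hidden and system file visibility settings described in the thread.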
 
