Virus on my computer?

dfi

Golden Member
Apr 20, 2001
1,213
0
0
I just scanned my computer with a squared, antivir, spybot, adaware, and a rootkit detector. Nothing came up. But then I noticed that run -> "regedit" did nothing, but "regedit.exe" works. Then, even worse, I noticed I couldn't see system32, even though hidden files were displayed.

A quick search on the net, and it seemed like I had the Alcan A/B worm and its variants. Apparently it hides system32 and various .com files, such as regedit.com, etc. So I removed the attributes on system32 and the files it was supposed to create, and found the following:

regedit.com
cmd.com
tasklist.com
ping.com
tracert.com

As well as 2 registry entries for regedit.com and cmd.com. All these files were created on the same date, same time. A search for all files created on this date yielded only these files.

However, these files are only 2 KB. Also, I don't have any of the other symptoms or files of the worm described. Now I don't know what to think. Supposedly this worm is associated with p2p programs, such as LimeWire. I do have LimeWire installed but I rarely use it. I don't know if these files came in with it somehow, but I don't have any of the other symptoms described. Also, my computer and router are blocking all ping requests and only necessary ports are open. I use a separate, limited-privilege account for everyday use as well. Somehow this thing still got through. And none of my antivirus or spyware tools found it. What the heck is going on? Is this a virus, worm, or something else?
 

Creig

Diamond Member
Oct 9, 1999
5,171
13
81
Maybe the following will help. You might want to read through the entire thread I've linked to at the bottom of this post before doing anything to make sure it applies to your situation. But it appears to be related.


The reason you can open regedit by typing "regedit.exe" but not "regedit" alone is that some worms create a new file called "regedit.com" in your system (this will execute before the .exe). Follow these instructions to remove all these files.

- Click here to download Killbox by Option^Explicit.
- Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
- In the killbox program, select the Delete on Reboot option.
- Copy the file names below to the clipboard by highlighting them and pressing Control-C:
Code:
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot regedit should work again.


http://www.ozzu.com/ftopic44857.html
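As an added illustration of the lookup order Creig describes (this is not part of the thread; the folder it scans is a constructed stand-in for system32 filled with placeholder bytes, and the PATHEXT list is the demo's own assumption): a Python script that resolves a bare command name the way cmd.exe does and lists every .com that shadows an .exe, with file size and a shared timestamp as the triage signals the original poster used.

```python
import os
import tempfile

# cmd.exe tries a bare name such as "regedit" with each PATHEXT extension in
# order; .COM precedes .EXE, so a planted regedit.com wins the lookup.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]

def _listing(directory):
    """Lower-cased name -> real name; Windows file names are case-insensitive."""
    return {f.lower(): f for f in os.listdir(directory)}

def resolve(name, directory, pathext=PATHEXT):
    """Return the file cmd.exe would run for a bare command name, or None."""
    listing = _listing(directory)
    for ext in pathext:
        real = listing.get((name + ext).lower())
        if real is not None:
            return os.path.join(directory, real)
    return None

def find_shadowing_com(directory):
    """Return [(exe_path, com_path, com_size)] for every .com shadowing an .exe."""
    listing = _listing(directory)
    hits = []
    for lower, real in sorted(listing.items()):
        base, ext = os.path.splitext(lower)
        com = listing.get(base + ".com")
        if ext == ".exe" and com is not None:
            com_path = os.path.join(directory, com)
            hits.append((os.path.join(directory, real), com_path, os.path.getsize(com_path)))
    return hits

def shared_timestamps(paths):
    """Group files by mtime; one cluster means one drop, a useful triage signal."""
    groups = {}
    for p in paths:
        groups.setdefault(int(os.path.getmtime(p)), []).append(p)
    return groups

def build_demo_dir():
    """Constructed system32-like folder of placeholder bytes, not real binaries."""
    d = tempfile.mkdtemp()
    for legit in ("regedit.exe", "cmd.exe", "ping.exe", "notepad.exe"):
        with open(os.path.join(d, legit), "wb") as fh:
            fh.write(b"\x00" * 4096)
    for planted in ("regedit.com", "CMD.COM", "ping.com"):  # 2 KB, one shared mtime
        path = os.path.join(d, planted)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 2048)
        os.utime(path, (1_150_000_000, 1_150_000_000))
    return d
```

Run against a real system32 copy, `find_shadowing_com` gives the same short list the poster assembled by hand, and `shared_timestamps` shows whether they landed in one batch.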
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I use a separate, limited-privilege account for everyday use as well. Somehow this thing still got through.

...

I do have LimeWire installed
There's one possible "somehow." Limited accounts don't stop you from elevating to Admin and installing stuff that might be packing a malicious payload.

If it were me, I'd burn the whole hard drive to the ground with DBAN, then reinstall Windows, set it up securely, and not break the "chain of trust" anywhere. No re-using any executables, drivers, programs, or utilities that the old Windows installation ever touched.

If that sounds too drastic, download a 30-day trial version of Kaspersky Antivirus Personal 6 and install it. Go into its Settings panel and max out all the settings, including Riskware, and max out all the sliders to HIGH in the Protection and Scan panels. Now run an update, reboot into Safe Mode, and launch Kaspersky from the Start > All Programs menu and run a full Scan My Computer while you're in Safe Mode.
 

beggerking

Golden Member
Jan 15, 2006
1,703
0
0
Originally posted by: Creig
Maybe the following will help. You might want to read through the entire thread I've linked to at the bottom of this post before doing anything to make sure it applies to your situation. But it appears to be related.


The reason you can open regedit by typing "regedit.exe" but not "regedit" alone is that some worms create a new file called "regedit.com" in your system (this will execute before the .exe). Follow these instructions to remove all these files.

- Click here to download Killbox by Option^Explicit.
- Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
- In the killbox program, select the Delete on Reboot option.
- Copy the file names below to the clipboard by highlighting them and pressing Control-C:
Code:
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot regedit should work again.


http://www.ozzu.com/ftopic44857.html

:thumbsup:
 

dfi

Golden Member
Apr 20, 2001
1,213
0
0
Originally posted by: Creig
Maybe the following will help. You might want to read through the entire thread I've linked to at the bottom of this post before doing anything to make sure it applies to your situation. But it appears to be related.


The reason you can open regedit by typing "regedit.exe" but not "regedit" alone is that some worms create a new file called "regedit.com" in your system (this will execute before the .exe). Follow these instructions to remove all these files.

- Click here to download Killbox by Option^Explicit.
- Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
- In the killbox program, select the Delete on Reboot option.
- Copy the file names below to the clipboard by highlighting them and pressing Control-C:
Code:
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot regedit should work again.


http://www.ozzu.com/ftopic44857.html

I guess I wasn't specific enough. I've already done a search, as well as attrib -a -r -s -h, on the list of files you have identified above. Of all the ones you have identified, the five that existed were cmd.com, regedit.com, tasklist.com, tracert.com, and ping.com. So I've already been able to isolate those files, as well as remove the two registry settings. So my regedit, cmd, etc, all work again without needing the .exe extension.

The thing that I'm concerned about is that there's something I haven't caught. I'm not sure if there's anything else that is still around. I'm not even sure how those files got into the system folder. The only thing I can think of is that I may have run LimeWire once or twice as admin.

I don't know if I will completely reformat over this. Kaspersky, at the highest scan level, found nothing. NOD32 is scanning right now and has found nothing so far. I don't know what I'm going to do if four virus scanners, two spyware detectors, and a rootkit detector come up with nothing.
 

beggerking

Golden Member
Jan 15, 2006
1,703
0
0
The worm may have created these files, and your antivirus software may have "cured" them. You should be fine.
 

dfi

Golden Member
Apr 20, 2001
1,213
0
0
Well, long story short, I decided to reformat. Burn it all down and start from scratch. It was probably nothing but I'm paranoid.
 