[HeatherBatt3]

Hi,

I recently diagnosed my PC as having the W32.Rahack worm. I followed the directions to remove the regedit entries, and my problem has changed. Whenever I try to launch a program either by shortcut from desktop, or through the C drive, I get the message: This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.

EXE isn't listed as a folder option, so I tried to add it and clicked advanced which populated it as an Application. That didn't work. When I go back into Folder Options, EXE isn't there anymore.

I was unable to run Adaware, Spybot, AVG, or turn on my ZoneAlarm firewall since I can't open any programs. (the worm also wouldn't let me open any programs). I can't get into My Computer properties either. I did run the Panda and Trend Micro virus scans. No virus according to Trend, Panda fixed some and let others (in the spyware folders--adaware/spyboth) not disinfected. Did an online trojan horse scan, not infected.

I'm going nuts and am calling on the best--Geeks to Go!

Thanks,
Heather

[Advertisements]

Which version of windows?

Ron

[RKinner]

Which version of windows?

Ron

[HeatherBatt3]

XP. Sorry, put it in subject but not body. Windows XP home.

[RKinner]

Sorry I should have seen it.

Start, Run, then type
cmd
in the box and hit OK. This should bring up a new DOS type window. Type

sfc /scannow

and see if that helps.

Ron

[HeatherBatt3]

I can't get CMD to open because it doesn't have a file extension named with it. I'll re-boot and try in safe mode. Awaiting your reply.

[HeatherBatt3]

Command prompt doesn't work in normal windows, doesn't work in safe mode. Same error each time, need to set the program that created it. What a drag. Tried safe mode with command prompt and got: Could not initiate a scan of protected system files specific error code is 0x000006ba [The RPC Server is unavailable.].

Also forgot to mention that I've had an error at startup since the whole W32.Rahack thing started. Happened before and after I fixed it. Error is that it can't find the ....startup/system.vbs file, line 1, char 1. ActiveX can't create object: 'Comdll.1'

Please help, but realize I can't open any programs.

Thanks,
Heather

[RKinner]

I guess regedit is out. I don't suppose System Restore is an option either? OR Last Known Good?

Don't suppose you have an XP CD around do you?

The system.vbs error is also a sign of rahack. That it is still being called for indicates that you did not fully remove it. Did you by chance make a backup of the registry?

Since you said you ran some online scans does that mean you can still use Internet Explorer?

Can you open My Computer? Then Tools, Options, File Types?

Can you right click on My Computer and select Manage?

Right click on the clock and select Task Manager. Does it come up or ask you the same stupid question?

Can you open Control Panel, Display(Properties), Web and uncheck Show Web Content on my Active Desktop.

Can you boot into Safe Mode Command Prompt and use the edit program?

Ron

[HeatherBatt3]

I guess regedit is out. I don't suppose System Restore is an option either? OR Last Known Good?--No, system restore is bad idea, I normally don't leave it on

Don't suppose you have an XP CD around do you?---Just got an XP cd today!

The system.vbs error is also a sign of rahack. That it is still being called for indicates that you did not fully remove it. Did you by chance make a backup of the registry?--Yah, that would be the smart thing to do which means I don't have a backup. I was able to edit registry by changing name to regedit.com

Since you said you ran some online scans does that mean you can still use Internet Explorer?--Yup, can run IE, that's how I've been able to post at night.

Can you open My Computer? Then Tools, Options, File Types?--Not at my home pc right now, will check this. Do know that I can open my computer, but can't right click my computer and get into properties.

Can you right click on My Computer and select Manage?--not sure, will have to check when get to home pc.

Right click on the clock and select Task Manager. Does it come up or ask you the same stupid question? I can get task Manager up no problem.

Can you open Control Panel, Display(Properties), Web and uncheck Show Web Content on my Active Desktop.--Not sure will have to check.

Can you boot into Safe Mode Command Prompt and use the edit program?---I gave this answer already, was able to get in safe mode command prompt (just couldn't use cmd in normal safe mode) but got an error when typed the scannow command. See previous post.

Thanks,
Heather

[RKinner]

IF you boot off the XP CD it should offer you a Repair option.

http://www.michaelst...pairinstall.htm

You can also probably run the sfc /scannow from Task Manager, File, New Task(Run).

If you can get into the registry then we can probably fix the problem that way. Especially if you can tell me where you got the instructions. Then I can check an XP machine and tell you what needs to go back.

Ron

[HeatherBatt3]

I got the w32.rahack fix at:

http://www.sarc.com/...w32.rahack.html

haha, tried to run XP cd at home and of course power in house went out. Unreal. Will try again this evening.

I can get into registry because I changed name to regedit.com. Once you look at the instructions to remove worm in link above, please note what I did:

In the reverse changes to registry section, I was able to do the following:
step d. did not apply to me, value was not present
Step f applied and I deleted
step g-h didn't apply to me, didn't have [random CLSID]
step i has 4 parts. all applied in either regular windows or safe mode.

I've since tried to search the root in each area that I noted didn't apply to me since value wasn't present and still couldn't find step d., Step g-h, I searched the root of CLSID for sysser and deleted that value, but couldn't find the next path to executable value. Kept searching for sysser and deleted a couple more (am sure I'll regret) but didn't find the path to executable.

Thanks,
Heather

[RKinner]

I'm not sure I agree with Norton on this. They had you

Navigate to the key:

HKEY_CLASSES_ROOT\exefile\shell\open\command


In the right pane, delete the value:

"(Default)"= "syshid.exe "%1" %*""


but on my Win2K box it still says:

(Default) = "%1" %*

You might try changing yours back to the above and see if that helps.

Ron

[HeatherBatt3]

Are you sure that your windows2000 registry match my windows xp?

[RKinner]

I am now. I have an XP Pro that I can access remotely and I just checked it.

HKEY_CLASSES_ROOT\exefile\shell\open\command has (default) with
value "%1" %*

Ron

[HeatherBatt3]

Excellent. Will try that in an hour or so, hope it works!!! Thanks Ron!
Heather

[HeatherBatt3]

Ron, that worked!!! I'm a little concerned that I might not have cleaned the worm up all the way, but so far so good. Got the firewall back up and running and am cleaning with Ad-Aware and spybot. Do you recommend a hijack log as well? Or should I do anything else?

Thanks so much,
Heather