[Guse]

You've done great so far, don't quit on me yet.

That file is supposed to be a text file. You need to save it to a location, right-click it and choose Install. (It does not display any notice or boxes when you run it.).

Also, please run me another Ewido scan and post that log.

We've made incredible progress... you've gone from 1,000+ infections to less than 7. Just stick with me and we'll figure this out together. It just may take a while longer.

Edited by Guse, 13 July 2005 - 08:49 PM.

[Advertisements]

Also do something for me. Open My Computer. Click Tools | Folder Options | View. Then, make sure that the radio button for Show Hidden Files and Folders is checked and clear the boxes for Hide Protected Operating System Files (Recommended) and Hide Extensions for Known File Types.

Then, using Windows Explorer (not Search, browse there) and check for these files and let me know if they're there (they may not be):

D:\Windows\System32\cmd.com
D:\Windows\System32\regedit.com

Be really careful that you match up the extension (*.com, *.exe). There SHOULD be a file called "cmd.exe"... "cmd.com" is bad. Don't do anything yet... just give it a look-see.

In your next post, let me know if you find those.

[Guse]

Also do something for me. Open My Computer. Click Tools | Folder Options | View. Then, make sure that the radio button for Show Hidden Files and Folders is checked and clear the boxes for Hide Protected Operating System Files (Recommended) and Hide Extensions for Known File Types.

Then, using Windows Explorer (not Search, browse there) and check for these files and let me know if they're there (they may not be):

D:\Windows\System32\cmd.com
D:\Windows\System32\regedit.com

Be really careful that you match up the extension (*.com, *.exe). There SHOULD be a file called "cmd.exe"... "cmd.com" is bad. Don't do anything yet... just give it a look-see.

In your next post, let me know if you find those.

[mattiscool]

Hey Heres my Scan Log


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:11:23 PM, 7/14/2005
+ Report-Checksum: DC5AA96E

+ Scan result:

HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
C:\Documents and Settings\Lou\.jpi_cache\jar\1.0\ar3.jar-586bddde-3e22c5fc.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup


::Report End





and YEs, I see "Regedit.com" and "cmd.com"

[Guse]

Okay, let's try something.

Rename both "regedit.com" and "cmd.com" to "regedit.old" and "cmd.old". Then try to run regedit and cmd again and tell me how that works.

Don't delete the files, rename the extensions.

Let me know.

[mattiscool]

1 Down, 1 to go.

CMD works! it open CMD.exe!

But..

Regedit, now opened "Regedit.pif"

[Guse]

Download : The Killbox
Unzip it to the desktop but do NOT run it yet.

First rename "regedit.pif" to regedit.bak. Now try regedit again.

If that works and functionality is back, follow these steps:

Run The Killbox

• Select "Delete on Reboot".
• Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
  
  C:\WINDOWS\system32\CMD.OLD
  C:\WINDOWS\system32\netstat.com
  C:\WINDOWS\system32\ping.com
  C:\WINDOWS\system32\regedit.old
  C:\WINDOWS\system32\regedit.bak
  C:\WINDOWS\system32\tasklist.com
  C:\WINDOWS\system32\taskkill.com
  C:\WINDOWS\system32\tracert.com
  
• Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button. You'll have to do this one file at a time, which means click No until you reach the last file in the list. Then click "Yes" at the LAST Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Post back and let me know.

[mattiscool]

i havent read all that yet, but! its still called "regedit.old" in the System32 folder, but when i type in "regedit" in Run, on the..whats it called..the overhead bar... it says "regedit.pif" ...i renamed it Regedit.bak, but its still "regedit.pif"

[Guse]

Does regedt32 work?

That is Start | Run , then type regedt32

Edited by Guse, 14 July 2005 - 03:03 PM.

[mattiscool]

yeah that works!..but shouldnt i get rid of the virus files, like Regedit.bak, ping.com, and cmd.old?

[Guse]

Absolutely. I just wanted to make sure. Run the instructions from post 36 (Killbox).

If you're interested, I'd like to get regedit to work. But, if you feel you've got what we need, we can quit.

Is there a regedit.exe in the System32 folder?

[mattiscool]

i have

Regedit - Shortcut to MS DOS program
Regedit.bak - BAK File
Regedit32.exe - Application

[Guse]

If you haven't deleted it already, rename regedit.bak to regedit.exe and then try to run it.

[Guse]

If you have deleted it, there's a copy of regedit.exe in C:\Windows\ServicePackFiles\i386 that you can copy over to your C:\Windows\System32 folder.

Come to think of it, if renaming "bak" to "exe" doesn't work, we can delete that file and copy the one from ServicePackFiles over to System32 anyways.

Edited by Guse, 14 July 2005 - 03:17 PM.

[mattiscool]

oh wow, i did a search. i have Regedit.exe in C:Windows..and it works.


I renamed the other .bak file, to .exe, still didnt work, it still says "regedit.pif"

Edited by mattiscool, 14 July 2005 - 03:18 PM.

[Guse]

Copy that to C:\Windows\System32 and try to run regedit through Start | Run.