|
Posted by marko on May 31, 2005, 3:25 pm
Firstly I apologize if this issue has already been resolved in earlier
posts, I scoured through them but I couldn't find them.
Recently I found two worms on my machine, one was W32/Acra-A and the other
W32/Rbot-ACZ. I removed them with Sophos but now my run dialogue box doesn't
work right. Some thing will run correctly (for instance explorer.exe) but if
I type in "regedit" I get a DOS screen with a message
"One or more CON code pages invalid for given keyboard code".
After that a prompt message appears with the following message:
"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\regedit.com
The NTVDM CPU has encountered an illegal instruction.
CS:0704 IP:4303 OP:ff ff 53 26 8b
CLOSE IGNORE"
How can I fix this back?
Thanks for any advice. Cheers!
|
|
Posted by David H. Lipman on May 31, 2005, 1:49 pm
| Firstly I apologize if this issue has already been resolved in earlier
| posts, I scoured through them but I couldn't find them.
|
| Recently I found two worms on my machine, one was W32/Acra-A and the other
| W32/Rbot-ACZ. I removed them with Sophos but now my run dialogue box doesn't
| work right. Some thing will run correctly (for instance explorer.exe) but if
| I type in "regedit" I get a DOS screen with a message
|
| "One or more CON code pages invalid for given keyboard code".
|
| After that a prompt message appears with the following message:
| "16 bit MS-DOS Subsystem
| C:\WINDOWS\system32\regedit.com
| The NTVDM CPU has encountered an illegal instruction.
| CS:0704 IP:4303 OP:ff ff 53 26 8b
| CLOSE IGNORE"
|
| How can I fix this back?
|
| Thanks for any advice. Cheers!
|
The problem is you haven't supplied the OS version. I will assume you either
have Win9x/ME or WinXP and will supply the more likely answer for WinXP.
Delete: C:\WINDOWS\system32\regedit.com
{ assuming the WinXP CDROM disk is in drive "D:" }
In the Command Prompt enter...
expand D:\i386\regedit.ex_ %windir%\system32\regedit.exe
I am not sure how to get Explorer to show the "Start --> Run" capability.
You will have to post in a Microsoft News Group specific to your OS.
In addition, have you tried other scanners to be absolutely sure you are not
still infected?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
|
Posted by marko on June 1, 2005, 9:44 am
Yes, it's WinXP SP1 actually, sorry about that.
The problem is not in regedit.exe, but in the run dialogue itself. If I run
regedit from explorer it works fine, I just can't run it from the "Run...".
Also if I try cmd in run dialogue, same result.
I'll try to do system restore with install cd, but I hoped there is a
simpler solution.
Thanks for helping. Cheers!
> The problem is you haven't supplied the OS version. I will assume you
> either have Win9x/ME
> or WinXP and will supply the more likely answer for WinXP.
>
> Delete; C:\WINDOWS\system32\regedit.com
>
> { assuming the WinXP CDROM disk is in drive "D:" }
> In the Command Prompt enter...
> expand D:\i386\regedit.ex_ %windir%\system32\regedit.exe
>
> I am not sure how to get Explorer to show the "Start --> Run" capability.
>
> You will have to post in a Microsoft News Group specific to your OS.
> In addition, have you tried other scanners to be absolutely sure you are
> not still infected
> ?
>
> --
|
|
Posted by Zvi Netiv on June 1, 2005, 1:49 pm
> Yes, it's WinXP SP1 actually, sorry about that.
>
> The problem is not in regedit.exe, but in the run dialogue itself. If I run
> regedit from explorer it works fine, I just can't run it from the "Run...".
> Also if I try cmd in run dialogue, same result.
If you weren't a top poster then the solution would be obvious to you
immediately.
> I'll try to do system restore with install cd, but I hoped there is a
> simpler solution.
You'll be wasting your time as you'll be in exactly the same position after
reinstalling Windows. And yes, there is a simpler solution. Embarrassingly
simple! ;-)
> > The problem is you haven't supplied the OS version. I will assume you
> > either have Win9x/ME
> > or WinXP and will supply the more likely answer for WinXP.
> >
> > Delete; C:\WINDOWS\system32\regedit.com
David gave you a good hint here, although he may have missed the big picture.
> > { assuming the WinXP CDROM disk is in drive "D:" }
> > In the Command Prompt enter...
> > expand D:\i386\regedit.ex_ %windir%\system32\regedit.exe
No need to re-expand Regedit, it's there, intact.
> > I am not sure how to get Explorer to show the "Start --> Run" capability.
> >
> > You will have to post in a Microsoft News Group specific to your OS.
> > In addition, have you tried other scanners to be absolutely sure you are
> > not still infected
Whatever struck you created dummy companion files to a number of utilities and
programs, in order to deny you their use. A "companion" is an executable that
uses the same name as the EXE object, with a COM extension. When invoking
REGEDIT, or CMD, plain, without specifying the EXE extension, then the operating
system will first load the COM file with that name, if one exists in the path.
If you tried REGEDIT.EXE from the 'run' menu, instead of REGEDIT plain, then you
could run the utility from the desktop. The reason it runs OK from Explorer is
because in the latter the full pathname of the target object is associated to
the desktop file-object. The same applies to CMD.EXE (the companion is
Cmd.com).
Now, if you paid attention to details, then you would know that
C:\WINDOWS\system32\regedit.com in your first post must be fake, for two
reasons:
First, since Regedit is represented by an icon in Explorer then it must contain
an icon resource, and only EXE files have it (COM files are represented by a
plain rectangle as they contain no icon resource). Therefore, regedit.com
couldn't be the real thing. Secondly, the path is a giveaway! Most Win
utilities are stored in the Windows default installation directory, i.e.
C:\Windows, not in ..\system32. I bet that the other companions will also be
found in the ..\system32 directory.
Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
Then search for all *.COM files in the system32 directory (only!) and see for
each COM if it has an EXE twin. If there is a twin, then delete the COM file.
My guess is that all the companion dummies also have the same file size, which
should help you in spotting them. Note that certain applications could consist
of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!
Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
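The companion-file behaviour Zvi explains above (a bare "regedit" resolves to regedit.com before regedit.exe, while "regedit.exe" bypasses the companion) and his cleanup check (every *.COM in system32 that has an EXE twin, with the same-file-size hint and an allowlist for legitimate pairs such as Edit) can be turned into a small, repeatable script. The following is an added example, not code from the thread or from any of the posters: the function names, the `KNOWN_LEGIT_PAIRS` allowlist and the sample "system32" tree with its file sizes are all constructed for the illustration, and the script only reports suspects rather than deleting anything.

```python
"""Companion (.COM shadowing .EXE) detection, following the thread's description.
Added example: the sample directory built below is constructed, not a real system32."""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# A bare command name is resolved by trying these extensions in order, so
# "regedit" finds regedit.com before regedit.exe, while "regedit.exe" bypasses
# the companion entirely (the behaviour described in the post).
RESOLUTION_ORDER = (".com", ".exe")

# Stems that legitimately ship as a .COM/.EXE pair (Edit is the thread's
# example). Hypothetical allowlist: a starting point, not a complete list.
KNOWN_LEGIT_PAIRS = {"edit"}


def _index(directory: Path) -> dict:
    """Map lower-cased file name -> Path so lookups are case-insensitive
    regardless of the host filesystem."""
    return {p.name.lower(): p for p in directory.iterdir() if p.is_file()}


def resolve_command(command: str, search_dirs) -> Optional[Path]:
    """Emulate how a bare name typed into Run/cmd is resolved along the path."""
    for d in search_dirs:
        names = _index(Path(d))
        if Path(command).suffix:          # extension given: exact match only
            hit = names.get(command.lower())
            if hit:
                return hit
            continue
        for ext in RESOLUTION_ORDER:      # no extension: .com wins over .exe
            hit = names.get(command.lower() + ext)
            if hit:
                return hit
    return None


def find_companions(directory, allowlist=KNOWN_LEGIT_PAIRS) -> list:
    """Report every .COM in `directory` that has an .EXE twin and is not
    allowlisted. Each finding carries the COM size and whether that size is
    shared with other findings (the 'same file size' hint from the post)."""
    names = _index(Path(directory))
    candidates = []
    for name, com in names.items():
        stem, ext = os.path.splitext(name)
        if ext != ".com" or stem in allowlist:
            continue
        exe = names.get(stem + ".exe")
        if exe is None:                   # a lone .COM (e.g. command.com) is fine
            continue
        candidates.append({"stem": stem, "com": com, "exe": exe,
                           "com_size": com.stat().st_size})
    size_counts = Counter(c["com_size"] for c in candidates)
    for c in candidates:
        c["size_shared"] = size_counts[c["com_size"]] > 1
    return sorted(candidates, key=lambda c: c["stem"])


def build_sample_system32() -> Path:
    """Create a constructed stand-in for %windir%\\system32 in a temp dir.
    Names and byte sizes are made up for the illustration."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    files = {
        "regedit.exe": 143_000, "regedit.com": 1_432,   # dummy companion
        "cmd.exe": 376_000,     "cmd.com": 1_432,       # dummy companion
        "edit.exe": 69_000,     "edit.com": 69_000,     # legit pair (allowlisted)
        "notepad.exe": 66_000,                          # no companion
        "command.com": 50_000,                          # lone .COM, not a twin
    }
    for name, size in files.items():
        (root / name).write_bytes(b"\x00" * size)
    return root


if __name__ == "__main__":
    sys32 = build_sample_system32()
    print("regedit     ->", resolve_command("regedit", [sys32]).name)
    print("regedit.exe ->", resolve_command("regedit.exe", [sys32]).name)
    for f in find_companions(sys32):
        print(f"suspect: {f['com'].name} shadows {f['exe'].name} "
              f"({f['com_size']} bytes, size shared: {f['size_shared']})")
```

Run against the constructed tree it reports cmd.com and regedit.com as suspects (both 1432 bytes, size shared), leaves edit.com alone because of the allowlist, and ignores command.com because it has no EXE twin. Against a real machine, point `find_companions` at the actual system32 directory and review the list by hand before deleting anything, exactly as the post advises.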
|
|
Posted by David H. Lipman on June 1, 2005, 1:53 pm
|
>> Yes, it's WinXP SP1 actually, sorry about that.
>>
>> The problem is not in regedit.exe, but in the run dialogue itself. If I run
>> regedit from explorer it works fine, I just can't run it from the "Run...".
>> Also if I try cmd in run dialogue, same result.
|
| If you weren't a top poster then the solution would be obvious to you
| immediately.
|
>> I'll try to do system restore with install cd, but I hoped there is a
>> simpler solution.
|
| You'll be wasting your time as you'll be in exactly the same position after
| reinstalling Windows. And yes, there is a simpler solution. Embarrassingly
| simple! ;-)
|
>>> The problem is you haven't supplied the OS version. I will assume you
>>> either have Win9x/ME
>>> or WinXP and will supply the more likely answer for WinXP.
>>>
>>> Delete; C:\WINDOWS\system32\regedit.com
|
| David gave you a good hint here, although he may have missed the big picture.
|
>>> { assuming the WinXP CDROM disk is in drive "D:" }
>>> In the Command Prompt enter...
>>> expand D:\i386\regedit.ex_ %windir%\system32\regedit.exe
|
| No need to re-expand Regedit, it's there, intact.
|
>>> I am not sure how to get Explorer to show the "Start --> Run" capability.
>>>
>>> You will have to post in a Microsoft News Group specific to your OS.
>>> In addition, have you tried other scanners to be absolutely sure you are
>>> not still infected
|
| Whatever struck you created dummy companion files to a number of utilities and
| programs, in order to deny you their use. A "companion" is an executable that
| uses the same name as the EXE object, with a COM extension. When invoking
| REGEDIT, or CMD, plain, without specifying the EXE extension, then the operating
| system will first load the COM file with that name, if one exists in the path.
|
| If you tried REGEDIT.EXE from the 'run' menu, instead of REGEDIT plain, then you
| could run the utility from the desktop. The reason it runs OK from Explorer is
| because in the latter the full pathname of the target object is associated to
| the desktop file-object. The same applies to CMD.EXE (the companion is
| Cmd.com).
|
| Now, if you paid attention to details, then you would know that
| C:\WINDOWS\system32\regedit.com in your first post must be fake, for two
| reasons:
|
| First, since Regedit is represented by an icon in Explorer then it must contain
| an icon resource, and only EXE files have it (COM files are represented by a
| plain rectangle as they contain no icon resource). Therefore, regedit.com
| couldn't be the real thing. Secondly, the path is a giveaway! Most Win
| utilities are stored in the Windows default installation directory, i.e.
| C:\Windows, not in ..\system32. I bet that the other companions will also be
| found in the ..\system32 directory.
|
| Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
| normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
| Then search for all *.COM files in the system32 directory (only!) and see for
| each COM if it has an EXE twin. If there is a twin, then delete the COM file.
| My guess is that all the companion dummies also have the same file size, which
| should help you in spotting them. Note that certain applications could consist
| of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!
|
| Regards, Zvi
| --
| NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
| InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
Live & Learn !
I should have picked up that he may have parallel REGEDIT.COM and REGEDIT.EXE
files. He may also have the same situation with CMD.EXE and CMD.COM.
Could it also mean he's still infected ?
The email worm Kipis does this but does not affect CMD.EXE.
W32/Kipis.b@MM -- http://vil.nai.com/vil/content/v_130668.htm
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|