
Virus Aftermath

Feb 11, 2004 2:12AM PST

Recently, I removed a virus from my system. This virus caused MS "config", "regedit" and "task manager" to close immediately after they are executed. I thought that by removing the virus this problem would disappear, but it exists while I am writing these lines. What can I do to undo changes made by the worm/virus?

(NT) What is the name of the virus\worm??
Feb 11, 2004 2:16AM PST

.

Re:Virus Aftermath
Feb 11, 2004 2:18AM PST
First, please let us know how you 'removed' the virus.

Second, please let us know what your operating system is because of the 'system restore' feature that is in the later versions of Windows.

david williams
Re:Re:Virus Aftermath
Feb 11, 2004 2:23AM PST

I am running Windows XP SP1. I removed the virus by using the "Stinger" tool found on McAfee's website, but actually I can't remember the name of the worm/virus; all I can remember is that it was downloaded through mIRC. Please help.

(NT) I have sent Grif an e-mail - he is our McAfee Expert :)
Feb 11, 2004 2:55AM PST

.

Dina, Please Try This...
Feb 11, 2004 3:59AM PST

Some viruses mess up the registry for .exe files. Therefore, they don't run correctly. Please click on the link to start the download, then save and direct it to your desktop:

Undo.reg File for Cleaning Up Trojans
http://download.nai.com/products/MCAFEE-AVERT/stand_alone/undo.reg

Once the "Undo.reg" file is on your desktop, shut down all background programs, especially your antivirus, then double click on it, and say "Yes" to any prompts. Restart the computer.
_____________

Try the above method first, but if it does not help, then use the instructions below to download the Tweak program. It allows you to Open the registry and correct the problems which stop you from running regedit and task manager, etc.:

Just for information.

Click on Start-Run, type "Regedit" (without the quotes). When that loads, follow this registry path, clicking on the + sign in front of each one of these folders: "HKEY Current User\Software\Microsoft\Windows\Current Version\Policies"
Scroll down and click once on the "System" folder to display any registry entries on the right side. If you find a "DisableTskMgr" entry on the right side, ("DisableRegistryTools" for Regedit), RIGHT click on the name of the entry, choose "Delete". (Do not delete the "Default" value.) Restart the computer.

The default DWORD value is Enabled=0, while Disabled=1. Deleting the entire string enables the process again.

Since you can't access Regedit, then the program below should unlock it.
( http://www.winguides.com/registry/display.php/190/ )

Winguides Tweak Manager (Download the free trial.)
http://www.winguides.com/tweak/
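
The two kinds of registry damage described in the post above can also be checked from a text export when Regedit itself will not stay open. The following is an added example, not part of the original post or of any vendor tool: it parses .reg export text and reports the policy lockouts and any altered "open" command for .exe and .com files. The sample export and the `example.exe` path are constructed, and the function names are hypothetical.

```python
import re

# Policy key and values from the post above (Windows spells the Task Manager
# value "DisableTaskMgr"); a DWORD of 1 disables the tool, 0 or absent enables it.
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
LOCKOUTS = {"DisableTaskMgr": "Task Manager", "DisableRegistryTools": "Regedit"}
STOCK_OPEN = '"%1" %*'  # stock "open" command for .exe and .com files

def parse_reg(text):
    """Parse .reg text into {key (lowercase): {value name (lowercase): raw data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def unquote(raw):
    """Decode a REG_SZ literal: drop the outer quotes, undo backslash escapes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def audit(text):
    """Return findings for policy lockouts and altered open commands."""
    keys, findings = parse_reg(text), []
    for name, tool in LOCKOUTS.items():
        raw = keys.get(POLICY_KEY, {}).get(name.lower(), "").lower()
        if raw.startswith("dword:") and int(raw[6:], 16) != 0:
            findings.append(f"{tool} disabled by {name}")
    for cls in ("exefile", "comfile"):
        raw = keys.get("hkey_classes_root\\%s\\shell\\open\\command" % cls, {}).get("@")
        if raw is not None and unquote(raw) != STOCK_OPEN:
            findings.append(f"{cls} open command altered: {unquote(raw)}")
    return findings

# Constructed sample export; example.exe is a placeholder, not from the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\example.exe \"%1\" %*"
'''
if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Regedit's "Version 5.00" exports are written as UTF-16, so a real export file should be read with `encoding="utf-16"` before being passed to `audit`.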

Re:Dina, The two methods failed
Feb 11, 2004 11:43PM PST

The two methods failed to undo my registry settings. "undo.reg" made no changes after the system restarted, so I used the other method: downloaded the free trial Tweak Manager, changed my setting and restarted. Nothing happened; "regedit" disappeared like a ghost after I executed it, and the task manager is alike. Any suggestions?

Dinasr, Next Thing To Try...
Feb 12, 2004 3:27AM PST

For some reason, the executables still won't open, but it's strange that Msconfig, Tskmgr, and Regedit are the only ones. Are you also having issues with all other .exe files? Apparently, most of them must still run correctly because you've been able to run the Tweak Manager. Have you tried running "regedt32.exe" from the "Run" line, which also starts the registry editor on WinXP? Have you tried renaming the regedit.exe file to regedit.com, then double clicking on it?

I'm going to make sure that you correctly used the Tweak Manager program. In the "Tweak Manager", after opening, looking on the left, click on the + sign next to "Security", then click once on the "Disable Registry Editing Tools" that's just below the "Start Menu" listing. Now look on the right side of the screen and UNCHECK the boxes listed there. Then click on "Apply changes".
________

You haven't mentioned this so far in this thread, but have you also tried to use System Restore back to a time before the infection occurred? Here's how:

Use System Restore to Undo Changes if Problems Occur
http://www.microsoft.com/windowsxp/pro/using/howto/gethelp/systemrestore.asp

Hope this helps.

Grif

Dinasr, Another Possibility...
Feb 12, 2004 4:00AM PST

Make sure to do a free online scan at the link below:

Panda Antivirus Online Scanner

If you're not having problems with the other .exe files on the computer, it's possible that those files are currently corrupted, and a replacement of the file will allow them to run correctly. (It's too bad you can't tell us the exact virus name as some will corrupt .exe files.) If you have another WinXP from which you can make copies of the files, you might try transporting them by floppy to your computer, renaming the current ones to something like "msconfig.old", "regedit.old", and "Taskmgr.old", then replacing them with the copied files. (If you have a C:\I386 folder or a C:\Windows\Service Pack Files\I386 folder on your computer, you should be able to copy from there also, but there's no guarantee that they aren't also corrupted.)

Hope this helps.

Grif

Re:Dinasr, Another Possibility...
Feb 12, 2004 11:56PM PST

About the Tweak program, I have followed every instruction; believe it or not, the fields are already UNCHECKED.
I then checked it to disable it, restarted, then unchecked it, restarted: no change.

I replaced all the files with the ones in the I386 folder: no change. Renamed to .com and executed: no change.
"Luckily" I have my System Restore already disabled :(
So I can't go back.

This issue appeared also with ".reg" files. REMEMBER the "undo.reg" file from McAfee? The confirmation message didn't appear asking me if I am sure or not; I had to press "Enter" several times until I was able to catch the "Yes" button before it disappeared like a ghost.

I have made dozens of virus scans from all the websites I knew, and I am quite sure that I HAVE NO VIRUS, TROJAN, WORM or even PARASITE and adware infecting my system. Please try to help.

Thanks for your patience. I know I have been talking too much these days; sorry for insolence.

Dinasr, Here's What Has Happened...
Feb 13, 2004 2:13AM PST

...at least, it appears so. It's very probable that you no longer have the virus on the computer, but the previous virus has already done its damage. There are a number of registry entries that have been altered and because you can't access the registry to fix them, the various changes can't be made. (Some viruses will disable all the important file types such as .reg, .com, .exe.) The Tweak Manager usually allows me to access the registry and make the fixes. Because your computer's symptoms are very similar to the Swen virus, please click on the link below and download the "FixSwen.exe" file to your desktop. Once it's there, please rename it to "FixSwen.cmd", then double click on the file to run it. It should fix the registry problem.

http://www.symantec.com/avcenter/FixSwen.exe

Here is a link to a discussion in the McAfee forums about the various registry changes that are frequently made and how we've fixed the problem before:

http://forums.mcafeehelp.com/viewtopic.php?p=113819#113819

Hope this helps.

Grif

Dinasr, After Double-Clicking the 'FixSwen.cmd' Tool
Feb 13, 2004 2:19AM PST

...to open it....

Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
If you are running Windows Me/XP, then re-enable System Restore.

Hope this helps.

Grif

Re:Dinasr, reanimating my pc
Feb 13, 2004 3:46AM PST

I did the last scan using McAfee VirusScan; it detected a virus called "w32/spybot.worm.gen". This is weird because the dozens of scans I made didn't detect anything. It was removed safely.
I can now run my applications safely, and I've reanimated my PC :)

For more information about the virus you can see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Thanks to everyone for their efforts in the forum.

Dinasr, Congratulations...That Explains It...
Feb 13, 2004 4:05AM PST

The computer was still infected and cleaning up with McAfee corrected the problems.

It might be a good idea to "tighten up" the security you're using on your mIRC. As you suspected, that's how a variety of viruses gain access.

Keep up the safe computing.

Grif

Re: System Restore.....
Feb 11, 2004 4:06AM PST

Hi David,

Are you suggesting that perhaps dinasr could 'go back' with System Restore to a period before he got the virus?

Sorry, I haven't read a lot of the past posts in this forum, and am asking for lack of knowledge.

JR

: System Restore...... Precisely, John.
Feb 11, 2004 6:21AM PST

Most infections also infect the System Restore folder and it is necessary to disable System Restore and re-scan to completely eliminate the infection.

Grif has some excellent suggestions as the resident McAfee expert and I believe the poster should do exactly what is being prescribed in addition to disabling System Restore BEFORE the scan is commenced.
david williams