run dialogue doesn't work after worm attack


marko

Firstly I apologize if this issue has already been resolved in earlier
posts, I scoured through them but I couldn't find them.

Recently I found two worms on my machine, one was W32/Acra-A and the other
W32/Rbot-ACZ. I removed them with Sophos but now my run dialogue box doesn't
work right. Some thing will run correctly (for instance explorer.exe) but if
I type in "regedit" I get a DOS screen with a message

"One or more CON code pages invalid for given keyboard code".

After that a prompt message appears with the following message:
"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\regedit.com
The NTVDM CPU has encountered an illegal instruction.
CS:0704 IP:4303 OP:ff ff 53 26 8b
CLOSE IGNORE"

How can I fix this back?

Thanks for any advice. Cheers!
 
From: "marko" <[email protected]>

| Firstly I apologize if this issue has already been resolved in earlier
| posts, I scoured through them but I couldn't find them.
|
| Recently I found two worms on my machine, one was W32/Acra-A and the other
| W32/Rbot-ACZ. I removed them with Sophos but now my run dialogue box doesn't
| work right. Some thing will run correctly (for instance explorer.exe) but if
| I type in "regedit" I get a DOS screen with a message
|
| "One or more CON code pages invalid for given keyboard code".
|
| After that a prompt message appears with the following message:
| "16 bit MS-DOS Subsystem
| C:\WINDOWS\system32\regedit.com
| The NTVDM CPU has encountered an illegal instruction.
| CS:0704 IP:4303 OP:ff ff 53 26 8b
| CLOSE IGNORE"
|
| How can I fix this back?
|
| Thanks for any advice. Cheers!
|

The problem is you haven't supplied the OS version. I will assume you either have Win9x/ME
or WinXP and will supply the more likely answer, for WinXP.

Delete; C:\WINDOWS\system32\regedit.com

{ assuming the WinXP CDROM disk is in drive "D:" }
In the Command Prompt enter...
expand D:\i386\regedit.ex_ %windir%\system32\regedit.exe

I am not sure how to get Explorer to show the "Start --> Run" capability.

You will have to post in a Microsoft News Group specific to your OS.
In addition, have you tried other scanners to be absolutely sure you are not still infected?
 
marko said:
Firstly I apologize if this issue has already been resolved in earlier
posts, I scoured through them but I couldn't find them.

Recently I found two worms on my machine, one was W32/Acra-A and the
other W32/Rbot-ACZ. I removed them with Sophos but now my run dialogue
box doesn't work right. Some thing will run correctly (for instance
explorer.exe) but if I type in "regedit" I get a DOS screen with a
message

"One or more CON code pages invalid for given keyboard code".

After that a prompt message appears with the following message:
"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\regedit.com
The NTVDM CPU has encountered an illegal instruction.
CS:0704 IP:4303 OP:ff ff 53 26 8b
CLOSE IGNORE"

How can I fix this back?

Thanks for any advice. Cheers!

You can do a Repair Install from CD if that is an NT based O/S like XP and
lay the O/S back down on the machine leaving all applications, programs and
settings intact. If you do that, you will need to reinstall any SP and
updates you have applied to the O/S.

Duane :)
 
Yes, it's WinXP SP1 actually, sorry about that.

The problem is not in regedit.exe, but in the run dialogue itself. If I run
regedit from explorer it works fine, I just can't run it from the "Run...".
Also if I try cmd in run dialogue, same result.

I'll try to do system restore with install cd, but I hoped there is a
simpler solution.

Thanks for helping. Cheers!
 
marko said:
Yes, it's WinXP SP1 actually, sorry about that.

The problem is not in regedit.exe, but in the run dialogue itself. If I run
regedit from explorer it works fine, I just can't run it from the "Run...".
Also if I try cmd in run dialogue, same result.

If you weren't a top poster then the solution would be obvious to you
immediately.
I'll try to do system restore with install cd, but I hoped there is a
simpler solution.

You'll be wasting your time as you'll be in exactly in the same position after
reinstalling Windows. And yes, there is a simpler solution. Embarrassingly
simple! ;-)

David gave you a good hint here, although he may have missed the big picture.

No need to re-expand Regedit, it's there, intact.

Whatever struck you created dummy companion files to a number of utilities and
programs, in order to deny you their use. A "companion" is an executable that
uses the same name as the EXE object, with a COM extension. When invoking
REGEDIT, or CMD, plain, without specifying the EXE extension, then the operating
system will first load the COM file with that name, if one exists in the path.

If you tried REGEDIT.EXE from the 'run' menu, instead of REGEDIT plain, then you
could run the utility from the desktop. The reason it runs OK from Explorer is
because in the latter the full pathname of the target object is associated to
the desktop file-object. The same applies to CMD.EXE (the companion is
Cmd.com).

Now, if you paid attention to details, then you would know that
C:\WINDOWS\system32\regedit.com in your first post must be fake, for two
reasons:

First, since Regedit is represented by an icon in Explorer then it must contain
an icon resource, and only EXE files have it (COM files are represented by a
plain rectangle as they contain no icon resource). Therefore, regedit.com
couldn't be the real thing. Secondly, the path is a giveaway! Most Win
utilities are stored in the Windows default installation directory, i.e.
C:\Windows, not in ..\system32. I bet that the other companions will also be
found in the ..\system32 directory.

Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
Then search for all *.COM files in the system32 directory (only!) and see for
each COM if it has an EXE twin. If there is a twin, then delete the COM file.
My guess is that all the companion dummies also have the same file size, which
should help you in spotting them. Note that certain applications could consist
of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!

Regards, Zvi
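Zvi's explanation of companion files and the cleanup procedure above, as an added example that is not part of this thread: a Python script that emulates cmd.exe's PATHEXT lookup (why a bare "regedit" lands on regedit.com), lists every .com in a directory that has an .exe twin, applies the same-size heuristic, and checks the Hidden/System attributes that kept the dummies out of Explorer's search. The sample directory, file names and sizes are constructed stand-ins, not real system32 contents.

```python
import stat
import tempfile
from pathlib import Path

# cmd.exe's PATHEXT tries .COM before .EXE: a bare "regedit" hits regedit.com first.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]

def resolve_command(name, search_dirs, pathext=PATHEXT):
    """Emulate cmd.exe lookup: an explicit extension is used as-is, otherwise
    each PATHEXT extension is tried in order and the first hit wins."""
    exts = [""] if Path(name).suffix else pathext
    for d in search_dirs:
        names = {p.name.lower(): p for p in Path(d).iterdir() if p.is_file()}
        for ext in exts:
            hit = names.get((name + ext).lower())
            if hit:
                return hit
    return None

def find_companions(directory):
    """Every *.com in `directory` with an .exe twin of the same base name (case-
    insensitive). Legit pairs like edit.com/edit.exe are listed too: review, don't delete."""
    by_stem = {}
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in (".com", ".exe"):
            by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = p
    return [(f[".com"], f[".exe"]) for _, f in sorted(by_stem.items())
            if ".com" in f and ".exe" in f]

def suspect_dummies(pairs):
    """Zvi's heuristic: dummies stamped out by one worm share a file size, so
    flag companion .com files whose size matches another companion's."""
    by_size = {}
    for com, _ in pairs:
        by_size.setdefault(com.stat().st_size, []).append(com)
    return sorted((p for g in by_size.values() if len(g) > 1 for p in g),
                  key=lambda p: p.name)

def hidden_or_system(path):
    """On Windows, True if the file has the Hidden or System attribute (what hid
    the OP's dummies from Explorer's search); None on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))

def build_sample_dir():
    """Constructed stand-in for system32: two 128-byte dummy companions, a
    legitimate edit.com/edit.exe pair and a lone more.com. Not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    files = {"regedit.exe": b"MZ" + bytes(4094), "cmd.exe": b"MZ" + bytes(6142),
             "regedit.com": bytes(128), "cmd.com": bytes(128), "more.com": bytes(512),
             "edit.exe": b"MZ" + bytes(2046), "edit.com": bytes(1000)}
    for name, data in files.items():
        (root / name).write_bytes(data)
    return root
```

Run `suspect_dummies(find_companions(build_sample_dir()))` to see only regedit.com and cmd.com flagged while the edit.com/edit.exe pair survives; point `find_companions` at a real system32 path for an actual review list.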
 
From: "Zvi Netiv" <support@replace_with_domain.com>

|
| If you weren't a top poster then the solution would be obvious to you
| immediately.
|
| You'll be wasting your time as you'll be in exactly in the same position after
| reinstalling Windows. And yes, there is a simpler solution. Embarrassingly
| simple! ;-)
|
| David gave you a good hint here, although he may have missed the big picture.
|
| No need to re-expand Regedit, it's there, intact.
|
| Whatever struck you created dummy companion files to a number of utilities and
| programs, in order to deny you their use. A "companion" is an executable that
| uses the same name as the EXE object, with a COM extension. When invoking
| REGEDIT, or CMD, plain, without specifying the EXE extension, then the operating
| system will first load the COM file with that name, if one exists in the path.
|
| If you tried REGEDIT.EXE from the 'run' menu, instead of REGEDIT plain, then you
| could run the utility from the desktop. The reason it runs OK from Explorer is
| because in the latter the full pathname of the target object is associated to
| the desktop file-object. The same applies to CMD.EXE (the companion is
| Cmd.com).
|
| Now, if you paid attention to details, then you would know that
| C:\WINDOWS\system32\regedit.com in your first post must be fake, for two
| reasons:
|
| First, since Regedit is represented by an icon in Explorer then it must contain
| an icon resource, and only EXE files have it (COM files are represented by a
| plain rectangle as they contain no icon resource). Therefore, regedit.com
| couldn't be the real thing. Secondly, the path is a giveaway! Most Win
| utilities are stored in the Windows default installation directory, i.e.
| C:\Windows, not in ..\system32. I bet that the other companions will also be
| found in the ..\system32 directory.
|
| Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
| normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
| Then search for all *.COM files in the system32 directory (only!) and see for
| each COM if it has an EXE twin. If there is a twin, then delete the COM file.
| My guess is that all the companion dummies also have the same file size, which
| should help you in spotting them. Note that certain applications could consist
| of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!
|
| Regards, Zvi
| --
| NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
| InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities


Live & Learn !

I should have picked up that he may have parallel REGEDIT.COM and REGEDIT.EXE files. He may
also have the same situation with CMD.EXE and CMD.COM.

Could it also mean he's still infected ?

The email worm Kipis does this but does not affect CMD.EXE.
W32/Kipis.b@MM -- http://vil.nai.com/vil/content/v_130668.htm
 
Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
Then search for all *.COM files in the system32 directory (only!) and see for
each COM if it has an EXE twin. If there is a twin, then delete the COM file.
My guess is that all the companion dummies also have the same file size, which
should help you in spotting them. Note that certain applications could consist
of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!

Regards, Zvi
--

Gee, thanks for all that. You were right on the spot - when I run cmd.exe
from "Run.." it works perfectly.

However I couldn't follow the rest of your solution because the dummy .COM
files simply aren't there. Or anywhere, to be exact. My system execs btw are
not in C:\WINDOWS but in C:\i386\system32 directory, and they work all right
when clicked and so on, but I can't seem to find those dummy files anywhere.
I turned on showing hidden folders and files, I searched the entire disk
for .com's, nada.
 
David H. Lipman said:
From: "Zvi Netiv" <support@replace_with_domain.com>

|
| If you weren't a top poster then the solution would be obvious to you
| immediately.
|
|
| You'll be wasting your time as you'll be in exactly in the same position after
| reinstalling Windows. And yes, there is a simpler solution. Embarrassingly
| simple! ;-)
|
|
| David gave you a good hint here, although he may have missed the big picture.
|
|
| No need to re-expand Regedit, it's there, intact.
|
|
| Whatever struck you created dummy companion files to a number of utilities and
| programs, in order to deny you their use. A "companion" is an executable that
| uses the same name as the EXE object, with a COM extension. When invoking
| REGEDIT, or CMD, plain, without specifying the EXE extension, then the operating
| system will first load the COM file with that name, if one exists in the path.
|
| If you tried REGEDIT.EXE from the 'run' menu, instead of REGEDIT plain, then you
| could run the utility from the desktop. The reason it runs OK from Explorer is
| because in the latter the full pathname of the target object is associated to
| the desktop file-object. The same applies to CMD.EXE (the companion is
| Cmd.com).
|
| Now, if you paid attention to details, then you would know that
| C:\WINDOWS\system32\regedit.com in your first post must be fake, for two
| reasons:
|
| First, since Regedit is represented by an icon in Explorer then it must contain
| an icon resource, and only EXE files have it (COM files are represented by a
| plain rectangle as they contain no icon resource). Therefore, regedit.com
| couldn't be the real thing. Secondly, the path is a giveaway! Most Win
| utilities are stored in the Windows default installation directory, i.e.
| C:\Windows, not in ..\system32. I bet that the other companions will also be
| found in the ..\system32 directory.
|
| Apparently, Sophos didn't do a complete job in cleaning your PC. To resume
| normal operation, delete Regedit.com and Cmd.com from the ..\system32 directory.
| Then search for all *.COM files in the system32 directory (only!) and see for
| each COM if it has an EXE twin. If there is a twin, then delete the COM file.
| My guess is that all the companion dummies also have the same file size, which
| should help you in spotting them. Note that certain applications could consist
| of a legit pair, though, like Edit.com and Edit.exe! Don't kill them!

Live & Learn !

I should have picked up that he may have parallel REGEDIT.COM and REGEDIT.EXE files. He may
also have the same situation with CMD.EXE and CMD.COM.

I mention explicitly that Cmd.exe most probably has a companion Cmd.com, in
third paragraph up from this one.
Could it also mean he's still infected ?

It depends on whether the companion files are just dummies (to prevent the
application from running), or they contain code that regenerates the infection,
like Nimda ( see http://tinyurl.com/bgwn6 ). The OP will soon know, if the
infection returns after having done as I suggested.
The email worm Kipis does this but does not affect CMD.EXE.
W32/Kipis.b@MM -- http://vil.nai.com/vil/content/v_130668.htm

If you thought generics instead of virus-specific AV, then you may have
discovered that W32/Wurmark is a better match, and if you ask me, then it's
neither, but a new worm based on code from previous ones. That would explain
why Sophos failed cleaning it properly.

Regards, Zvi
 
However I couldn't follow the rest of your solution because the dummy .COM
files simply aren't there. Or anywhere, to be exact. My system execs btw
are not in C:\WINDOWS but in C:\i386\system32 directory, and they work all
right when clicked and so on, but I can't seem to find those dummy files
anywhere. I turned on showing hidden folders and files, I searched the
entire disk for .com's, nada.

OK, problem solved (I think).

The thing was I cannot reach the windows\system32 folder through Internet
Explorer (why?). But I have found it through cmd.exe, and then found those
dummy files but first I had to play with "attrib" because they were hidden
and got the system flag on. After "attrib -s -h" and some deleting
everything looks peachy.

Gee, that DOS experience sure comes in handy sometimes.

P.S. Damn that Sophos. Can anybody suggest a better AV?
 
Please correct the right margin of your newsreader (OE 6) to not break lines of
quoted text. Thanks.
Gee, thanks for all that. You were right on the spot - when I run cmd.exe
from "Run.." it works perfectly.

It was just too obvious that a companion was involved.
However I couldn't follow the rest of your solution because the dummy .COM
files simply aren't there. Or anywhere, to be exact. My system execs btw are
not in C:\WINDOWS but in C:\i386\system32 directory, and they work all right
when clicked and so on, but I can't seem to find those dummy files anywhere.
I turned on showing hidden folders and files, I searched the entire disk
for .com's, nada.

In your original post you mention the message returned when attempting to run
REGEDIT from the run menu:
"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\regedit.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Note that the Windows baseline directory in your OP is C:\Windows. Usually, the
default XP directory is \WINNT and \Windows is a common option too. But not
\i386. The discrepancy between this post and the original one may suggest
something, but before I go on, please do the following:

Open the CMD shell (run Cmd.exe), type the command SET, press Enter, and report
here the directory name returned for the variable "Windir" or "SystemRoot" (they
should be the same).

Next, do a search for CMD plain, including hidden and system files, and report
here the list of objects found (include only those named CMD, exclude those that
contain the cmd string as *part* of their name), with their full path.

Please pay attention to not break lines of quoted text in your follow-up (I
won't be the only one to read your post) and avoid top posting.

Regards, Zvi
 
marko said:
OK, problem solved (I think).

Glad to hear that it worked for you. :)
The thing was I cannot reach the windows\system32 folder through Internet
Explorer (why?).

The default Windows shell is Explorer.exe, not Iexplore!
But I have found it through cmd.exe, and then found those
dummy files but first I had to play with "attrib" because they were hidden
and got the system flag on. After "attrib -s -h" and some deleting
everything looks peachy.

You could have done the same with Explorer and 'properties'. Apparently you
failed setting explorer's options to show hidden / system files.
Gee, that DOS experience sure comes in handy sometimes.
Indeed.

P.S. Damn that Sophos. Can anybody suggest a better AV?

Sophos is one of the better AV. Yet your problem is with unrealistic
expectations and a lack of understanding of the objective limitations of
AV. For better protection you need a totally different approach, but this is an
entirely different opera.

Regards, Zvi
 
You could have done the same with Explorer and 'properties'. Apparently you
failed setting explorer's options to show hidden / system files.

Umm..nope. I have that setting on, that's what threw me off when I couldn't
find my exec files. It still confuses me somewhat why that folder doesn't
show up. WinXP security reasons perhaps? Another virus?
 
marko said:
Umm..nope. I have that setting on, that's what threw me off when I couldn't
find my exec files. It still confuses me somewhat why that folder doesn't
show up. WinXP security reasons perhaps? Another virus?

Don't blame everything on virus doing. ;-) For a primer on the subject, read
www.invircible.com/item/53

Note that there are a few settings under explorer's Tools / Folder Options /
View, that relate to the way files and directories are shown.

Regards, Zvi
 