
System Admin: 0 vs. Viruses: 9 - Windows ME Restore Question

Okay, so I convinced our system admin here to finally run a virus scanner on his machine, and lo and behold, a total of 9 viruses and 250 infected files showed up. Wonderful. I did the usual with Norton and it removed or quarantined everything, except VBS.Stages.A I believe. Now I can't run any applications; trying to do so gives me a message along these lines: "You have typed a name incorrectly in the run dialog or another program cannot find the system file." Which is odd, because I'm just trying to execute programs via shortcuts, not Run commands.

So, I figured let's just go to Add/Remove Programs in the Control Panel, and I thought I remembered a "System Restore" option. Although I can get into the Control Panel, whenever I try to open something like "Add/Remove Programs" or "Users" I get an error telling me I don't have administrative privileges. There was only 1 account set up on that computer before, which was set as Admin.. hrm..

Basically what I need is a way to restore ME's system files without deleting all HDD data. The admin has about 250 megs worth of files he needs and is too stubborn to get them off the HDD via CD-R or FTP (arggg)... Anyways, I've done an emergency DOS virus scan, booted in safe mode and done a virus scan, and that's about all I can do at this time. I even tried getting some of the manual virus removal tools from Symantec, but I can't execute them even if I copy them from a floppy straight to the HDD; it still gives me the "You have typed a name incorrectly...." error. I can't even view regedit or msconfig to see what's going on..

Suggestions are appreciated!

Thanks

-RJ
 
I would look at the win.ini file. If you see a strange run= or other path, then that is the problem. I think that something (one of the viruses) may have flummoxed the path to command. Look at the win.ini and then search Symantec's page for viruses that modify the win.ini/command paths.

I will try to look but I am tight on time...

Quick find on the Symantec site

Linkified

This is how you can get the system up and running after Norton deletes something.... Good read
 
It should actually be in the registry. There are a couple of viruses that will attach a junk file to the run command, so when you try to open a program it will look for the junk file and say it can't find it. If you have a list of the 9 viruses, go to www.sarc.com and look up each one until you find the one that did this.

The Navidad virus is one that did this; it added winsvrc.exe to the open key in the registry.

~erik
 
How can i get to the registry to edit it - the virus won't let me.. arg

There's nothing suspicious in the win.ini file, i already checked there..
 
Oh sorry. You have to rename it to regedit.com.

The key in the case of the Navidad virus is hkey_classes_root\exefile\shell\open

It changes the entry (Default).

~erik
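A defender-side check for the kind of registry change discussed in this thread, added here as an example and not code posted by anyone in the thread. It parses a regedit export (a constructed sample is embedded; the dropped-file path in it is a placeholder) and flags the exefile and comfile open-command handlers whose (Default) value differs from the stock `"%1" %*`, which is what a hijacked executable association looks like. On a real machine you would export the keys with regedit and feed the file's text to `parse_reg_export`.

```python
import re

# Constructed sample of a regedit export for this example. The exefile
# handler has been altered to launch a placeholder dropped file first;
# the comfile handler still holds the stock value.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\EXAMPLE\\dropped.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

# Stock launch strings for executable associations on Windows 9x/ME.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

_KEY_RE = re.compile(r'^\[(.+)\]$')
# A string-typed (Default) value: @="..." with backslash escapes inside.
_DEFAULT_RE = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: default_value} for every key in a .reg export
    whose (Default) value is a plain string. Expandable-string values
    exported as @=hex(2):... are skipped by this parser."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = _DEFAULT_RE.match(line)
        if value_match and current:
            # .reg files escape backslash and double quote with a backslash.
            defaults[current] = re.sub(r'\\(.)', r'\1', value_match.group(1))
    return defaults


def find_hijacked_handlers(defaults):
    """Return (key, actual, expected) for every monitored handler whose
    launch string is missing or differs from the stock value."""
    findings = []
    for key, expected in EXPECTED_DEFAULTS.items():
        actual = defaults.get(key)
        if actual != expected:
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for key, actual, expected in find_hijacked_handlers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}: found {actual!r}, expected {expected!r}")
```

The check reads the `command` subkey under `shell\open`, since that is where the actual launch string lives; anything in front of `"%1" %*` is a program that runs every time any executable is started, which is why, in the thread, nothing could be launched once the referenced file was quarantined.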
 
<< oh sorry. you have to rename it to regedit.com.

the key in the case of the navidad virus is hkey_classes_root\exefile\shell\open

it changes the entry (Default)

~erik
>>

Thanks Erik for the suggestion! The virus was actually not Navidad, but it appears to be a variant of SirCam. I renamed regedit as you mentioned to a COM file and looked in the "hkey_classes_root\exefile\shell\open" value you had mentioned, where I saw a value that looked like "%1 SirCam". I deleted the value out of the registry, renamed regedit back to REGEDIT.exe and restarted. Voila! The system is back to normal once again!

I sincerely appreciate the help 🙂
 
Now that the situation is fixed, I'd like to say that your Sys Admin sounds more like a user than an Admin.
Admins are supposed to actually care about stuff like that. Good thing he has you to kick him in the a$$
 
<< Now that the situation is fixed, Id like to say that your Sys Admin sounds more like a user then an Admin. Admin's are supposed to actually care about stuff like that. Good thing he has you to kick him in the a$$ >>

Most decent companies have a phrase for admins like that. "You're fired!" L users get away with it more often because they are supposed to be morons. 😉
 
The box really should be reloaded, it's the only way to be 100% sure you're clean and it would be a good kick in the balls to that idiot.
 
> The box really should be reloaded, it's the only way to be 100% sure you're clean and it would be a good kick in the balls to that idiot.

I agree. While you should be 'clean' now, you have no way of knowing what file damage those 9 different viruses caused. I hope you got your 'admin' to leave NAV on the machine (and autoprotect running).

Bill
 