Thread: Windows kicked the bucket. HELP!!!

  1. #1
    Капраз dkmech's Avatar
    Join Date
    Jan 2004
    Location
    On an invisible submarine
    Posts
    3,077
    Thanks
    49
    Thanked
    17 times in 12 posts
    • dkmech's system
      • Motherboard:
      • Asus P5Q Deluxe
      • CPU:
      • Q6600 @3.16GHz
      • Memory:
      • 4gb ddr2 6400
      • Storage:
      • 2*640gb WD Raid 0
      • Graphics card(s):
      • Radeon 6970
      • PSU:
      • 620
      • Case:
      • Coolermaster 690
      • Operating System:
      • Vista 64
      • Monitor(s):
      • 27" Hanns G, 19" Hyundai L90D+
      • Internet:
      • 14Mb

    Windows kicked the bucket. HELP!!!

    Yesterday I was mainly...

    Watching my Windows die in a spectacular fashion.

    I was doing a couple things at once, like updating my firewall (ZoneAlarm) and doing some other things. ZA completed the update and needed a reboot, but I was a bit busy and only rebooted in 10 minutes time after I have sorted some of the things I was doing. During that time the firewall was off. After reboot I started a virus scan (Norton), which promptly found a backdoor IRC bot and a Proto worm (or something like that), which was actually in MSUpdate.exe. As ever it failed to cure it (do AV programs ever cure anything these days?) so I had to settle for a quarantine.

    Then I noticed that none of my shortcuts work. An error message comes up saying that it can't find the file I am asking it to run. Then I noticed that it's not just the shortcuts - nothing does. No fall back to a restore point, nothing at all apart from Windows Explorer.

    So I copy most of the files I need off the c: drive onto others, knowing that I have an image of Windows somewhere if it comes to worst. And that's about the only thing that works.

    I tried rebooting with F8 and booting to last known good configuration, but that didn't work either. First it crashed, second time it booted but it still had the weird nothing found problem.

    I tried inserting a Windows CD (XP Pro) and finding some sort of repair function, but while it browsed the CD interface it refused to take me to the install Windows option where I was hoping to find some repair tools. I was able to boot into recovery console from CD, but I haven't got a clue how to use it. I will search online, but if anyone has any info on commands to use I'll be grateful.

    I have a ghost image of the system from 11 months ago (11 months on same Windows install is kind of a record for me) but I would rather have it repaired if at all possible. Oh, and the ghost floppy was not booting, so I am gonna have to find me a new one today, but that shouldn't be a problem.

    So, the superheroes of HEXUS! Your challenge, if you choose to accept it, is to tell me how to repair it, or it's reinstalling time for me. You have until 5pm.
    Tough on mirrors, tough on the causes of mirrors.

  2. #2
    daft ideas inc. scottyman's Avatar
    Join Date
    Jul 2003
    Location
    Charming and Exotic Bracknell
    Posts
    1,576
    Thanks
    2
    Thanked
    3 times in 3 posts
    ouch...
    Code:
    Virus Profile 
     
    Virus Information 
    Name: W32/Protoride.worm 
    Risk Assessment   
      - Home Users: Low 
      - Corporate Users: Low 
    Date Discovered: 10/7/2003 
    Date Added: 2/24/2004 
    Origin: Unknown 
    Length: 14,3360 bytes (varies) 
    Type: Virus 
    SubType: mIRC Worm 
    DAT Required: 4297 
     
    Virus Characteristics  
     
    This detection is for a worm written in Microsoft Visual C++. 
    
    This worm connects to the following IRC servers on port 6667. It will then await commands from the hacker at specific channels.
    
    RiDe.nightrun.com.ar 
    RiDe.beztia.com.ar 
    RiDe.damaged.com.ar 
    RiDe.digitalsword.com.ar 
    The worm also contains IP scanning capabilities to connect itself to a remote IP. From here the following functions may be performed:
    
    Download and upload of files 
    Execute files 
    Carry out Denial of Service attacks 
    Obtain system information 
    The following registry key is modified to run the worm before any executable on the system:
    
    HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = wd2.exe "%1 %*"
    On certain localized Windows versions the worm copies itself as MsUpdate.exe to the following directories:
    
    \Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
    \Documents and Settings\All Users\Start Menu\Programs\Startup\
    \Windows\Menú Inicio\Programas\Inicio\
    \Windows\Start Menu\Programs\Startup\
    \Windows.000\Menú Inicio\Programas\Inicio\
    \Windows.000\Start Menu\Programs\Startup\
    \Win98\Menú Inicio\Programas\Inicio\
    \Win98\Start Menu\Programs\Startup\
    \WinME\Menú Inicio\Programas\Inicio\
    \WinME\Start Menu\Programs\Startup\
    That'll be your problem
    first of all rename regedit.exe to regedit.com
    (or if that doesn't work, use regedt32.exe to regedt32.com)
    nav to HKEY_CLASSES_ROOT\exefile\shell\open\command
    modify "(Default)" = wd2.exe "%1" %*
    to read "(Default)" = "%1" %*

    Which should fix the problem and prevent more spawning of the worm.
    ...edit - ALSO TURN OFF SYSTEM RESTORE! - else it will cause more problems than it solves.
    Last edited by scottyman; 15-04-2004 at 10:47 AM. Reason: added a warning!
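
The registry change described in post #2 can be checked for offline. The following is an added example, not part of the original thread: it scans an exported .reg file for program-class open commands that differ from the stock `"%1" %*`, and it goes beyond the thread by also checking comfile, batfile, cmdfile and piffile, which share that default. The function names and the sample export are constructed for illustration.

```python
import re

# Default open command for program classes on a clean Windows install.
EXPECTED = '"%1" %*'
CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def unescape(value):
    """Undo .reg escaping of quotes and backslashes inside a string value."""
    return re.sub(r'\\(["\\])', r"\1", value)

def find_hijacked_handlers(reg_text):
    """Return (key, value) pairs whose open command is not the default."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if not (m and key):
            continue
        parts = key.lower().split("\\")
        # Only HKEY_CLASSES_ROOT\<class>\shell\open\command is of interest.
        if (len(parts) == 5 and parts[0] == "hkey_classes_root"
                and parts[1] in CLASSES
                and parts[2:] == ["shell", "open", "command"]):
            value = unescape(m.group(1))
            if value.strip() != EXPECTED:
                findings.append((key, value))
    return findings

# Constructed sample export; the exefile value is modelled on the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="wd2.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

print(find_hijacked_handlers(SAMPLE_REG))
```

Registry Editor normally writes version 5.00 exports as UTF-16, so decode the file to text before passing it to `find_hijacked_handlers`.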

  3. #3
    Капраз dkmech's Avatar
    Lol, I just found that myself, after talking to our sysadmin here and searching Symantec webby. But you beat me to it by 15 mins. Well done and thanks!

    Have a cookie.

    There may be hope for my pc yet.
    Tough on mirrors, tough on the causes of mirrors.

  4. #4
    daft ideas inc. scottyman's Avatar
    *grin* hope so - good luck!

  5. #5
    Капраз dkmech's Avatar
    Phew! Sorted!

    Single registry entry can screw up the pc so completely! Beware...

    Virus scanning the crap out of it now.

    Also had to revert the stupid fade in menus which got changed to when asking for last good config. Does it need more than xp2500 1gb ddr 3200 and radeon 9700pro to have a right click menu fade in within a minute? Mad. Back to normal though, it seems.
    Tough on mirrors, tough on the causes of mirrors.
