Topic: Missing File - Help!

[Simon]

I suffered a virus infection last night.  It was from a file I had downloaded fron Kazaa, but unfortunately, it infected my machine before Norton had updated it's virus definitions, and alerted me to it.  The virus was W32.Kwbot.C.Worm, and it is transmitted in Kazaa and iMesh file transfers.  Click Here for more details.

This is a particularly nasty little b^£^%$&d, and it took me about 2 hours to free my machine of all infection.  It creates registry entries, and corrupts what seems to be a system file, which Norton failed to be able to deal with.  Apart from feeling seriously let down by Norton (I had downloaded the file at least two days before they got round to putting out an auto update), I am now left with a problem, which is this:

The file Norton had trouble handling was C:\Windows\System32\cmd32.exe.  I'm not sure if this file was there before the virus and was infected, or was actually placed there by the virus.  It did try to access the web, but fortunately my firewall stopped it (at least that worked, Norton!).  In the end, as the file would not delete, and kept running on boot up, I renamed it, and managed to move it to the Recycle Bin, where Norton also managed to disinfect it, but in doing so, deleted it.

I am now left with the problem that each time Windows starts, I get an error message that the file could not be found.  I have looked everywhere to try to stop Windows (XP) trying to run the file at startup, but without success.  Windows seems to be running fine without the cmd32.exe, so my questions are as follows:

1. Do I actually need this file?

2. Was it there before the virus infection?

3. How do I replace the file, or stop the startup error message?  

4. How does SFC (System File Checker) work in XP?  It's not the usual command.

Thanks for any help!

[Clive]

I don't appear to have that file on my XP which may answer two of your questions.

To find out about system file checker on XP take a look at

http://www.anzwers.org/free/xpdsl/sfc.htm

[bat69]

this is where DOS comes in very useful, to enable deletion of these spurious files.

Do you have Norton Utilities Simon? You can use the system check there to delete any dead registry links, as I think that is what this is

[Simon]

Just popped in for a minute - will try both of thoise ideas later - thanks guys!

Any further suggestions welcome!  

[Lona]

One suggestion, Simon. Sue Norton and ask for your money back

[Simon]

No success so far!  Scanned registry, and there were no matching entries.  Ran Norton Utils, and found some fixes but still getting error at start up.  

[Simon]

One suggestion, Simon. Sue Norton and ask for your money back

Who is Sue Norton, and what's she doing with my money?  

[Lona]

It just goes to show you Simon, never trust anyone called Norton

[Adept]

I think you'll find that the cmd32.exe is part of the virus infection Simon.

Windows is trying to start it because there is a command in the Registry Run key.

Have you followed the removal instructions given in the Symantec Security Response you provided the link to? This will tell you how to remove the offending command.

[Simon]

I have, but I'll go through it again, because this will drive me nuts until I get it sorted!   >

[Simon]

Well I went through the registry and deleted anything connected to Kazaa, and found a couple more cmd32 values, so deleted them as well.

Fired up and could get on internet, but no web pages, and no messenger or e-mails.

Powered off in despair, then powered on again, and all seems OK!!

Phew!  That was close!  

[Clive]

Heart keep beating!!    Glad it's sorted Simon.

[bat69]

Great news, but I'll still be using KaZaA ... I'll just be careful what I download ... I try to quarantine any exe files and scan them before running them, I usually have them quarantined for a few days ... mainly cos I'm too slow to run them  

[Simon]

I automatically scan everything I download, from anywhere, but in this case Norton was a bit behind with the virus definition updates, so even scanning didn't show up the virus until 2 days later when the auto update came through.