Virus !!!!!!!!! Drive Openwith after cleaning trojan !!!!

  • Question

  • Hi,

    I can't open my drive C and D by double clicking it. It is popping up the window for Openwith and it is annoying for me to access the drive like this. Please update me if anyone knows the solution for this.

    Thanks,
    Anas

    Anas
    Sunday, August 17, 2008 9:23 AM

Answers

  • Hi robert,

    I found a temporary solution for this issue. But I am waiting for the patch from Microsoft, because I am working as a network admin in an enterprise office and it is very difficult to do this manually on all PCs like this.

    Please try to find one tool Flash_disinfector.exe from http://www.esnips.com/doc/29a0d024-a50a-47c5-ad89-3bb31ec5853e/Flash_Disinfector

    Or

    Do manual cleaning ini files as follows.

    Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
    Stop wscript.exe process if available by highlighting the process name and clicking End Process.
    Then terminate explorer.exe process.
    In Task Manager, click on File -> New Task (Run…).
    Type "cmd" (without quotes) into the Open text box and click OK.
    Type the following commands one by one, each followed by hitting the Enter key:
    del c:\autorun.* /f /s /q /a
    del d:\autorun.* /f /s /q /a
    del e:\autorun.* /f /s /q /a

    c, d, e each represents a drive letter on the Windows system. If there are more drives or partitions available, continue the command by changing to the other drive letters. Note that you must also clean the autorun files from any USB flash drive or portable hard disk, as the external drive may also be infected.

    In Task Manager, click on File -> New Task (Run…).
    Type "regedit" (without quotes) into the Open text box and click OK.
    Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Check if the value name and value data for the key are correct (the value data for userinit.exe includes the path, which may be on a drive other than C, which is also valid; note also the comma, which is also needed):
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"

    If the value is incorrect, modify it to the valid value data.


    Anas
    • Marked as answer by AnasV Thursday, August 21, 2008 12:58 PM
    Thursday, August 21, 2008 12:57 PM

All replies

  •  Hi

    I am guessing that Forefront has not picked up anything after being updated and running a full scan.  Also, the scan should have been run in safe mode with system restore turned off.

    If so, can you open your C: and D: drives using explorer or the run command?  I have seen this behavior and have to open my drives by right clicking them and choosing explore.  From there look for an autorun.bat or autorun.inf file.  Open it and see if it has anything in it like copy.exe or similar.  If so, try to remove both the copy.exe file and the autorun.inf file.

    Before deleting these, post back here and let me know what you found.

    Thursday, August 21, 2008 8:06 AM
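
A read-only way to run the checks from this thread across many machines, as an added example that is not part of any post: it lists autorun.* files in each drive root, shows the launch lines of any autorun.inf, and compares the Winlogon Userinit value with the one given in the answer. It assumes PowerShell 3.0 or later and an elevated prompt; the `$findings` layout is a choice made for this example, and nothing is deleted or changed.

```powershell
# Added example: audit only, no file or registry value is modified.
$findings = @()

# 1. autorun.* in the root of every file-system drive (fixed and removable).
#    -Force includes hidden/system files, which is how these files are usually set.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    if (-not (Test-Path -LiteralPath $drive.Root)) { continue }   # e.g. empty card reader
    $files = Get-ChildItem -LiteralPath $drive.Root -Filter 'autorun.*' -File -Force `
                 -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $launch = @()
        if ($f.Extension -ieq '.inf') {
            # Keys that make Explorer start a program when the drive is opened
            $launch = @(Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=' })
        }
        $findings += [pscustomobject]@{
            Check  = 'AutorunFile'
            Item   = $f.FullName
            Detail = ($launch -join ' | ')
        }
    }
}

# 2. Winlogon Userinit: expected "<SystemRoot>\system32\userinit.exe," (trailing comma included).
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $key -Name Userinit).Userinit
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($userinit -ine $expected) {
    $findings += [pscustomobject]@{
        Check  = 'Userinit'
        Item   = $key
        Detail = "found '$userinit', expected '$expected'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no autorun.* in drive roots, Userinit as expected"
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A legitimate autorun.inf on an installation CD or vendor USB stick will also be listed, so review the Detail column before removing anything.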
  • Hi, I am not able to run this. Other links were not downloading, like the bleepingcomputer site maybe; here I could download, but I get the following msg, though it exists on the desktop:
    i.e. Cannot open and the path, and close button displays, and can't proceed later on. I'm opening in the Admin login only, coz anyways other login not able to open this. Please help on this.
    Saturday, May 30, 2009 10:05 AM
  • Manual method I wanted to try, but it looks like this on my machine:

    In Task Manager, click on File -> New Task (Runâ?¦).
    Type â??cmdâ?? (without quotes) into the Open text box and click OK.

    See these two lines
    â??cmdâ??
    Runâ?¦
    is the cause of worry, So please help me on this. I would be grateful to you.
    Saturday, May 30, 2009 10:10 AM