Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


cannot remove virus!! cannot open regedit, cmd, etc

  • Please log in to reply
3 replies to this topic

#1 vafmar4


  • Members
  • 14 posts
  • Local time:04:50 AM

Posted 28 April 2009 - 12:00 PM

Please help me out! I have been browsing and working on this for about a week and nothing fixed!
(initially I had more problems like browsing the web, spitting out http errors and specified method is not supported, or just saying no-output, outlook was not retrieving email kept asking me for my username and password and although they were correct nothing happened --- I have fixed those.) NOW --->

It seems that I cannot open regedit, cmd, regedt32, and other exes from the Start/Run.
When I type it in it seems like soft-rebooting my system or opening the My Documents folder.
I have run any antivirus program I could find. I have Norton Antivirus 360 installed. Nothing. Malwarebytes Anti-malware, Spybot, Ad-aware from Lavasoft, Dr. Web, escan... nothing! I also run the Kaspersky Online Scanner (twice) nothing. Also the NOD32 online scanner... nothing.
I did all these from Safe mode while have system restore unchecked.
Hijackthis does not show anything suspicious (as fas as I can tell).
I have also run the Symantec's removal tool for Erkez.b but nothing found to fix.
To be precise, Malwarebytes does not update. I updated to the latest rules.ref from another PC and put it in mine.

Also, I cannot access Mcafee's websites. Still getting error HTTP 505 or 400.

However, when I run every 1-2 hours (while still working on the problem) the Norton antivirus it keeps finding a tracking cookie saying that the risk is low and when I look up the details it always says:
Cookie: user@tribalfusion.com
cookie: user@quantserve.com
couple of other cookies to some other boggus (to me) sites
and last
cookie: Orpan cleanup.
WINPATROL from time to time asks me if I will allow a change for file type .scr from "%1" to "%1 /s", or
to allow for file type .exe from "%1 1*" to "%1 %". (don't know what this is all about!!!)
I have a Hijackthis and Combofix (run from safe mode) log available.

Please let me know what further info I can provide to get some advice on this.
I have a Win XP SP3 system.
Your help is much appreciated!

************************************* -------------------------------------***********************************

I have actually finally resolved this!
The problem was CATCHME.sys. After running all kind of legit antivirus I could find (which none found the problem) I was finally able to resolve this while running COMBOFIX in safe mode. That was the one that found it and resolved it.
Now, regedit, cmd, and other exes will run from Start/Run normally. I am also able to update Malwarebytes.
Run RegistryBooster successfully. And can now browse Mcafee pages with no errors whatsoever!

My question now is this: ComboFix has the catchme.log in the quarantine folder and the catchme.sys in folder named "C".
Should I manually delete those?? I have manually deleted from the registry the key LEGACY_CATCHME.
Should I post the log from Combofix to get a more expert advice on what to do after?

And another thing I would like some help or info: I am still running Winpatrol and it is still popping from time to time a window asking me if I will allow a change for file type .scr from "%1" to "%1 /s", or allow for file type .exe from "%1 1*" to "%1 %". Is this normal? Should I allow or not?

Thanks a lot in advance for all the help you can give me!

P.S. I run Norton 360, should I report this to them?

Edited by vafmar4, 28 April 2009 - 01:45 PM.

BC AdBot (Login to Remove)


#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:50 PM

Posted 29 April 2009 - 08:59 PM

If I remember correctly Combofix's quarantine folder is named Qbox

allow a change for file type .scr from "%1" to "%1 /s", or allow for file type .exe from "%1 1*" to "%1 %". Is this normal? Should I allow or not?

Not real sure on this one. Have you uninstalled Combofix yet?

Go to start > run and copy and paste or type next command in the field then hit enter:

ComboFix /u

Note: There's a space between Combofix and /
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 vafmar4

  • Topic Starter

  • Members
  • 14 posts
  • Local time:04:50 AM

Posted 05 May 2009 - 05:07 AM

Thanks garmama for the reply!
One question though, why should I remove/uninstall now Combofix?
Didn't know that I should.
Anyways, about the issue with winpatrol's popping windows it's fixed. I run over and over some anitvirus programs and I guess it was taken care (don't know what it was, perhaps some left overs from my original issue).

thanks again!

#4 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:50 PM

Posted 05 May 2009 - 06:42 AM

A little knowledge is a dangerous thing, ignoring instructions and advice make it even more so.

You were lucky this time, if you removed all the infection? Winpatrol can interfer with a malware cleaning, like registry changes. 360 can interfer with scanning and fixing infections.

Your question about leaving Combofix indicates your need to self educate about this specialized tool, like reading the text in blue at the top of this page.

Edited by DaChew, 05 May 2009 - 06:42 AM.


No. Try not. Do... or do not. There is no try.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users