Yet Another Place to Look for Virus Infestation
There is yet another place to look for evidence of a prior virus infestation. Just as some virii will set themselves up as a wrapper on the browser and intercept all traffic, other virii will install themselves as a wrapper on all applications at the OS level. Try to run an executable or control panel and see if you get an error message like below.
If you are getting error messages like this, open the registry. Press “Start“–>”Run“–>”command“. When the DOS window opens, type regedit. Remember, you cannot type cmd because .exe’s and .cpl’s are not running. Cmd.exe will not run but command.com will. In Registry Editor, go to HKEY_Classes_Root\.exe\shell\open\command. Your entry for “default” should be ‘ “%1″ %* ‘. In this example, note how all executables are funneled through a virus program called “kmd.exe”. The program “kmd.exe” got swept up and deleted quite some time ago in an antivirus sweep. However, this line in the registry remained as is, and no other programs have been able to run since then. To fix this, delete the “C:\..\..\kmd.exe -a ” portion and you should be able to run executables and control panels after this.
Perform the same step in HKey_Classes_Root\exefile\shell\open\command on the key for default.
In this instance, a further search in the registry on “kmd” also found two more infected keys. The first is in HKEY_Local_Machine\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command. To fix this, delete the “C:\..\..\kmd.exe -a ” portion to be able the run the executable, in this case firefox.exe.
The other infected key is in HKEY_Local_Machine\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command. To fix this, delete the “C:\..\..\kmd.exe -a ” portion to be able the run the executable, in this case iexplore.exe.
Your system should return to normal after this.