.msc files saying "Access is denied"

By abhinav2104

I am using Windows XP SP2 with Norton Antivirus 2006. Recently when I used a USB pen-drive, the antivirus said it could not resolve the following viruses:

1. w32.sillyfdc
2. w32.ircbrute

These viruses make certain registry changes.

Now after that all the .msc files have stopped working and give the message "Access is denied". Also I received an update from Windows Media Player, to which I said no.

After looking up on Google, it seemed that this was a recent problem and that other people have also reported the same in the months of November and December 2008.

The Windows update thing is a ploy by w32.sillyfdc to download certain files.

After running a full system scan, the antivirus reports no virus/trojan. I believe the viruses have been removed and now the registry has to be changed back so that .msc files run again.

How do I do that? How does one make changes to .msc file entries, i.e. what binary values need to be set now? How does one make a copy of the registry?

Thanks in advance

All Answers

I can't find a surefire removal but this is what I would try

by Jacky Howe In reply to .msc files saying "Access ...

Well first off you have to remove them and also from your USB drive. Start with your PC first and use the instructions below to Turn off Autoplay before attacking the USB drive. It can always be re-enabled by reversing the instructions. Turn off System Restore at the first opportunity.

Boot into Safe Mode and log on if it is required. Wait until it has finished loading. Press Ctrl+Alt+Del at the same time and hopefully you will have the Task Manager.
If you have access click on the Applications Tab. Down the bottom right you will see New Task, click on it.
In the box Open: type msconfig and click OK.
Now if you have the Configuration Utility open.
Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, save the settings and restart the PC.

Download Malwarebytes Anti-Malware.
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

Malwarebytes Forums
http://www.bleepingcomputer.com/forums/lofiversion/index.php/f79.html

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Just to be on the safe side when you finish do an online scan with Bitdefender or Google for an online scanner.
http://www.bitdefender.com/scan8/ie.html

After you complete your troubleshooting and fix your configuration, return to a normal startup. To do this, follow these steps:
Click Start, Run type msconfig and then press ENTER.
On the General tab, click Normal startup, and then click OK.
Click Restart.

How To Disable Autorun XP Pro

Go to Start Menu > Run and type gpedit.msc
Select Administrative Templates > System
Select "Turn off Autoplay" from right.
Set the radio button to Enabled, and change the "Turn off Autoplay on" to All Drives.

XP Home users will need to make the changes by editing the registry directly. To begin, click Start and then click Run
Type regedit and click OK. The Registry Editor window will open. Back up the Key before proceeding as it can be used to reverse the procedure.
In the left pane, navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
With Explorer highlighted, in the right-pane right click the value NoDriveTypeAutoRun and select Modify from the drop down menu. The base value will be set to Hexadecimal. If not, select Hexadecimal.
Type 95 and click OK.

After running the above processes you can either use the instructions below or try scanning the USB with MalwareBytes.
Open the Command Prompt by typing "cmd" in the run box. In the command prompt type the drive letter of the USB drive and press enter. Now type dir /w/a and press enter.
This will display a list of the files in the pen drive. Check whether the following files are there or not

Autorun.inf
Ravmon.exe
New Folder.exe
svchost.exe
Heap41a

or any other exe file which may be suspicious.

If any of the above files are there, then probably the USB drive is infected. In command prompt type attrib -r -a -s -h *.* and press enter. This will remove the Read Only, Archive, System and hidden file attribute from all the files. Now just delete the files using the command del filename. example del Ravmon.exe. Delete all the files that are suspicious. To be on a safer side, just scan the USB drive with an anti virus program to check whether it is free of virus or not. Now remove the drive and plug it again. In most of the cases, the real culprit turns out to be the "Autorun.inf" file which mostly gets executed when someone clicks Ok in the dialog window which appears above. Thus the infections can spread

w32.sillyfdc
http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=2

w32.ircbrute
http://www.symantec.com/security_response/writeup.jsp?docid=2008-062014-2448-99&tabid=2

Keep us informed as to your progress if you require further assistance.

@Current Situation

by abhinav2104 In reply to I can't find a surefire r ...

Norton says no virus on the computer, so I am presuming that the virus has been removed but it has made some registry changes because of which my .msc files are not working. Can you suggest the changes that need to be made to the registry so that .msc files start working again...

Solution at last!! (I hope it is correct and not a quick fix only!!)

by abhinav2104 In reply to .msc files saying "Access ...

Well after going through Google again, I found the solution. It seems that the virus broke the file association between .msc files and mmc.exe as all of them were set to open with "unknown application". I made them open through the mmc.exe file in system32 folder and they are working now!!!

That's great <nt>

by Jacky Howe In reply to Solution at last!!( i hop ...

ini files and .bat files

by snoop168 In reply to Solution at last!!( i hop ...

Guys this virus breaks the .ini and .bat files as well. If you try to right click on an ini file and click open it will give an error... Same with the .bat file when you click edit.

1) To fix them go to Start-> Run

2) Type regedit and press enter.

3) Navigate to the following one at a time:

HKEY_CLASSES_ROOT -> inifile -> shell -> open -> command

or

HKEY_CLASSES_ROOT -> batfile -> shell -> edit -> command

4) Open the (Default) key on the right pane and look at the path that is in the "Value Data" box. You will probably have:

%SystemRoot%\System32\NOTEPAD.EXE %1"
(yes that is a double quote at the end)

You should remove the double quote to only have

%SystemRoot%\System32\NOTEPAD.EXE %1

5) Press ok. Done. (repeat for inifile or batfile the opposite of what you just did.) Then you can close regedit


Guys the point here is this virus breaks the .msc extension which I still haven't fixed, it also breaks the INI and BAT.... WHAT ELSE DOES IT BREAK?
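
Added example (not part of any post in this thread): a Python sketch that reads a Registry Editor `.reg` export and lists every `shell\<verb>\command` default value with an unbalanced double quote, the damage described for inifile and batfile above. It goes beyond those two keys by checking every file class in the export; the function names and the sample export are constructed for illustration.

```python
import re

def hex2(s):
    """Encode text the way regedit exports a REG_EXPAND_SZ: UTF-16LE bytes plus NUL."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

def decode_value(raw):
    """Decode the right-hand side of a .reg value line; None if it is not a string."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # REG_SZ: undo \\ and \" escapes
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\0")
    return None

def audit_commands(reg_text):
    """Return [(key, command)] for shell command defaults with an unbalanced quote."""
    reg_text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)    # join wrapped hex lines
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                             # current registry key
        elif line.startswith("@=") and key and re.search(
                r"\\shell\\[^\\]+\\command$", key, re.I):
            cmd = decode_value(line[2:])                 # "@" is the (Default) value
            if cmd is not None and cmd.count('"') % 2:
                findings.append((key, cmd))
    return findings

# Constructed sample export: inifile carries the stray quote from the post, batfile is clean.
GOOD = r"%SystemRoot%\System32\NOTEPAD.EXE %1"
SAMPLE = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_CLASSES_ROOT\inifile\shell\open\command]",
    "@=" + hex2(GOOD + '"'), "",
    r"[HKEY_CLASSES_ROOT\batfile\shell\edit\command]",
    r'@="%SystemRoot%\\System32\\NOTEPAD.EXE %1"', "",
])

if __name__ == "__main__":
    for key, cmd in audit_commands(SAMPLE):
        print(f"{key}\n    {cmd!r}")
```

A real "Version 5.00" export is UTF-16 text, so read it with `open(path, encoding="utf-16").read()` before passing it to `audit_commands`.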
