Asked by:
i need urgent help!

General discussion
-
My computer has been infected with a virus. I cannot run any execs, only if I run as administrator. I can't run msconfig or regedit from the Run section.
Could I get possible help to resolve this issue?
- Changed type JimR1Moderator Saturday, February 27, 2010 1:34 PM
- Moved by JimR1Moderator Saturday, February 27, 2010 1:34 PM Off topic. Not an MSE question. (From:Microsoft Security Essentials: Scanning, Detecting, and Removing Threats)
Saturday, February 27, 2010 4:46 AM
All replies
-
Hi,
I am guessing you have one of the current malware versions using AV.exe, and even if you
don't, use these methods to detect and remove the malware.
Try Safe Mode with networking - repeatedly tap F8 as you boot up.
The top two methods allow the scanners to run and/or get AV.exe out of the way for removal.
1.
CTRL SHIFT ESC - Task Manager OR Right Click the TaskBar - Task Manager
Processes tab - End Process on AV.EXE and then proceed with the Uninstall Guide.
Then if needed use Start - Computer OR Windows Explorer to navigate to
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or wherever it is installed - if
needed Right Click the Malwarebytes shortcut - Properties - Shortcut tab - target line to see where it
is installed.
Right Click on it and Rename it to ZZMbam.COM (or anything different than it is now) and
then double click on it and run it that way. You can rename it back later. Do similar with
other programs as needed. Use this method for others as needed - DO NOT ASSUME any
one program removes it all or that there is not other malware involved.
---------------------------------------------------
2.
Another method is to use these:
Use Process Explorer to "Suspend" not Stop the Processes
Then use AutoRuns to remove the malware startup items.
Now use UnLocker to delete the files in the malware.
You may have to do this one file at a time.
Process Explorer - Free
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
AutoRuns - Free
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
UnLocker - Free (do not install the eBay adware)
http://www.softpedia.com/get/System/System-Miscellaneous/Unlocker.shtml
AV.exe
==============================================
There are many names for this malware :
XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 are rogue antivirus
scams to force you to pay for them while they have no benefits at all.
How to remove all versions :
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010
RENAME these as needed to allow them to run: (renaming .exe to .com can help as well)
These can be done in Safe Mode - repeatedly tap F8 as you boot however you should also run them
in regular Windows when you can.
Download malwarebytes and scan with it, run MRT, and add Prevx to be sure it is gone. (If Rootkits
run UnHackMe)
Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN
Malwarebytes - free
http://www.malwarebytes.org/
Run the Microsoft Malicious Removal Tool
Start - type in Search box -> MRT find at top of list - Right Click on it - RUN AS ADMIN.
You should be getting this tool and its updates via Windows Updates - if needed you can download it
here.
Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN
(Then run MRT as above.)
Microsoft Malicious Removal Tool - 32 bit
http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Microsoft Malicious Removal Tool - 64 bit
http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
also install Prevx to be sure it is all gone.
Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN
Prevx - Home - Free - small, fast, exceptional CLOUD protection, works with other security programs.
This is a scanner only, VERY EFFECTIVE, if it finds something come back here or use Google to see
how to remove.
http://www.prevx.com/ <-- information
http://info.prevx.com/downloadcsi.asp <-- download
PCmag - Prevx - Editor's Choice
http://www.pcmag.com/article2/0,2817,2346862,00.asp
Try the trial version of Hitman Pro :
Hitman Pro is a second opinion scanner, designed to rescue your computer from malware (viruses,
trojans, rootkits, etc.) that have infected your computer despite all the security measures you have
taken (such as anti virus software, firewalls, etc.).
http://www.surfright.nl/en/hitmanpro
--------------------------------------------------------
If needed here are some online free scanners to help
http://www.eset.com/onlinescan/
http://onecare.live.com/site/en-us/default.htm
http://www.kaspersky.com/virusscanner
Other Free online scans
http://www.google.com/search?hl=en&source=hp&q=antivirus+free+online+scan&aq=f&oq=&aqi=g1
--------------------------------------------------------
Also do these to cleanup general corruption and repair/replace damaged/missing system files.
Run DiskCleanup - Start - All Programs - Accessories - System Tools - Disk Cleanup
Start - type this in Search Box -> COMMAND find at top and RIGHT CLICK - RUN AS ADMIN
Enter this at the prompt - sfc /scannow
How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program
generates in Windows Vista cbs.log
http://support.microsoft.com/kb/928228
Run checkdisk - schedule it to run at next start and then Apply OK your way out then restart.
How to Run Check Disk at Startup in Vista
http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html
-----------------------------------------------------------------------
If any Rootkits are found use this thread and other suggestions. (Run UnHackMe)
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/a8f665f0-c793-441a-a5b9-54b7e1e7a5a4/
Hope this helps.
Rob - Bicycle - Mark Twain said it right.
Saturday, February 27, 2010 4:58 AM
-
Hi,
Use above message to do an intense and thorough check for malware.
To restore the ability to run .exe programs:
1. Make a Restore Point so you can revert back if needed though not likely required.
How to Create a System Restore Point in Vista
http://www.vistax64.com/tutorials/76332-system-restore-point-create.html
How to Do a System Restore in Vista
http://www.vistax64.com/tutorials/76905-system-restore-how.html
2. Copy BETWEEN these lines and paste into Notepad - Save as exefileFix.reg - then Right
Click on it and MERGE - REBOOT
DO NOT COPY LINES
-----------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.EXE]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
--------------------------------------------------------------
DO NOT COPY LINES
If needed :
Check the EXE file fix here
http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html
Also check this one if it applies
http://www.winhelponline.com/articles/165/1/Restore-the-exe-file-association-in-Windows-Vista-after-incorrectly-associating-it-with-another-application.html
How to Set Default Associations For a Program in Vista
http://www.vistax64.com/tutorials/83196-default-programs-program-default-associations.html
Hope this helps.
Rob - Bicycle - Mark Twain said it right.
Saturday, February 27, 2010 4:59 AM
-
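An added example, not code from this thread or from any of the tools it links: a PowerShell audit that checks the same .exe launch chain the first reply works around (the rename-to-.com trick) and the exefileFix.reg above repairs. The "expected" values are the ones that .reg writes; it assumes an elevated PowerShell 2.0 or later prompt on Vista/7, opened after AV.exe has been ended as in step 1 of the first reply (while the hijack is active, anything launched through the shell as an .exe may be intercepted). The per-user and Run-key checks are my additions: the thread only names the UserChoice key, but HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a merge that only touches HKCR can leave a per-user hijack in place.

```powershell
# Audit of the .exe launch chain for the association hijack discussed in this thread.
# Added example, not code from the thread. Assumes an elevated PowerShell (2.0+, Vista/7)
# opened after AV.exe has been ended; the "expected" values are those exefileFix.reg writes.

function Get-DefaultValue($Key) {
    # (default) value of a registry key, or $null when the key does not exist.
    if (-not (Test-Path "Registry::$Key")) { return $null }
    return (Get-Item "Registry::$Key").GetValue('')
}

function Test-ShellOpen($Ext, $ExpectedProgId) {
    # Follow HKCR\<ext> -> <progid>\shell\open\command the way Explorer and the Run box do,
    # and flag anything other than the stock "%1" %* launcher. A hijack normally puts the
    # malware's own path in Command, so that value is the one to read.
    $progId = Get-DefaultValue "HKEY_CLASSES_ROOT\$Ext"
    $cmd = $null
    if ($progId) { $cmd = Get-DefaultValue "HKEY_CLASSES_ROOT\$progId\shell\open\command" }
    New-Object PSObject -Property @{
        Ext     = $Ext
        ProgId  = $progId
        Command = $cmd
        OK      = (($progId -eq $ExpectedProgId) -and ($cmd -eq '"%1" %*'))
    }
}

# 1. Merged (HKCR) view for .exe, and for .com, which the rename-to-.com trick depends on.
Test-ShellOpen '.exe' 'exefile' | Format-List Ext, ProgId, Command, OK
Test-ShellOpen '.com' 'comfile' | Format-List Ext, ProgId, Command, OK

# 2. Per-user overrides. HKCU\Software\Classes wins over HKLM\Software\Classes in the HKCR
#    merge, and a FileExts UserChoice entry overrides both, so none of these keys should
#    exist on a clean machine; if one does, that is where the hijack lives.
$userKeys = @(
    'HKEY_CURRENT_USER\Software\Classes\.exe',
    'HKEY_CURRENT_USER\Software\Classes\exefile',
    'HKEY_CURRENT_USER\Software\Classes\.com',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)
foreach ($k in $userKeys) {
    if (Test-Path "Registry::$k") {
        Write-Warning "Per-user override present: $k"
        @(Get-Item "Registry::$k") + @(Get-ChildItem "Registry::$k" -Recurse -ErrorAction SilentlyContinue) |
            ForEach-Object { "    $($_.Name) = $($_.GetValue(''))" }
    }
}

# 3. Run/RunOnce autostarts (the part of the Autoruns step that matters for this family);
#    entries launching from a profile or temp path are the ones to examine first.
$runKeys = @(
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path "Registry::$k")) { continue }
    $item = Get-Item "Registry::$k"
    foreach ($name in $item.GetValueNames()) {
        $cmd  = $item.GetValue($name)
        $flag = ''
        if ($cmd -match '(?i)\\(AppData|Application Data|Local Settings|Temp)\\') {
            $flag = '   <-- profile/temp path, check it'
        }
        "$k : $name = $cmd$flag"
    }
}
```

Read the output top to bottom: if section 1 reports OK = False for .exe but .com is intact, the rename trick in the first reply will work; if section 2 lists a per-user key, merge the .reg and then delete that key as well, because the HKCR merge alone will not remove it; section 3 is only a starting list, so still run Autoruns and the scanners as the replies say rather than assuming one entry is the whole infection.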
Yeah, it is the AV.exe. I have closed the process. Is there any way I can get to talk to you? Or maybe even on TeamViewer so you can help even more?
And the things it's doing: I can't run Task Manager from the taskbar, but I can if I Ctrl+Alt+Delete. I have also located where regedit has been put.
Saturday, February 27, 2010 5:08 AM
-
Hi,
Sorry, this is not live. Run those detection methods in an intense manner (meaning use them all) and
rename any that will not run using a different name and extension. Be sure to name them back to
what they were later.
mbam.exe rename to ZZmbam.com
mrt.exe rename to ZZmrt.com
and so on - the name to the left of the .com is totally optional but has to be different than it was
originally.
Rob - Bicycle - Mark Twain said it right.
Saturday, February 27, 2010 5:15 AM
-
http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html
I fixed the exes with this and I got rid of the AV.exe, and found its file where it was uploaded and deleted it. I used AVG and it threw it into the vault. Now I am using Malwarebytes.
I do not know how to use Regedit.
Saturday, February 27, 2010 5:21 AM