I need urgent help!

  • My computer has been infected with a virus. I cannot run any execs, only if I run as administrator, and I can't run msconfig or regedit from the Run box.

    Could I get some help to resolve this issue?
    • Changed type JimR1Moderator Saturday, February 27, 2010 1:34 PM
    • Moved by JimR1Moderator Saturday, February 27, 2010 1:34 PM Off topic. Not an MSE question. (From: Microsoft Security Essentials: Scanning, Detecting, and Removing Threats)
    Saturday, February 27, 2010 4:46 AM

All replies

  • Hi,

    I am guessing you have one of the current malware versions using AV.exe, and even if you
    don't, use these methods to detect and remove the malware.

    Try Safe Mode with networking - repeatedly tap F8 as you boot up.

    The top two methods allow the scanners to run and/or get AV.exe out of the way for removal.

    1.
    CTRL SHIFT ESC  - Task Manager  OR Right Click the TaskBar - Task Manager

    Processes tab - End Process on AV.EXE and then proceed with the Uninstall Guide.

    Then if needed use Start - Computer  OR  Windows Explorer  to navigate to

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe  or wherever it is installed - if
    needed, Right Click the Malwarebytes shortcut - Properties - Shortcut tab - Target line to see where it
    is installed.

    Right Click on it and Rename it to ZZMbam.COM (or anything different from what it is now) and
    then double click on it and run it that way. You can rename it back later. Do similar with
    other programs as needed. Use this method for others as needed - DO NOT ASSUME any
    one program removes it all or that there is no other malware involved.

    ---------------------------------------------------

    2.
    Another method is to use these:

    Use Process Explorer to "Suspend" (not Stop) the processes

    Then use AutoRuns to remove the malware startup items.

    Now use UnLocker to delete the files in the malware.

    You may have to do this one file at a time.

    Process Explorer - Free
    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    AutoRuns - Free
    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    UnLocker - Free (do not install the Ebay adware)
    http://www.softpedia.com/get/System/System-Miscellaneous/Unlocker.shtml

    AV.exe

    ==============================================

    There are many names for this malware:

    XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 are rogue antivirus, 
    scams to force you to pay for them while they have no benefits at all.

    How to remove all versions:
    http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

    RENAME these as needed to allow them to run (renaming .exe to .com can help as well).

    These can be done in Safe Mode - repeatedly tap F8 as you boot - however you should also run them
    in regular Windows when you can.

    Download Malwarebytes and scan with it, run MRT, and add Prevx to be sure it is gone. (If rootkits
    are found, run UnHackMe.)

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN

    Malwarebytes - free
    http://www.malwarebytes.org/

    Run the Microsoft Malicious Removal Tool

    Start - type in Search box -> MRT  find at top of list - Right Click on it - RUN AS ADMIN.

    You should be getting this tool and its updates via Windows Updates - if needed you can download it
    here.

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN
    (Then run MRT as above.)

    Microsoft Malicious Removal Tool - 32 bit
    http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    Microsoft Malicious Removal Tool - 64 bit
    http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

    also install Prevx to be sure it is all gone.

    Download - SAVE - go to where you put it - Right Click on it - RUN AS ADMIN

    Prevx - Home - Free - small, fast, exceptional CLOUD protection, works with other security programs.
    This is a scanner only, VERY EFFECTIVE; if it finds something, come back here or use Google to see
    how to remove it.
    http://www.prevx.com/   <-- information
    http://info.prevx.com/downloadcsi.asp  <-- download

    PCmag - Prevx - Editor's Choice
    http://www.pcmag.com/article2/0,2817,2346862,00.asp

    Try the trial version of Hitman Pro:

    Hitman Pro is a second opinion scanner, designed to rescue your computer from malware (viruses,
    trojans, rootkits, etc.) that have infected your computer despite all the security measures you have
    taken (such as anti virus software, firewalls, etc.).
    http://www.surfright.nl/en/hitmanpro

    --------------------------------------------------------

    If needed, here are some free online scanners to help:

    http://www.eset.com/onlinescan/

    http://onecare.live.com/site/en-us/default.htm

    http://www.kaspersky.com/virusscanner

    Other Free online scans
    http://www.google.com/search?hl=en&source=hp&q=antivirus+free+online+scan&aq=f&oq=&aqi=g1

    --------------------------------------------------------

    Also do these to clean up general corruption and repair/replace damaged/missing system files.

    Run DiskCleanup - Start - All Programs - Accessories - System Tools - Disk Cleanup

    Start - type this in Search Box -> COMMAND - find at top and RIGHT CLICK - RUN AS ADMIN

    Enter this at the prompt - sfc /scannow

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program
    generates in Windows Vista (cbs.log)
    http://support.microsoft.com/kb/928228


    Run Check Disk - schedule it to run at next start, then Apply/OK your way out, then restart.

    How to Run Check Disk at Startup in Vista
    http://www.vistax64.com/tutorials/67612-check-disk-chkdsk.html

    -----------------------------------------------------------------------

    If any rootkits are found, use this thread and other suggestions. (Run UnHackMe.)

    http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/a8f665f0-c793-441a-a5b9-54b7e1e7a5a4/

    Hope this helps.


    Rob - Bicycle - Mark Twain said it right.
    Saturday, February 27, 2010 4:58 AM
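The reply above points at AutoRuns to find the malware's startup items. As an added example (not the poster's, and not a tool the thread names), the PowerShell below lists the entries in the classic Run/RunOnce keys the way a defender would review them before deleting anything: it resolves each command to its image path and flags entries whose file is missing, lives in a user-writable directory, or is not validly signed. The directory heuristic and the field names are my own constructed choices; the script is read-only and changes nothing.

```powershell
# Added example: read-only review of Run/RunOnce autostart entries.
# Nothing here modifies the registry or deletes files.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed heuristic: locations where a legitimate autostart image is unusual,
# because an unprivileged user (or malware running as one) can write there.
$suspectDirs = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    $env:TEMP
)

function Get-ImagePath {
    param([string]$Command)
    # Expand %VAR% references, then strip quotes and arguments:
    #   "C:\dir\x.exe" /arg   ->  C:\dir\x.exe
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PSPath/PSParentPath/... properties.
        if ($p.Name -like 'PS*') { continue }
        $image = Get-ImagePath ([string]$p.Value)
        if ([string]::IsNullOrWhiteSpace($image)) { continue }

        $flags = @()
        $exists = Test-Path -LiteralPath $image
        if (-not $exists) { $flags += 'missing-file' }
        foreach ($d in $suspectDirs) {
            if ($d -and $image.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'user-writable-dir'
            }
        }
        if ($exists) {
            $sig = (Get-AuthenticodeSignature -FilePath $image).Status
            if ($sig -ne 'Valid') { $flags += "signature:$sig" }
        }

        [pscustomobject]@{
            Key   = $key
            Name  = $p.Name
            Image = $image
            Flags = ($flags -join ',')
        }
    }
}
```

Run it from an elevated PowerShell so the HKLM keys are readable; entries with an empty Flags column are the ones that look normal, and anything flagged is a candidate to examine with Process Explorer and AutoRuns as the reply describes, not something the script acts on.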
  • Hi,

    Use above message to do an intense and thorough check for malware.

    To restore the ability to run .exe programs:

    1. Make a Restore Point so you can revert if needed, though it is not likely to be required.

    How to Create a System Restore Point in Vista
    http://www.vistax64.com/tutorials/76332-system-restore-point-create.html

    How to Do a System Restore in Vista
    http://www.vistax64.com/tutorials/76905-system-restore-how.html

    2. Copy BETWEEN these lines and paste into Notepad - Save as exefileFix.reg - then Right
    Click on it and MERGE - REBOOT

    DO NOT COPY LINES
    -----------------------------------------------------------------


    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.EXE]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
      00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
      32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
      00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]

    --------------------------------------------------------------
    DO NOT COPY LINES

    If needed:

    Check the EXE file fix here
    http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html

    Also check this one if it applies
    http://www.winhelponline.com/articles/165/1/Restore-the-exe-file-association-in-Windows-Vista-after-incorrectly-associating-it-with-another-application.html

    How to Set Default Associations For a Program in Vista
    http://www.vistax64.com/tutorials/83196-default-programs-program-default-associations.html

    Hope this helps.


    Rob - Bicycle - Mark Twain said it right.
    Saturday, February 27, 2010 4:59 AM
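After merging the .reg file in the reply above, a practitioner would want to confirm the association actually took. As an added example (not from the poster), the PowerShell below reads the keys the fix writes and compares them with the values in that .reg text: HKCR\.exe must point at exefile, the open and runas commands must be "%1" %*, and the per-user UserChoice key that the fix deletes must be absent. It is read-only and only reports deviations; the output field names are my own.

```powershell
# Added example: verify the .exe association against the .reg fix in the reply.
# Read-only: reports mismatches, changes nothing.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                        = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'  = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command' = '"%1" %*'
}

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # The unnamed default value (the @= line in a .reg file) is exposed as '(default)'.
    (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$problems = @()
foreach ($path in $expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ne $expected[$path]) {
        $problems += [pscustomobject]@{
            Path     = $path
            Expected = $expected[$path]
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        }
    }
}

# The .reg fix removes this key (the leading '-' in its section header).
# If it still exists, a per-user override of the .exe association is in force.
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path -LiteralPath $userChoice) {
    $problems += [pscustomobject]@{ Path = $userChoice; Expected = '<absent>'; Actual = 'present' }
}

if ($problems.Count -eq 0) {
    'EXE association matches the values in the .reg fix.'
} else {
    $problems | Format-Table -AutoSize
}
```

A hijacked association usually shows up here as an open\command whose default value is a path to some other program followed by "%1", which is the pattern the second winhelponline article in the reply addresses; this check reports exactly which of the three command values differs.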
  • Yeah, it is the AV.exe. I have closed the process. Is there any way I can get to talk to you, or maybe even on TeamViewer so you can help even more?

    And the things it's doing: I can't run Task Manager from the taskbar, but I can if I press Ctrl-Alt-Delete. I have also located where regedit has been put.
    Saturday, February 27, 2010 5:08 AM
  • Hi,

    Sorry, this is not live. Run those detection methods in an intense manner (meaning use them all) and
    rename any that will not run using a different name and extension. Be sure to name them back to
    what they were later.

    mbam.exe     rename to   ZZmbam.com

    mrt.exe         rename to   ZZmrt.com

    and so on - the name to the left of the .com is totally optional but has to be different from what it was
    originally.

    Rob - Bicycle - Mark Twain said it right.
    Saturday, February 27, 2010 5:15 AM
  • http://www.winhelponline.com/articles/105/1/File-association-fixes-for-Windows-Vista.html

    I fixed the exes with this and I got rid of the AV.exe, and found its file where it was uploaded and deleted it. I used AVG and it threw it into the vault. Now I am using Malwarebytes.

    I do not know how to use Regedit.
    Saturday, February 27, 2010 5:21 AM