
Infected, Unable To Open Programs


  • This topic is locked
7 replies to this topic

#1 sara08

Posted 12 June 2008 - 08:15 PM

I was infected with a pile of trojans, and viruses, adware and who knows what else. I was trying to do some work from home, so I moved my security down and I think this is when I got the dump. Dumb I know. SuperAntiSpyware found almost 200 in files and registry. I also used SmitfraudFix to remove SmitF. I downloaded Hijack this, but I can't access it because every time I try to open a program it asks what I want to use to open the program, and one of the programs listed is called weryu456y 34fg erhr etfyg r. This is a program that always opens when I turn on my computer usually with an error message, so I never worried about it. Now it's getting on my nerves. I also am unable to access anything in my control panel, I get the message windows/system32/rundll32exe "application not found". Can someone please help me with this? I just want to run a hijack this log so that I can get rid of this stuff.



#2 quietman7

Posted 12 June 2008 - 10:12 PM

Some malware infections target .exe files and without repairing that file association your .exe files will lose functionality.

The first thing to try is to check your file association for .exe files. Open the "File Types" dialog box in Windows Explorer or My Computer. Go to Tools > Folder Options > File Types tab. Scroll down to where .EXE would be in the alphabetical order and make certain .EXE is not there. If it is, then edit it there by changing the association to Application. Select the New button, type in EXE for the extension and select the Advanced button. From the list pick "Application."

If that does not resolve the problem, try downloading EXE File Association Fix and save to your Desktop. Extract (unzip) xp_exe_fix.zip and double-click on xp_exe.fix.reg and choose "Yes" to merge it into the registry when prompted. Once you get a successful message delete the file and reboot.

Also see:
"Unable to Start a Program with an .exe File Extension"
"Fix or Restore Broken .EXE .LNK .COM Association Caused by Virus"

Note: Some of these steps involve making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
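
The check described in the reply above (whether `.exe` still maps to the "Application" type) can also be run offline against a registry export. This is an added example, not part of the original posts and not one of the fix tools mentioned; `parse_defaults` and `audit_associations` are hypothetical names, the expected values are the stock Windows defaults, and the sample export is constructed.

```python
import re

# Defaults found on a clean Windows install for executable file types.
EXPECTED_PROGID = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}
EXPECTED_COMMAND = '"%1" %*'  # shell\open\command default for each ProgID above

def parse_defaults(reg_text):
    """Map each key path (lowercased) to its default (@) string value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape quotes and backslashes with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def audit_associations(reg_text):
    """Return (item, problem) pairs for associations that differ from the defaults."""
    found, findings = parse_defaults(reg_text), []
    for ext, progid in EXPECTED_PROGID.items():
        got = found.get("hkey_classes_root\\" + ext)
        if got is None or got.lower() != progid:
            findings.append((ext, "maps to %r, expected %r" % (got, progid)))
        cmd = found.get("hkey_classes_root\\%s\\shell\\open\\command" % progid)
        if cmd != EXPECTED_COMMAND:
            findings.append((progid, "open command %r, expected %r" % (cmd, EXPECTED_COMMAND)))
    return findings

# Constructed sample export (not taken from the thread).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.bat]
@="batfile"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""
# Constructed broken case: the .exe default has been blanked.
BROKEN_EXPORT = CLEAN_EXPORT.replace('@="exefile"', '@=""')
if __name__ == "__main__":
    print(audit_associations(BROKEN_EXPORT))
```

Exports saved by regedit in the version 5.00 format are UTF-16, so decode the file to text before passing it in.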

#3 sara08

Posted 13 June 2008 - 10:42 PM

quietman,
Thank you for your reply to my post. I checked my file association for exe files and .EXE was not in the file types. I downloaded the EXE file association fix program you suggested, then unzipped the file, but when I clicked on the icon to run the program, I got the message "xp_exe.fix.reg is not a valid Win32 application". Any other ways I can get around this? I've been to the websites you recommended, but I'm not sure I know what I'm doing.

#4 quietman7

Posted 14 June 2008 - 06:55 AM

Some malware infections also target and place restrictions on files such as regedit.exe, cmd.exe and taskmgr.exe. Let's try this.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.

Or you can download and use regtools.vbs fix by Doug Knox and follow the instructions provided on that page.

When done, try running xp_exe.fix.reg again.

#5 sara08

Posted 14 June 2008 - 01:12 PM

quietman,
Thank you for all of your suggestions. I tried downloading both of the programs you recommended, but did not have any luck. So, I went back to one of the sites you recommended and followed the steps. I accessed regedit through taskmanager by choosing run and hitting ctrl. Then I typed, "assoc.exe=exefile". Now I can run programs on my desktop and have access to control panel. Then I ran Malwarebytes and this is what I found:

Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Full Scan (C:\|)
Objects scanned: 31571
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\sysovtu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllgh8jkd1q8.exe (Heuristic.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.ex_ (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I'm still getting that annoying runtime 5 error with a gibberish name and have some processes running that I found have been associated with viruses such as IEXPLORE and the gibberish one I mentioned. Would you recommend I post a hijack this log?

#6 sara08

Posted 14 June 2008 - 02:14 PM

Sorry for the double post, I just ran a scan with Superantispyware and quarantined 71 harmful items. I rebooted and scanned again, this time I got 6 trojans.unknown origin. Isolated and rebooted but they keep showing up on scans. This is the log:

Application Version : 4.0.1154

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Quick Scan
Total Scan Time : 00:03:10

Memory items scanned : 272
Memory threats detected : 0
Registry items scanned : 260
Registry threats detected : 6
File items scanned : 2830
File threats detected : 0

Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#Start
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#Group
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#Tag
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#Type

I noticed that these look like the rootkit that was found with the Malwarebytes scan. I can't seem to get rid of them.
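
The comparison made in the post above, matching what one scanner reported as deleted against what a later scan still detects, can be done mechanically. This is an added example, not part of the original posts; the function names are hypothetical, the log lines are excerpts of the two logs posted in this thread, and the parsing assumes only the line layouts visible in those logs.

```python
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

def normalize_key(path):
    """Drop a '#value' suffix, expand the hive abbreviation, lowercase."""
    hive, _, rest = path.split("#", 1)[0].strip().partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()

def removed_keys(mbam_log):
    """Registry keys the Malwarebytes log reports as deleted -> detection name."""
    pat = re.compile(r"^(HKEY_[A-Z_]+\\.+?) \((.+?)\) -> .*deleted successfully", re.M)
    return {normalize_key(m.group(1)): m.group(2) for m in pat.finditer(mbam_log)}

def detected_keys(sas_log):
    """Registry keys (value suffixes collapsed) listed in the SUPERAntiSpyware log."""
    pat = re.compile(r"^(HK[A-Z]{1,2}\\\S.*)$", re.M)
    return {normalize_key(m.group(1)) for m in pat.finditer(sas_log)}

def reappeared(mbam_log, sas_log):
    """Keys reported deleted by the first scan that the later scan still finds."""
    removed = removed_keys(mbam_log)
    return sorted((k, removed[k]) for k in detected_keys(sas_log) if k in removed)

# Excerpts of the two logs posted in this thread.
MBAM_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\sysovtu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
SAS_LOG = r"""Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\asc3550p#Start
"""

if __name__ == "__main__":
    for key, name in reappeared(MBAM_LOG, SAS_LOG):
        print("reported deleted but detected again:", key, "(%s)" % name)
```

A service key that is reported deleted and then detected again by a later scan is the pattern that prompts the referral to log-based analysis in the next reply.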

#7 quietman7

Posted 14 June 2008 - 03:04 PM

This issue will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#8 Orange Blossom

Posted 14 June 2008 - 09:42 PM

Hello sara08,

Now that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/152246/trojanunknown-origin/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



