
antispyware Vista 2010

3 replies to this topic

#1 adam_mizer

Posted 18 February 2010 - 02:06 PM

Vista Home Premium with SP 2

Now I don't know how I picked this up, maybe trying to play an online energy video at a certain site.
Picked up the ROGUE, AV.EXE, the one that wants you to purchase some antispyware software, and windows pop up with the phony details.
What happens is this rogue will not allow plenty of software to run without opening its window.

A little work around allowed me to get further by opening the programs running as an ADMINISTRATOR.
So I tried some of the fixes like Malwarebytes, but it crashes near the finished stages.
Also it did not find the rogue at all.
Tried Norton360 a few times it did not find the rogue.
System Mechanic didn't find it.
Windows Defender didn't work.

Downloaded new Malwarebytes and same as my other install. Nothing.

Found this page on the internet:

http://www.bleepingcomputer.com/virus-remo...vista-2010#keys

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

Since the information above is probably for different instances of the software, at least 4 of the lines above were found in my registry.
I deleted those instances.
Also before I quit I ran a search on AV.EXE and deleted one more instance.
Hoping this would fix all.
Well, it's not that easy; maybe AV.EXE is gone, but now most programs and icons within most programs respond with:
Create an association in the Set Associations control panel.

Well went to this part of control panel and tried setting defaults for programs.
That did not help any at all.
The executables are not responding on my system and, as I stated, in administrator mode I can run them, but then some icons embedded in these programs do not run.

It almost seems like a simple fix for associations but my searches have not come up with how to actually make this association or rewrite the values back into the registry.

Also I made many efforts of loading last known good configurations.
Opening programs like Norton and System Mechanic and registry restores searching for previous back-ups but the registry values would not restore the executables associations.

tried fix_exe.reg and it didn't work.

Hope you can help!

Edited by adam_mizer, 18 February 2010 - 03:31 PM.


#2 adam_mizer

Posted 18 February 2010 - 08:03 PM

Well, I'm kinda surprised this post went unnoticed.
AV.EXE has apparently been here for a long time.

It was the effects of this program and removing that hurt the system.

In my case some registry data was changed, but the worst enemy (me myself).

Although I'm sure many have run into the same problems when an executable cannot run because it does not have an association.

Here's what I found that helped me so I would not have to reload my whole OS again.
1. Type command in the RUN dialog box to open Command Prompt

2. When Command Prompt is up, type cd \windows

3. Type regedit to open up the Registries.

4. Expand HKEY_CLASSES_ROOT and find the folder of .exe

5. Without expanding it, on the main .exe folder, Right-click (Default) and Modify. Change the Value Data to exefile

6. Now in the same HKEY_CLASSES_ROOT find the folder of exefile and Right-click (Default) and Modify. Change the Value Data to "%1" %*

7. Lastly expand exefile, expand shell, expand open, click on the command folder, Right-click (Default) and Modify. Change the Value Data to "%1" %*

8. Close Regedit and Restart the computer. When restarted, EXE files should not prompt you to choose a program to run it now and load correctly.

This got me back on my feet, except Norton360 and Malwarebytes need reloading after I tried fixing it several times.
If this is done (the 8 steps above) after the initial clean out of the AV.EXE file, I bet I may have saved my security software.

Good luck hope this helps others.
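An added defender-side example, not code from the thread or from BleepingComputer: it parses a regedit .reg export and flags the av.exe hijack described in post #1, checking the two (Default) values that steps 5 to 7 above restore plus the Security Center override flags. The export text is a constructed sample, and `parse_reg_export` and `audit` are my own names.

```python
import re

# Defaults restored by hand in steps 5-7; the rogue points .exe at a "secfile" class that runs av.exe.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"

# Constructed sample in regedit's .reg export syntax (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith("dword:"):
                value = str(int(value[6:], 16))
            elif value.startswith('"') and value.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo \\ and \" escapes
            current[name.strip('"')] = value  # "@" is the (Default) value
    return keys

def audit(keys):
    """Return findings describing the av.exe hijack; an empty list means clean."""
    findings = []
    for key, want in EXPECTED_DEFAULTS.items():
        got = keys.get(key, {}).get("@")
        if got != want:
            findings.append(f"{key} (Default) is {got!r}, expected {want!r}")
    for key, values in keys.items():
        if key.endswith(r"\command") and "av.exe" in values.get("@", "").lower():
            findings.append(f"{key} launches av.exe")
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if keys.get(SECURITY_CENTER, {}).get(name) == "1":
            findings.append(f"Security Center {name}=1 silences the missing-AV alert")
    return findings
```

Run it against the output of regedit's File > Export on the affected keys (saved as plain text) to see exactly which values still point at av.exe before editing anything by hand.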

#3 Shevon

Posted 19 February 2010 - 01:26 AM

OK, I'm having the same problem, and it is driving me nuts!! But, following your directions, when I typed in cd/windows and pressed enter, I was told it was invalid. Same thing happened when I typed in regedit. Help?? :thumbsup:

#4 adam_mizer

Posted 21 February 2010 - 02:00 PM

Are you running as administrator, like right-clicking the icon and choosing Run as administrator?

Also I did not mention that I ran the regedit right out of the Vista GUI start/run entry.
So I did not do steps 1 and 2 sorry for that as I found and copied the info above.
If it did not work with steps 1 and 2 then the path is incorrect or your path statement does not function.

There also appears from reading this forum topic many entries on this rogue.
Seems it has developed several different varieties of what it does, or different stages of development maybe.

I still have very minor problems and did cause them myself when I jumped on this I believe.
What not to do!
After I removed some entries in the registry I ran my System Mechanic and it also removed or cleared registry data that most likely was associated with the data removed above in an earlier post.

I suggest not to run a registry cleaner until you are certain that you have put back the information you removed from the registry properly.
It's still beyond me but I'm trying to retrace my steps.

Still one minor problem exists and maybe a few more I don't know.
The problem is my Windows features do not show up in the program and features window.
I'm my worst enemy because of all the steps I did.
Care must be taken or you'll sit behind the keyboard searching for those what I think are minor fixes.
All other programs I have run are doing just fine with no problems.

To summarize do not run a registry clean or fix program until you have reinstalled your file associations.
Don't know if that will help but that is what I think the step was I should have taken.
There may be an order to this madness.

Now looking to activate the association to the window feature list somehow.

Edited by adam_mizer, 21 February 2010 - 02:29 PM.