XP Antivirus Pro 2010 and Trojan.Win32.FraudPack.aoal attack!!


This topic is locked
31 replies to this topic

#1 emort520

Posted 12 March 2010 - 05:54 PM

A few days ago my computer was infected with XP Antivirus Pro 2010, which kept popping up and redirecting my internet browser. I ran Malwarebytes, which detected and removed some files. That problem was solved. I then rebooted my computer and Kaspersky gave me a warning of Trojan.Win32.FraudPack.aoal, and did what it needed to remove that. My computer rebooted, then I found that when I go to open a program the "open with" window comes up and I have to locate the .exe. Also, when I go to access the control panel, such as sounds and security, I get a "rundll32.exe application not found" box. Below is the dds.txt; attached are the ark.txt and attach.txt. Thank you so much for any help you may be able to provide!


PS: this was my original post, I was informed to post here! http://www.bleepingcomputer.com/forums/t/301063/rundll32-exe-application-not-found/
---------------------------------------------------------------------------------------------------------------------------------------------

DDS.TXT



DDS (Ver_09-12-01.01) - NTFSx86
Run by Monica & Erina at 10:24:46.71 on Fri 03/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.598 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monica & Erina\Desktop\virus\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [cdloader] "c:\documents and settings\monica & erina\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SBCSTray] c:\program files\sunbelt software\counterspy\consumer\SBCSTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: []
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\monica~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.cox.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} - hxxp://www3.authentium.com/cssrelease/bin/wizmain.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148185764714
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://166.89.65.155/activex/AxisCamControl.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://filelodge.bolt.com/ImageUploader3.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4907/mcfscan.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: ?????
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2007-3-24 15544]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-1 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 gupdate1c9bb3fb9bcebf6;Google Update Service (gupdate1c9bb3fb9bcebf6);c:\program files\google\update\GoogleUpdate.exe [2009-4-12 133104]
S3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]

=============== Created Last 30 ================

2010-03-12 16:48:45 0 ----a-w- c:\documents and settings\monica & erina\defogger_reenable
2010-03-10 06:29:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 23:12:05 0 d-----w- C:\rundll32
2010-03-07 23:01:52 6241 ----a-w- C:\rundll32.zip

==================== Find3M ====================

2010-03-08 00:05:35 4552 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-08 00:05:35 1015840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-07 22:41:40 4325920 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-07 22:41:40 34876 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-07 19:06:55 86442912 ----a-w- C:\Lady Gaga - The Fame Monster _Deluxe Edition_ CD2.zip
2010-02-07 17:59:49 52964128 ----a-w- C:\Lady Gaga - The Fame Monster _Deluxe Edition_ CD1.zip
2010-02-05 03:54:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2007-09-08 19:39:53 88 --sh--r- c:\windows\system32\1F772543BC.sys
2009-07-24 03:25:42 104 --sh--r- c:\windows\system32\BC4325771F.sys
2009-07-24 03:25:46 7520 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-02 03:39:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040120090402\index.dat
2009-05-04 06:52:43 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-04 06:52:43 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-05-04 06:52:43 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 10:25:57.89 ===============


#2 Farbar


Posted 14 March 2010 - 06:33 AM

Hi emort520,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved yet please update me on the current condition of your computer.

#3 emort520


Posted 15 March 2010 - 03:34 AM

Thank you for responding. The condition is still the same and I have only been using Internet Explorer/iTunes. All programs still show the open with window. Kaspersky hasn't reported any other threats. I agree to not make any changes to my system! Thank you again for your help!

#4 Farbar


Posted 15 March 2010 - 06:43 AM

Hi again,

We need to restore a broken file association:
  • Press CTRL+SHIFT+ESC to bring up Task Manager.
  • While holding the CTRL button, click the File menu > New Task (Run...).
  • The command prompt will open.
  • Copy and paste or type assoc .exe=exefile and hit Enter (it should return .exe=exefile).
  • Copy and paste or type ftype exefile="%1" %* and hit Enter (there is a space between ftype and exefile, and a space between "%1" and %*; it should return exefile="%1" %*).
  • Close the command prompt and see if the problem is resolved.
  • In case the problem is not resolved, bring up the command prompt again, copy and paste the following in the command window and press Enter:
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe /f
    (You get notified either that the operation successfully executed or that the registry key was not found.)
  • Close the command prompt, check whether the problem is resolved and give me feedback.




#5 emort520


Posted 17 March 2010 - 11:45 PM

Thank you very much for your response! I followed your commands and found that all of the options in the control panel work except for the Security Center. Again I got the "rundll32.exe application not found" box. Also the programs still show either an open with box or application not found.

When I pasted reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe /f into the command prompt, it did respond "operation successfully executed."

It seemed as tho this helped part of the problem. Any other suggestions? Thanks again for your help!!!!

#6 Farbar


Posted 18 March 2010 - 06:08 AM

We will go on until all the issues are taken care of.

QUOTE
Also the programs still show either a open with box or application not found.

As I understand it, you still can't run exe files.
  1. I see you have run DeFogger. How did you do that? Are you able to run any .exe file in any way?

  2. Go to Start => Run and type cmd and tell me if a command prompt opens.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:

    CODE
    @ECHO OFF
    REM current extension-to-type mapping for .exe (expected: .exe=exefile)
    assoc .exe >log.txt
    REM every registered file type and its open command, including exefile
    ftype >>log.txt
    REM per-user overrides that Explorer consults before HKCR
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts >>log.txt
    START log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens (log.txt). Please attach the log to your reply.

  4. Using Windows Explorer (right-click start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.com then double-click to run it.
    • Wait until it opens up.
    • Update it first.
    • Run a quick scan. Let it remove what it finds by checking all the find items, let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open after reboot you can obtain the latest log from there.
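A script that checks the three locations post #4 repairs and look.bat in post #6 inspects (the .exe extension mapping, the exefile open command and the per-user FileExts override), and restores the defaults when run with /repair. This is an added example written for this page, not a script from the thread; the file name exe_assoc_check.bat and the /repair switch are my own, and the expected values are the ones the thread's assoc and ftype steps set.

```batch
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
REM exe_assoc_check.bat (added example, hypothetical name): audit the three
REM registry locations that decide how Windows launches an .exe.
REM Usage: exe_assoc_check.bat          -> report only
REM        exe_assoc_check.bat /repair  -> report, then restore the defaults

SET "EXPECT_ASSOC=.exe=exefile"
SET "EXPECT_FTYPE=exefile="%%1" %%*"
SET "FILEEXTS=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe"
SET "BROKEN=0"
SET "GOT_ASSOC="
SET "GOT_FTYPE="

REM 1. Extension to file type (HKCR\.exe). Rogue AVs often repoint this.
FOR /F "delims=" %%A IN ('assoc .exe 2^>NUL') DO SET "GOT_ASSOC=%%A"
IF /I "!GOT_ASSOC!"=="!EXPECT_ASSOC!" (
    ECHO [OK]     assoc : !GOT_ASSOC!
) ELSE (
    ECHO [BROKEN] assoc : "!GOT_ASSOC!"  expected "!EXPECT_ASSOC!"
    SET "BROKEN=1"
)

REM 2. File type to open command (HKCR\exefile\shell\open\command).
REM    A hijack puts its own loader here so every .exe runs it first;
REM    a value missing the trailing star breaks programs that need arguments.
FOR /F "delims=" %%A IN ('ftype exefile 2^>NUL') DO SET "GOT_FTYPE=%%A"
IF /I "!GOT_FTYPE!"=="!EXPECT_FTYPE!" (
    ECHO [OK]     ftype : !GOT_FTYPE!
) ELSE (
    ECHO [BROKEN] ftype : "!GOT_FTYPE!"  expected "!EXPECT_FTYPE!"
    SET "BROKEN=1"
)

REM 3. Per-user override. Explorer consults this key before HKCR, so a
REM    clean HKCR can still produce an "Open with" prompt while it exists.
REG QUERY "!FILEEXTS!" >NUL 2>&1
IF NOT ERRORLEVEL 1 (
    ECHO [WARN]   per-user override present: !FILEEXTS!
    REG QUERY "!FILEEXTS!" /s
    SET "BROKEN=1"
) ELSE (
    ECHO [OK]     no per-user .exe override
)

IF "!BROKEN!"=="0" (
    ECHO Result: .exe association looks intact.
    GOTO :EOF
)

IF /I NOT "%~1"=="/repair" (
    ECHO Result: association damaged. Re-run with /repair to restore the defaults.
    GOTO :EOF
)

REM Repair: the same three commands as post #4, applied in one go.
ASSOC .exe=exefile
FTYPE exefile="%%1" %%*
REG DELETE "!FILEEXTS!" /f >NUL 2>&1
ECHO Repaired. Re-run without /repair to verify.
ENDLOCAL
```

Batch files still run while only the .exe association is damaged, which is why the thread's look.bat approach works; if .bat were hijacked as well, the same commands can be typed one at a time in the command prompt opened through Task Manager.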


#7 emort520


Posted 21 March 2010 - 01:38 PM

The only way I get the .exe file to run for my programs is to manually locate the .exe by going through C:\Program Files. Or when I use a shortcut or go through the start button, an open with window comes up. Then again I have to browse for the .exe; sometimes the program I want to use is listed on the open with window. I attached a picture of what it looks like. I tried updating Malwarebytes; when it said it was going to install the updates, the open with window came up and I didn't know what to use. So I could only scan with the ver 1.36, hopefully it scanned well. Anyways here are the logs....

--------------------------------------------------------------------------------------------------------------------------------------------

When I typed cmd into the Run window, the open with window popped up!


---------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

3/21/2010 11:16:57 AM
mbam-log-2010-03-21 (11-16-57).txt

Scan type: Quick Scan
Objects scanned: 94435
Time elapsed: 11 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by farbar, 21 March 2010 - 03:04 PM.


#8 Farbar


Posted 21 March 2010 - 01:52 PM

You didn't follow the instructions in post 4 carefully.

Please bring up the command prompt as instructed in post 4 then copy and paste (don't type) the whole following and press Enter.

ftype exefile="%1" %*

Then update MBAM normally as it will run this time.





#9 Farbar


Posted 21 March 2010 - 02:58 PM

After doing the previous post please do the following:
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:

    CODE
    @ECHO OFF
    REM list everything under the C:\rundll32 folder that appears in the DDS log
    dir /a/s C:\rundll32 >log.txt
    REM dump the environment variables (PATH, PATHEXT, COMSPEC and the rest)
    set >>log.txt
    REM search C:\ and all subfolders for copies of rundll32.exe
    dir /a/s c:\rundll32.exe >>log.txt
    START log.txt
    REM the batch file deletes itself once the log is open
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Please visit http://www.billsway.com/vbspage/.
    • Scroll down the page to "Registry Search Tool".
    • Download RegSrch.zip and extract it to your desktop.
    • Doubleclick RegSrch.vbs to run the program.
    • Copy/paste in the search window: exefile
    • After the search is done a WordPad opens with a report.
    • Copy and paste the content of the report to your reply.

Edited by farbar, 21 March 2010 - 03:12 PM.


#10 emort520


Posted 21 March 2010 - 03:53 PM

OK, I repeated the steps in post 4 and copied and pasted ftype exefile="%1" %*, as I did before. I then closed the command prompt. I then opened Malwarebytes and clicked update. It connected and a message popped up, "The latest version of Malwarebytes Anti-Malware has been downloaded. Malwarebytes Anti-Malware will now close and install the latest version." I click OK, then an "open with" window comes up. It says "choose the program you want to use to open this file: mbam-setup.exe." So then I select Malwarebytes; I then get a message that Malwarebytes is already running. I'm assuming that I need to get to an install wizard, I just don't know where to find it.

I also tried start/run/cmd and again a "open with" window popped up. I thought you would want to know, because you asked in post 6.



copied and pasted ftype exefile="%1" %*


#11 emort520


Posted 21 March 2010 - 03:54 PM

I tried posting a screenshot of the "open with" window that came up when I was trying to install the latest version of Malwarebytes.

Edited by emort520, 21 March 2010 - 04:04 PM.


#12 Farbar


Posted 21 March 2010 - 04:08 PM

Thanks for the screenshot, but no need for that. I see it on the log. The previous attempt was missing just the *, unless you did it correctly but some other script changed it again.

Just to let you know, you can run any .exe file including the installers by changing the extension to .com



#13 Farbar


Posted 21 March 2010 - 04:14 PM

Please leave updating or running MBAM for now and proceed with the steps of the subsequent post.

#14 emort520


Posted 21 March 2010 - 04:22 PM

OK, that's helpful information, but when these "open with" windows come up there is nowhere to change the extension. I'm assuming I am just always going to have to manually locate the .exe files for anything that I want to open? Would you have any idea which program I use to install the updated Malwarebytes and where I could possibly find it?


Never mind, I just read your last post. I'll wait for your next instructions.

Edited by emort520, 21 March 2010 - 04:23 PM.


#15 Farbar


Posted 21 March 2010 - 04:25 PM

We are not done yet. When we are done the issue is solved. Please do the steps in this post.



