Here is the situation: A couple of days ago I visited a site... FYI, it was to download new freeware voices for my Garmin GPS. The site tried to run a script, which I immediately stopped. Then a pop-up came up... some nonsense, I took no note, and only immediately used Task Manager to close Firefox, rather than close the pop-up. I never like to close them; I fear that will approve a download.
At any rate, I was too late. A fake spyware scanner had already installed itself. This has happened before, with varying results... I know how to close processes, start in Safe Mode, run Malwarebytes, HijackThis, Spybot, and so on. But I could not even get started, as all exe's were disabled already. Explorer still worked, so I immediately did a search for exe's on the C: drive, and found the culprit: an exe I did not recognize, which had downloaded by itself the minute before, when I was at the site. I deleted it and its associated files. But now nothing would run on my computer.
I then merged a new exe reg fix, the one from the Microsoft site, to get my exe's working again. It merged, but did not fix the problem. So then I downloaded the proper default.exe reg fix for Windows 7, and installed that... still no dice, nothing worked. I then looked in the reg, and the exe line value is proper: "%1" %* So of course this led me to the realization that the malware is still actively closing exe's before they can open. I never heard of that before, and I can't say my guess is right.
Also stopped are .com, .scr, and all the other extensions which are often used as a workaround to fool a virus into allowing a program to open. I also renamed my various spyware programs to nonsensical names, and also to "explorer.exe", since it would allow that. No go. I also tried resetting back to an earlier point; that did not work. And I also saw somewhere here that a similar, recent problem was solved by making a startup disc, the "Avira Anti-Vir Rescue System Boot Disk". I set my computer's BIOS to look to the CD drive on boot... but it would not boot to this disk. I did notice that Avira used a Linux OS on this disk, and wondered if my BIOS will not recognize that? I suppose they did this to have no association the virus would know about, but I was not sure. I know nothing about Linux. I also went to msconfig and stopped all startups and services except the Microsoft ones and essentials... then fixed the reg again... no go. And of course I have tried running all these things from a USB drive, and from a disk. Nope... they seem like they will open, even asking for "administrator permission" in the case of Malwarebytes, then after a short pause, nothing happens. I also opened a command prompt, and tried navigating and running programs from there, which did not work... and also, starting in Safe Mode with Command Prompt, and starting them from there. Nope.
An interesting thing is that this virus will allow CCleaner to run, and Notepad, and Explorer, and for some wacky reason, Adobe Photoshop. I thought there would be a clue in this last one, such as the possibility that the virus was disguising itself as some Adobe program, and needed to allow Adobe exe's to work in the reg. Dunno though. Another clue might be that I get this error message when double-clicking on some programs, like the links that I get on my widget's news feed, when opening the browser to the news site: "There was a problem sending the command to the program."
My next step would be to find a Win 7 startup disk which I can boot from, to avoid my system and registry, which will (hopefully) then allow me to run Malwarebytes (and all the others) from it. But I can't find one, other than the Avira disk, which did not work for me. Does anyone know of another one? After that, I will buy one of those USB drive boxes, remove the hard drive, hook it to my wife's laptop (where I am typing from, and where I can download anything I need), and run the anti-spyware programs on it from her machine. I thought that might be risky, though, if this virus can somehow migrate through my drive to her machine... I did not know if that was a founded fear or not, and wanted to ask.
And lastly, I stupidly did not remember the name of the malware. It started with "Zem...", or "Zen...", or "Zon...", or like that. I did not save it or make a note of it, because although each year I might get one or two viruses, I never had much of a problem defeating them. I know the types, and how to deal with them, so I was cocky and did not bother saving this culprit's name. But I did note that it started several folders in temp, each with an exe file in them. I only found them a few hours into this, so I jotted them down: julyxx, vnjhdc, kjenmn, tkgwcq. Of course they must be those randomly generated names, meant to keep anti-virus programmers on their toes... but I mention it anyway.
Sorry for the long post... I wanted to post everything I tried, to save you all time in asking me. Thanks in advance for any help. Proto.
Edited by hamluis, 14 September 2011 - 07:18 AM.
Moved from Win 7 to Am I Infected.
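The post above notes that the exe open command in the registry reads "%1" %* yet executables still do not start. An added example, not part of the original post or any reply to it: the script below lists, for both the machine-wide and the per-user class hives, which class each launchable extension maps to and what open command that class runs, and then lists any Image File Execution Options "Debugger" entries. It goes slightly beyond the post's own case, since the per-user hive (HKCU\Software\Classes) and the IFEO Debugger value are two places a launcher redirect can live while HKLM's exefile entry still looks correct. The extensions checked, the regex for the expected command, and the "REVIEW" marker are the example's own choices; it is meant to be run from an elevated PowerShell on the affected machine, and it only reports, it does not change anything.

```powershell
# Added example (not from the original post). Assumptions: run from an
# elevated PowerShell on the affected machine; every class reached from
# .exe/.com/.pif/.bat is expected to run exactly "%1" %* (other extensions
# such as .scr and .reg have different legitimate commands, so they are
# not flagged here). Output is for review only; nothing is modified.

$exts  = '.exe', '.com', '.pif', '.bat'
$roots = 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-DefaultValue([string]$Path) {
    # Returns the (default) value of a registry key, or $null if absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

Write-Output '== Extension -> class -> open command =='
foreach ($root in $roots) {
    foreach ($ext in $exts) {
        $progId = Get-DefaultValue (Join-Path $root $ext)
        if (-not $progId) {
            # A missing per-user entry is the normal state for HKCU;
            # a missing HKLM entry for .exe would itself be a problem.
            if ($root -like 'HKLM:*') { Write-Output ('{0}\{1}: NO CLASS SET <-- REVIEW' -f $root, $ext) }
            continue
        }
        $cmd  = Get-DefaultValue (Join-Path $root "$progId\shell\open\command")
        $flag = ''
        if ($root -like 'HKCU:*') { $flag = ' <-- REVIEW (per-user override present)' }
        elseif ($cmd -notmatch '^"%1"\s+%\*$') { $flag = ' <-- REVIEW (unexpected command)' }
        Write-Output ('{0}\{1} -> {2} : {3}{4}' -f $root, $ext, $progId, $cmd, $flag)
    }
}

Write-Output ''
Write-Output '== IFEO entries with a Debugger value =='
if (Test-Path -LiteralPath $ifeo) {
    Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Output ('{0}: Debugger = {1} <-- REVIEW' -f $_.PSChildName, $dbg) }
    }
}
```

Anything marked REVIEW is worth comparing against a known-good Windows 7 machine before deleting it: a Debugger value is sometimes set legitimately by developer tools, whereas a per-user class for .exe pointing at a file in a temp folder is the pattern the post's symptoms describe.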