Unable to run exe, com, scr files, and more


8 replies to this topic

#1 proto57

proto57

  • Members
  • 5 posts

Posted 13 September 2011 - 07:04 PM

The users and staff of Bleepingcomputer have been very helpful in the past, so much so that I have often found ways to deal with difficult malware just by reading other's problems and solutions. I've never actually had to post here.

Here is the situation: A couple of days ago I visited a site... FYI, it was to download new freeware voices for my Garmin GPS. The site tried to run a script, which I immediately stopped. Then a pop-up came up... some nonsense, I took no note, and only immediately used task manager to close Firefox, rather than close the pop up. I never like to close them, I fear that will approve a download.

At any rate, I was too late. A fake spyware scanner had already installed itself. This has happened before, with varying results... I know how to close processes, start in safe mode, run Malwarebytes, HijackThis, Spybot, and so on. But I could not even get started, as all exe's were disabled already. Explorer still worked, so I immediately did a search for exe's on the C: drive, and found the culprit: an exe I did not recognize, which had downloaded by itself the minute before, when I was at the site. I deleted it, and its associated files. But now nothing would run on my computer.

I then merged a new exe reg fix, the one from the Microsoft site, to get my exe's working again. It merged, but did not fix the problem. So then I downloaded the proper default.exe reg fix for Windows 7, and installed that... still no dice, nothing worked. I then looked in the reg, and the exe line value is proper: "%1" %* So of course this led me to the realization that the malware is still actively closing exe's before they can open. I never heard of that before, and I can't say my guess is right.

Also stopped are .com, .scr, and all the other extensions which are often used as a workaround, to fool a virus into allowing a program to open. I also renamed my various spyware programs to nonsensical names, and also, to "explorer.exe", since it would allow that. No go. I also tried resetting back to an earlier point, that did not work. And I also saw somewhere here, that a similar, recent problem was solved by making a startup disc, the "Avira Anti-Vir Rescue System Boot Disk". I set my computer's bios to look to the CD drive on boot... but it would not boot to this disk. I did notice that Avira used a Linux OS on this disk, and wondered if my bios will not recognize that? I suppose they did this to have no associating the virus would know about, but I was not sure. I know nothing about Linux. I also went to msconfig, and stopped all startups and services except the Microsoft ones, and essentials... then fixed the reg again... no go. And of course I have tried running all these things from a USB drive, and from a disk. Nope... they seem like they will open, even asking for "administrator permission" in the case of Malwarebytes, then after a short pause, nothing happens. I also opened command, and tried navigating and running programs from there, which did not work... and also, starting in safe mode with command prompt, and starting them from there. Nope.

An interesting thing is that this virus will allow CCleaner to run, and notepad, and explorer, and for some wacky reason, Adobe Photoshop. I thought there would be a clue in this last one, such as the possibility that the virus was disguising itself as some Adobe program, and needed to allow Adobe exe's to work in reg. Dunno though. Another clue might be that I get the error message when double clicking on some programs, like the links that I get on my widget's news feed, when opening the browser to the news site: "There was a problem sending the command to the program."

My next step would be to find a Win 7 startup disk which I can boot from, to avoid my system and registry, which will (hopefully) then allow me run Malwarebytes (and all the others) from. But I can't find one, other than the Avira disk, which did not work for me. Does anyone know of another one? After that, I will buy one of those USB drive boxes, remove the hard drive, hook it to my wife's laptop (where I am typing from, and where I can download anything I need), and running the anti-spyware programs on it, from her machine. I thought that might be risky, though, if this virus can somehow migrate through my drive to her machine... I did not know if that was a founded fear or not, and wanted to ask.

And lastly, I stupidly did not remember the name of the malware. It started with "Zem...", or "Zen...", or "Zon...", or like that. I did not save it or make a note of it, because although each year I might get one or two viruses, I never had much of a problem defeating them. I know the types, and how to deal with them, so I was cocky and did not bother saving this culprit's name. But I did note that it started several folders in temp, each with an exe file in them. I only found them a few hours into this, so I jotted them down: julyxx, vnjhdc, kjenmn, tkgwcq. Of course they must be those randomly generated names, meant to keep anti-virus programmers on their toes... but I mention it anyway.

Sorry for the long post... I wanted to post everything I tried, to save you all time in asking me. Thanks in advance for any help. Proto.

Edited by hamluis, 14 September 2011 - 07:18 AM.
Moved from Win 7 to Am I Infected.
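The registry check the poster did by hand (reading the exefile "open" command and comparing it to "%1" %*) can be scripted so that every extension the thread mentions (.exe, .com, .scr) is checked in one pass. The PowerShell below is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes the stock Windows 7 handler values (the exefile value is the one the poster quotes; the comfile and scrfile values are the defaults as I know them) and reads both the machine-wide classes under HKLM and the per-user classes under HKCU, since a per-user entry wins when Windows resolves a file type. As the thread later shows, a clean result here does not rule out a rootkit that kills programs after they launch; the poster only got a usable scan by booting from external media, so treat this as a first triage step run from a clean boot, not as proof of a clean system.

```powershell
# Added example, not from the thread. Compare the .exe/.com/.scr handler chain
# against the stock Windows 7 values (assumed defaults, except the exefile
# command, which the original post quotes).

$expected = @{
    '.exe' = @{ Class = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ Class = 'comfile'; Command = '"%1" %*' }
    '.scr' = @{ Class = 'scrfile'; Command = '"%1" /S' }
}

# HKCU classes are consulted before HKLM classes, so a per-user override
# can redirect a file type even when the machine-wide value looks correct.
$hives = @('HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes')

foreach ($ext in $expected.Keys) {
    $cls = $expected[$ext].Class
    foreach ($hive in $hives) {

        # 1. The extension key must map to the expected class name.
        $extKey = Join-Path $hive $ext
        if (Test-Path $extKey) {
            $mapped = (Get-ItemProperty -Path $extKey).'(default)'
            if ($hive -like 'HKCU*') {
                # A per-user mapping for these types is unusual on a stock system.
                Write-Warning "per-user mapping present: $extKey -> '$mapped'"
            }
            if ($mapped -ne $cls) {
                Write-Warning "$extKey maps $ext to '$mapped', expected '$cls'"
            }
        }

        # 2. The class's shell\open\command must be the stock launch string.
        $cmdKey = Join-Path $hive "$cls\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            if ($cmd -ne $expected[$ext].Command) {
                Write-Warning "$cmdKey is '$cmd', expected '$($expected[$ext].Command)'"
            } else {
                Write-Output "OK   $cmdKey"
            }
        } elseif ($hive -like 'HKLM*') {
            # The machine-wide command key is always present on a healthy install.
            Write-Warning "$cmdKey is missing"
        }
    }
}
```

Run it from an elevated PowerShell prompt; it only reads the registry and prints warnings, it changes nothing. Any warning about a per-user mapping or a non-default command string is a lead to chase, but a silent run only means the handler chain is intact, which was exactly the poster's situation before the rootkit was found.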




#2 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 14 September 2011 - 06:55 AM

Here is something that might help you.
http://www.bleepingcomputer.com/download/anti-virus/rkill

#3 proto57

proto57
  • Topic Starter

  • Members
  • 5 posts

Posted 14 September 2011 - 08:44 AM

Here is something that might help you.
http://www.bleepingcomputer.com/download/anti-virus/rkill


Thank you, Bear. I had tried rkill in my attempts, but after your post I re-downloaded all versions to a memory stick, and tried them all on my infected comp... none would open.

I then tried putting one rkill exe into the Adobe Photoshop folder, and renaming it Photoshop.exe... since that will run. But somehow, at some point in the opening process of the executable, the virus flags it, and stops the process from loading.

Do you have any idea where I may find a Windows 7 startup disk, so I can do a clean boot from the CD/DVD drive? I'd like to try that, if there is one available. The boot disk I burned for my computer will not work, as it will only boot into that recovery mode, which allows the same options I get from the recovery console on the hard drive.

Unless someone knows a way to boot from this disk, but switch to a command prompt? Hey... maybe f8 while booting from the disk? I'll try it later. But meanwhile, if anyone knows of Windows 7 boot disk I can download for this purpose, I'd appreciate the link. Thanks... Rich.

#4 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 14 September 2011 - 11:59 PM

A fake spyware scanner had already installed itself. This has happened before,

This is worrisome. If it happened before and has just happened again, there is a good chance you are not following basic good internet practices. No security program or combination of programs can protect your computer if the user doesn't keep their brain updated. If you are using P2P and/or torrents you will keep, stay, and/or always be infected. A Windows 7 disc can be bought, or you can get one from a friend with the exact operating system, as long as you have a legal product key if needed.

#5 proto57

proto57
  • Topic Starter

  • Members
  • 5 posts

Posted 15 September 2011 - 06:37 AM

No security program or a combination of programs can protect your computer if the user doesn't keep their brain updated.


You have to insult me? Why don't you keep your "manners updated", and don't use a lame suggestion of a friend's boot disk as an excuse to mouth off about my intelligence?

And it is not very helpful to others to make assumptions about what I do or do not do on the internet, and what precautions I do or do not take. My firewall was up, and I was not voluntarily downloading anything... I was merely visiting a site, and the download happened automatically, past the firewall. Do you visit sites?

Have you noticed that firewalls do not stop all malware? Have you noticed that the writers of malicious software keep updating it, so that they can get by most precautions as they come out? The only thing worse and more counterproductive than this are trolls who chime in on forums with cheap shots, and really have nothing valuable to offer. Thanks for wasting my time.

#6 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 15 September 2011 - 08:18 AM

No insult was intended. It was just my way of saying a person must think before clicking. A wrong choice of words maybe but no insult intended. I'm sorry you took it that way.

#7 proto57

proto57
  • Topic Starter

  • Members
  • 5 posts

Posted 15 September 2011 - 07:03 PM

I nailed the bugger! For anyone's interest, here is what worked... since you can read everything that did not work, in my first post.

As I had hoped, booting from the DVD drive allowed me to run from a command prompt, without the malware starting. I had a disk from my wife's laptop, a Norton disk, which at first I thought would not help, as I cannot run any executables anyway. But I noted that this disk said, "It may be used as a recovery disk to remove malicious software", so I figured it could boot. The disk is called "Norton AntiVirus with Antispyware".

It booted my comp fine, but the software tools on it kept freezing up. I did not have much hope for them, anyway, as I suspected this was a rootkit virus, and I am not so sure these tools would help. So I stopped it, and rebooted the comp from it, and did not run its software. Instead I clicked on the "advanced" tab, and it had a command prompt option! So I was in business... and ran Rkill, then TDSSKiller, which found a rootkit.w32.tdss, or like that, with a suffix like 7D14. I scrawled it down too sloppily, sorry... I was afraid to wait more than a few seconds and was in a hurry to get rid of it.

Then I finally could run Malwarebytes, which only found one of my renamed copies of RKill on my thumbdrive, and one of the executables of the malware which was still in my Recycle bin.

So if anyone comes across this, my recommendation would be to keep a bootable disk, and thumb drive, on hand, along with the latest programs recommended by the guys here to get rid of this crap. Learn how to boot into your bios (on my Gateway NV52, I hold down the "f2" key at the first Gateway splash screen), so that you can reset the bios to boot from your CD/DVD drive. Learn enough about DOS commands so that you can navigate to the tools, when you are able to boot to a command prompt (C:/, or in Norton's case, "X:/).

If this did not work, I was going to remove my hard drive from the comp, and put it in a USB case. Then I was going to plug it in, and scan it with another computer, plugged in as an accessory drive. You can find these drives on eBay for only about $6. I have one on the way... I'll save it just in case.

#8 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 15 September 2011 - 08:46 PM

Great job thanks for the details.

#9 proto57

proto57
  • Topic Starter

  • Members
  • 5 posts

Posted 16 September 2011 - 08:11 AM

Thanks, Bear.

I wanted to add a couple of things I forgot:

1) When you do look for, or make, a boot disk, be certain it will allow you to boot to the command prompt. The recovery disks I made for my Gateway only allowed me the two recovery choices of a complete reinstall of my OS, or just the OS and saving my data. But the latter warned me that it would not have eliminated "persistent malware". And I could not find any way to "fool" the disk into allowing me to go to a DOS prompt (c:\). So the recovery disks I made were useless against this malware. As I pointed out, I was lucky that the Norton disk gave this option.

2) If you chose to make a memory stick (thumb drive) to boot from, a few things might get in the way. First of all, you must make certain that your bios will allow booting to USB. Maybe all BIOS's do now, I don't know. Secondly, when booting from a thumb drive, my bios would only look at the first drive on that thumb drive's memory. Unfortunately, that was the drive's factory operating system, which I do not even use. It was designated e:\. Then after that, I had this stupid program on my computer which made virtual drives on all my real drives... so it added a "f:\". THEN came my data portion, "g:\". So what this did was thwart my ability to use my thumb drive to boot from, as BIOS would only look to e:\!

I am going to prepare a special, recovery, thumb drive, which only has one real drive on it, so BIOS will find it. It will have all the latest basic tools that this site recommends, too. And when I do backups of my computer, I will also update those tools. And it will have a boot program on it, so I can always run stuff.

Hope this is of use... it would have been, to me. Rich.
