
programs won't open after Win7 Antivirus 2012 infection



#1 Oscar5 (Members)

Posted 16 January 2012 - 11:38 PM

Hello,

I would like to enlist your help because I've tried everything on my own and I'm stuck. My computer was infected with the Win7 Antivirus 2012 rogueware. I followed the removal instructions from this site and thought my problem was fixed. Everything seems normal on my "administrator" account and I wasn't aware that anything was amiss until I logged into another account and noticed I couldn't open any programs. I get pop up that says the file has no programs associated with it and to go into Control Panel Default Programs and set it up. I went in and I'm still not really sure how to do this. I tried to uninstall and reinstall programs but that has not worked. I thought deleting those accounts and creating new ones would solve the problem but the issue still persists. I don't know if the virus damaged my files or if my computer is still infected. I don't know what else to do but ask for help from the experts.

Thanks in advance.


#2 narenxp (BC Advisor)

Posted 17 January 2012 - 12:16 AM

Download

http://www.winhelponline.com/fileasso/exe_fix_w7.zip

Extract and launch the registry file

Click YES when you get a UAC prompt

You should be able to launch applications now.

Run Malwarebytes once to make sure that the PC is clean.

Good luck

Edited by narenxp, 17 January 2012 - 12:16 AM.


#3 Oscar5 (Topic Starter)

Posted 17 January 2012 - 07:02 PM

Thanks for your reply. Unfortunately, running the registry fix didn't work.

#4 narenxp (BC Advisor)

Posted 17 January 2012 - 07:17 PM

No problem. I'm sure you have Malwarebytes.

Boot into the infected account. Right-click on the Malwarebytes icon and select Run as administrator.

Run a scan, remove infections and then run the registry fix.

good luck

#5 Oscar5 (Topic Starter)

Posted 17 January 2012 - 10:22 PM

I just ran the scan. It found no infections. After that I tried to run the registry fix. I get the following message:

Cannot import. Not all data was successfully written to the registry. Some keys are open by the system or other processes.

#6 narenxp (BC Advisor)

Posted 17 January 2012 - 10:25 PM

It's a common error. Did you try launching the programs?

#7 Oscar5 (Topic Starter)

Posted 17 January 2012 - 10:56 PM

Yes, but I'm still getting the same error message.

#8 narenxp (BC Advisor)

Posted 17 January 2012 - 11:06 PM

Please download exeHelper to your desktop.

http://www.raktor.net/exeHelper/exeHelper.com

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Please download GMER from here

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

#9 Oscar5 (Topic Starter)

Posted 19 January 2012 - 06:47 PM

Hi Narenxp,

sorry for the delay. I've run both exehelper and gmer. Please see below for the logs.

exeHelper by Raktor
Build 20100414
Run at 00:50:21 on 01/18/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 18:46:12 on 01/19/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-19 07:36:37
Windows 6.1.7600
Running: l3zv1i84.exe


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Oscar\Desktop\Adobe Photoshop Elements 9.0.3\Adobe Photoshop Elements 9 p\xac\xbf\xac\Adobe Photoshop Elements 9\Setup.exe 1

---- EOF - GMER 1.0.15 ----
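The registry fix in post #2 and the exeHelper log above both act on the same handful of registry values: the `.exe` / `.com` file-type handlers, the Winlogon `Userinit` and `Shell` values, and a few Explorer policies. The PowerShell script below is an added example, not part of the thread, exe_fix_w7.zip or exeHelper; it only reads those values and reports which ones deviate from what a clean system holds, so a helper can see exactly what the rogue changed before importing anything. The expected defaults are assumed Windows 7 x64 defaults and should be confirmed against a known-clean machine; the per-user checks are the ones that matter for the symptom in post #1, because a value under `HKCU\Software\Classes` overrides the machine-wide handler for that account only.

```powershell
# Added example: read-only audit of the values exeHelper / the exe_fix .reg file reset.
# Expected defaults are ASSUMED Windows 7 x64 defaults - verify on a clean machine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent; Name '' selects the (Default) value.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

# Expected = $null means the value (or the whole key) should not exist on a clean system.
$checks = @(
    # Machine-wide handlers; HKCR shows these when no per-user override exists.
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Name = '';         Expected = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '';         Expected = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.com';                       Name = '';         Expected = 'comfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '';         Expected = '"%1" %*' },
    # Per-user overrides. These take precedence over HKLM for the current account only,
    # so a change here breaks just the account it was written under (post #1's symptom).
    # Run this script while logged in as each affected user.
    @{ Path = 'HKCU:\Software\Classes\.exe';                       Name = '';         Expected = $null },
    @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command'; Name = '';         Expected = $null },
    @{ Path = 'HKCU:\Software\Classes\.com';                       Name = '';         Expected = $null },
    # Winlogon values the exeHelper log reports resetting.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = 'C:\Windows\system32\userinit.exe,' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = $null },
    # Policies the exeHelper log reports resetting; neither should be set on a clean system.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = $null }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $status = if ([string]$actual -eq [string]$c.Expected) { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{
        Key      = $c.Path
        Value    = if ($c.Name -eq '') { '(Default)' } else { $c.Name }
        Expected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
        Actual   = if ($null -eq $actual) { '<absent>' } else { [string]$actual }
        Status   = $status
    }
}

$results | Format-Table Key, Value, Expected, Actual, Status -AutoSize

# Non-zero exit when anything deviates, so the audit can gate a cleanup workflow.
if ($results | Where-Object { $_.Status -eq 'MISMATCH' }) { exit 1 }
```

Because the rogue has to be able to run before the `.exe` handler is restored, launch this from an elevated PowerShell prompt that already works (for example from the unaffected administrator account, or via `powershell.exe` started from Task Manager). The "Cannot import ... Some keys are open by the system" message from post #5 usually only means a few HKCR keys were locked during the import; comparing this audit's output before and after the import shows whether the values that matter actually changed.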

#10 narenxp (BC Advisor)

Posted 19 January 2012 - 10:36 PM

Hope you have Malwarebytes with you. Run it on the account which had the file association issues. Make sure to get a clean log.

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

Edited by narenxp, 19 January 2012 - 10:38 PM.


#11 Oscar5 (Topic Starter)

Posted 20 January 2012 - 09:33 PM

Hello,

today I noticed I was able to run Malwarebytes without choosing to run as administrator. I tried to open other programs and miraculously they all open now. I even created new accounts to see whether this is unique to individual accounts (like before) but it doesn't seem so. Everything is now working fine. I ran the scans anyway just in case there's still something wrong with my files.

Malwarebytes found no infections and below is the log for aswMBR.

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-20 20:30:30
-----------------------------
20:30:30.903 OS Version: Windows x64 6.1.7600
20:30:30.903 Number of processors: 4 586 0x2502
20:30:30.903 ComputerName: OSCAR-PC UserName: Oscar
20:30:32.775 Initialze error C000010E - driver not loaded
20:30:32.869 AVAST engine defs: 12012001
20:31:48.763 Service scanning
20:31:50.027 Modules scanning
20:31:50.027 Disk 0 trace - called modules:
20:31:50.027
20:31:51.727 AVAST engine scan C:\Windows
20:31:55.658 AVAST engine scan C:\Windows\system32
20:32:57.169 AVAST engine scan C:\Windows\system32\drivers
20:33:06.124 AVAST engine scan C:\Users\Oscar
21:18:39.296 AVAST engine scan C:\ProgramData
21:20:57.981 Scan finished successfully
21:25:15.334 The log file has been saved successfully to "C:\Users\Oscar\Desktop\aswMBR.txt"

Edited by Oscar5, 20 January 2012 - 09:34 PM.


#12 narenxp (BC Advisor)

Posted 20 January 2012 - 11:17 PM

Please re-run aswMBR and post the log here.

Download

FSS

Checkmark:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update

Click on "Scan".
Please copy and paste the log to your reply.

Download

ESET online scanner


Install it

Click on START; it should download the virus definitions.
When the scan is completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

#13 Oscar5 (Topic Starter)

Posted 21 January 2012 - 02:37 PM

Here are the scan logs in the following order: 1. aswMBR, 2. FSS, 3. ESET.

1. aswMBR


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-21 00:44:25
-----------------------------
00:44:25.968 OS Version: Windows x64 6.1.7600
00:44:25.968 Number of processors: 4 586 0x2502
00:44:25.968 ComputerName: OSCAR-PC UserName: Oscar
00:44:31.132 Initialize success
00:44:31.553 AVAST engine defs: 12012001
00:44:36.920 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
00:44:36.920 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
00:44:37.013 Disk 0 MBR read successfully
00:44:37.013 Disk 0 MBR scan
00:44:37.013 Disk 0 Windows VISTA default MBR code
00:44:37.122 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13000 MB offset 2048
00:44:37.169 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 26626048
00:44:37.263 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463838 MB offset 26830848
00:44:37.263 Service scanning
00:44:53.300 Modules scanning
00:44:53.300 Disk 0 trace - called modules:
00:44:53.331 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
00:44:53.346 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004be4060]
00:44:53.846 3 CLASSPNP.SYS[fffff88001ab243f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004928050]
00:44:58.323 AVAST engine scan C:\
06:33:10.944 Scan finished successfully
11:42:39.183 Disk 0 MBR has been saved successfully to "C:\Users\Oscar\Desktop\MBR.dat"
11:42:39.190 The log file has been saved successfully to "C:\Users\Oscar\Desktop\aswMBR scan.txt"




2. FSS

Farbar Service Scanner Version: 18-01-2012 01
Ran by Oscar (administrator) on 21-01-2012 at 11:45:48
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 19:09] - [2009-07-13 20:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll
[2009-07-13 19:09] - [2009-07-13 20:40] - 0703488 ____A (Microsoft Corporation) 4992C609A6315671463E30F6512BC022

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 18:36] - [2009-07-13 20:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe
[2009-07-13 18:39] - [2009-07-13 20:39] - 1598976 ____A (Microsoft Corporation) 787898BF9FB6D7BD87A36E2D95C899BA

C:\Windows\System32\wscsvc.dll
[2011-02-08 18:12] - [2010-12-21 01:16] - 0097280 ____A (Microsoft Corporation) 8F9F3969933C02DA96EB0F84576DB43E

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 19:36] - [2009-07-13 20:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll
[2009-07-13 18:46] - [2009-07-13 20:41] - 0848384 ____A (Microsoft Corporation) 7F0C323FE3DA28AA4AA1BDA3F575707F

C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2009-07-13 18:49] - [2009-07-13 20:40] - 0175104 ____A (Microsoft Corporation) 8C57411B66282C01533CB776F98AD384

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


3. ESET

C:\Users\Oscar\Downloads\SoftonicDownloader_for_hjsplit.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined


Edited by Oscar5, 21 January 2012 - 02:44 PM.
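The FSS log above does two things for each service it covers: it checks the service's registration in the registry (start type, ImagePath, ServiceDll) and it hashes the service binary. The script below is an added example, not part of the thread or of Farbar Service Scanner, that reproduces both checks for the two services FSS found stopped (SDRSVC and VSS). The expected service configuration is assumed from Windows 7 defaults; the reference MD5 values are deliberately left as placeholders, because the log lists hashes for those files without a verdict and the thread never establishes which hashes are legitimate. The MD5 is computed with .NET directly so the script runs on the PowerShell 2.0 that ships with Windows 7, which lacks Get-FileHash.

```powershell
# Added example: re-check what FSS reports for SDRSVC and VSS.
# Expected service settings are ASSUMED Windows 7 defaults; reference hashes are placeholders.

# Start: 2 = Automatic, 3 = Manual, 4 = Disabled. Both services are Manual by default;
# a start type of 4 here would explain System Restore being unavailable.
$services = @(
    @{ Name = 'SDRSVC'; Start = 3; ImagePath = '%SystemRoot%\system32\svchost.exe -k SDRSVC'; ServiceDll = '%SystemRoot%\System32\SDRSVC.dll' },
    @{ Name = 'VSS';    Start = 3; ImagePath = '%SystemRoot%\system32\vssvc.exe';             ServiceDll = $null }
)

function Get-ServiceConfig {
    param([string]$Name)
    # Read the raw (unexpanded) registry strings so they compare 1:1 with the expected text.
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $key = Get-Item -Path $base -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $params = Get-Item -Path "$base\Parameters" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Name       = $Name
        Start      = $key.GetValue('Start')
        ImagePath  = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        ServiceDll = if ($params) { $params.GetValue('ServiceDll', $null, 'DoNotExpandEnvironmentNames') } else { $null }
    }
}

function Get-Md5 {
    param([string]$Path)
    # Hex MD5 of a file, the same form FSS prints in its File Check section.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close() }
}

# Service configuration check.
foreach ($s in $services) {
    $cfg = Get-ServiceConfig -Name $s.Name
    if ($null -eq $cfg) { "$($s.Name): service key missing"; continue }
    foreach ($field in 'Start', 'ImagePath', 'ServiceDll') {
        $expected = $s[$field]
        $actual   = $cfg.$field
        $status   = if ([string]$actual -eq [string]$expected) { 'OK' } else { 'MISMATCH' }
        '{0,-7} {1,-10} {2,-8} expected=[{3}] actual=[{4}]' -f $s.Name, $field, $status, $expected, $actual
    }
}

# File check: hash the service binaries and compare with values taken from a clean
# install of the same Windows build (placeholders below - fill in before use).
$reference = @{
    'C:\Windows\System32\SDRSVC.dll' = '<md5 from a clean install>'
    'C:\Windows\System32\vssvc.exe'  = '<md5 from a clean install>'
}
foreach ($file in $reference.Keys) {
    if (-not (Test-Path -Path $file)) { "$file => MISSING"; continue }
    $hash = Get-Md5 -Path $file
    if ($hash -eq $reference[$file]) { "$file => MD5 matches reference" }
    else { "$file => MD5 $hash differs from reference" }
}
```

A mismatch in the configuration section points at tampering with the service registration; a hash mismatch against a reference from the same build points at a patched or replaced binary. A hash that is merely absent from a tool's reference list, as with the entries FSS printed without a verdict, is not evidence of either on its own.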


#14 narenxp (BC Advisor)

Posted 21 January 2012 - 09:11 PM

That looks good

Download

TFC

Launch it; it will close all running programs.

Click on START; it should ask for a reboot.

Turn off your System Restore, restart the PC, turn on System Restore and create a new restore point. You can follow the guide here:

http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Uninstall your Java update from Add or Remove Programs and download the latest from here:

http://www.java.com/en/

Update your antivirus frequently, and do not click on suspicious links.

Safe surfing :)

#15 Oscar5 (Topic Starter)

Posted 22 January 2012 - 09:32 PM

Hi Narenxp,

I did as instructed. I'm happy everything is working fine now. Thanks for your help :) I just have one more question. I ran a scan using HijackThis and it shows that I have many files missing, e.g. Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing). Is this a concern?

Edited by Oscar5, 22 January 2012 - 09:32 PM.




