Starbuck Posted August 15, 2011

> Besides, I can't open it, so I will try opening it in Safe Mode.

Reg files are not meant to be opened. Sorry if I didn't make this very clear.
What you need to do is to right click on the reg file icon .... you should then see an option called Merge. Select this.
Basically the malware has been stopped, but we need to change some registry settings back to their default ..... which the malware has changed.

Member of: UNITE

DrPerry (Author) Posted August 15, 2011

I still can't open it. I'm just gonna do it in Safe Mode AGAIN. This time I'll merge it.

DrPerry (Author) Posted August 15, 2011

Nope, doesn't do anything. I still can't open .EXE files, or even that registry file for that matter; only in Safe Mode can I open them. Are you sure the virus has been stopped?
Starbuck Posted August 15, 2011

Hi DrPerry,

P2P Warning

Please note that as long as you're using any form of Peer-to-Peer networking (Frostwire, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer.
Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.
Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use. When you use them you are downloading software from an unknown source directly onto your computer, bypassing your firewall and anti-virus software. Hardly surprising then that many of these downloads are being targeted to carry infections.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation. If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

As you downloaded the .scr version of OTL it should run fine in normal mode. Try running this fix in normal mode.
I'll add the contents of the reg file to the fix, so OTL should take care of it.
There are also a few leftovers from AVG, which we'll clear out.
When you said you had AVG and McAfee on the system, you didn't say that the version of McAfee was only a 'security scan' version.
Once we get the .exe files running we must get a new anti-virus protector installed.

Double click on OTL to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

```
:otl
[2011/07/20 16:28:23 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/08/14 09:54:09 | 000,000,000 | ---D | M] -- C:\Users\Hayden\AppData\Roaming\AVG10
[2011/08/14 09:54:09 | 000,000,000 | ---D | M] -- C:\Users\Hayden\AppData\Roaming\AVG9
:Reg
[HKEY_CLASSES_ROOT\.exe]
""="exefile"
[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
""="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
""="Application"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
""="%1"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
""="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
""="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_USERS\.DEFAULT\SOFTWARE\Classes\.exe]
[-HKEY_USERS\S-1-5-18\SOFTWARE\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\exefile]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
""=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
""=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
""=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
""=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
""=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
""=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
"exefile"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
"secfile"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\�]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\�]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""
:Files
ipconfig /flushdns /c
:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]
```

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Member of: UNITE
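The :Reg section of the fix above rewrites the places Windows consults when a user double-clicks an .exe: the machine-wide .exe → exefile mapping, the exefile open command, per-user overrides under HKCU\Software\Classes, Explorer's FileExts\.exe entries and the per-user Winlogon Shell value. The read-only PowerShell check below is an added example (mine, not part of the thread, of OTL, or of the helper's fix); it reads those same locations and reports anything that differs from the Windows default. The "expected" values are assumptions taken from the fix in the post (the hex in the open command decodes to `"%1" %*`); the key paths are the ones the fix itself names.

```powershell
# Added example, not from the thread: audit the .exe file-association keys that
# the OTL fix above rewrites and report deviations from the Windows defaults.
# Read-only: it changes nothing. Expected values are assumptions based on the fix.

$findings = @()

function Get-RegDefault {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # '(default)' is how the registry provider exposes the unnamed value
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

# 1. Machine-wide association: HKCR\.exe must map to the "exefile" ProgID
$ext = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($ext -ne 'exefile') {
    $findings += "HKCR\.exe default is '$ext' (expected 'exefile')"
}

# 2. The exefile open command must be "%1" %* with nothing prepended to it
$cmd = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($cmd -ne '"%1" %*') {
    $findings += "exefile open command is '$cmd' (expected '`"%1`" %*')"
}

# 3. Per-user class keys take precedence over HKLM; on a clean system the
#    ones the fix deletes normally do not exist at all.
foreach ($k in 'HKCU:\Software\Classes\.exe',
               'HKCU:\Software\Classes\exefile',
               'HKCU:\Software\Classes\secfile') {
    if (Test-Path -LiteralPath $k) {
        $findings += "Per-user override key present: $k"
    }
}

# 4. Explorer's FileExts\.exe UserChoice can redirect double-click launches
$uc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path -LiteralPath $uc) {
    $progid = (Get-ItemProperty -LiteralPath $uc).ProgId
    $findings += "FileExts\.exe UserChoice present, ProgId='$progid'"
}

# 5. A per-user Winlogon Shell value replaces Explorer for that user only
$wl    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $wl -ErrorAction SilentlyContinue).Shell
if ($shell) { $findings += "Per-user Winlogon Shell set to '$shell'" }

if ($findings.Count -eq 0) {
    Write-Output 'No deviations from the default .exe association found.'
} else {
    Write-Output 'Deviations found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from a normal PowerShell prompt (no elevation needed, since it only reads). A clean result here, as the helper observes later in the thread, means the association itself is not what is blocking .exe launches and the cause has to be looked for elsewhere.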
DrPerry (Author) Posted August 15, 2011 (edited)

I can't open OTL in normal mode, should I open it in Safe Mode instead?

Edited August 15, 2011 by DrPerry

DrPerry (Author) Posted August 15, 2011

I ran it in Safe Mode anyway. It told me it needed a reboot in order to finish removing stuff. It rebooted but I couldn't get into Safe Mode because my PC is retarded. When I logged on, nothing happened and I went to check the 'moved files' folder and found the log. I'm not sure if I did it all correctly, so just tell me if I have done something wrong. Here is the log file:

```
All processes killed
========== OTL ==========
C:\Windows\System32\drivers\AVG folder moved successfully.
C:\Users\Hayden\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Hayden\AppData\Roaming\AVG10 folder moved successfully.
C:\Users\Hayden\AppData\Roaming\AVG9\cfgall folder moved successfully.
C:\Users\Hayden\AppData\Roaming\AVG9 folder moved successfully.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\.exe\\""|"exefile" /E : value set successfully!
HKEY_CLASSES_ROOT\.exe\\"Content Type"|"application/x-msdownload" /E : value set successfully!
HKEY_CLASSES_ROOT\.exe\PersistentHandler\\""|"{098f2470-bae0-11cd-b579-08002b30bfeb}" /E : value set successfully!
HKEY_CLASSES_ROOT\exefile\\""|"Application" /E : value set successfully!
HKEY_CLASSES_ROOT\exefile\DefaultIcon\\""|"%1" /E : value set successfully!
HKEY_CLASSES_ROOT\exefile\shell\open\command\\@|hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\""|"exefile" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\"Content Type"|"application/x-msdownload" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\\""|"{098f2470-bae0-11cd-b579-08002b30bfeb}" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Classes\.exe\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\secfile\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\\ not found.
Registry key HKEY_LOCAL-MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList\\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\\exefile deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\\secfile not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\�\ not found.
Registry key HKEY_LOCAL-MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\�\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.exe\shell\open\command\\@|"\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Hayden\Desktop\cmd.bat deleted successfully.
C:\Users\Hayden\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Hayden
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1089123 bytes
->Java cache emptied: 96976 bytes
->Google Chrome cache emptied: 282589039 bytes
->Flash cache emptied: 1939 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 155648 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 62146 bytes
Total Files Cleaned = 271.00 mb
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: Hayden
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.26.4 log created on 08152011_193607
```
Starbuck Posted August 15, 2011

Most of the fix worked.
If you are still having problems opening .exe files in normal mode ..... what .exe files are not opening? Is it all of them or just some of them?

Let's see if this will run; it'll search out for rootkits etc.:

Download aswMBR and save it to your desktop.
Double click the aswMBR.exe to run it.
The latest version gives you the option of adding the latest Avast definitions:
http://img.photobucket.com/albums/v708/starbuck50/new/03-07-201116-24-19.png
It is recommended at this time to click NO. (As there is a possibility of crashing the system.)
Click the Scan button to start the scan.
http://img.photobucket.com/albums/v708/starbuck50/new/asw1.gif
On completion of the scan click Save log and save it to your desktop.
http://img.photobucket.com/albums/v708/starbuck50/new/asw2.gif
Please post this in your reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Member of: UNITE

DrPerry (Author) Posted August 15, 2011

Can't open it. I will open it in Safe Mode. I will be back shortly with the results.

DrPerry (Author) Posted August 15, 2011

```
aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-15 20:11:00
-----------------------------
20:11:00.455 OS Version: Windows 6.1.7600
20:11:00.455 Number of processors: 2 586 0x602
20:11:00.456 ComputerName: HAYDEN-PC UserName: Hayden
20:11:01.118 Initialze error C000003A - driver not loaded
20:11:25.597 Scan error: Incorrect function.
20:14:21.033 The log file has been saved successfully to "C:\Users\Hayden\Desktop\aswMBR.txt"
```

I got an error, saying 'incorrect function', and nothing happened afterwards.
Starbuck Posted August 15, 2011

> I got an error, saying 'incorrect function' and nothing happened afterwards.

Because it needs to run in normal mode.
The OTL report isn't showing any reason for the .exe files not running. The file associations look ok ..... this is all very odd.

Let's see if an online scan will work:

I'd like you to do an ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
- Accept any security warnings from your browser.
- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
- Click the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note: It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
To prevent this happening: When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
Enable Anti-Stealth technology
http://img.photobucket.com/albums/v708/starbuck50/eset.png

Member of: UNITE

DrPerry (Author) Posted August 15, 2011

It won't work. When I click Start after double-clicking on the program and checking the 'YES I accept the terms of use', nothing happens. It also has a small yellow and blue shield next to it, which up until now I had not noticed; all the .EXE files I can't open have a shield next to them. Here's an image of the program and an image of my current desktop. (All the programs with a shield on them won't open and I receive that stupid message.)
http://i.imgur.com/XZL8B.jpg
http://i.imgur.com/Z0r8V.jpg

Starbuck Posted August 15, 2011

> It also has a small yellow and blue shield next to it, which up until now I have only just noticed, all the .EXE files I can't open have a shield next to it.

This is actually quite normal for Win7.
Items with the shield need administrator privileges to run. Most of these things will give you a UAC pop-up or need to be run by right-clicking and choosing "Run as administrator".
Have you tried running them by right clicking and selecting 'Run as Administrator'?

Member of: UNITE

DrPerry (Author) Posted August 15, 2011

Yes I have tried running it as admin. I still get the same results. I also can't edit any system settings or user settings. That means I can't access the UAC.
Starbuck Posted August 15, 2011

It sounds as though you have no admin rights.
You said earlier that you only had one account on the system. But from what you are saying, it seems like an ordinary account. Maybe the privileges have been removed for some reason.

Do you have the Win7 installation disc? If so:
Boot with the Win7 installation DVD and select the default language, then choose "Repair your computer".
Then select "Command Prompt".
At the command prompt type:

net user administrator /active:yes

(there is a space between r and /) then click the enter key and reboot the system.
You should now see a new Admin account. Log in to this and see if there is any difference.
You may need to set up the desktop etc. for the new account.

Member of: UNITE
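Before enabling the built-in Administrator from recovery media, it helps to know which of three things is actually going on: the account is not in the Administrators group, it is a member but the session token is not elevated (UAC prompts are being blocked or denied), or UAC itself has been switched off or altered. The PowerShell snippet below is an added example (mine, not from the thread) that reports all three from a normal session, plus the current state of the built-in Administrator account that the post's net user command enables. It reads only; the net user output line it looks for ("Account active") is an assumption that holds for English Windows installs.

```powershell
# Added example, not from the thread: report whether this session holds admin
# rights, whether UAC is on, and the state of the built-in Administrator account.
# Read-only. Assumes an English locale for the "Account active" line of net user.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole is true only for an elevated token; an admin running without
# elevation (the filtered UAC token) gets $false here
$elevated = $principal.IsInRole($adminRole)

# Group membership is independent of elevation: the Administrators group has
# the well-known SID S-1-5-32-544 and appears in the token either way
$adminsSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
$isMember  = $identity.Groups -contains $adminsSid

# UAC state comes from the policy key; EnableLUA = 1 means UAC is enabled
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol    = Get-ItemProperty -LiteralPath $polKey -ErrorAction SilentlyContinue
$uacOn  = ($pol.EnableLUA -eq 1)

# State of the built-in Administrator account (what the post's
# "net user administrator /active:yes" switches on)
$line = net user administrator 2>$null | Select-String 'Account active'
$builtinStatus = if ($line) { $line.Line.Trim() } else { 'unknown (net user failed)' }

[pscustomobject]@{
    User                  = $identity.Name
    InAdministratorsGroup = $isMember
    TokenElevated         = $elevated
    UacEnabled            = $uacOn
    BuiltInAdministrator  = $builtinStatus
}
```

InAdministratorsGroup = False with a single account on the machine matches the helper's reading that the privileges have been removed; True with TokenElevated = False and UacEnabled = True points instead at the UAC consent step being blocked, which is the case where "Run as administrator" produces no prompt at all.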
DrPerry (Author) Posted August 15, 2011

I don't have the Windows 7 installation disc. When I re-installed Windows about 2 months ago, I had lost the disc then. I had to download a pirated version, so the OS I'm using now is pirated.
Man, I download so much illegal crap, I would not be surprised if I were fined.

EDIT: I do still have the Windows installation files however, so I can just install Windows with that. Or do that repair thing. I just have to boot the installation onto a USB flash drive and boot my PC from the flash drive. Would you like me to do that?

DrPerry (Author) Posted August 15, 2011

Ignore the edit on the post above this one. I tried doing the Windows installation on my USB, but it doesn't work for a few reasons. Is there anything else I can do?

Starbuck Posted August 16, 2011

> I had to download a pirated version, so the OS I'm using now is pirated.

Forum rules forbid us to help anyone using pirated software .... especially when it relates to the Operating System.
I can no longer provide help for you and this thread will now be closed.

Member of: UNITE