Can't run exe files. Virus?

bmschech

I've been hit by what I assume is a virus that prevents me from running
exe files. I downloaded a registry patch that works, but the problem
recurs every time I reboot. In addition, I can't seem to run windows
internet explorer, which makes it impossible for me to run online virus
checks.

I have McAfee installed on my hard drive, updated with the latest virus
database, but it finds no infection, just a few questionable files that
I've removed. Same deal with adware.

A few other details: If I reboot the system the problem recurs. After
the first reboot a couple of my startup programs run, but I'm unable to
perform the registry fix--I import the file but it just doesn't work. I
reboot again and after the initial windows screen with its
thermometer, a dialog box pops up with no next, only a few cryptic
characters. I close that box and windows loads my personal settings and
boots to the desktop. This time no startups load. I run the registry
patch and all is fine, except no programs but my keyboard mapper in the
system tray (though some McAfee processes are still running. I'm not
sure if this means that I have virus protection) and when I click on
windows explorer I get a brief hourglass and then nothing.

Any ideas on how I might proceed? I'm really at the limit of my rather
limited knowledge and would greatly appreciate any help at all.

Thanks!
 
Postman delivers

bmschech expressed precisely :
> I've been hit by what I assume is a virus that prevents me from running
> exe files. I downloaded a registry patch that works, but the problem
> recurs every time I reboot. In addition, I can't seem to run windows
> internet explorer, which makes it impossible for me to run online virus
> checks.
>
> I have McAfee installed on my hard drive, updated with the latest virus
> database, but it finds no infection, just a few questionable files that
> I've removed. Same deal with adware.
>
> A few other details: If I reboot the system the problem recurs. After
> the first reboot a couple of my startup programs run, but I'm unable to
> perform the registry fix--I import the file but it just doesn't work. I
> reboot again and after the initial windows screen with it's
> thermometer, a dialog box pops up with no next, only a few cryptic
> characters. I close that box and windows loads my personal settings and
> boots to the desktop. This time no startups load. I run the registry
> patch and all is fine, except no programs but my keyboard mapper in the
> system tray (though some McAfee processes are still running. I'm not
> sure if this means that I have virus protection) and when I click on
> windows explorer I get a brief hourglass and then nothing.
>
> Any ideas on how I might proceed? I'm really at the limit of my rather
> limited knowledge and would greatly appreciate any help at all.
>
> Thanks!

How about running the anti-viral and adaware in safe mode?

JR the postman
 
bmschech

That's a good idea. But when I boot in safe mode I still get the blank
dialog box before windows load my personal setting. Still, I'm running
the scan but so far nothing.
 
David H. Lipman

From: "bmschech" <[email protected]>

| I've been hit by what I assume is a virus that prevents me from running
| exe files. I downloaded a registry patch that works, but the problem
| recurs every time I reboot. In addition, I can't seem to run windows
| internet explorer, which makes it impossible for me to run online virus
| checks.
|
| I have McAfee installed on my hard drive, updated with the latest virus
| database, but it finds no infection, just a few questionable files that
| I've removed. Same deal with adware.
|
| A few other details: If I reboot the system the problem recurs. After
| the first reboot a couple of my startup programs run, but I'm unable to
| perform the registry fix--I import the file but it just doesn't work. I
| reboot again and after the initial windows screen with it's
| thermometer, a dialog box pops up with no next, only a few cryptic
| characters. I close that box and windows loads my personal settings and
| boots to the desktop. This time no startups load. I run the registry
| patch and all is fine, except no programs but my keyboard mapper in the
| system tray (though some McAfee processes are still running. I'm not
| sure if this means that I have virus protection) and when I click on
| windows explorer I get a brief hourglass and then nothing.
|
| Any ideas on how I might proceed? I'm really at the limit of my rather
| limited knowledge and would greatly appreciate any help at all.
|
| Thanks!


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
bmschech

Hey, thanks!
As I mentioned, when I boot into the safe mode the virus still seems to
get active--the exe association is broken and I get the mystery dialog
box on bootup. Should I still rerun the scanners in safe mode? Or
should I boot from a cd and run the scanners from a dos prompt?
Also, the documentation mentions running DOSCLEAN.BAT, KAVCLEAN.BAT,
and SOFCLEAN.BAT, but it's a little vague on the when, where, how and
why.

By the way, I already ran the Panda online scanner and found nothing.
 
Duh_OZ

bmschech said:
I've been hit by what I assume is a virus that prevents me from running
exe files. I downloaded a registry patch that works, but the problem
recurs every time I reboot. In addition, I can't seem to run windows
internet explorer, which makes it impossible for me to run online virus
checks.
===========
What reg patch are you running?
===========
A few other details: If I reboot the system the problem recurs. After
the first reboot a couple of my startup programs run, but I'm unable to
perform the registry fix--I import the file but it just doesn't work. I
reboot again and after the initial windows screen with it's
thermometer, a dialog box pops up with no next, only a few cryptic
characters.
========
Any chance of getting a screen capture of the dialog box? You could
save it using M$ Paint (if you could access it) and then upload it from
some free photohosting site.
===========
Did you try right clicking on the 'broken' exe file and checking the
properties to see what it is associated with?

Sorry, no other ideas. Trying to determine if it is non malware issue.
 
bmschech

The patch I use is called xp_exe_fix, though I've discovered that
fixswen also works if I run it right away. It's easier to use, since I
don't have to load regedit.
I can't get a screen capture of the dialog box since it pops up before
the desktop is loaded. I have to close the box before my windows
settings are loaded. It's just a big blank window. The title is three
vertical bars and the text the same.
Haven't checked to see if there are any associations for the broken exe
files before the fix. Would this show up in the registry too? If so,
then there is no association before the patch is run.
I'm running more scans right now, but so far nothing is popping out at
me. Very frustrating.
 
Duh_OZ

Well if you can get hold of hijackthis
(http://www.merijn.org/files/hijackthis.zip), run it and then post the
log to http://www.bleepingcomputer.com/forums/ or some other forum that
deals with hijackthis logs it may help. DO NOT post a hijackthis log
in this newsgroup!

If you care to do some self analysis with the hijackthis log, you can
run it through an on-line analyzer here:
http://www.hijackthis.de/

Should have thought you couldn't do a screen capture as you weren't in
windoze yet. Had that situation myself once and used a digital camera
LOL.

Good luck - again, sorry I haven't been of much help.
 
David H. Lipman

From: "bmschech" <[email protected]>

| Hey, thanks!
| As I mentioned, when I boot into the safe mode the virus still seems to
| get active--the exe association is broken and I get the mystery dialog
| box on bootup. Should I still rerun the scanners in safe mode? Or
| should I boot from a cd and run the scanners from a dos prompt?
| Also, the documentation mentions running DOSCLEAN.BAT, KAVCLEAN.BAT,
| and SOFCLEAN.BAT, but it's a little vague on the when, where, how and
| why.
|
| By the way, I already ran the Panda online scanner and found nothing.

You first have to download each AV module's scanner files. Then you can boot off a DOS Boot
Disk or DOS Boot Disk with NTFS4DOS and then run the above mentioned BAT files.

The reason I have four different AV scanners in one front-end is that one may catch what
another may miss so the fact that Panda failed to find something doesn't faze me.
 
bmschech

Okay, here's something new. I tried to use msconfig to do a clean
boot. I'm a little confused about this because I checked the spot for
Diagnostic Startup but after booting up I got a dialog that eventually
launched msconfig and said that I was in selective startup, but the
boxes for processing the system.ini and win.ini files were not checked.

At any rate, I still get the strange dialog box, but now my exe files
load without patching. I'm sure this is a clue, but I don't know what
to do with it.
 
David H. Lipman

From: "bmschech" <[email protected]>

| Okay, here's something new. I tried to use msconfig to do a clean
| boot. I'm a little confused about this because I checked the spot for
| Diagnostic Startup but after booting up I got a dialog that evenutally
| launched msconfig and said that I was in selective startup, but the
| boxes for processing the system.ini and win.ini files were not checked.
|
| At any rate, I still get the strange dialog box, but now my exe files
| load without patching. I'm sure this is a clue, but I don't know what
| to do with it.

In that state run the Multi AV Scanning Tool. If you still have problems...
Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
bmschech

I just ran Kaspersky after a clean boot and this, after 6 hours, is
what it found:

cked: VBox

Current object: g:\

Sector Objects      : 0         Known viruses : 0
Files               : 111599    Virus bodies  : 0
Folders             : 1688      Disinfected   : 0
Archives            : 1703      Deleted       : 0
Packed              : 156       Warnings      : 0
                                Suspicious    : 0
Scan speed (Kb/sec) : 0         Corrupted     : 0
Scan time           : 01:25:36  I/O Errors    : 0


Scan process completed.

Result for all objects:

Sector Objects      : 0         Known viruses : 4
Files               : 560247    Virus bodies  : 8
Folders             : 12055     Disinfected   : 0
Archives            : 7409      Deleted       : 3
Packed              : 3983      Warnings      : 0
                                Suspicious    : 0
Scan speed (Kb/sec) : 7744      Corrupted     : 10
Scan time           : 06:31:50  I/O Errors    :

I'm a little puzzled. It says there are 4 known viruses, etc. Yet
nothing suspicious. What does this mean?
 
Befunge Sudoku

> I'm a little puzzled. It says there are 4 known viruses, etc. Yet
> nothing suspicious. What does this mean?

"suspicious" is a separate category, not an inclusive one.
It's used to describe stuff that could be malware, or used by
malware, but could also be legit. Eg, a non-standard ftp or
smtp server program, stuff like that.
 
Art

> I just ran Kaspersky after a clean boot and this, after 6 hours, is
> what it found:
> Result for all objects:
>
> Sector Objects      : 0         Known viruses : 4
> Files               : 560247    Virus bodies  : 8
> Folders             : 12055     Disinfected   : 0
> Archives            : 7409      Deleted       : 3
> Packed              : 3983      Warnings      : 0
>                                 Suspicious    : 0
> Scan speed (Kb/sec) : 7744      Corrupted     : 10
> Scan time           : 06:31:50  I/O Errors    :
>
> I'm a little puzzled. It says there are 4 known viruses, etc. Yet
> nothing suspicious. What does this mean?

There were 4 different known malwares found in 8 different
files. 3 files were deleted. It was "sure" of all it found (had exact
ID) so it found nothing suspicious. It only counts as suspicious
heuristic detections that it can't be certain of (doesn't have an exact
ID).

Art
http://home.epix.net/~artnpeg
 
David H. Lipman

From: "bmschech" <[email protected]>

| I just ran Kaspersky after a clean boot and this, after 6 hours, is
| what it found:
|
| cked: VBox
|
| Current object: g:\
|
| Sector Objects : 0 Known viruses : 0
| Files : 111599 Virus bodies : 0
| Folders : 1688 Disinfected : 0
| Archives : 1703 Deleted : 0
| Packed : 156 Warnings : 0
| Suspicious : 0
| Scan speed (Kb/sec) : 0 Corrupted : 0
| Scan time : 01:25:36 I/O Errors : 0
|
| Scan process completed.
|
| Result for all objects:
|
| Sector Objects : 0 Known viruses : 4
| Files : 560247 Virus bodies : 8
| Folders : 12055 Disinfected : 0
| Archives : 7409 Deleted : 3
| Packed : 3983 Warnings : 0
| Suspicious : 0
| Scan speed (Kb/sec) : 7744 Corrupted : 10
| Scan time : 06:31:50 I/O Errors :
|
| I'm a little puzzled. It says there are 4 known viruses, etc. Yet
| nothing suspicious. What does this mean?

To add to Art's reply...

You cut out the part where something was detected in the log.
What are those 8 virus bodies containing 4 different infectors?
 
Big Rich Soprano

> Download MULTI_AV.EXE from the URL --


Jesus Christ according to you this is the second coming... I tried it
- no whoop!
 
David H. Lipman

|
| Jesus Christ according to you this is the second coming... I tried it
| - no whoop!

Can you please explain your post.
 
GALAracunala

It seems that the program runs every time Windows starts.
Check if there is an unknown shortcut in (click on) Start>All Programs>StartUp.
And check this:
Click on Start>Run and type: msconfig
On the Startup tab uncheck any suspicious program that is checked to load
at startup.
If you don't know what any of these programs is, just google it, and see what
it is.
For example "ctfmon": I didn't know what it was, and when I entered it in Google,
I found that it is an important system process.

Hope you'll have luck with this...

Hello bmschech,

b> I've been hit by what I assume is a virus that prevents me from
b> running exe files. I downloaded a registry patch that works, but the
b> problem recurs every time I reboot. In addition, I can't seem to run
b> windows internet explorer, which makes it impossible for me to run
b> online virus checks.
b>
b> I have McAfee installed on my hard drive, updated with the latest
b> virus database, but it finds no infection, just a few questionable
b> files that I've removed. Same deal with adware.
b>
b> A few other details: If I reboot the system the problem recurs. After
b> the first reboot a couple of my startup programs run, but I'm unable
b> to perform the registry fix--I import the file but it just doesn't
b> work. I reboot again and after the initial windows screen with it's
b> thermometer, a dialog box pops up with no next, only a few cryptic
b> characters. I close that box and windows loads my personal settings
b> and boots to the desktop. This time no startups load. I run the
b> registry patch and all is fine, except no programs but my keyboard
b> mapper in the system tray (though some McAfee processes are still
b> running. I'm not sure if this means that I have virus protection) and
b> when I click on windows explorer I get a brief hourglass and then
b> nothing.
b>
b> Any ideas on how I might proceed? I'm really at the limit of my
b> rather limited knowledge and would greatly appreciate any help at
b> all.
b>
b> Thanks!
b>
GALAracunala
http://free-st.t-com.hr/GALAracunala/
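
The two checks discussed in this thread (whether the .exe association is intact, and what is set to load at startup) can be done read-only from a PowerShell prompt. This is an added example, not part of any post above; the function names are hypothetical, and it assumes a system where PowerShell is available and the stock association values `exefile` and `"%1" %*`.

```powershell
# Added example: read-only checks; nothing in the registry is modified.
# Stock default values for the .exe file association on Windows (assumed).
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    foreach ($key in $expected.Keys) {
        $actual = $null
        if (Test-Path -LiteralPath $key) {
            # The unnamed value of a key is exposed as the property '(default)'.
            $actual = (Get-ItemProperty -LiteralPath $key).'(default)'
        }
        [pscustomobject]@{
            Key = $key; Expected = $expected[$key]; Actual = $actual
            Ok  = ($actual -eq $expected[$key])
        }
    }
    # Per-user class keys override the machine-wide ones, so their presence
    # is worth reviewing even when the values above look correct.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{
                Key = $key; Expected = '(normally absent)'; Actual = 'present'; Ok = $false
            }
        }
    }
}

function Get-AutoStartEntry {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
    # Per-user and all-users StartUp folders (Start > All Programs > StartUp).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName } }
    }
}

Test-ExeAssociation | Format-List
Get-AutoStartEntry | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Any row with `Ok` set to False, or any startup entry that cannot be accounted for, is the thing to look up before changing anything.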
 
