urgent, cant open any .exe files

[mary]

installed beta microsoft spyware, and now cant open quick
books, etc, anything w/ an .exe extension, please help,
lossing valuable time, and my frustration level is getting
higher by the minute.
thanks,
m

 

[Monitor]

Can you say more about what happened/happens? Explain with
details.

 

[JohnF.]

Uninstall MSAS, ensure that Quickbooks is backed up and is now running
again. Reinstall MSAS and see if it works correctly after a reinstall.



--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
winsockxpfix.exe www.snapfiles.com/get/winsockxpfix.html
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Reboot into safe mode - http://tinyurl.com/pfca

3. Clean out all temp file locations - ccleaner.exe
(be sure to configure to delete all temp files
and not just those 48 hours old or older)

4. Run MSAS at least twice in full/deep mode

5. Run a robust, updated antivirus software scan

6. Reboot into normal mode,see if problem has been corrected

7. Install and use killbox to delete stubborn files

8. If you think something is there but can't see it:
- Download:
Blacklight by F-Secure to look for rootkits
www.europe.f-secure.com/exclude/blacklight/blbeta.exe
RootKitRevealer by SysInternals
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
http://support.microsoft.com/kb/811259
LSPFix - www.cexx.org/lspfix.htm
Winsockxpfix - www.snapfiles.com/get/winsockxpfix.html

- Install SpywareBlaster to block thousands of malware apps
from installing on your machine. It does not actively
run on your machine, you run it, it makes changes that
protect you.
http://www.javacoolsoftware.com/

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

**For a detailed attack plan **
http://spywarewarrior.com/sww-help.htm

*** For assistance in battling infestations***
- Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
- Save it to C:\hjt (new folder)
- Open it and select "Scan and Save Log"
- Note where you saved the log
- Send it to Ron Kinner as an attachment
- Ron's email address is (e-mail address removed)
- Put Hijack in the subject so he knows it's not spam
- He will tell you what to do next


Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware

- To report false positives:
www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx

- To submit disputes or requests:
www.microsoft.com/athome/security/spyware/software/isv/cdform.aspx

- To learn more about how MS analyzes suspected spyware:
www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx

Alternative Anti-Spyware Applications:
- Spybot Search and Destroy
http://www.majorgeeks.com/download2471.html
- LavaSoft AdAware
http://www.majorgeeks.com/download506.html
- AdAware VX2 Cleaner Plugin
http://www.majorgeeks.com/download4283.html
- BHODemon
http://www.majorgeeks.com/download3550.html
- CWShredder (CoolWWWSearch)
http://www.majorgeeks.com/download3019.html
- PestPatrol
http://www.majorgeeks.com/download1187.html
- Webroot Spysweeper
http://www.majorgeeks.com/download3263.html
- Spyware Doctor
http://www.majorgeeks.com/download4241.html
- Ewido Security Suite
http://www.ewido.net/en/

Recommended Software to help protect you:
- Windows XP Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
- SpywareBlaster
http://www.javacoolsoftware.com
- Outpost Firewall Pro
http://www.agnitum.com/products/outpost

 

[Ron Kinner]

I've seen this before. There is some malware that
attaches itself to the exefile entry in the registry and
if you follow the instructions from Symantec and delete it
you wind up with no exe files, and no desktop. Perhaps
antispy fell into the same trap.

HKEY_CLASSES_ROOT\exefile\shell\open\command

needs to have a string value (default) of "%1" %*

You need to open notepad on another computer and copy the
following text into it:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"




Then File SaveAs the file to a floppy in A: and call
it "fixexe.reg" Don't forget the "'s.

Move the floppy to the sick pc and CTRL + ALT + DELETE and
select Task Manager the File, New Task(Run) and type
A:\fixexe.reg
then OK. It will ask you if you are sure you want to do
this. Tell it OK then reboot.

If that doesn't work then:

To copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot
run .exe files, you must first make a copy of the Registry
Editor as a file with the .com extension, and then run
that.


Do one of the following, depending on which operating
system you are running:
Windows 95/98 users: Click Start, point to Programs, and
click MS-DOS Prompt.
Windows Me users: Click Start, point to Programs, point to
Accessories, and then click MS-DOS Prompt.
Windows NT/2000/XP users:
Click Start, and click Run.
Type the following and then press Enter:

command

A DOS window opens.

Type the following and then press Enter:

cd \winnt (win2K and XP Pro)

or

cd \Windows (XP home)

Go on to the next step.

Type the following and then press Enter:

copy regedit.exe regedit.com

Type the following and then press Enter:

start regedit.com


Then check the keys

HKEY_CLASSES_ROOT\comfile\shell\open\command

HKEY_CLASSES_ROOT\exefile\shell\open\command


HKEY_LOCAL_MACHINE\Software\classes\comfile\shell\open\comm
and


HKEY_LOCAL_MACHINE\Software\classes\exefile\shell\open\comm
and

They should all have a string value (default) of "%1" %*


Reboot.

Ron

 

[JohnF.]

Good info Ron! Didn't know that one but I do now!

 

[Ron Kinner]

Here are a few of the critters that mess with the exefile:


http://securityresponse.symantec.com/avcenter/venc/data/bac
kdoor.beasty.html

http://securityresponse.symantec.com/avcenter/venc/data/tro
jan.w32.virtualave.html

http://securityresponse.symantec.com/avcenter/venc/data/bac
kdoor.gwgirl.html

While poking around on Symantec's site I ran across the
following tool:

http://securityresponse.symantec.com/avcenter/venc/data/too
l.to.reset.shellopencommand.registry.keys.html

Not sure if it will help but it looks like it should.
Interesting technique anyway. Might come in handy some
time.

if these wrap the tinyurls are (in order mentioned above):

http://tinyurl.com/xfru
http://tinyurl.com/3wrce
http://tinyurl.com/7qa5w
http://tinyurl.com/yrotz

Ron

 

[plun]

Ron Kinner presented the following explanation :

NewsReader : Microsoft CDO for Windows 2000

Why are you using this "bastard" for news ?



Everything is wrapped/broken in all MS apps.

 

[Ron Kinner]

Plun,

I access the forum via Internet Explorer and

http://communities.microsoft.com/newsgroups/default.asp?
ICP=spyware&sLCID=us

because the company firewall blocks all other newsgroup
connections.

Ron