Tony2go

.EXE files are gone!


Can anyone offer some help on this problem? I installed the SuperAntiSpyware program and now a number of my programs will not open/run. A window opens asking for the (.exe) file to run it. I have no network connection, my antivirus program was also impacted the same way. Before I installed the SuperAntiSpyware program, I kept getting a Windows Security message that my windows security was turned off. Turns out it was a Trojan Fake Alert (don't have the exact name just right now) and it was isolated and deleted by Malwarebytes Antimalware. I still have that log. Since SuperAntiSpyware was a more complete program I decided to give it a try to see if there was any other spyware on the system. Ran the program and then this all happened. Please provide any help you can provide or let me know what additional info you may need to resolve this issue. I am running XP Home SP3 and can get to the desktop.

Thanks, Tony


Disregard my previous reply. I ran the program from a temporary directory and it indicated success. I can open programs but do not have the desktop icons, just a directory icon. Went into properties for the different programs and clicked on "change icon", selected the appropriate icon but that did nothing. Any ideas?

BTW, the following was noted in a log from another anti-malware/spyware program: 1 registry value was infected, 4 registry data items were infected, and 2 files were infected. The infected files were quarantined and deleted by the program. But I still keep getting an error message from the system tray that windows security is turned off. This started when the Trojan.FakeAlert got on the system and dumped some files on the system. Your thoughts on this? Please tell me what I need to post here to solve this situation.


Thanks Seth. Actually the icons all came back after the screen did a refresh.

Now, what is left is getting back full use of Windows Internet Explorer (IE8). I can't run windows updates or even windows defender updates, but I can access the internet. BitDefender AV is working okay and updating and I re-established my network connection and all is well there. Malwarebytes AntiMalware (sorry about that :roll: ) deleted a few items and quarantined them. I have attached a text file of the problems. Can you help on this or should I go elsewhere to remove these items? I keep getting a Microsoft Security Warning in the system tray. Any help on this will be most appreciated...

Trojan FakeAlert 08-05-11.txt


You're welcome.

Make sure your Security Center options are enabled, then download ComboFix: http://www.bleepingcomputer.com/download/anti-virus/combofix

- Boot the computer into "Safe Mode With Networking".

- Run Combofix and ignore any warnings that your antivirus program is running (if you receive them).

- Update Combofix and/or the Recovery Console if Combofix requests it.

- Once the procedure starts, don't use the computer until the Combofix log appears (about 10-30 mins).

How does the system run now?


The computer runs fine right now. No problems with speed or hang-ups or crashes.

I had run combofix back in 2009 (had some virus and malware issues resolved on the CEXX Forum which I guess no longer exists) and had installed the Recovery Console at that time. Everything got cleaned up from another Trojan I picked up at that time. (BTW, this trojan came from a visit to Yahoo's home page when I clicked on a link to some photos of a couple of actors and then a pop-up tried to get me to play at a Russian casino...wonderful.) Can't recall how I obtained the Recovery Console in order to update it, if the update is going to be required as you stated. Does combofix point me to it? I'll try to run everything tonight and get back here with the results...thanks for your help.


Seth: You wrote "Make sure your Security Center options are enabled". I cannot enable the Security Center options. In the text file I attached, note the registry entry that disables the security center options. I believe that is why I can't enable them. Other than going into the registry, any other suggestions or should I just proceed to run combofix in safe mode with networking?


The MalwareBytes log shows that those registry items were fixed. Disable System Restore, run MB and SAS, and make sure those items are checked off in the threats found list. If the issue still remains following that, then run ComboFix as advised.


Seth: Thanks, but first other information. In System Restore I show a "System Checkpoint" five days before I got infected and a "Software Distribution Service 3.0" four days before the infection. Can I restore these without a problem or is that not advisable? I ran MB (detected no threats) and ran SAS which found a bunch of adware cookies (deleted) and a registry threat that said: "System.BrokenFileAssociation HKCR\.exe" However, I ran the two programs, forgetting that I had to disable System Restore. Once I turn off System Restore, all of the previous checkpoints are deleted. Let me know your thoughts on this...thanks for your patience...

Tony


I wouldn't recommend running system restore, as many infections will infect the restore points. Go ahead and reset the restore points by disabling SR, then enabling it. Are you still not able to turn on your security settings options?


Seth: Just so I have the sequence of events that need to occur straight, I should go into safe mode with networking, run MB and SAS, delete all malware/registry errors (such as the "System.BrokenFileAssociation HKCR\.exe") that are detected, come out of safe mode by rebooting, enable SR and see if the windows security error message in the system tray is gone. If it is still there, then reboot into safe mode with networking and run ComboFix. Right?


1) Disable System Restore.

2) Run a quick scan with MB and SAS from Normal Mode. Remove anything each may find. However, if SAS finds System.BrokenFileAssociation HKCR\.exe, then Trust/Allow it.

3) Restart the computer and enable System Restore.

4) If you still can't enable the Security Settings options, then run CF as per the instructions I gave in a previous post.


Unfortunately, earlier, after my message, I ran SAS and deleted "System.BrokenFileAssociation HKCR\.exe" Is there any way to get it back or recreate it in the registry? I won't run CF until I hear back from you on this. Thanks...


Seth: Eureka! I got it fixed! Did not run CF but went into Safe Mode with Networking and ran MB and SAS. Nothing was detected. Checked My Computer ---> Manage ---> Applications and Services ---> Services and had no listing for Automatic Updates. So I went to Windows Update and it came up with some lame stuff about installing Windows Update but there was also a Microsoft error message number in the top right of the screen. So I did a search for it and went to the following location and followed the instructions shown below. Lo and behold, it worked!! The Windows Security message I kept getting in the system tray went away. Automatic Updates are now enabled and I was able to access Windows Update and am presently downloading a number of updates for IE, Windows, etc. Here's the info:

Web Site: My link

Went to the above forum and copied the following into "Run" and pressed enter (it fixed the problem of automatic updates and Windows Updates):

%SYSTEMROOT%\SYSTEM32\REGSVR32.EXE %SYSTEMROOT%\SYSTEM32\WUAUENG.DLL

Hopefully, that has completely resolved my problem. Still wondering about the "System.BrokenFileAssociation HKCR\.exe" deletion I performed in SAS. Do you think that will still be a problem??

Tony


Seth: Don't know if you read my reply of October 6th. I wanted to find out if deleting "System.BrokenFileAssociation HKCR\.exe" will cause any problems. Please advise. Thanks...

This topic is now closed to further replies.