Need a hand

[Ramble1]

I had a virus come one my computer a few days ago. I think it occured over a Windows Media file. The problem is that I cannot open any .exe files. But, if I rename the .exe extension as ".com" then I can open he file. The only .exe file I can open is firefox which is why I'm pretty sure its a virus. If I try to open an .exe file, the "choose a program to open with" window appears, asking to choose a program to open my program with? Any help would be much appreciated thank you.

[unlovedwarrior]

hi

first im guessing your os is xp home.. if so is it fully updated??


go here

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1134123580


dl
ewido

adaware

spybot

Ccleaner

windows defender

update them

use Ccleaner to empty your junk from temp files just open and run scan

ten do full scans with ewido adaware spybot windows defender and your antivirus  in safe mode (rapidly tap f8 before windows loads go to safe mode the very top one) and with system restore turned off ( right click my computer go to properties click system restore tab check box that says turn off system restore)

then reboot back into normal and report back

if you dont have a firewall already then dl zonalarm free from the site i gave



unlovedwarrior

and u use firefox thats good


unlovedwarrior

[JPH]

1. Boot into safe mode. (If you're using Windows XP or Windows ME turn System Restore off)

2. Click Start, and then click Run.
 
3. Type command.com and then click OK. (A DOS window will open)
 
4. Type the following at the DOS prompt and hit Enter after typing each one:
 
         cd\

         cd windows
 
5. Type copy regedit.exe regedit.com and then press Enter.
 
6. Type start regedit.com and then press Enter.
 
7. Navigate to and select the key:
 
    HKEY_CLASSES_ROOT\exefile\shell\open\command
 
8. In the right pane, double-click the (Default) value.
 
9. Delete the current value data, and then type:
 
     "%1" %*

10. Click OK
 
11. Close Regedit, type exit in the DOS window and hit Enter.

After completing these steps you should be able to follow the previous suggestions. (running virus & spyware scans in safe mode etc.)

[Ramble1]

I have used all of those scanning programs and housecall. None found anything, and Defender said my computer is running normally. I do have XP. System restore was off, doesn't matter because I can't access it anyway. If worse comes to worse I can clear the hardrive and start over, but I know you guys can help me. Yes, that is what my value is set to in regedit with the space.

[JPH]

If worse comes to worse I can clear the hardrive and start over

Before you do that, there are other registry entries that could cause Windows to not recognize .exe files properly. I've attached a .reg file that will fix any broken WinXP EXE associations. You can import it into the registry using regedit.com, the file contains the following:

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

You can check/edit these entries manually or you can use the .reg file.
NOTE: You'll need to rename the file extension from .zip to .reg - I couldn't attach the .reg file directly.

[Ramble1]

Imported the file into my registry, but the problem is still persisting, except for my internet. Another interesting thing I found is in Windows Defender. If I look at programs running, on is names EXLPORER.EXE, with capitalized EXE. When I end this process, my desktop dissappears for a few seconds and reappears with the regular explorer.exe running.

[JPH]

This is odd, well obviously EXE files are running or you wouldn't even have a Windows GUI so it's not just your web browser. What programs are you trying to run that don't work? Are you clicking on shortcuts or actual applications?

One last thing to try and then I'll agree with you that you're infected with something nasty that isn't being detected by the safe mode scans you've done.

Open the "File Types" dialog from any Explorer window (Tools > Folder Options > File Types). Scroll down to where EXE would be alphabetically and see if it's there. If it is you can check the details and see what it's opening with. If it isn't there then click the New button, type in EXE for the file extension and then select the Advanced button. From the Associated File Type list choose "Application" then click OK. It's a long shot and it probably won't work especially since the .reg file didn't even change anything.

BTW, did you mean EXPLORER.EXE?
I'll assume that was a typo, if not you are definitely infected with something.

Anyway, you should probably download HiJackThis and do a scan then post a logfile here if the problem still persists. You may have to rename the .exe to .com if you have problems running it.

[Ramble1]

Logfile of HijackThis v1.99.1
Scan saved at 12:24:08 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\GOOGLE\GOOGLE~2\GOOGLE~1.COM
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150413452421
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: EvtEng - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation -

[Ramble1]

With the folder options method, it wouldn't let me save the new file ext. I would type in EXE and the advanced options box would put application in automatically and the apply button wouldn't appear solid. If I exited or hit OK, it wouldn't save the extension either. There's my logfile and I really appreciate the help fellas.

[unlovedwarrior]

anything that says file missing you can get rid off

[Ramble1]

HoooooRAY. I guess one of those files that had files missing was making a problem, because after I did that, the computer automatically restarted and everything was back to normal. What do you all think it was?

[unlovedwarrior]

dunno but can you install the malware scans or what you needed to install

[Ramble1]

The only problem I have now is my rundll32.exe is not working properly. When I click for system restore, it asks if I would like to turn it on, I say yes, and a prompt screen entitled rundll32.exe appears and then dissappears and nothing happens

[unlovedwarrior]

umm..

read here

http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci973393,00.html


and also look at the other sites..

http://www.google.com/search?hl=en&q=rundll32.exe+error

 wait for raptor rob patio soybean GX1_man to confirm what i suggest k

[GX1_Man]

Do you have a real Windows CD to reinstall with if needed?