
Can't run EXEs after virus removal, regedit is also broken

Status
Not open for further replies.

aroostook (IS-IT--Management), Jun 15, 2005
Hi. I'm trying to fix a friend's computer. It was/is infected with what I believe is "Antivirus 2010" (ave.exe). Well, ave.exe appears to be gone, but now executable files will not run. Instead, when I try to run an executable, the "Open With" dialog box comes up. I've found fixes for this on the 'net, but they all seem to require access to "regedit.exe," which I cannot use. ALL Windows utilities are kaput. Office still runs, however. Also cannot install new programs, either. So, I have no registry editor, nor any apparent way to install a third-party program to fix this problem.

Suggestions?

Thanks!
 
At this point, I hate to say it, but the very best fix is to reinstall Windows from scratch. Just make sure you/he has the correct Windows CD to match his Windows Product ID. If it's a Compaq, you need a Compaq OEM CD; HP, you need an HP OEM CD; Dell, you need a Dell OEM CD... for many other OEMs, you can use just about any generic OEM disk - maybe not all, but many. I know eMachines seems to use a generic OEM Windows disk just fine, and of course custom-built machines work with a generic OEM disk.

Or, if you're not sure, search for a Jelly Key finder... you can fill in the rest of the words. It's a perfectly legit program for these situations, but I suppose could be used for ill purposes. Load it up on a thumb drive if you have one, and try to run it from there - nothing to install. Then, save the output back to your thumb drive, and you'll have the Windows and Office info for a reinstall. It should tell you whether it's home, pro, etc, give you the PID in case that was lost by the original owner, same for Office.

Then make sure any data is backed up, and reinstall.

Or, if you want to try a shorter solution, one that still may not work at this point, you could do a repair install of Windows.

That last option will basically require the same as the first, but you won't mess with the programs that are already installed - they should still be in place, and hopefully still work... or the ones that quit working will now hopefully work.

If it were me, in this scenario, this is exactly how I'd proceed:
1. Back-up any data.
2. If possible, create a backup system image in case your efforts go awry; then at least you can restore it to where it was last - which isn't all that good anyway.
3. Backup the Windows/Office stuff.
4. Back up any activation file(s) if it was a generic OEM or a retail install, so you don't have to reactivate (hopefully).
5. Include in the data backup, if needed, and if possible, the internet favorites and/or bookmarks.
6. Make sure you have the correct CDs and product IDs for any purchased software to reinstall.
7. When all that's done, wipe the drive with Active KillDisk or DBAN just to be sure there was nothing else lurking outside of Windows on the hard drive. You can run either from (this is best left running overnight, or while you're going to be away from the machine for a few hours, at least. Sometimes it's quicker, but it can take a whole day at times).
8. Reinstall Windows, update, fix activation with the backup if necessary, or else reactivate, call in if you have to - just more annoying.
9. Reinstall/install security software - if they didn't have a paid subscription like Norton/McAfee, there are GREAT free alternatives which I prefer over those anyway: Microsoft Security Essentials (simplest, one of the best), Avira Antivir (probably best, security-wise, but not the absolute easiest - not bad, but not as easy as the first one), AVG, Avast!. I'd prefer the first 2, but it's not my computer. You can get all except maybe Security Essentials at - Security Essentials can be found at
10. Reinstall all other necessary apps - Office, any picture/video/audio/PDF, etc. software...


Or if this system has a system restore, you can always go that route as well. And this ends up being the easiest for some systems, such as some Lenovo machines, at least. Also, on some older machines that are really tied down software to hardware, the restore is easiest, b/c it'll have the original drivers, at least, installed.

If you go the Restore route, you may also want to run to clean out a lot of stuff. Also, a lot of the freeware programs you'd use can be downloaded and installed automatically for you with - great little tool, free for personal use.

While I'm suggesting so much, I'll suggest my current favorite media player - The K Media Player - it's incredible. Mainly, I like it for performance, but it also looks good, and has lots of options. Next in line (was my #1 pick for years) is VLC, but performance-wise, it can't hold a candle to KMedia Player.

With you can get pretty much all the basics installed, currently, and ever so often, they'll pop a new one on their list that they've verified as a good app, and got the installer working correctly. Also, their program will not install the extra stuff, like toolbars, and resetting your home page that some of the free apps try to do.

But whatever you do - make sure you have the system backed up before proceeding with a repair install or full reinstall, especially. Because if you don't, and you've got the wrong disk, then you won't be able to activate/validate Windows.
 
Don't just format; maybe it is just a small problem that can be fixed.

To get access to the registry use this in a .bat file
:BEGIN
REM Clears the per-user "Prevent access to registry editing tools" policy so regedit will start again
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
pause

Go here for Fixing file associations

Get Microsoft Autoruns, HijackThis, McAfee Stinger, Remove It, and Cure It, all free to download off the web.

You can also download this and run all in safe mode

Once you're sure the virus is gone:
sfc /scannow

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
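As an added example (my script, not GrimR's .bat above and not from the original thread): the same DisableRegistryTools reset, plus a repair of the .exe file association, which is what sends every executable to the "Open With" dialog. It assumes C:\regbackup as a backup folder (my choice) and that it is run by the affected user from an account that is a local administrator. It can work on a machine like this because cmd.exe starts reg.exe with CreateProcess rather than through the hijacked exefile handler that Explorer and the Run box use.

```batch
@echo off
REM Added example: re-enable regedit and restore the stock .exe association.
REM C:\regbackup is an assumed backup location; change it if needed.
setlocal
set BACKUP=C:\regbackup
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 1. Export the keys about to be changed so the change can be reversed.
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" "%BACKUP%\hkcu-policies-system.reg"
reg export "HKLM\SOFTWARE\Classes\exefile" "%BACKUP%\hklm-exefile.reg"
reg query "HKCU\Software\Classes\.exe" >nul 2>&1 && reg export "HKCU\Software\Classes\.exe" "%BACKUP%\hkcu-dot-exe.reg"

REM 2. Clear the registry-tools lockout for both the user and the machine.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f

REM 3. HKCR is built by layering HKCU\Software\Classes over HKLM\SOFTWARE\Classes,
REM    so a per-user .exe or exefile key overrides the machine-wide one. Remove
REM    any per-user copy before fixing the machine-wide entries.
reg delete "HKCU\Software\Classes\.exe" /f >nul 2>&1
reg delete "HKCU\Software\Classes\exefile" /f >nul 2>&1

REM 4. Restore .exe -> exefile -> "%1" %*   (%% gives reg.exe a literal % from a .bat)
reg add "HKCR\.exe" /ve /t REG_SZ /d "exefile" /f
reg add "HKCR\exefile" /ve /t REG_SZ /d "Application" /f
reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f

REM 5. Print the results so a wrong value is noticed before anything is run.
reg query "HKCR\.exe" /ve
reg query "HKCR\exefile\shell\open\command" /ve
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools
pause
```

Double-click the .bat (the batfile association is normally left alone by this family of malware) or run it from a command prompt, then reboot. Keep the exported .reg files; double-clicking one puts the old values back if something went wrong. If reg.exe itself will not start, the problem is deeper than the association, and the Image File Execution Options key linney mentions later in the thread is the next place to look.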
 
In my haste to stop you from taking kjv1611's advice to format, I forgot to mention gaining access via gpedit.msc; I'm so used to just running my .bat file.

enable registry
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> Right Click Properties -> Disabled

Use msconfig to see if any new programs are starting that you don't know of.

Check the following keys are still OK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell make sure this is explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell make sure this is C:\Windows\system32\userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies check there are no policies disabling things

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 
Though it's definitely true that the problem can be fixed, most people end up using more time to repair Windows this way than just doing a clean install. Depends upon the situation, and the user, really.

However, no person, no program, is likely to know every single possible problem that could be lurking after a system has been whacked that badly. That's why I recommend that unless you have a specific reason not to, wipe clean, and start over.

In the end, you could use a backup imaging program to create a restore image of the system that could be used to restore the system pretty quickly if the same or similar occurs in the future.

Either way - it's your choice. I will tell you that many of the scanners can take a load of time, and many of them can end up removing things that shouldn't be removed, leaving you with a worse system than you started with.

In regards to registry edits, they can be useful, and they can seemingly save a system at times. However, one wrong move in the registry can also totally disable the whole system - thus wasting more time before an eventual reinstall.

Anyhow, it's your time, your friend's system, you make the choice.

[thumbsup2]
 
oops made a mistake the one registry key is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit make sure this is C:\Windows\system32\userinit.exe,

not
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell make sure this is C:\Windows\system32\userinit.exe,

If you changed the shell to userinit, who knows what will happen; in the old days though [Win95] you could change it to progman to make it look like Win 3.11.

kjv1611, I agree, but sometimes getting the system back to the way it was can also take a few days if the inexperienced user has not backed up EVERYTHING, and there's always something that will be forgotten.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
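The key checks GrimR lists (with the Userinit correction), as an added example that is not from the original thread: a .bat that reads the two Winlogon values, compares them with the stock values assumed here (Shell = explorer.exe, Userinit = %SystemRoot%\system32\userinit.exe, with the trailing comma), and dumps both Policies trees so a leftover lockout is visible. Run it from a command prompt on the live system once reg.exe works.

```batch
@echo off
REM Added example: verify the Winlogon values and list policy lockouts.
REM Expected values are assumptions about a stock XP/Vista/7 install.
setlocal
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set WL_SHELL=
set WL_USERINIT=

REM "tokens=2,*" skips the value name, takes the type, and keeps the rest
REM of the line (the data, spaces included) in %%B.
for /f "tokens=2,*" %%A in ('reg query "%WINLOGON%" /v Shell ^| findstr /i "REG_SZ"') do set WL_SHELL=%%B
for /f "tokens=2,*" %%A in ('reg query "%WINLOGON%" /v Userinit ^| findstr /i "REG_SZ"') do set WL_USERINIT=%%B

REM Malware usually appends itself ("explorer.exe,C:\evil.exe") rather than
REM replacing the value outright, so compare the whole string, not a prefix.
if /i "%WL_SHELL%"=="explorer.exe" (
    echo [OK]    Shell    = %WL_SHELL%
) else (
    echo [CHECK] Shell    = "%WL_SHELL%"  expected explorer.exe
)
if /i "%WL_USERINIT%"=="%SystemRoot%\system32\userinit.exe," (
    echo [OK]    Userinit = %WL_USERINIT%
) else (
    echo [CHECK] Userinit = "%WL_USERINIT%"  expected %SystemRoot%\system32\userinit.exe,
)

REM A clean home machine normally has few or no values under these trees;
REM names like DisableRegistryTools, DisableTaskMgr, NoRun, NoControlPanel
REM are the ones to look at.
echo.
echo --- HKLM policies ---
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s
echo --- HKCU policies ---
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /s
pause
```

The Userinit value must keep its trailing comma; dropping it is a classic hand-edit mistake of exactly the sort kjv1611 warns about, and the script flags it as [CHECK] rather than [OK] for that reason.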
 
@GrimR

I got the AVG Rescue CD (bootable). I'm checking out the registry editor that comes with it. I see that AVG's registry editor loads the registry up by hive (SAM, Security, Software, System and Default).

Which of these 5 hives holds HKEY_CLASSES_ROOT? Or is it hidden somewhere else? I want to see if I can do some of these registry fixes I've been finding using this third-party editor.

Yes, I plan on backing up the affected computer before I try this. ;)

Thanks!
 
Yeah, that's why I specify: Backup the whole system in an image file if necessary and possible. [wink] That way, if any questions, you've got the whole thing to go back to.

But my guess is that, given the circumstances, and the question given by the asker, that this user doesn't have a whole lot of data they're concerned about. Of course, the original poster should know, or can easily ask, whether that's the case or not.

Here's another idea: After the reinstall, fix, repair, whatever, offer the suggestion of backing up files regularly (if they have anything of any concern). There are tons of available options, currently, too many to get into, and that'd be getting off topic for sure. [wink]

aroostook,

Let us know what you end up doing, and how it goes.

Also, the above self-correction from GrimR was the type of thing I was talking about - it's VERY easy to make a mistake in the registry editor, and to my knowledge there's no auto-correct or review function to make sure you don't mess it up - it either works, or it doesn't.

You can make a typo, or you can accidentally change the wrong key. There are many that seem practically the same at first glance.
 
These are the only two Hives that may be loaded for you to work on out of the Windows environment.

HKEY_LOCAL_MACHINE
HKEY_USERS

As you can see HKEY_CLASSES_ROOT is not included.

These two articles in the RegEdit Help are a good explanation of the process.

To load a hive into the registry
To unload a hive from the registry

How to edit the registry offline using BartPE boot CD

This article is a detailed explanation of the removal process for this malware. It also includes a .reg file to fix the .exe associations. If (big IF), Windows can load that file then your problems are halfway to being solved.

How to remove XP Security Tool 2010, XP Defender Pro, and Vista Security Tool 2010 (Uninstall Guide)

If Windows cannot load that file, you could try copying Regedit.exe from the System32 folder and placing it in one of your user folders and then changing the file extension of the Regedit.exe to something like .bat, or .com and see if you can launch Regedit via that?

If that fails to work, load the Hive for HKEY_LOCAL_MACHINE and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

see if your programs, like Regedit, are blocked by being listed in there.

Using Image File Execution options as an Attack Vector on Windows
 
I've not been a big proponent of running as a "normal user", sadly, to date. I had seen so many issues for some people - probably just lack of patience, I imagine - that I said, well, if you still have problems, eventually, just change your account back to an Administrator.

So, I think I'm going to mend my ways, as it were, and try focusing on running as a limited user. It really does make sense, but threads like these, where basically the removal instructions will say (to an extent) that running as a limited user is #1 in your line of defense, it just sort of brings it home.

Well, with that in mind, I'm going to look into creating a batch script to create a new User account on a computer. And if possible, I imagine it is, I think I want to take that idea, and tweak it (or find where someone else already has tweaked it), and create a new user, as admin, and THEN change the current user to "limited" or "normal", and MAYBE, just maybe I can find a way to tell the script to change all accounts to Limited/User level accounts, other than the new admin account.

We'll see. That'd be a wonderful help in some situations, just b/c at the moment, if I had it with me, it'd save at least a few minutes.

Thanks, linney, for the registry details you mentioned, as well. At least one of the links is what got me thinking on this again - today. [smarty]
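The account script kjv1611 describes, written out as an added example (mine, not kjv1611's, and not from the original thread): create one new local administrator, confirm it really landed in Administrators, and only then move every other local administrator into Users. MaintAdmin is a placeholder name. The built-in Administrator account is deliberately skipped so a recovery account always remains; on Vista and later it is disabled by default anyway. Run it from an administrator command prompt (elevated on Vista/7).

```batch
@echo off
REM Added example: one new admin, everyone else demoted to a standard user.
REM MaintAdmin is a placeholder account name.
setlocal
set NEWADMIN=MaintAdmin

REM "*" makes net user prompt for the password without echoing it.
net user %NEWADMIN% * /add /comment:"Maintenance administrator" /passwordchg:no
if errorlevel 1 (echo Could not create %NEWADMIN% & exit /b 1)
net localgroup Administrators %NEWADMIN% /add
if errorlevel 1 (echo Could not add %NEWADMIN% to Administrators & exit /b 1)

REM Verify the new account is really an administrator before demoting anyone,
REM otherwise the machine could be left with no usable admin at all.
net localgroup Administrators | findstr /i /x "%NEWADMIN%" >nul
if errorlevel 1 (echo %NEWADMIN% is not in Administrators, stopping & exit /b 1)

REM Walk the member list, dropping the header and footer lines that
REM "net localgroup" prints, then skip the new account and the built-in one.
for /f "delims=" %%U in ('net localgroup Administrators ^| findstr /v /b /c:"Alias name" /c:"Comment" /c:"Members" /c:"---" /c:"The command"') do (
    if not "%%U"=="" if /i not "%%U"=="%NEWADMIN%" if /i not "%%U"=="Administrator" (
        echo Demoting %%U
        net localgroup Users "%%U" /add >nul 2>&1
        net localgroup Administrators "%%U" /delete
    )
)
echo Done. Group changes apply at the next logon of each affected account.
```

On XP the Users group is what the User Accounts control panel calls a "Limited account", so the demoted accounts show up there as Limited without any further steps. Domain accounts that were added to the local Administrators group appear as DOMAIN\name in the list and are demoted the same way.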
 