Nasty malware/virus - XP Antimalware

My word, I have dealt with some annoying viruses/malware before but this one is a bugger!

Friend just rang after his XP laptop got infected with the "XP Antimalware" virus. He can't open any exe file and a constant pop-up always appears in Windows claiming he needs to download specific software to stop it. He recently had Norton but it expired, so I suggested MS Security Essentials. I have just found out that after installing it he noticed that sometimes the "flag" icon in the system tray was not green (real-time protection didn't automatically turn on) - not sure if this is relevant.

Anyway, here is what happened: he was using IE and noticed a fake pop-up stating a security scan was in progress to find possible malware etc. It closed IE almost instantly and carried on scanning, resulting in several "things" being found. He tried to close it but it wouldn't allow him to. Since then it is constantly in the system tray. Since the "scan" he can't open any exe files.

I told him to try safe mode. Got in fine and tried running a scan with MSE, but real-time protection wouldn't turn on and it wouldn't let him initiate a scan. So tried installing another AV, Avast; the exe would run and it installed, but the program would not run - nothing happens. I looked it up and everything seems to be pointing at Malwarebytes', but like Avast, it would install but not run.

Anyone have any idea what to do? It won't allow him to run an exe and MSE isn't working - really stumped :(

EDIT - Firefox seems to work in safe mode
 
I had this two weeks ago. You have to google for "exe won't open". You won't be able to do this because IE won't run, but running Google's IP from the Run command did work, strangely.
Then you can find a regedit to cure the exe problem.

I fixed this for a week, then got hit by something very similar a week later.

I couldn't be arsed faffing around again and just did a re-install.
 
My sister had similar on her laptop a few weeks ago. She had Vista Antimalware 2010. Oddly though, whoever wrote the thing also put their own workaround in. Although double-clicking an icon resulted in the exe not running, if you right-clicked there was a new option, "start". Must have been the easiest fix I've ever had.
 
Seems to be a spree of these things.

Had one a few weeks ago by just opening a webpage.

Seems to disassociate exe files to stop you opening them. After fixing that you can find the stuff to root out with a few scanners and the interweb.

I use a program called "Security Task Manager" which, although it's a naff name, tells you what's running, where it's running from, what's set up to auto-run, allows stopping of processes and has a "quarantine" feature which stops a process and stuffs it somewhere safely to be deleted or restored. Also has its own rating feature which gives a program a security rating based on what features it has and how it's behaving. Things like a process recording keystrokes or that it is set up to contact a certain IP address... useful in working out what something is doing.

Also, Malwarebytes, Spybot S&D, HijackThis and AVG, although gotta say AVG has been earning few cookies these days; most things that have bothered me are not picked up by it at all. OK, nothing picked them up automatically, but still, it's yet to earn its storage space.
 
There have been variations of this one for the last couple of years. It isn't too hard to remove, but found if it's quite heavily 'into' the system then it is better to back up their data and do a clean load of Windows.
 
It is a laptop. So should I tell him to do the following?

Download fixswen.inf and install

Download and install Malwarebytes

Uninstall MSE and reinstall/install another AVG

I will be going to his next week so can reinstall Windows so the above only needs to be a short term solution

EDIT - Assume I should do all this in safemode?

EDIT - Tried the inf file in normal and safe mode and it didn't work. It still won't let him open any exe files.

EDIT - Not looking good. Tried another reg file (imported through Regedit) and seemed to work unlike the above. Tried opening Avast and nothing but several minutes later Avast came to life.
 
Windows Registry Editor Version 5.00

; Restores the default .exe file association on XP: HKCR\.exe -> exefile,
; and the exefile open/runas commands back to "%1" %* (run the file itself).

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Stick this in a .reg file; it should help the exe problem.
 
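The .reg file above undoes exactly what these fakes do to block programs: they rewrite the .exe association (the ProgID HKCR\.exe points at, the exefile open command, or an extra verb like the "start" one mentioned earlier in the thread) so every double-click launches the malware instead of the target. As an added example that is not code from the thread, the Python below parses a regedit export in the same text format, compares the .exe/exefile keys against the defaults the fix restores, and reports anything that deviates. It runs offline on two constructed sample exports; the hijacked one uses a made-up path (`C:\Documents and Settings\user\av.exe`) purely for illustration. On a real machine you would feed it the output of `reg export HKCR\.exe` and `reg export HKCR\exefile`.

```python
"""Check a regedit .reg export for a hijacked .exe file association.

Added example (not from the thread). Handles the value types the exefile
keys use: "string", dword: and hex: (with backslash continuation lines).
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'      # default open/runas command: run the file itself
EXPECTED_VERBS = {"open", "runas"}  # verbs a clean XP exefile\shell key has


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}} for a .reg export.

    The default value of a key is stored under the empty name "". Key paths
    are lower-cased because the registry matches them case-insensitively.
    """
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # joining a hex: value continued with '\'
            name, acc = pending
            acc += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                keys[current][name], pending = acc, None
            continue
        if not line or line.startswith(";") or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.endswith("\\"):
            pending = (name, val.rstrip("\\").strip())
        else:
            keys[current][name] = val  # hex:... kept as text
    return keys


def check_exe_association(keys):
    """Return a list of findings; an empty list means the association looks clean."""
    findings = []
    progid = keys.get("hkey_classes_root\\.exe", {}).get("")
    if progid is None:
        findings.append("HKCR\\.exe has no default value (association removed)")
        progid = EXPECTED_PROGID
    elif progid.lower() != EXPECTED_PROGID:
        findings.append("HKCR\\.exe points at ProgID %r instead of exefile" % progid)
    # follow whatever ProgID .exe resolves to, so a swapped ProgID is inspected too
    cmd = keys.get("hkey_classes_root\\%s\\shell\\open\\command" % progid.lower(), {}).get("")
    if cmd is None:
        findings.append("%s open command is missing" % progid)
    elif cmd != EXPECTED_COMMAND:
        findings.append("%s open command is %r, expected %r" % (progid, cmd, EXPECTED_COMMAND))
    prefix = "hkey_classes_root\\%s\\shell\\" % progid.lower()
    verbs = {k[len(prefix):].split("\\")[0] for k in keys if k.startswith(prefix)}
    for v in sorted(verbs - EXPECTED_VERBS):
        findings.append("unexpected %s shell verb %r" % (progid, v))
    return findings


# Constructed sample: a subset of the clean export posted above.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Constructed sample of a hijack: the open command is wrapped by a (made-up)
# program path and an extra "start" verb runs the file directly.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\start\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, check_exe_association(parse_reg(export)) or "OK")
```

The verb check is what catches the right-click "start" trick: a clean export has only open and runas under exefile\shell, so any extra verb is worth a look even when the open command itself has been restored.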
It can't be that long until Microsoft will only allow signed programs to install. A $50 check for each program instead of $500 for drivers would be a good way to start it.

I hope that you were being facetious. :p

A user education campaign would be a better use of resources, IMO.
 