Help Vanity: Fixing damage from Virus (can't access Regedit)
geronl

Posted on 12/23/2011 11:13:55 AM PST by GeronL

I have kind of done this before. I have been working to delete a virus all morning on this borrowed computer. I think I have succeeded in the main.

The problem is the virus did cause some problems. Some exe files will not execute. It is probably a registry value that has been changed.

This is a BORROWED computer. I was using it when it apparently got infected. So I have a duty to fix this.

It is an EEPC netbook running Windows XP.

So the registry value at exe in the command line should be what?

So how do I get access to the registry since Regedit is an exe file?


TOPICS: Chit/Chat; Computers/Internet
KEYWORDS: computerhelp; computerproblem; regedit; techhelp; virus
I am GOING to beat this thing. LOL
1 posted on 12/23/2011 11:14:00 AM PST by GeronL
[ Post Reply | Private Reply | View Replies]

To: GeronL

Internet Explorer works but if I try to open Malware Bytes or Regedit it says “Choose the program to use to open this file...”

jeesh


2 posted on 12/23/2011 11:16:06 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

3 posted on 12/23/2011 11:18:00 AM PST by 1rudeboy
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

It sounds like the virus may have messed with regedit itself.

You might be able to fool the virus by making a copy of Regedit.exe (that is where I would start).

I would think you can find regedit.exe on another computer or through a google or yahoo search.


4 posted on 12/23/2011 11:18:50 AM PST by freedumb2003 (Spoiler Alert! The secret to Terra Nova: THEY ARE ALL DEAD!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

You can try running it explicitly by entering: “c:\windows\regedit.exe”


5 posted on 12/23/2011 11:19:25 AM PST by fr_freak
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

There is a registry fix file somewhere on the Internet that you can run that corrects a lot of the usual virus fudges. Don’t know where it is, but all I had to do when I used it was type the file name, something like xxxx.reg and it popped those entries in and let me rebuild from there..


6 posted on 12/23/2011 11:20:10 AM PST by FastCoyote (I am intolerant of the intolerable.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

Maybe one of these (https://en.wikipedia.org/wiki/List_of_live_CDs#Microsoft_Windows-based) will allow you to boot a clean system with a working regedit. Haven’t used any of them, haven’t even checked the sites (not a Windows user for a long, long time).


7 posted on 12/23/2011 11:20:20 AM PST by Moose Burger
[ Post Reply | Private Reply | To 1 | View Replies]

To: freedumb2003; fr_freak

I am going to try using the command line real quick as FR FREAK suggests.


8 posted on 12/23/2011 11:22:21 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 4 | View Replies]

To: 1rudeboy
icecubes, using lifesaver... LOL!

9 posted on 12/23/2011 11:22:43 AM PST by skinkinthegrass (I can take tomorrow, spend it all today. Who can take your income, tax it all away. Obama Man can. :)
[ Post Reply | Private Reply | To 3 | View Replies]

To: FastCoyote; fr_freak

command line thing didn’t work.

The virus must have changed the registry values to block it.

I am going to do a Google search for something like what you said.


10 posted on 12/23/2011 11:24:09 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 6 | View Replies]

To: GeronL

Start in safe mode & see if it runs?

There should be a backup copy of the registry somewhere you can try to restore.


11 posted on 12/23/2011 11:24:49 AM PST by smokingfrog ( sleep with one eye open ( <o> ---)
[ Post Reply | Private Reply | To 2 | View Replies]

To: FastCoyote

Was it called “Registry Cleaner”??


12 posted on 12/23/2011 11:25:16 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 6 | View Replies]

To: smokingfrog; GeronL

sfrog has a good idea — also have you just tried old fashioned System Restore?


13 posted on 12/23/2011 11:27:07 AM PST by freedumb2003 (Spoiler Alert! The secret to Terra Nova: THEY ARE ALL DEAD!!!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: GeronL
Manual steps to restore the registry in Windows XP
14 posted on 12/23/2011 11:27:19 AM PST by smokingfrog ( sleep with one eye open ( <o> ---)
[ Post Reply | Private Reply | To 10 | View Replies]

To: GeronL

If you have access to the internet, google ‘bleepingcomputer.com combofix download’ and download Combofix.exe. Ignore the hype on it itself being a virus. THE best one-shot program I’ve used countless times on my own and client computers to find and slit the throat of nasty viruses. Put it on a memory stick, boot into Safe Mode (safe with networking if it works) and from the command prompt run it.

It will take about 20 minutes. Ignore the parts about antivirus installed or running in Recovery Console mode.

Has worked for me 99.8% of the time. (Can’t remember the .02% instance)


15 posted on 12/23/2011 11:28:22 AM PST by time4good
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL
How to Restore Windows XP to a Previous State

Similar for Windows 7.

This will roll your system back to before the virus struck.

16 posted on 12/23/2011 11:29:37 AM PST by E. Pluribus Unum (FOREIGN AID: A transfer of money from poor people in rich countries to rich people in poor countries)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

“regedit” is not an .exe file. “c:\windows\regedit.exe” is. If it finds something named “regedit” in the current path, it will try to run that. Try running it using the full path and filename.


17 posted on 12/23/2011 11:30:33 AM PST by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: smokingfrog

http://filext.com/faq/broken_exe_association.php

This site might be the thing I need. Let's see.


18 posted on 12/23/2011 11:33:48 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 11 | View Replies]

To: GeronL

Here is a link to a google search for exefix and some tools for registry repair. I’ve used these tools on my XP machine and they do work well.

http://www.freerepublic.com/perl/post?id=2824371%2C1


19 posted on 12/23/2011 11:35:59 AM PST by PrairieLady2
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

Something like this happened to my sister’s computer a few years ago (her kids liked to install stuff). The Task Manager would go down as soon as it came up. I had to rename the Task Manager exe just to get a chance to see what was going on. LOL!


20 posted on 12/23/2011 11:37:01 AM PST by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

Assuming you have rebooted —

Depending on the virus, it may have destroyed part of the original .exe files.

If so, you might try a system restore from a time previous to your getting the virus.

Otherwise, you may have to re-install those programs.


21 posted on 12/23/2011 11:37:23 AM PST by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

Can you open Malware Bytes in safe mode? If you can - and find something - run it a few more times. Could be tentacles...


22 posted on 12/23/2011 11:38:30 AM PST by GOPJ (Better is a dinner of herbs where love is, Than a fatted calf with hatred - Proverbs 15)
[ Post Reply | Private Reply | To 2 | View Replies]

To: TomGuy

If you don’t hear back from me in an hour, I goofed up big time. oops. heh.


23 posted on 12/23/2011 11:47:50 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 21 | View Replies]

To: cynwoody; smokingfrog

I downloaded something called “regeditfix” and it seems to have fixed that particular problem. Now to run Malwarebytes!


24 posted on 12/23/2011 11:53:09 AM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 20 | View Replies]

To: GeronL

http://www.dougknox.com/xp/file_assoc.htm

Try this, or go to the root dougknox.com


25 posted on 12/23/2011 11:58:49 AM PST by FastCoyote (I am intolerant of the intolerable.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: GOPJ

There must be more parts to the virus than I thought. It was preventing Malware bytes from running and slowing everything down.

It was called ping.exe in the Task Manager.


26 posted on 12/23/2011 12:04:59 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 22 | View Replies]

To: FastCoyote

Drop rkill to your computer. Run it. It will stop all processes.

Download a temp version of Kaspersky.

Run Kaspersky. That should get rid of it. Malwarebytes will cost some bucks.

If the puter is borrowed you are not going to want to spend money on it.


27 posted on 12/23/2011 12:08:13 PM PST by EQAndyBuzz (Control the media, you control its citizens.)
[ Post Reply | Private Reply | To 25 | View Replies]

To: GeronL

Try CCleaner:

http://www.piriform.com/ccleaner/download


28 posted on 12/23/2011 12:16:44 PM PST by Red Badger (Every child should have a meadow to play in..............)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

AVAST (Free) has a boot time scanner. It worked for me on a nasty little virus which wouldn’t let me access command prompt, took all my desktop icons, etc. This was on a Win7 machine. Assuming you can download it, give it a shot.

Hope this helps.


29 posted on 12/23/2011 12:17:04 PM PST by ConservativeChris
[ Post Reply | Private Reply | To 1 | View Replies]

To: ConservativeChris

BTW regular scan DID NOT catch virus, only “boot time scan” worked.


30 posted on 12/23/2011 12:19:24 PM PST by ConservativeChris
[ Post Reply | Private Reply | To 29 | View Replies]

To: time4good; GeronL
If you have access to the internet, google ‘bleepingcomputer.com combofix download’ and download Combofix.exe. Ignore the hype on it itself being a virus. THE best one-shot program I’ve used countless times on my own and client computers to find and slit the throat of nasty viruses. Put it on a memory stick, boot into Safe Mode (safe with networking if it works) and from the command prompt run it.

It will take about 20 minutes. Ignore the parts about antivirus installed or running in Recovery Console mode.

Has worked for me 99.8% of the time. (Can’t remember the .02% instance)


time4good,
Thanks for the info.

I used instructions from bleeping computer to remove 'Antivir Solution Pro' - the only time I have been virused; saved having to wipe disk and start from scratch.

Since I was using FireFox not IE as a browser, I was able to access the internet and download the necessary tools. It was one nasty virus that infected the registry and prevented me from running registry restore.
31 posted on 12/23/2011 12:19:25 PM PST by algernonpj (He who pays the piper . . .)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Red Badger; ConservativeChris; GOPJ

Seems to have worked good ‘nuff.

I wonder if there isn’t a couple of monitoring and logging files left from the virus though.

Guess I can run Malware Bytes again to make sure.


32 posted on 12/23/2011 12:25:41 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 28 | View Replies]

To: GeronL

You can mess with it by finding ping.exe, and replacing it with an empty file named ping.exe. Mark it read-only.


33 posted on 12/23/2011 12:26:00 PM PST by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: GeronL

When you do CCleaner’s Registry Cleaner, you need to run it TWICE.

Once to initially clean it, then again to see if it missed anything the first time. It sometimes does...............


34 posted on 12/23/2011 12:28:56 PM PST by Red Badger (Every child should have a meadow to play in..............)
[ Post Reply | Private Reply | To 32 | View Replies]

To: tacticalogic

There is also a system file named ping.exe that's been here since March 2008.

The problem one is apparently a temporary file created by ANOTHER program. dang.


35 posted on 12/23/2011 12:51:47 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 33 | View Replies]

To: GeronL
The problem one is apparently a temporary file created by ANOTHER program. dang.

That's why you want to leave an empty file in its place, and make it read only.

Once you do that, whatever is launching it will still find the file where it's expecting it, but it won't run. If whatever is creating it tries to create a new one, it will fail because there's already a file there by that name. Making it read-only prevents it from being overwritten by the other program. It may start throwing an error that will tell you what the name of the program that tried to create it is.

36 posted on 12/23/2011 1:12:39 PM PST by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: GeronL

Someone else already stated this - but SYSTEM RESTORE

This will change the registry keys back to where they were before you got the virus.

I got bombarded one day after posting on a blog where the virus corrupted everything. I had a terrible time getting into any system files. I was even unable to do a system restore from my desktop. I had to run it in safe mode and killed the little bugger instantly and restored everything back to an earlier time. It’s my best friend!


37 posted on 12/23/2011 1:16:01 PM PST by jcsjcm (This country was built on exceptionalism and individualism. In God we Trust - Laus Deo)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL
Someone needs to post that “Macs don't get viruses”; just to keep the thread interesting.
38 posted on 12/23/2011 1:18:06 PM PST by HereInTheHeartland (I love how the FR spellchecker doesn't recognize the word "Obama")
[ Post Reply | Private Reply | To 1 | View Replies]

To: tacticalogic; jcsjcm

Thanks guys


39 posted on 12/23/2011 1:27:07 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 36 | View Replies]

To: tacticalogic

The actual name of the file is PING.EXE-31216D26.pf and it is located in the Windows “Prefetch” folder. I am not sure what file is creating it, but I guess we should see.


40 posted on 12/23/2011 2:22:28 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Red Badger; tacticalogic; TomGuy

The blank ping file is now 63 kb.

Apparently whatever is writing into it doesn’t care if I delete and replace it.


41 posted on 12/23/2011 2:45:33 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 34 | View Replies]

To: freedumb2003; fr_freak

While it appears I got the main virus and fixed the exe association I still have associated files on the computer.

One of them comes up on task manager as ping.exe and is hogging the processor but is just a ruse apparently. I replaced it with a blank notebook file and it is now around 85kb, so it doesn’t do anything.

There’s another program that writes to this file. I have to figure out how to identify the culprit.


42 posted on 12/23/2011 2:48:58 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 4 | View Replies]

To: smokingfrog

Now I have a different problem


43 posted on 12/23/2011 2:49:55 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 14 | View Replies]

To: GeronL

Did you mark the replacement as Read Only?


44 posted on 12/23/2011 2:50:30 PM PST by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 41 | View Replies]

To: tacticalogic

The second time. It wouldn’t let me after it was being written to by whatever other program. lol.

I need to track down that troll!


45 posted on 12/23/2011 2:56:09 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 44 | View Replies]

To: tacticalogic

ping.exe is running again according to Task Manager and it's taking 55-80% of the CPU


46 posted on 12/23/2011 2:59:09 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 44 | View Replies]

To: tacticalogic

There are several suspicious files running on TaskManager...

PSIMREAL.exe??


47 posted on 12/23/2011 3:04:24 PM PST by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 44 | View Replies]

To: GeronL
Well, we know what executable name it's using now. I'd search the registry for any reference to ping.exe.

See if you can find where it's getting loaded.

48 posted on 12/23/2011 3:06:52 PM PST by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 45 | View Replies]
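
Added example (not part of any post in this thread, and not code from any tool named in it): a Python sketch that reads a registry export (.reg text), compares the .exe association against the Windows defaults ("exefile" and "%1" %*), and lists every value that mentions a given executable name, which covers both the question in the opening post and the registry search suggested in post 48. The sample export, the helper.exe path and the "updater" value are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Windows defaults for the .exe file association (HKCR default values).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample export, not taken from the machine in this thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Temp\\helper.exe\" /run \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\WINDOWS\\Temp\\ping.exe"
'''

def unescape(s):  # .reg strings escape \ and " with a backslash
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def parse_reg(text):
    """Return {key: {value_name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.groups()
        name = "@" if name == "@" else unescape(name[1:-1])
        if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ string
            data = unescape(data[1:-1])
        current[name] = data  # non-string types are kept as raw text
    return keys

def check_exe_association(keys):
    """List (key, found, expected) where the default differs or is missing."""
    lowered = {k.lower(): v for k, v in keys.items()}  # key names ignore case
    return [(key, lowered.get(key.lower(), {}).get("@"), want)
            for key, want in EXPECTED.items()
            if lowered.get(key.lower(), {}).get("@") != want]

def find_references(keys, needle):
    """List (key, value_name, data) whose data mentions needle, any case."""
    return [(k, n, d) for k, vals in keys.items() for n, d in vals.items()
            if needle.lower() in d.lower()]

if __name__ == "__main__":
    reg = parse_reg(SAMPLE)
    print(check_exe_association(reg), find_references(reg, "ping.exe"))
```

A missing key is reported with a found value of None, which matches the "Choose the program to use to open this file..." symptom when the command entry has been deleted rather than redirected.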

To: GeronL

https://www.google.com/search?pq=newt&hl=en&ds=i&cp=9&gs_id=17&xhr=t&q=black%20farmer&um=1&safe=off&gbv=2&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&biw=1366&bih=624&wrapid=tljp1324679419567014&ie=UTF-8&sa=N&tab=iw&ei=AwH1TtuXIaOVi


49 posted on 12/23/2011 3:08:24 PM PST by Revolting cat! (Let us prey!)
[ Post Reply | Private Reply | To 47 | View Replies]

To: Revolting cat!

sorry wrong link.


50 posted on 12/23/2011 3:10:03 PM PST by Revolting cat! (Let us prey!)
[ Post Reply | Private Reply | To 49 | View Replies]

