Help Vanity: Fixing damage from Virus (can't access Regedit)
Posted on 12/23/2011 11:13:55 AM PST by GeronL
I have kind of done this before. I have been working to delete a virus all morning on this borrowed computer. I think I have succeeded in the main.
The problem is the virus did cause some problems. Some exe files will not execute. It is probably a registry value that has been changed.
This is a BORROWED computer. I was using it when it apparently got infected. So I have a duty to fix this.
It is an Eee PC netbook running Windows XP.
So the registry value at exe in the command line should be what?
So how do I get access to the registry, since Regedit is an exe file?
Internet Explorer works but if I try to open Malware Bytes or Regedit it says “Choose the program to use to open this file...”
It sounds like the virus may have messed with regedit itself.
You might be able to fool the virus by making a copy of Regedit.exe (that is where I would start).
I would think you can find regedit.exe on another computer or through a google or yahoo search.
You can try running it explicitly by entering: “c:\windows\regedit.exe”
There is a registry fix file somewhere on the Internet that you can run that corrects a lot of the usual virus fudges. Don’t know where it is, but all I had to do when I used it was type the file name, something like xxxx.reg, and it popped those entries in and let me rebuild from there.
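For reference, this is what such a fix file contains. It is an added example, not a file any poster in this thread linked, and the file name exefix.reg is an assumption; the values are the stock Windows XP association that tells the shell to launch an .exe directly instead of asking "Choose the program to use to open this file...".

```reg
Windows Registry Editor Version 5.00

; Added example (not from this thread): the default Windows XP .exe association.
; Malware that produces the "Choose the program to use to open this file..."
; prompt usually changed one of these three values; compare before importing.

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

; "%1" is the program being launched, %* passes along its arguments.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
```

Because regedit.exe itself will not start while the association is broken, the usual workaround is to copy it to a name with a .com extension (for example regedit.com), which the shell runs without consulting the .exe association, and import the file silently with `regedit.com /s exefix.reg`. If the prompt persists afterwards, the per-user key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe is the other place a changed association can live.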
Maybe one of these (https://en.wikipedia.org/wiki/List_of_live_CDs#Microsoft_Windows-based) will allow you to boot a clean system with a working regedit. Haven’t used any of them, haven’t even checked the sites (not a Windows user for a long, long time).
I am going to try using the command line real quick as FR FREAK suggests.
The command line thing didn’t work.
The virus must have changed the registry values to block it.
I am going to do a Google search for something like what you said.
Start in safe mode & see if it runs?
There should be a backup copy of the registry somewhere you can try to restore.
Was it called “Registry Cleaner”??
sfrog has a good idea — also have you just tried old fashioned System Restore?
If you have access to the internet, google ‘bleepingcomputer.com combofix download’ and download Combofix.exe. Ignore the hype on it itself being a virus. THE best one-shot program I’ve used countless times on my own and client computers to find and slit the throat of nasty viruses. Put it on a memory stick, boot into Safe Mode (safe with networking if it works) and from the command prompt run it.
It will take about 20 minutes. Ignore the parts about antivirus installed or running in Recovery Console mode.
Has worked for me 99.8% of the time. (Can’t remember the .02% instance)
Similar for Windows 7.
This will roll your system back to before the virus struck.
“regedit” is not an .exe file. “c:\windows\regedit.exe” is. If it finds something named “regedit” in the current path, it will try to run that. Try running it using the full path and filename.
This site might be the thing I need. Lets see.
Here is a link to a google search for exefix and some tools for registry repair. I’ve used these tools on my XP machine and they do work well.
Something like this happened to my sister’s computer a few years ago (her kids liked to install stuff). The Task Manager would go down as soon as it came up. I had to rename the Task Manager exe just to get a chance to see what was going on. LOL!
Assuming you have rebooted —
Depending on the virus, it may have destroyed part of the original .exe files.
If so, you might try a system restore from a time previous to your getting the virus.
Otherwise, you may have to re-install those programs.
Can you open Malware Bytes in safe mode? If you can - and find something - run it a few more times. Could be tentacles...
If you don’t hear back from me in an hour, I goofed up big time. oops. heh.
I downloaded something called “regeditfix” and it seems to have fixed that particular problem. Now to run Malwarebytes!
Try this, or go to the root dougknox.com
There must be more parts to the virus than I thought. It was preventing Malware bytes from running and slowing everything down.
It was called ping.exe in the Task Manager.
Drop rkill to your computer. Run it. It will stop all processes.
Download a temp version of Kaspersky.
Run Kaspersky. That should get rid of it. Malwarebytes will cost some bucks.
If the puter is borrowed you are not going to want to spend money on it.
AVAST (Free) has a boot time scanner; it worked for me on a nasty little virus which wouldn’t let me access command prompt, took all my desktop icons, etc. This was on a Win7 machine. Assuming you can download it, give it a shot.
Hope this helps.
BTW regular scan DID NOT catch virus, only “boot time scan” worked.
Seems to have worked good ‘nuff.
I wonder if there aren’t a couple of monitoring and logging files left from the virus though.
Guess I can run Malware Bytes again to make sure.
You can mess with it by finding ping.exe, and replacing it with an empty file named ping.exe. Mark it read-only.
When you do CCleaner’s Registry Cleaner, you need to run it TWICE.
Once to initially clean it, then again to see if it missed anything the first time. It sometimes does...
There is also a system file named ping.exe that’s been here since March 2008.
The problem one is apparently a temporary file created by ANOTHER program. dang.
That's why you want to leave an empty file in its place, and make it read only.
Once you do that, whatever is launching it will still find the file where it's expecting it, but it won't run. If whatever is creating it tries to create a new one, it will fail because there's already a file there by that name. Making it read-only prevents it from being overwritten by the other program. It may start throwing an error that will tell you what the name of the program that tried to create it is.
Someone else already stated this - but SYSTEM RESTORE
This will change the registry keys back to where they were before you got the virus.
I got bombarded one day after posting on a blog where the virus corrupted everything. I had a terrible time getting into any system files. I was even unable to do a system restore from my desktop. I had to run it in safe mode and killed the little bugger instantly and restored everything back to an earlier time. It’s my best friend!
The actual name of the file is PING.EXE-31216D26.pf and it is located in the Windows “Prefetch” folder. I am not sure what file is creating it, but I guess we should see.
The blank ping file is now 63 kb.
Apparently whatever is writing into it doesn’t care if I delete and replace it.
While it appears I got the main virus and fixed the exe association I still have associated files on the computer.
One of them comes up on task manager as ping.exe and is hogging the processor but is just a ruse apparently. I replaced it with a blank notebook file and it is now around 85kb, so it doesn’t do anything.
There’s another program that writes to this file. I have to figure out how to identify the culprit.
Now I have a different problem
Did you mark the replacement as Read Only?
The second time. It wouldn’t let me after it was being written to by whatever other program. lol.
I need to track down that troll!
ping.exe is running again according to Task Manager and it’s taking 55-80% of the CPU
There are several suspicious files running on TaskManager...
See if you can find where it's getting loaded.
Sorry, wrong link.