Help Vanity: Fixing damage from Virus (can't access Regedit)

geronl

[GeronL]

I have kind of done this before. I have been working to delete a virus all morning on this borrowed computer. I think I have succeeded in the main.

The problem is the virus did cause some problems. Some exe files will not execute. It is probably a registry value that has been changed.

This is a BORROWED computer. I was using it when it apparently got infected. So I have a duty to fix this.

It an an EEPC netbook running Windows XP.

So the registry value at exe in the command line should be what?

SO how do I get access to the registry since Regedit an exe file?

[GeronL]

The blank ping file is now 63 kb.

Apparently whatever is writing into it doesn’t care if I delete and replace it.

[GeronL]

While it appears I got the main virus and fixed the exe association I still have associated files on the computer.

One of them comes up on task manager as ping.exe and is hogging the processor but is just a ruse apparently. I replaced it with a blank notebook file and it is now around 85kb, so it doesn’t do anything.

There’s another program that writes to this file. I have to figure out how to identify the culprit.

[GeronL]

Now I have a different problem

[tacticalogic]

Did you mark the replacement as Read Only?

[GeronL]

The second time. It wouldn’t let me after it was being written to by whatever other program. lol.

I need to track down that troll!

[GeronL]

ping.exe is running again according to Task Manager and its taking 55-80% of the CPU

[GeronL]

There are several suspicious files running on TaskManager...

PSIMREAL.exe??

[tacticalogic]

Well, we know what executable name it's using now. I'd search the registry for any reference to ping.exe.

See if you can find where it's getting loaded.

[Revolting cat!]

https://www.google.com/search?pq=newt&hl=en&ds=i&cp=9&gs_id=17&xhr=t&q=black%20farmer&um=1&safe=off&gbv=2&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&biw=1366&bih=624&wrapid=tljp1324679419567014&ie=UTF-8&sa=N&tab=iw&ei=AwH1TtuXIaOVi

[Revolting cat!]

sorry wrong link.

[Revolting cat!]

https://www.google.com/search?source=ig&hl=en&rlz=1G1TSNA_ENUS374&q=psimreal&oq=psimreal&aq=f&aqi=g2g-v8&aql=&gs_sm=s&gs_upl=6574l9045l0l12156l8l8l0l2l2l0l146l728l1.5l6l0

(Read the 3rd entry.)

[eyedigress]

Do you still need help....I have some programs that will fix quite a bit of problems. I run them from a thumb drive when needed.

[GeronL]

I am going to try Combofix

[eyedigress]

Kill any process that has 3 characters as a name.

[Revolting cat!]

I would recommend that you download from CNET several freeware repair tools, even if they overlap each other, and run scans to cleanup the machine.

I use CCleaner, Avast, Glary Utilities, IOBit Freeware, Advanced System Care, MRU-Blaster, Spybot, all of them carefully chosen after reading CNET reviews.

Beware, as some (all?) install spyware, not always giving you an option. But that’s a minor problem, as the crap is harmless and easily removable.

[eyedigress]

You may not have to do that but it will probably work. be careful

[eyedigress]

I kill 3 letter processes then run Rkill (DOS) then FixNCR. It is effective against some of the new nasties that sneak past the AV and firewall.

[GeronL]

The Combofix tool from bleepingcomputer doesn’t execute properly, ggrrr

[eyedigress]

Do you have the latest copy?

[Revolting cat!]

I know, I tried downloading it, seeing you mention it and it won’t install. Try the other products I mentioned. There is also IO Bit Malware Fighter.