Solved

trojan.zlob-x.a

Posted on 2007-12-05
Last Modified: 2013-11-22
Hi all,
One of my nasty users has a virus infection; it reports Trojan.zlob-x.a.
The symptoms are that all the applications appear with the same icon and application, in this case Excel.
I tried to clean the virus using SmitfraudFix, but all programs are unable to run: all the applications launch Excel, and in the case of the .exe files they simply do nothing.
Please, any possible solution for this mess?
Thanks
edo
Question by:edo60
20 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20416402
Does sound like Smitfraud. But it also sounds like something else has happened here...
Did you try to run Smitfraudfix option 2 in Safe Mode? If not try that.
Also,
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here

LVL 47

Expert Comment

by:rpggamergirl
ID: 20417517
If you run SmitfraudFix using option 1, it will just scan and will not remove the nasties that it finds; it's option 2 that does the fix (removes nasties).
Is your SmitfraudFix the latest version? --> Version 2.258

Or, maybe you have other nasties there besides smitfraud,
You could show us a HijackThis log as IndiGenus already suggested,
or try and download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/Beta/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Attach the log as a "Code Snippet" so we can check it please.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Combofix will terminate your connection while scanning, and will resume connection when it's done.
If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternatively, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.


Author Comment

by:edo60
ID: 20421028
The system didn't allow me to run any program; they come disabled even in Safe Mode.
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
ID: 20422101
Did you try Hijackthis? Or does it do the same thing? It is an .exe so...

Sounds like it caused a file association problem. Not sure if this would work but...

This is one of Doug Knox file association fixes. This one for .exe's:

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Download the ZIP and open it.  Extract the REG file to your hard disk and double click it.  Answer yes to the import prompt.  REG files can be viewed in Notepad.  Each of the REG files contains the default settings for the file extension indicated.

For reference, fix is from this page: http://www.dougknox.com/xp/file_assoc.htm

Hope that helps.
Dave
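
One way to check what such a REG fix is meant to restore, as an added example that is not part of the original answer or of the Doug Knox fix: it parses `.reg`-format text and compares the `.exe` association against the usual Windows defaults. The expected values (`exefile` and `"%1" %*`), the function names and both sample exports are assumptions constructed for illustration.

```python
import re

# Assumed known-good defaults for the .exe association on Windows.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed samples in .reg export format (not taken from the poster's machine).
HEALTHY = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed: .exe re-pointed at the spreadsheet ProgID, matching the
# "everything opens with Excel" symptom described in the question.
HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="Excel.Sheet.8"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg_defaults(text):
    """Return {lower-cased key path: default (@) string value} from .reg text."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key names are case-insensitive
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def check_exe_association(text):
    """Return a list of (key, problem, actual_value) for deviations from EXPECTED."""
    found = parse_reg_defaults(text)
    problems = []
    for key, want in EXPECTED.items():
        got = found.get(key.lower())
        if got is None:
            problems.append((key, "missing", None))
        elif got.lower() != want.lower():
            problems.append((key, "unexpected", got))
    return problems

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(name, check_exe_association(sample))
```

Feed it the text of an export of the two keys from the affected machine; an empty list means the `.exe` association matches the assumed defaults.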


Author Comment

by:edo60
ID: 20423537
I put the disk as a slave in another PC and ran HouseCall; might that work?
thanks edo

Author Comment

by:edo60
ID: 20430595
I finally ran HiJackThis.exe
and the log file gives me this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:21:15 p.m., on 07/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Barra de herramientas - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\WINDOWS\SYSTEM32\PowerVideo.dll (file missing)
O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
O3 - Toolbar: Yahoo! Barra de herramientas - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Archivos de programa\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: The jokwmp - {2623E5C5-B0C2-4300-8C63-9F51D133CA0A} - C:\WINDOWS\jokwmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Documents and Settings\camposej\Escritorio\Jaime\pps\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 3Com Launcher.lnk = C:\Archivos de programa\3Com\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Archivos%20de%20programa/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191365527900
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Archivos%20de%20programa/Amazing%20Adventures%20The%20Lost%20Tomb/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ingenieria.corp
O17 - HKLM\Software\..\Telephony: DomainName = ingenieria.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDDB0E82-5021-4190-AB30-F4D8322123FB}: NameServer = 192.168.1.2,192.168.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ingenieria.corp
O23 - Service: Servicio de alerta (Alerter) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de puerta de enlace de capa de aplicación (ALG) - Unknown owner - C:\WINDOWS\
O23 - Service: 3Com Wireless LAN Support (AllWirelessLansService) - 3Com Corp. - C:\Archivos de programa\Archivos comunes\3Com\AllWirelessLansService.exe
O23 - Service: Administración de aplicaciones (AppMgmt) - Unknown owner - C:\WINDOWS\
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\
O23 - Service: Audio de Windows (AudioSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de transferencia inteligente en segundo plano (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Examinador de equipos (Browser) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de Index Server (CiSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicios de cifrado (CryptSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Iniciador de procesos de servidor DCOM (DcomLaunch) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente DHCP (Dhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: Administrador de discos lógicos (dmserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente DNS (Dnscache) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de informe de errores (ERSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\
O23 - Service: Compatibilidad de cambio rápido de usuario (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Ayuda y soporte técnico (helpsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor (lanmanserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Estación de trabajo (lanmanworkstation) - Unknown owner - C:\WINDOWS\
O23 - Service: 3Com LAN Support (LanSupportService) - 3Com Corporation - C:\Archivos de programa\Archivos comunes\3Com\LanSupportService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Archivos de programa\LEC\LogoMedia TranslateDotNet Server.exe
O23 - Service: Ayuda de NetBIOS sobre TCP/IP (LmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Mensajero (Messenger) - Unknown owner - C:\WINDOWS\
O23 - Service: Inicio de sesión en red (Netlogon) - Unknown owner - C:\WINDOWS\
O23 - Service: Conexiones de red (Netman) - Unknown owner - C:\WINDOWS\
O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\WINDOWS\
O23 - Service: Proveedor de compatibilidad con seguridad LM de Windows NT (NtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Medios de almacenamiento extraíbles (NtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicios IPSEC (PolicyAgent) - Unknown owner - C:\WINDOWS\
O23 - Service: Almacenamiento protegido (ProtectedStorage) - Unknown owner - C:\WINDOWS\
O23 - Service: Administrador de conexión automática de acceso remoto (RasAuto) - Unknown owner - C:\WINDOWS\
O23 - Service: Administrador de conexión de acceso remoto (RasMan) - Unknown owner - C:\WINDOWS\
O23 - Service: Registro remoto (RemoteRegistry) - Unknown owner - C:\WINDOWS\
O23 - Service: Localizador de llamadas a procedimiento remoto (RPC) (RpcLocator) - Unknown owner - C:\WINDOWS\
O23 - Service: Llamada a procedimiento remoto(RPC) (RpcSs) - Unknown owner - C:\WINDOWS\
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\
O23 - Service: Administrador de cuentas de seguridad (SamSs) - Unknown owner - C:\WINDOWS\
O23 - Service: Sistema de ayuda de tarjeta inteligente (SCardDrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Programador de tareas (Schedule) - Unknown owner - C:\WINDOWS\
O23 - Service: Inicio de sesión secundario (seclogon) - Unknown owner - C:\WINDOWS\
O23 - Service: Notificación de sucesos del sistema (SENS) - Unknown owner - C:\WINDOWS\
O23 - Service: Conexión de seguridad a Internet (ICF) / Conexión compartida a Internet (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: Detección de hardware shell (ShellHWDetection) - Unknown owner - C:\WINDOWS\
O23 - Service: Cola de impresión (Spooler) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de restauración de sistema (srservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de descubrimientos SSDP (SSDPSRV) - Unknown owner - C:\WINDOWS\
O23 - Service: Adquisición de imágenes de Windows (WIA) (stisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\
O23 - Service: Telefonía (TapiSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicios de Terminal Server (TermService) - Unknown owner - C:\WINDOWS\
O23 - Service: Temas (Themes) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente de seguimiento de vinculos distribuidos (TrkWks) - Unknown owner - C:\WINDOWS\
O23 - Service: Administrador de carga (uploadmgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Host de dispositivo Plug and Play universal (upnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Sistema de alimentación ininterrumpida (UPS) - Unknown owner - C:\WINDOWS\
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\
O23 - Service: Horario de Windows (W32Time) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente Web (WebClient) - Unknown owner - C:\WINDOWS\
O23 - Service: Instrumental de administración de Windows (winmgmt) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio del número de serie de medio portátil (WmdmPmSN) - Unknown owner - C:\WINDOWS\
O23 - Service: Extensiones de controlador de Instrumental de administración de Windows (Wmi) - Unknown owner - C:\WINDOWS\
O23 - Service: Centro de seguridad (wscsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Actualizaciones automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Configuración inalámbrica rápida (WZCSVC) - Unknown owner - C:\WINDOWS\
O23 - Service: Servicio de aprovisionamiento de red (xmlprov) - Unknown owner - C:\WINDOWS\

--
End of file - 12387 bytes
Any clue?
Thank you
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 500 total points
ID: 20431713
How did you get HJT to run? It is no doubt Smitfraud. Have you tried running the tool again?

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Upload the log from Smitfraudfix and re-run HJT, upload that log too. Please don't post them here. Do the following:
Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here

NOTE: If you have issues with that please use the Attach Code Snippet.
LVL 47

Expert Comment

by:rpggamergirl
ID: 20433631
Yeah smitfraud entries are showing although it says file missing, we don't know for sure.
An SDBot variant is present there as well, please download and run SDFix.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and attach the contents of the results file "Report.txt" back
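
A small triage pass over HijackThis-format lines, as an added example that is not part of the original post or of HijackThis itself: it flags the kinds of entries discussed above ("(file missing)", "(no file)", a toolbar DLL sitting directly in C:\WINDOWS\). The sample lines are excerpted from the log posted earlier in this thread; the rule names and heuristics are assumptions for illustration, and a flagged line is a prompt to investigate, not a verdict.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread (not the whole log).
LOG_EXCERPT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\WINDOWS\SYSTEM32\PowerVideo.dll (file missing)
O3 - Toolbar: The jokwmp - {2623E5C5-B0C2-4300-8C63-9F51D133CA0A} - C:\WINDOWS\jokwmp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O23 - Service: Cliente DHCP (Dhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
"""

# "<section code> - <rest of entry>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# (rule name, sections it applies to or None for all, pattern). Heuristics are assumptions.
RULES = [
    ("no-file", None, re.compile(r"\(no file\)$")),
    ("file-missing", None, re.compile(r"\(file missing\)$")),
    ("remote-target", {"O9"}, re.compile(r" - https?://", re.I)),
    ("dll-in-windows-root", {"O2", "O3"},
     re.compile(r" - [A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.I)),
    ("service-path-is-directory", {"O23"}, re.compile(r" - Unknown owner - .*\\$")),
]

def triage(log_text):
    """Return [(section, [rule names], entry text)] for lines matching any rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.groups()
        reasons = [name for name, sections, rx in RULES
                   if (sections is None or section in sections) and rx.search(body)]
        if reasons:
            findings.append((section, reasons, body))
    return findings

if __name__ == "__main__":
    for section, reasons, body in triage(LOG_EXCERPT):
        print(f"{section:4} {','.join(reasons):28} {body}")
```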
LVL 47

Expert Comment

by:rpggamergirl
ID: 20433648
Oh, I just noticed that both SDFix and Smitfraudfix remove this variant --> C:\WINDOWS\jokwmp.dll

So only run SDFix if the problem persists after running Smitfraudfix as IndiGenus already suggested.
LVL 47

Expert Comment

by:rpggamergirl
ID: 20435686
In case you still have the problem, here's also another tool that you can use...
This tool eliminates the Trojan.Zlob-X.a and Trojan.Win32.Agent.akk "Fake Alerts"

1. Download FixIEDef.exe by ShadowPuterDude to the Desktop.
http://downloads.malwareteks.com/FixIEDef.exe

2. Double-click FixIEDef.exe.
3. Click the Extract Button.
4. There will be a new folder on your desktop. Locate the FixIEDef folder and double click.
5. Locate FixIEDef.bat and double-click on it.
6. FixIEDef will now run.
You can safely close the Command Console after Explorer has restarted.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running. The icons and Start Menu on your Desktop will not be visible while FixIEDef is running. This is necessary to remove parts of the infection that would otherwise not be removed. FixIEDef will re-start Explorer at the end of the removal process

NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry. As FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Author Comment

by:edo60
ID: 20442510
The system didn't allow me to run SmitfraudFix.
Any possible solution?

thank you
edo

Author Comment

by:edo60
ID: 20442550
Where is the SDFix link?
thank you
edo
LVL 20

Expert Comment

by:IndiGenus
ID: 20442573
Hi edo,

Did you try SDFix or FixIEDef.exe as rpg had mentioned? If not I would advise those. Here is a link to SDFix.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Just follow the instructions to run it in Safe Mode as rpg had advised. Upload the logs to eestuff

Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

If you have problems uploading then just use the Attach Code Snippet.

Author Comment

by:edo60
ID: 20442712
It didn't allow me to do anything.
I can't run exe files.

Author Comment

by:edo60
ID: 20443363
OK, I can finally run exe files.
I ran smitfraud.exe and it runs, but the file association is still bad.

Author Comment

by:edo60
ID: 20444025
How can I restore the file association that is missing?
Everything opens with Excel.
thank you

Author Comment

by:edo60
ID: 20445159
Thank you guys.
It is a virus problem but also a file association problem.
With your support I restored the file association with the command prompt
and this line:
 assoc.xls=excel  
This is the link that actually helped me:
 http://www.dougknox.com/xp/file_assoc.htm


 Thank you

edo
LVL 47

Expert Comment

by:rpggamergirl
ID: 20445218
Sorry about the missing link,  smitfraudfix and SDFix won't run at all? Do you have an option which program to run if you rightclick on the program?
Did you get any error when you run SDFix?
You were able to run hijackthis.exe but not any other .exes?
Could it be the batch files that won't run?

Maybe cmd.exe is in the wrong place, try running this to check:
Start > Run > paste the below txt and see if cmd.exe is in the system32 folder

%comspec% /c (ver & echo.%comspec%)>\a.txt&\a.txt




-----------------
Also check in the registry, navigate to this subkey;

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

On the right pane, the "Path" under Type should have -->  Reg_Expand_SZ
LVL 47

Expert Comment

by:rpggamergirl
ID: 20445239
Ooops, didn't refresh the page while I was typing..and didn't realize it's now solved, lol.

Author Comment

by:edo60
ID: 20445256
Thank you anyway.
You guys help me a lot.
edo