program won't run - suspect registry problems



I am working on an XP system. I could not do anything on it due to malware, so I removed the disk and was able to run Malwarebytes on it from another system. It found and removed one serious problem (Protector-qlkq.exe). The system now seems to run normally and I can install Malwarebytes (and other anti-virus software), but they won't run (none of them). I then did a repair installation on the system; the exact same thing happens, Malwarebytes and other anti-virus software won't run, so I suspect there are some issues with the registry. Can anyone suggest anything to narrow this down, or have suggestions other than a complete new installation to save this system? There appears to be nothing else wrong with it; other software seems to work OK, but for some reason none of the anti-virus programs will work.

Thank You

Steve


Hello Steve and welcome to MalwareBytes forums.

Note that a repair install is not the way to remove malware. I'll suggest a tool or two to get you going insofar as being able to run applications. However, you must still follow up with a whole bunch of diagnostics, including a new MBAM scan and virus checks.

Please download ExeFix.reg by farbar and save it to a flashdrive or on the root of the system drive (usually C:).

  • Important: Boot your computer into the account that has trouble running exe files.
  • Right-click it and select Merge.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

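For readers who want to see what an "exe fix" of this kind has to restore: the fragment below is a minimal .reg file that puts the default .exe file association back. It is an illustration added here, not farbar's ExeFix.reg (whose exact contents the thread does not show), and it assumes a stock Windows XP layout where .exe maps to the exefile class and the open verb is "%1" %*. Malware that blocks programs from starting frequently rewrites these values so that every .exe launch is routed through the malware's own binary.

```reg
Windows Registry Editor Version 5.00

; Map the .exe extension back to the standard "exefile" class.
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

; The "open" verb must run the file itself with its arguments,
; not some other program that hijacks the launch.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
```

Before merging, check the current value with `reg query HKCR\exefile\shell\open\command` from a command prompt; anything other than `"%1" %*` (for example a path under Application Data) is the hijack. If Merge in Explorer fails because the .reg association itself is broken, `regedit.exe /s ExeFix.reg` imports the file directly.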

The "Merge" was not working (it said file not found), and for some reason I can't run "regedit" directly from the command window; it says the program is not found, but I was able to find it and run it (by changing the name) and managed to import the ExeFix.reg file successfully into the registry.

The net result of running FixPolicies.exe was no change, unfortunately. I see in the Fix_Policies.cmd script he's not displaying output (> NUL), so I have no real idea if it was successful or not. I'll try to examine the registry and see if I can tell, but so far this did not help.

One more note: Norton Internet Security did install and work correctly on the system, but Malwarebytes gave the same result; it seems to install but not execute. One more thing: the Task Manager doesn't seem to work.

Regards,

Steve


I was able to get the Task Manager and regedit commands to work as they should by repairing the registry. There was an intercept being done there by this former Protector-qlkq.exe virus, and that was not removed from the registry by Malwarebytes. I had assumed, maybe incorrectly, that this would have been done by Malwarebytes running on the external disk, but is there a reason why it wasn't?

I had to delete 2 keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

taskmgr.exe

regedit.exe

But still looking at this as Malwarebytes still isn't able to execute on the system in question.


HEY! I got it working!!

In the registry there is something called "Image File Execution Options", and some virus must have put some entries in there, as there were entries for mbam.exe, mbamgui.exe and mbamservice.exe. (I removed them.)

Incidentally, when I was trying to run Malwarebytes, I could see the "svchost.exe" program trying to run, but now I know why, since that was what they put in there!!!! So hey, got it. Is this typically caught when Malwarebytes runs? I'm just curious, since it was done as a remote disk from another computer and that didn't fix it. Anyway, it's running perfectly now. Thanks for giving me some leads. I've been up to my eyeballs in registry crap and glad to be out of it. What a frickin' mess.

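The mechanism behind the two posts above (taskmgr.exe/regedit.exe, then mbam.exe/mbamgui.exe/mbamservice.exe) is the "Debugger" value under Image File Execution Options: when it is set for an image name, Windows launches the named "debugger" instead of the program, so pointing it at svchost.exe or the rogue's own binary silently blocks that program by file name, which is also why a renamed copy still runs. The script below is an added example, not code from the thread or from Malwarebytes. It enumerates every IFEO subkey, reports any Debugger value, flags those that are not on a short allow-list of real debuggers (the `$knownGood` list is an assumption; adjust it to your environment), and removes the flagged values only when run with `-Remove`. It assumes an elevated PowerShell session on the affected host.

```powershell
# Audit (and optionally remove) IFEO "Debugger" hijacks.
# Added example, not the thread's or Malwarebytes' code. Run elevated.
# Default is report-only; pass -Remove to delete the flagged values.
param(
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: debuggers an administrator might legitimately register here.
# Anything else (svchost.exe, a Protector-*.exe, a path under Application Data) is a hijack.
$knownGood = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe', 'drwtsn32.exe')

if (-not (Test-Path $ifeo)) {
    Write-Host "IFEO key not found; nothing to audit."
    return
}

$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    # Only the Debugger value redirects execution; other IFEO values are harmless here.
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if (-not $debugger) { continue }

    # Normalise the value: drop quotes and arguments, keep just the file name.
    $exe     = ($debugger -replace '"', '').Trim().Split(' ')[0]
    $exeName = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()

    [pscustomobject]@{
        Image      = $key.PSChildName          # e.g. mbam.exe, taskmgr.exe
        Debugger   = $debugger                 # what actually gets launched instead
        Suspicious = ($knownGood -notcontains $exeName)
        Key        = $key.PSPath
    }
}

if (-not $findings) {
    Write-Host "No Debugger values under IFEO."
    return
}

$findings | Format-Table Image, Debugger, Suspicious -AutoSize

foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    if ($Remove) {
        # Remove only the Debugger value; deleting the whole subkey also discards
        # any legitimate per-image settings that may live beside it.
        Remove-ItemProperty -Path $f.Key -Name 'Debugger'
        Write-Host "Removed Debugger hijack: $($f.Image) -> $($f.Debugger)"
    } else {
        Write-Host "Would remove Debugger hijack: $($f.Image) -> $($f.Debugger) (re-run with -Remove)"
    }
}
```

On an XP box without PowerShell the same audit is a single command: `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger` lists every subkey that carries a Debugger value. As the later posts note, kill the live process and remove its file before cleaning the registry, otherwise the running malware can write the values straight back. On 64-bit Windows the same check should be repeated under the Wow6432Node copy of the key.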

<moderator note: Moved topic to Malware removal forum>

The two tools I gave you were only to get over an initial hurdle. Please now follow my guidance to check for any malware on board. Do not make fixes on your own.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

First, make sure you have saved all your work before you begin, and close your open apps.

Close all open windows on the Task Bar.

Note: If using Firefox browser, right-click on any download links and choose Save As

Please download OTH to your desktop

Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes button, your desktop will go blank. (That is normal & expected).

If running on Windows 7 or Vista, to start tools, do a RIGHT-Click and then select "Run As Administrator".


Then press Start OTL button. OTL will now run. If prompted to allow it to run, press YES.

  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
Then copy/paste the following into your post (in order):
  • the contents of OTL.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


For others who see this: the display on the screen will usually read "Windows Turnkey Console" and usually has the Protector-xxxx.exe file associated with it. I have been playing with it and found a fairly easy way to remove it. This works just fine on a system infected with the live virus; I just tried it.

Move the virus spam window to the side so you can work.

Open the Explorer (Right click on Start, click on "Explore").

Navigate to C:\Windows\system32 and copy taskmgr.exe to your desktop.

Rename the copied taskmgr.exe to something else, and then you can double-click on it to execute it.

Look for "Windows turnkey console" or a task that begins with "Protector" and hit the "End process" button.

This will stop the active component of the virus that is currently running in memory.

If you don't have Malwarebytes installed, you can install it now, either from your web browser or from your memory stick.

Do not try to run it directly after installing it. (It won't matter really, but it won't start anyway.)

Then, in your Explorer window, navigate to C:\Program Files and go into the "Malwarebytes Anti-Malware" folder.

Click on "mbam.exe" and copy it to a different name, but leave it in the same folder (this is necessary).

Double-click on the copy and it will run; update the virus definitions if asked and run a "Quick Scan".

It will completely remove the virus; I just verified this twice, in fact. :-)


Yes, Malwarebytes removed the virus using the procedure I described above. One thing I forgot to add, though, and it could be important, is to also physically remove the virus file before running Malwarebytes, since the virus could reactivate itself when Malwarebytes is modifying the registry. (I've seen it happen.)

First, make sure you can see hidden files and folders. (Enable showing hidden files and folders from the "Folder Options" application in the Control Panel.) The virus will be in the "Documents and Settings" directory, under the user account you're logged into, and then in the "Application Data" directory. The virus has so far been called ProtectorXXX.EXE. It's safe to just delete this (or rename it) and then run Malwarebytes, and it will take care of everything. I've seen some others talk about this virus and give more complex procedures to remove it, but so far this is the easiest way I have found. I set up a machine to recreate the problem just to find the best way to remove it, which I have done 4 or more times now. Hope it can help some others.


Also, I noticed that Malwarebytes does the registry repairs first and then does the quarantine of the virus file. I'm not sure if you have other reasons for doing it this way, but for this particular virus (and possibly others), if that could be reversed then this step of having the user remove/move the virus would be unnecessary. Again, I'm speaking about this virus in particular, but it may be something to think about. If the registry has been hijacked, then removal of the program on the disk has to be done first, as every time the registry is modified it attempts to restart the virus.


Steve,

If you have fixed the problem, please say so and I can close the topic. You seem to be saying this PC had Windows Turnkey Console malware and you have fixed it.

You have not posted any logs as I asked, so I think you are making observations on your findings, right?
