
Can't open any programs except photoshop not even OTL
#106
Posted 21 April 2012 - 03:55 AM

#107
Posted 21 April 2012 - 10:41 AM

Anyway see if you can do:
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. (Or get into Command Prompt any way you can) Type with an Enter after each line:
sfc /scannow
(Once this finishes - Does it finish?)
cd \windows
copy regedit.exe regedit.com
regedit.com
(Are you able to get into the registry editor? Leave it running and get back to me.)
#108
Posted 21 April 2012 - 12:17 PM

Edited by neataznyam, 21 April 2012 - 12:17 PM.
#109
Posted 21 April 2012 - 12:49 PM

Copy this line:
reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\exefile
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.
Do you get an error? What does the error say?
When you right clicked on the unhookexe.inf file did you have an option to Merge?
#110
Posted 21 April 2012 - 01:39 PM

http://www.raymond.c...ing-in-windows/
Start with:
1. Download PC Regedit
They give you some info on how to burn the CD but the easiest way is with the free iso burner:
http://www.freeisoburner.com/
If you can get it to boot then you probably need to have it open C:\Users\henry\NTUSER.DAT or USRCLASS.DAT to find the HKEY_CURRENT_USER\SOFTWARE\Classes\exefile
which we want to delete.
If you can't get that to work then try the Windows Defender Offline program:
http://windows.micro...efender-offline
Apparently if MSSE finds a problem it can't handle it tells the user to run Windows Defender Offline but I don't think you need MSSE to run it. The nice thing about it is it does not need a second program to burn a CD or create a bootable USB drive. There is a separate program for 32 and 64 bit systems. You will need the 64 bit version. Then you have a choice of blank CD or a USB drive or .iso file. You boot off the CD or USB and it gives you some choices (Quick Scan and Full Scan if I remember correctly - may be other choices). Then it scans your system and fixes anything it knows how to fix but I think it asks permission so you can't just let it run overnight.
#111
Posted 21 April 2012 - 04:33 PM

Edited by neataznyam, 21 April 2012 - 04:37 PM.
#112
Posted 21 April 2012 - 04:39 PM

#113
Posted 21 April 2012 - 04:57 PM

Right click on a file that won't run and select Properties then look if it says anything about the file being blocked. Click on Unblock. See if it will run now.
Try copying the next line and pasting it into a command prompt as before.
reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "%userprofile%\Desktop\ifeo.txt"
It should create a file called ifeo.txt on your desktop. If so please attach the file to your next post.
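What a reviewer would check in the requested ifeo.txt, as an added example that is not part of the original thread: an Image File Execution Options subkey carrying a `Debugger` value makes Windows start the named program instead of the image, which is one way programs can be kept from opening. The sample export, `example.exe`, its path and the function names are constructed for illustration.

```python
import re

# Constructed sample in "reg export" format: iexplore.exe mirrors an entry
# from this thread's export; example.exe and its Debugger path are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"Debugger"="C:\\constructed\\placeholder.exe"
'''

IFEO = r"\Image File Execution Options"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg-format text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = m.group(2)
    return keys


def find_debugger_redirects(text):
    """List (image_name, raw_data) for IFEO image subkeys with a Debugger value."""
    hits = []
    for path, values in parse_reg_export(text).items():
        head, _, image = path.rpartition("\\")
        if not head.lower().endswith(IFEO.lower()):
            continue  # the IFEO root itself, or a key outside IFEO
        hits += [(image, d) for n, d in values.items() if n.lower() == "debugger"]
    return hits


print(find_debugger_redirects(SAMPLE_EXPORT))
```

A real export from `reg export` is normally UTF-16, so open the file with `encoding="utf-16"` before passing its text to these functions.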
#114
Posted 21 April 2012 - 05:54 PM

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe]
"DisableExceptionChainValidation"=dword:00000000
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscoree.dll"=dword:00000001
"mscorwks.dll"=dword:00000001
"mso.dll"=dword:00000001
"msjava.dll"=dword:00000001
"msci_uno.dll"=dword:00000001
"jvm.dll"=dword:00000001
"jvm_g.dll"=dword:00000001
"javai.dll"=dword:00000001
"vb40032.dll"=dword:00000001
"vbe6.dll"=dword:00000001
"ums.dll"=dword:00000001
"main123w.dll"=dword:00000001
"udtapi.dll"=dword:00000001
"mscorsvr.dll"=dword:00000001
"eMigrationmmc.dll"=dword:00000001
"eProcedureMMC.dll"=dword:00000001
"eQueryMMC.dll"=dword:00000001
"EncryptPatchVer.dll"=dword:00000001
"Cleanup.dll"=dword:00000001
"divx.dll"=dword:00000001
"divxdec.ax"=dword:00000001
"fullsoft.dll"=dword:00000001
"NSWSTE.dll"=dword:00000001
"ASSTE.dll"=dword:00000001
"NPMLIC.dll"=dword:00000001
"PMSTE.dll"=dword:00000001
"AVSTE.dll"=dword:00000001
"NAVOPTRF.dll"=dword:00000001
"DRMINST.dll"=dword:00000001
"TFDTCTT8.dll"=dword:00000001
"DJSMAR00.dll"=dword:00000001
"xlmlEN.dll"=dword:00000001
"ISSTE.dll"=dword:00000001
"symlcnet.dll"=dword:00000001
"ppw32hlp.dll"=dword:00000001
"Apitrap.dll"=dword:00000001
"Vegas60k.dll"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"DisableUserModeCallbackFilter"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe]
"CWDIllegalInDllSearch"=dword:ffffffff
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe]
"CWDIllegalInDllSearch"=dword:ffffffff
#115
Posted 21 April 2012 - 07:02 PM

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%userprofile%\Desktop\LMRun.txt"
It should create a file called LMRun.txt on your desktop.
Let's see if we can get it to delete the malware entries now that we have a backup copy.
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob
If that seems to work:
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v xmlimig
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v dplaysvr
Then
reg export HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%userprofile%\Desktop\CURun.txt"
It should create a file called CURun.txt on your desktop.
reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob
reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v xmlimig
reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v dplaysvr
reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "%userprofile%\Desktop\Winlogon.txt"
Attach or copy and paste "Winlogon.txt"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%userprofile%\Desktop\LMPolicies.txt"
Attach or copy and paste "LMPolicies.txt"
reg export "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" "%userprofile%\Desktop\CUPolicies.txt"
Attach or copy and paste "CUPolicies.txt"
#116
Posted 21 April 2012 - 07:33 PM

#117
Posted 21 April 2012 - 07:35 PM

Edited by neataznyam, 21 April 2012 - 07:38 PM.
#118
Posted 21 April 2012 - 07:42 PM

Can you get the reg export lines to work? Please copy and paste any you can get.
#119
Posted 21 April 2012 - 07:44 PM

#120
Posted 21 April 2012 - 07:47 PM

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob /f






