Rogue anti-virus tricks

lulmars128

Hello everyone, been enjoying reading these forums since I signed up a little while ago. Read a lot of interesting tips and tricks, and a lot of just "google its", which make me lol. Thought I'd leave my morsel of information here and share an interesting trick I picked up while battling rogue AVs and rootkits.

I often travel with my full complement of tools, sometimes just with my 4GB thumb drive sidekick. But more often than not I'm knee deep in a social situation and off guard when someone spots the computer geek, and it's an emergency. "I just got a bug and now everything won't work." Sure enough, every program opened reports *.exe is not a recognized file extension. And I don't have any tech tools on me, so it looks like this one comes by hand.

Stopping to analyze the situation, I've no use of task manager; obviously some shell exts are making it, as I see the rogue AV and explorer shell still running. A few minutes later, eureka! A browser page flicks open to register the mishap AV and the fix was born. iexplore.exe is obviously on this bug's exception list. Although it won't let me browse away from its page without a local redirect, I've still the fundamental abilities of renaming, copy and paste, etc.

Now, the details of this fix vary depending on which Windows OS you're using as well as which internet browser. I've tested this method on Windows XP, Vista, and 7 (64 and 32 bit on Vista/7) and with Firefox and Internet Explorer as browsers.

Navigate to the system directory (normally c:\windows\system32).
The files we are looking for are taskmgr.exe, notepad.exe, and regedit.exe. Now, playing around in the system folder is unwise; one wrong move could crash your OS. I recommend copying these 3 files to the desktop.

Next, navigate a window to your default browser's directory. (This is whichever browser the rogue AV is using. Normally C:\program files\internet explorer.)

Rename your internet browser something like oldfirefox.exe or firefox.old.

Rename the taskmgr.exe file to the name of the browser (taskmgr.exe to iexplore.exe).

Copy the newly renamed taskmgr into the browser folder. (In most cases Internet Explorer will have already replaced the renamed file. It's ok to replace it; we have the back-up renamed.)

Now either double click the renamed taskmgr, or have the rogue AV open it for you.

Task Manager should come up, allowing you to look through the process list and spot the rogue. Killing its process right away will likely just cause it to restart. Write down or remember the name, and look for the file. (Normally I see them in c:\program files; c:\users\(user)\application data; or C:\documents and settings\user name\application data.)

After finding the file click delete, but do not answer the prompt.

Next go back to Task Manager, end the task and quickly respond yes to the delete prompt.

This should take it out of memory and off the hard drive at once. In some cases this restores .exe functionality across the board, allowing an AV to do the rest. In some cases not.

If not...

Repeat the rename trick for notepad.exe and clear the hosts file of any redirects.

Use google :D to find a fix tool, or regedit to repair the problem yourself (only if you know what you're doing; the registry can be a dangerous place).

This trick isn't intended to fully remove any virus, only restore functionality to a point where proper removal can be done with ease.

Hope you found it helpful.

-Mars
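An added example, not from the original post, that checks the two things the by-hand fix above targets without changing anything: the .exe file association the rogue AV hijacks (which is why "*.exe is not a recognized file extension" appears) and the hosts file it uses for redirects. It assumes the stock association values for XP/Vista/7 and is meant to be run from an elevated PowerShell prompt; the actual repair is still done by hand in regedit and notepad as the post describes.

```powershell
# Added example, not from the original post: a read-only check for the two things the
# by-hand fix above targets, a hijacked .exe file association and hosts-file redirects.
# Assumes the stock association values for XP/Vista/7; run from an elevated prompt.
# It only reports; any repair is still done by hand in regedit/notepad.

$expectedCommand = '"%1" %*'   # stock (default) value of exefile\shell\open\command

# Keys that decide how a .exe is launched. HKCU\Software\Classes overrides HKCR for the
# current user, which is where a rogue AV usually plants its hijack.
$commandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command'
)

$exeType = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
if ($exeType -ne 'exefile') {
    Write-Warning "HKCR\.exe maps to '$exeType' instead of 'exefile'"
}
if (Test-Path 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe') {
    Write-Warning 'Per-user HKCU\Software\Classes\.exe key exists (normally absent)'
}

foreach ($key in $commandKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key).'(default)'
    if ($value -ne $expectedCommand) {
        Write-Warning "Open command at $key is '$value' (expected '$expectedCommand')"
    } else {
        Write-Output "OK: $key"
    }
}

# hosts file: anything other than the localhost lines is listed for review, since the
# post's rogue AV used it to redirect the browser. Ad-block style lists will show up too.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }   # skip blanks and comments
    $parts = $line -split '\s+'
    $isLocalhost = (@('127.0.0.1', '::1') -contains $parts[0]) -and ($parts[1] -eq 'localhost')
    if (-not $isLocalhost) { Write-Warning "hosts entry to review: $line" }
}
```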
 

Oh god, not another one of these "techs".

PS: your "fix" does not always work. But I am not going to spend a Saturday on this. I already got your post on the craigslist thread and see what you are all about.
 

Sorry you're so threatened by me Jimbo. Apparently my presence on this site threatens you enough to stalk my every move. It's a tool-less "trick" that I had already implied is not going to work in every case. It is something I had discovered "unarmed" in the field. If you want to get down to a "who's got the bigger tech member" contest, I'm uninterested. Some people might find this useful, some may not. Those who do will be thankful, those who don't can just go google it I suppose. Sorry we're not getting along so well Jimbo, I was really hoping we'd be friends.
 
Eh, perhaps I came to the wrong forum. I thought I had signed up for a tech forum, apparently not. May I ask what's specifically confusing about my posts? I try to practice the best English I can; if I am lacking, I'd love pointers on how to improve.
 

I would not worry about it lulmars128; nyjimbo still cannot understand that this will help others out and seems to have a negative response to other threads too. Great post, thanks for taking the time to post the thread, keep them coming. :D
 
I think the point some are making is that you come onto a forum as a new member and start handing out advice that any tech already knows. It could come across as a tad arrogant or maybe just naive.

Personally I don't have a problem with it, I just move on when I realise it's old info. NYJ however does have his obnoxiousness quotient to fulfill ;-)
 