EXEs pretend to launch

Rob_NNCC

I have a desktop that a client dropped off. This client likes to do things himself, so it is in an interesting state and he is fuzzy on what he did. The system is a Gx520 running Windows 7 HP 64-bit.

The issue is, almost no EXEs will launch. If I try to launch IE, MBAM, HijackThis, or anything else, the little circle hourglass will come up for a second then go away. If I try to launch a program that needs admin rights, UAC will pop up correctly identifying the program, but then nothing will come up after I hit OK.

Some EXEs will launch, such as regedit, cmd and MSCONFIG, but nothing off my flash drive or the already installed programs will go.

I have tested the HDD, RAM (6 passes), removed all startup items and services, scanned with McAfee (it is what is installed and it runs) and tried the EXE association reg fixes.

I think what happened is he got hit with malware and cleaned it up partway by himself. If I knew what he got hit by I would do some research...

Thanks in advance.
 
The issue is, almost no EXEs will launch.

Since it appears to be selective I would say the machine is probably still infected. Do the whole normal virus diag process.

The quickest thing is to try safe mode or D7 & then KillEmAll. Stuff like that for quick analysis.

But you should just go on with a normal diag because the fact it does boot and doesn't appear to produce errors until you try to run something I think you got something in there.
 
Definitely sounds like an infection. If you don't use D7, try "rkill" to stop any running malware.

You may need to run a 'fix file association/fix.exe' registry fix.
 
The latest version of RKILL has the exe file association fix built-in.

Well, the OP already said he did that (not that it would make any difference because certain EXEs launch) but also D7 has this built in...

I say look for an existing infection on this PC.

Interesting that certain EXEs will launch. Granted I don't know how most programs are actually programmed, I know how mine is and what it depends on (extremely little), and wonder if D7 or KillEmAll launches?
 
I tried D7, no dice. I will try KillEmAll though, thanks for the heads up on it being a scr.

P.S. I already tried a reg exe fix.

Thanks again.

EDIT: Safe mode exhibits the same issues.
 
OK. I booted and ran the Kaspersky Rescue Disk. It found and removed a bootkit and a few other goodies. Great! I rebooted and got 0x7b...

Ok, ran some tools, just for kicks ran /rebuildbcd and it came back with no windows installs. So I took a look and used diskpart to make the part active. Ran /rebuildbcd again, it found it and bam, system booted right up.

Again, I share solutions like this so that I can look back at them in the future.

Thanks for your advice in getting this fixed. This is the first bootkit I have run across so it was quite different for me to fix than the usual virus.
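The "active" marking set with diskpart in the post above is a one-byte status flag in the MBR partition table. As an added illustration (not part of the original thread), this Python sketch parses a 512-byte MBR sector and reports whether exactly one partition carries that flag. It assumes an MBR-partitioned disk; the sample sector and all function names are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
ENTRY_SIZE = 16
ACTIVE = 0x80           # status byte of the partition the BIOS boot code starts from


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector ending in the 0x55AA signature")
    entries = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), first LBA, sector count
        status, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        if ptype != 0x00:                       # type 0 marks an unused slot
            entries.append({"slot": slot, "status": status, "type": ptype,
                            "first_lba": lba, "sectors": count})
    return entries


def active_flag_findings(entries: list) -> list:
    """List problems with the active flag across the parsed entries."""
    findings = []
    if any(e["status"] not in (0x00, ACTIVE) for e in entries):
        findings.append("invalid-status-byte")
    active = [e for e in entries if e["status"] == ACTIVE]
    if not active:
        findings.append("no-active-partition")
    elif len(active) > 1:
        findings.append("multiple-active-partitions")
    return findings


def build_sample_mbr(parts: list) -> bytes:
    """Constructed test input: empty boot code plus (status, type, lba, count) entries."""
    sector = bytearray(SECTOR_SIZE)
    for slot, (status, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed sample: one NTFS (0x07) partition with the active flag cleared.
    mbr = build_sample_mbr([(0x00, 0x07, 2048, 204800)])
    print(parse_mbr(mbr), active_flag_findings(parse_mbr(mbr)))
```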
 