Had IS2010 now Windows can't open files

Discussion in 'Software' started by Betsyboo, Feb 14, 2010.

  1. Betsyboo

    Betsyboo Private E-2

    Hi
    Two weeks ago I had 2 Trojans (TROJAN-SPY.ZBOT.YETH & TROJAN-SPY.ZBOT.A) infect my pc, and IS2010 (not sure if they're the same thing, pls excuse my ignorance).

    I ran your READ & RUN ME FIRST procedure, posted logs to the Malware Forum and with TimW's help (he also asked me to run sfc /scannow which found no problems) cleaned the machine.

    The virus seems to have corrupted something and TimW said I should now post to this forum, so here goes.....

    My user account seems perfectly OK but my daughter's seems to be corrupted although apparently for a couple of days after I cleared the virus it was ok. When I log onto her profile most of the desktop items do not appear properly - they display the Firefox icon instead of their own. I also get the msg
    "Windows cannot open this file
    File: ie4uinit.exe"
    About 23 windows open when I log onto this user profile, all with the same msg, just a different file name.

    I don't know enough about computers to figure out how to get round this, so can't open any files as this user.

    I created a new user profile with a different name for my daughter to use until I got the old one fixed, but this new one is doing exactly the same as the old one.

    Since the clean-up I have installed Comodo - so don't know if I may have blocked/allowed something that I shouldn't have. Since I disabled SpywareDoctor (paid-for version) while doing the clean-up, I can't get it working again. I have now uninstalled it but cannot reinstall it, so have activated Defender hoping that will be better than nothing. Hoping that you can help me reinstall SpywareDoctor at some point. If you need them I can give you the error msgs obtained while trying to do the reinstall.

    I still can't run SAS or MBAM from the corrupted account, although I can run them from mine.

    Am running Vista Home Premium SP2, 4GB RAM, IntelCore2 Duo, E6750@2.66GHz, 32 bit.

    Thanks for any assistance - hope someone can help!
     
  2. brandypeppy

    brandypeppy MajorGeek

    As Tim said, you've got an awful lot of accounts, I hope only one admin, right? And it is password protected? Verify that there is just this one admin account.
    SAS and Mbam may require admin privileges, right click on program and select "run as administrator".
    Try this program, Dialafix;
    http://majorgeeks.com/downloadget.php?id=4899&file=15&evp=7d21ae5c611baf9a52b1750805534dda

    If it finds a lot to fix, run it again.

    I assume Comodo antivirus and Windows Defender anti-spyware. Are you certain you totally uninstalled Spyware Doctor? Run CCleaner and the registry cleaner in same program, create reg backup when prompted.

    But first, as Tim suggested, get all the data you need/want off the machine.

    Did you run the SFC /scannow? Try again after you try the above.

    For free anti-virus, the most highly recommended are Avast or AVG, my preference is AVG, have had only good luck with it. You really don't need to lay out $'s for anti-vir, but it's your choice of course.
     
  3. Betsyboo

    Betsyboo Private E-2

    Hi
    I didn't know there were so many accounts - my kids must have set them up. The only profiles that show when we log on are now Kate, KT, Liz and Toby (not sure what the difference is between an account and a profile). Would like to delete the unused accounts at some point if you could tell me how.

    As far as I know there is only one admin account which is not password protected.

    I can't get SAS or MBAM to run on the corrupted account. If I right click on the programs, I can't see "Run as administrator". Can't run them from the desktop or from the Start menu either. When I try to run them a Firefox browser opens with "file:///C:/Program Files/SUPERAntiSpyware.exe" instead of the url. Also another window opens which says
    Opening SUPERAntiSpyware.exe
    You have chosen to open
    SUPERAntiSpyware.exe
    which is a: EXE file
    from c:\Program Files\SUPERAntiSpyware
    Would you like to save this file?
    Save File Cancel.

    Downloaded Dialafix from your link, but when I run it, this message appears
    "Dial-a-fix is not ready for Vista (yet). There are many changes in Vista that prevent the normal operation of Dial-a-fix. Check the Dial-a-fix website after Windows Vista has been released in the retail market."
    So I couldn't run it.

    Neither could I run CCleaner from the corrupt account (pls explain what you mean by 'Run CCleaner and the registry cleaner in the same program' - where should I get registry cleaner from?)

    I am now running Comodo Firewall. Windows Defender antispyware is a temporary measure until I can get SpywareDoctor running again. Am also running AVAST av (used to run AVG but changed as this seemed to slow things up.)

    The uninstall of SpywareDoctor appeared to go ok and I found some uninstall logs earlier but now I can't find them.

    As you've probably guessed I'm not at all computer savvy so please go easy on me. Appreciate your help - what should I do now?

    Thanks.
     
  4. brandypeppy

    brandypeppy MajorGeek

    Dialafix, strange because the MG site says Vista compatible but you and others have said it doesn't work for Vista?? Not sure what the right answer is.

    In CCleaner, look at the boxes on the left in the main screen. Click on registry, then scan, then backup registry, name it Feb. 16 Reg, saved in your documents, though I've never needed to use it.

    When you right click on SAS or M-bam, you don't get a menu, with one choice being "Run as Administrator"?? That would only be the case if you are clicking on the zipped file. You should get that option, I get it on all programs on my Vista desktop.

    I would run the cleaning programs, uninstall Firefox, SAS, Mbam, and Comodo.

    Then clean again, and the registry.

    Then install just SAS and Mbam and try running those, turning off Avast of course.
     
  5. Betsyboo

    Betsyboo Private E-2

    Hi
    I can't run CCleaner (or any .exe file apart from Outlook) from the corrupt Katie account. When I try (whichever way I choose), a Firefox browser window opens with a smaller window which says

    Opening CCleaner.exe
    You have chosen to open
    CCleaner.exe
    which is a: EXE file
    from C:\Program Files\CCleaner
    Would you like to save this file?
    SaveFile Cancel

    When I right-click on SAS or MBAM from the Katie account, the "Run as Administrator" option is not present on the menu. When I run these programs from the admin account, the "Run as Administrator" option IS available on the menu. So I still haven't been able to run SAS or MBAM from the Katie account.

    I haven't uninstalled Firefox, SAS, MBAM or Comodo yet as I'm so afraid that I might not be able to install them again properly (if you remember, I uninstalled SpywareDoctor and the uninstall seemed to go ok, but I cannot reinstall it now).

    When you say to "clean again, and the registry", how do I clean the registry, and exactly what do you want me to run to "clean again"?

    I hope that this all makes sense to you. Thanks for helping.
     
  6. brandypeppy

    brandypeppy MajorGeek

    Those are limited user accounts so it may be that those programs will only run in the admin account, and being the only admin account that should take care of everything on the computer.

    Are you still having odd messages in the limited user accounts?
    Did you run the SFC /scannow in a cmd prompt from the admin account?

    Do you have an install disk? Perhaps a repair from the disk is in order. Run everything from your account only.

    In CCleaner, look at the boxes on the left in the main screen. Click on registry, then scan, then backup registry, name it Feb. 16 Reg, saved in your documents, though I've never needed to use it.

    Did you do this, in the admin acct only?
     
  7. Betsyboo

    Betsyboo Private E-2

    Hi
    The limited user accounts aren't operating normally at all.

    Most of the icons on the Katie desktop show the Firefox icon, not the ones they should be. On the KT desktop most of the icons display as Nikon Viewer. I cannot run ANY .exe files from these user accounts (have only found that I can run Outlook, which we don't use anyway!)

    When I created the KT user account a couple of days ago, this was also corrupted and not operating properly.

    I did run SFC /scannow from the admin account and I got the message back, "Windows resource protection did not find any integrity violations".

    I don't have Vista disk - the pc came with a recovery disk which I think will wipe the hard drive if I run it, so that has to be a last resort if at all possible.

    I ran CCleaner as you suggested and it found issues with the registry. I haven't fixed them yet as wasn't sure whether I should. How do I back up the registry?

    Do you think there is still malware on this pc, or is it corrupted?

    Thanks for any more help you can offer.
     
  8. alan12345

    alan12345 Private E-2

    If your kids do not have admin rights on their accounts,
    they must have known your name and logged into your admin account so they could create more accounts for themselves.

    I wonder what else they did using your admin rights.
    Install something dangerous perhaps ! ! !

    Passwords are good
    Alan
     
  9. brandypeppy

    brandypeppy MajorGeek

    The Malware Fighters here are the best, if they say you are clean, I'd be strongly inclined to believe them.

    But having system problems after malware removal is very common. I hope you have all your data saved off your computer by now because; 1) It's just prudent, your HD could die the next minute, 2) A reformat after removal is not uncommon.

    When you run the registry cleaner in CCleaner, you first scan for issues, then select fix all issues, at that time you will be given a prompt to first backup the registry. At this point you can accept, decline, or cancel. Accept and name it Feb. 18 Reg, and save in your documents. I've never had to use this but it will be there for peace of mind.

    Then reboot. I would also delete the corrupted user accounts until this is resolved.

    You may well end up using that recovery disk. I THINK if you boot from it you will be given a repair option that would save the data. It also gives a restore to factory settings option, that would wipe out the data.

    Try the other steps first but at some point you may decide it is less effort just to restore the thing and put your data back on.
     
  10. Betsyboo

    Betsyboo Private E-2

    Thanks for all the help and advice.

    I've saved as much data as I can find (I'm not the only user and the others are away at uni atm so I'm doing my best).

    Have run CCleaner and backed up the registry.

    Have deleted the new KT corrupted account but have left the corrupted Katie account so that I can see if the EXE problem is resolved.

    Am resigned to using the recovery disk, but can I ask one last question.....

    Originally all this seems to have been caused by infections with the TROJAN-SPY.ZBOT.YETH and TROJAN-SPY.ZBOT.A viruses, and at the time of the infection I got a msg (from AVAST, I think), that registry entries had been changed...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon,Userint = C:\\Windows\system32\userinit.exe C:\\Windows\system32\sdra64.exe

    Obviously, I have now cleaned the pc and my current registry setting is
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon,Userint = C:\Windows\system32\userinit.exe,

    (Please note, there IS a comma after userinit.exe - should that be there?)

    My question is - I CAN run .exe files from my user account which is an admin account, but they CAN'T be run from the Katie account - are there different registry entries for that account that may have been corrupted? Also, a newly-created user account is corrupted too, so is that picking up a corrupted registry entry?

    Thanks again.
     
  11. brandypeppy

    brandypeppy MajorGeek

    So, the admin account is ok, but user accounts with limited privileges are not?

    Limited user accounts are just that, limited. They will run executable programs like notepad, word, excel, etc. But they will not allow executables that make changes to the system. Still, your limited user accounts are off.

    See this article from microsoft about user account set-up;
    http://windows.microsoft.com/en-US/windows-vista/Fix-a-corrupted-user-profile

    Also, try this;
    Click start - run - type cmd, then in the command box type net user, this will show you the accounts you have set up.
    Then for the corrupted user accounts type in, for instance named "katie", type net user katie /delete

    But make sure you have the data saved per the MS article.

    For more options with this command, type net help user

    Yes, that comma should be there.
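
As an added example (not part of the original posts): a small Python check for the Winlogon value discussed above. It splits the value into the programs it lists and reports anything other than userinit.exe, using the two values quoted in the thread; the baseline path and the function names are assumptions of this example.

```python
import re

# Assumed baseline: the single program a stock install lists in this value.
EXPECTED = r"c:\windows\system32\userinit.exe"

# The two values quoted in the thread, copied as posted.
INFECTED = r"C:\\Windows\system32\userinit.exe C:\\Windows\system32\sdra64.exe"
CLEAN = r"C:\Windows\system32\userinit.exe,"

# A drive-letter path up to the first ".exe". This separates entries even when
# the comma between them is missing, as in the infected value above.
_EXE_PATH = re.compile(r"[A-Za-z]:\\+.*?\.exe", re.IGNORECASE)


def normalize(path):
    """Lower-case and collapse doubled backslashes so paths compare equal."""
    return re.sub(r"\\+", r"\\", path.strip().lower())


def userinit_entries(value):
    """Split the value into the individual programs it names."""
    entries = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue  # the normal trailing comma leaves an empty piece
        found = _EXE_PATH.findall(part)
        # Keep anything that is not a drive-letter path so it still gets flagged.
        entries.extend(found if found else [part])
    return [normalize(e) for e in entries]


def unexpected_entries(value):
    """Return every listed program that is not the expected userinit.exe."""
    return [e for e in userinit_entries(value) if e != EXPECTED]


if __name__ == "__main__":
    for label, value in (("infected", INFECTED), ("clean", CLEAN)):
        extra = unexpected_entries(value)
        print(label, "->", extra if extra else "only userinit.exe")
```

The trailing comma in the cleaned value produces no entry, so that value passes; the infected value is flagged for the extra sdra64.exe path.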
     
  12. Betsyboo

    Betsyboo Private E-2

    Hi
    Thanks for suggesting the microsoft link - I have already seen it and it doesn't work because the new profile is corrupted when it is created. This means that any new limited user profiles will be unusable.

    When I type in the net user command, I can only see six of the accounts that you mentioned; not all of them are displayed in the list!

    Thanks again for all your help, I can see that I'm going to have to use that recovery disk after all!
     
