Programs won't run.

[Devante]

Hey guys, having a tough issue with my PC. Windows 7 - 64bit

My virus scanner (AVG) was down for a week or two and I got a virus in that time.
The fake virus scanner virus and also one that pops up random ad websites.

I did some virus scanning but now when I try to run a program, it won't do anything.
I'll see it pop up in task manager for a few seconds, then go away again.
Happens even in Safe Mode.

Let me list the things I've done:

Session 1: Safe Mode
Ran: Super ANTISpyware, Malwarebytes, Spybot, HiJackThis, CCleaner
Result: Got rid of fake virus scanner, but not website popups.

Session 2: Safe Mode
Ran: Same programs + Ad-Aware
Result: Aforementioned issue - programs won't run.

Session 3: Booted off of UBCD4Windows disk.
Ran: McAfee Stinger, Avira, Super ANTISpyware, SpyBot, Avast! Tool
Result: Same - Programs won't run.

Session 4: Scanned HDD externally from another Windows 7 machine.
Ran: Super AntiSpyware, Spybot, Malwarebytes, AVG, Anti-Malware (formally a-squared)
Result: Same - programs won't run.

Session 5: Safe Mode
Tried: rkill (tried exe, scr, com, and the other variations), ComboFix - neither will run
Tried: Renaming rkill to notepad.exe and running from Windows folder - same problem, although notepad itself will work
Tried: Uninstalling Ad-Aware (in Safe Mode and normal mode) - gives error "Cannot access the Windows Installer service"


So I'm at a loss at what to do now.

Any suggestions guys?
Anyone come across this?

Thanks for any advice.

 

[FAST6191]

"The fake virus scanner virus"

The vast majority of these I see reroute the exe/PE launch routines to make it activate on every attempt to launch an exe by standard means- it is one of the reasons Super AntiSpyware comes as a .com file and one of the reasons gmer comes with a self contained command line/program launch and most methods will have you. This is besides the point- if one of the removal programs restored the launch method badly I can see this happening.

Try to get to the command line and launch things from there- the same thing that allows the scanner to be good will work here as well.

"%1" %* quotes included should be the value. You can do this from the registry but I do not know offhand where 7's entry is. XP is HKCR\exefile\shell\open\command

I am not sure if it will fix the problem (probably not as it is a registry issue) but "SFC /scannow" from a command line is a good idea as well.

Session 3: Booted off of UBCD4Windows disk.
Ran: McAfee Stinger, Avira, Super ANTISpyware, SpyBot, Avast! Tool
Result: Same - Programs won't run.

Interesting- before I say something like BIOS loaded malware (such things returned to the fore the other month) I will mention most of those malware tools have serious issues running from livecds.

Equally it might be the boot sector- malware that hits there is considerably more common these days. Plenty of tools to sort this.
On the same line of thought just to be safe when you stuck the drive in your other machine it did not have autoplay enabled?

 

[Devante]

Session 6: Booted off of UBCD4Windows disk.
Ran: gmer
Found: TDR@MBR virus
Ran: Recovery Console > bootrec /fixmbr
Results: Profit!

Thanks for the gmer suggestion. Never heard of that one.

So it turns out I had a boot sector virus after all. Crazy, in all my years working on PC's (even as a EasyTech at Staples) I've never had a PC infected with a boot sector virus. I guess they're making a come back? ha

Anyway, thanks again man.