Cust gets tricked into EXEs opening with Notepad.


Xander
05-23-2010, 11:46 PM
Fellow calls me up around noon asking for a housecall; seems he's infected himself with a fake AV. The laptop was a simple infection: found a gibberish filename, end process, delete file. Scan.

The desktop was pretty similar but here's the fun part: He'd gone online and someone had convinced him that he could 'patch' Windows and to paste what I'm assuming was a VBS into Notepad, save and run it. He alleges it turned off the fake AV for a while but all the EXEs started opening in Notepad.

Got rid of the fake AV by renaming combofix to a .com; it couldn't run half its stuff but still did the job.

Fixing the EXE was another matter. Regedit wouldn't open nor would it accept renaming to .com; merging my emergency "exe file association" reg file didn't work either.

I tried a few command line tricks including: assoc .exe=exefile ... nothing. Twas already set to that.

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

In the end, I logged into Safe Mode w/CMD and got System Restore to run, rolling it back to before he'd run the VBS. Since System Restore ran, and before it did its thing, I opened up Regedit and the associations were fine (of course they were, since I was able to open Regedit and SysRest).

I set him, secondarily, with SAS Pro, Dropbox to keep his files safe, Firefox (over IE) with Weave to sync his bookmarks to the laptop. He was more than pleased with the results and threw another 40% on the bill as a tip.

I'm trying to think of what I might have missed with the association. I hate resorting to System Restore so who has ideas on what else might have worked?

NYJimbo
05-24-2010, 12:10 AM
I think you attacked the problem in the right manner, I mean your diags are sound and the association stuff (including the reg file fix) was all logical, and that usually fixes most of these kinds of things.

If anything I wonder about this:

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

It would be something global, maybe a logon program replacement or some registry setting added to the "what to do right after logging on". I can't remember the stuff in regedit, but it's there.

If it were possible to get the VBS snippet the client put in and google anything about its content there might be clues. But I think the bottom line is you did all the proper things to diag this as much as possible and then went for a system restore because it was available and it worked.

I would still do a thorough assortment of scans to make sure the thing isn't lurking around waiting to be triggered again.

Xander
05-24-2010, 03:44 AM
Yeah, ran quick scans of all the major players while there; left it running full scans to pick up any crumbs.

Also of note: It would run the default programs like Windows Mail from the start menu but, when I saw that, I thought I'd rename WM and try copying regedit into its place. No could do. Even after taking ownership. Weirdness.

Anyway, thanks for the second opinion, Jim.

tkrabec
05-24-2010, 02:24 PM
It's pretty simple, or at least on the few I've seen. Just delete the .exe key in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now detects more renamed programs and flags them as infected.

NYJimbo
05-24-2010, 02:50 PM
It's pretty simple, or at least on the few I've seen. Just delete the .exe key in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.


But he made a brand new user and the problem followed.
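tkrabec's per-user fix and Jimbo's point that the problem followed a brand-new profile come down to which hive the .exe association is coming from. The read-only PowerShell check below is an added example (not from anyone in the thread): it reads the .exe ProgID and its open command from HKCU\Software\Classes (per-user, shadows the machine) and HKLM\Software\Classes (all users) and flags any open command that is not the stock `"%1" %*`, so you can tell a per-user hijack from a global one before trying a .reg fix.

```powershell
# Added example, not part of the thread. Read-only: it changes nothing.
# Run from an elevated PowerShell (on Vista, PowerShell 2.0 is enough).
$expectedCommand = '"%1" %*'   # stock open command for exefile

function Get-DefaultValue {
    # Return the (default) value of a registry key, or $null if the key is absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeAssociation {
    # Report the .exe ProgID and its shell\open\command under one Classes root.
    param([string]$Label, [string]$Root)
    Write-Host "== $Label ($Root) =="
    $progId = Get-DefaultValue "$Root\.exe"
    if (-not $progId) {
        # Normal for HKCU on a clean box: no per-user override of .exe exists.
        Write-Host "  .exe : not defined here"
        return
    }
    Write-Host "  .exe -> $progId"
    $command = Get-DefaultValue "$Root\$progId\shell\open\command"
    Write-Host "  $progId open command: $command"
    if ($command -ne $expectedCommand) {
        # Anything else (e.g. a path to notepad.exe) means this hive is what
        # sends every EXE to the wrong program; fix it in this hive.
        Write-Warning "$Label : .exe open command is not $expectedCommand"
    }
}

# Per-user override is consulted first by Explorer, then the machine-wide key.
Test-ExeAssociation -Label 'HKCU (this user only)' -Root 'HKCU:\Software\Classes'
Test-ExeAssociation -Label 'HKLM (all users)'      -Root 'HKLM:\Software\Classes'
```

If only HKCU is wrong, a fresh profile will be clean and deleting that user's .exe key is enough; if HKLM is wrong, every profile inherits it, which matches what Xander saw with the new user.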

Vakman
05-24-2010, 10:04 PM
Wouldn't this (http://www.technibble.com/xp_fileassoc-bat-xp_exe_fix-reg-repair-tool-of-the-week/) work? It was featured on Technibble. I used it before: the .reg didn't work, but the .bat one worked since Regedit wouldn't open (as you said, but you didn't say you tried the .bat version).
Maybe you could try it next time.

Xander
05-24-2010, 10:51 PM
It's pretty simple, or at least on the few I've seen. Just delete the .exe key in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now detects more renamed programs and flags them as infected.
Yeah, like Jimbo restated, I'd created a new user profile so the problem was universal, not user-specific.
And, as said, I was able to rename Combofix to a .com to get it started but it brings out subsidiary .exes which failed.
Regedit.exe refused to run as a .com.

Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.

Vakman
05-25-2010, 12:49 AM
Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.

The link has the .reg you have, but there is also a .bat you can run from this link. Maybe I am incorrect and they will both fail because they are essentially doing the same thing, but I am pretty sure the .bat file would likely work, and that is the reason it is there if the .reg can't be used.

NRTS
05-28-2010, 10:53 PM
I've had great success using a BartPE boot CD with registry editing tools to open the broken PC's keys and update them to the correct values. I also carry a netbook booting multiple OSes so that I can check the registry of a reference machine... especially handy if you cannot get to the internet for answers.