Technibble Forums > General Computers > Tech-to-Tech Computer Help
#1  05-23-2010, 10:46 PM  Xander (Join Date: Oct 2008; Location: Niagara region, Ontario; Posts: 6,753)

Cust gets tricked into EXEs opening with Notepad.

Fellow calls me up around noon asking for a housecall; seems he's infected himself with a fake AV. The laptop was a simple infection: found a gibberish filename, end process, delete file. Scan.

The desktop was pretty similar but here's the fun part: He'd gone online and someone had convinced him that he could 'patch' Windows and to paste what I'm assuming was a VBS into Notepad, save and run it. He alleges it turned off the fake AV for a while but all the EXEs started opening in Notepad.

Got rid of the fake AV by renaming combofix to a .com; it couldn't run half its stuff but still did the job.

Fixing the EXE was another matter. Regedit wouldn't open nor would it accept renaming to .com; merging my emergency "exe file association" reg file didn't work either.

I tried a few command line tricks including: assoc .exe=exefile ... nothing. 'Twas already set to that.

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

In the end, I logged into Safe Mode w/CMD and got System Restore to run, rolling it back to before he'd run the VBS. Since System Restore ran, and before it did its thing, I opened up Regedit and the associations were fine (of course they were, since I was able to open Regedit and SysRest).

I set him, secondarily, with SAS Pro, Dropbox to keep his files safe, Firefox (over IE) with Weave to sync his bookmarks to the laptop. He was more than pleased with the results and threw another 40% on the bill as a tip.

I'm trying to think of what I might have missed with the association. I hate resorting to System Restore so who has ideas on what else might have worked?
__________________
Xander St Catharines Computer Repairs

New here? Watch this and read this. Remember, it's not our problem, it's yours so ask your questions well.
e.g. Make/Model#, Win version/SP#, BSOD 0x#. Consider posting Event Viewer logs, Autoruns exports or Speccy reports.
More info means better answers and less snark.

Don't be parasitic and only pose your own questions. Help others.

D7 question/idea/etc? Bring it to the D7 Forums.
#2  05-23-2010, 11:10 PM  NYJimbo (Join Date: Jul 2008; Location: Long Island, you know, like the iced tea.; Posts: 6,588)

I think you attacked the problem in the right manner. I mean your diags are sound, and the association stuff (including the reg file fix) was all logical and usually fixes most of these kinds of things.

If anything I wonder about this:

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

It would be something global, maybe a logon program replacement or some registry setting added to the "what to do right after logging on". I can't remember the stuff in regedit, but it's there.

If it were possible to get the VBS snippet the client put in and google anything about its content, there might be clues. But I think the bottom line is you did all the proper things to diag this as much as possible and then went for a system restore because it was available and it worked.

I would still do a thorough assortment of scans to make sure the thing isn't lurking around waiting to be triggered again.
__________________
Asking for help ? If the make and model of your computer OR the O/S info is left off your post, I probably will not help you. It gets real old, real quick for me to have to ask for basic info just to help people.
#3  05-24-2010, 02:44 AM  Xander

Yeah, ran quick scans of all the major players while there; left it running full scans to pick up any crumbs.

Also of note: It would run the default programs like Windows Mail from the start menu but, when I saw that, I thought I'd rename WM and try copying regedit into its place. No could do. Even after taking ownership. Weirdness.

Anyway, thanks for the second opinion, Jim.
#4  05-24-2010, 01:24 PM  tkrabec (Join Date: Mar 2007; Location: Indiantown; Posts: 307)

It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now is detecting more programs renamed and flagging them as infected.
#5  05-24-2010, 01:50 PM  NYJimbo

Quote:
Originally Posted by tkrabec View Post
It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.
But he made a brand new user and the problem followed.
#6  05-24-2010, 09:04 PM  Vakman (Join Date: May 2010; Location: Ontario, Canada; Posts: 22)

Wouldn't this work? It was featured on Technibble. I used it before: the .reg didn't work, but the .bat one worked since Regedit wouldn't open (as you said, but you didn't say you tried the .bat version).
Maybe you could try it next time.
#7  05-24-2010, 09:51 PM  Xander

Quote:
Originally Posted by tkrabec View Post
It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now is detecting more programs renamed and flagging them as infected.
Yeah, like Jimbo restated, I'd created a new user profile, so the problem was universal, not user-specific.
And, as said, I was able to rename Combofix to a .com to get it started, but it brings out subsidiary .exes which failed.
Regedit.exe refused to run as a .com.

Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.
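The thread circles around one question: is the .exe hijack sitting in the per-user hive (tkrabec's fix) or machine-wide (which Xander's new-profile test suggests)? `assoc .exe` cannot tell you, because it reads the merged HKCR view in which HKCU\Software\Classes silently overrides HKLM\SOFTWARE\Classes. The read-only audit below is an added example, not code from this thread or from Technibble; it assumes an elevated PowerShell prompt on Vista or later and reports each relevant key with the hive it lives in, so you know where to repair before rebooting into System Restore.

```powershell
# Added example, not code from the thread. Read-only audit of the registry
# values that decide how .exe files launch, reporting whether an override
# lives in the per-user hive (HKCU) or the machine hive (HKLM).
# Assumption: run from an elevated PowerShell prompt on Vista or later.

$checks = @(
    # Machine-wide keys: should hold the stock values below.
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Expect = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Expect = '"%1" %*' },
    # Per-user keys: normally absent; if present they override HKLM for that user.
    @{ Path = 'HKCU:\Software\Classes\.exe';                       Expect = $null },
    @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command'; Expect = $null }
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (Default) value, or $null when the key or value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

foreach ($c in $checks) {
    $actual = Get-DefaultValue $c.Path
    if ($null -eq $c.Expect) {
        # A per-user key that exists at all is the tell-tale for a profile-level hijack.
        $status = if ($null -eq $actual) { 'OK (absent)' } else { 'SUSPECT (per-user override present)' }
    } else {
        # A machine-wide key pointing anywhere but the stock value affects every profile,
        # which matches the "new user, same problem" symptom described above.
        $status = if ($actual -eq $c.Expect) { 'OK' } else { 'SUSPECT (expected ' + $c.Expect + ')' }
    }
    $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
    '{0,-60} {1,-30} {2}' -f $c.Path, $shown, $status
}
```

If regedit.exe itself will not launch, the same script runs from Safe Mode with Command Prompt or from an offline boot CD that loads the victim's hives, which is the approach NRTS describes later in the thread.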
#8  05-24-2010, 11:49 PM  Vakman

Quote:
Originally Posted by Housecalls View Post
Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.
The link has the .reg you have, but there is also a .bat you can run from this link. Maybe I am incorrect and they will both fail because they are essentially doing the same thing, but I am pretty sure the .bat file would likely work, and that is the reason it is there if the .reg can't be used.

Last edited by Vakman; 05-25-2010 at 12:02 AM.
#9  05-28-2010, 09:53 PM  NRTS (Join Date: May 2010; Location: UK; Posts: 3)

I've had great success using a BartPE boot CD with registry editing tools to open the broken PC's keys and update them to the correct values. I also carry a netbook booting multiple OSes so that I can check the registry of a reference machine... especially handy if you cannot get to the internet for answers.
Tags: exe file associations