#1
05-23-2010, 11:46 PM
Xander
Banned
 
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,870
Cust gets tricked into EXEs opening with Notepad.

Fellow calls me up around noon asking for a housecall; seems he's infected himself with a fake AV. The laptop was a simple infection: found a gibberish filename, end process, delete file. Scan.

The desktop was pretty similar but here's the fun part: He'd gone online and someone had convinced him that he could 'patch' Windows and to paste what I'm assuming was a VBS into Notepad, save and run it. He alleges it turned off the fake AV for a while but all the EXEs started opening in Notepad.

Got rid of the fake AV by renaming combofix to a .com; it couldn't run half its stuff but still did the job.

Fixing the EXE was another matter. Regedit wouldn't open nor would it accept renaming to .com; merging my emergency "exe file association" reg file didn't work either.

I tried a few command line tricks including: assoc .exe=exefile ... nothing. 'Twas already set to that.

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

In the end, I logged into Safe Mode w/CMD and got System Restore to run, rolling it back to before he'd run the VBS. Since System Restore ran, and before it did its thing, I opened up Regedit and the associations were fine (of course they were, since I was able to open Regedit and SysRest).

I set him, secondarily, with SAS Pro, Dropbox to keep his files safe, Firefox (over IE) with Weave to sync his bookmarks to the laptop. He was more than pleased with the results and threw another 40% on the bill as a tip.

I'm trying to think of what I might have missed with the association. I hate resorting to System Restore so who has ideas on what else might have worked?
#2
05-24-2010, 12:10 AM
NYJimbo

Join Date: Jul 2008
Location: Long Island, you know, like the iced tea.
Posts: 6,735

I think you attacked the problem in the right manner; I mean your diags are sound and the association stuff (including the reg file fix) was all logical, and that usually fixes most of these kinds of things.

If anything I wonder about this:

Thinking it might have been a per-user setting, I created a new user profile and logged into that. Right off the bat, it tried to open things in notepad. Fail.

It would be something global, maybe a logon program replacement or some registry setting added to the "what to do right after logging on". I can't remember the stuff in regedit, but it's there.

If it were possible to get the VBS snippet the client put in and google anything about its content, there might be clues. But I think the bottom line is you did all the proper things to diag this as much as possible and then went for a system restore because it was available and it worked.

I would still do a thorough assortment of scans to make sure the thing isn't lurking around waiting to be triggered again.
#3
05-24-2010, 03:44 AM
Xander
Banned

Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,870

Yeah, ran quick scans of all the major players while there; left it running fulls scans to pick up any crumbs.

Also of note: it would run the default programs like Windows Mail from the start menu but, when I saw that, I thought I'd rename WM and try copying regedit into its place. No can do. Even after taking ownership. Weirdness.

Anyway, thanks for the second opinion, Jim.
#4
05-24-2010, 02:24 PM
tkrabec

Join Date: Mar 2007
Location: Indiantown
Posts: 307

It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now is detecting more programs renamed and flagging them as infected.
#5
05-24-2010, 02:50 PM
NYJimbo

Join Date: Jul 2008
Location: Long Island, you know, like the iced tea.
Posts: 6,735

Quote:
Originally Posted by tkrabec
It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.
But he made a brand new user and the problem followed.
#6
05-24-2010, 10:04 PM
Vakman

Join Date: May 2010
Location: Ontario, Canada
Posts: 22

Wouldn't this work? It was featured on Technibble. I used it before; the .reg didn't work but the .bat one worked since Regedit wouldn't open (as you said, but you didn't say you tried the .bat version).
Maybe you could try it next time.
#7
05-24-2010, 10:51 PM
Xander
Banned

Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,870

Quote:
Originally Posted by tkrabec
It's pretty simple, or at least on the few I've seen. Just delete the .exe in the registry for that user under HKEY_CURRENT_USER.
Also, renaming the .exes you need to complete this to .com works often.

Although the latest variant I'm working on now is detecting more programs renamed and flagging them as infected.
Yeah, like Jimbo restated, I'd created a new user profile so the problem was universal, not user-specific.
And, as said, I was able to rename Combofix to a .com to get it started but it brings out subsidiary .exes which failed.
Regedit.exe refused to run as a .com.

Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.
#8
05-25-2010, 12:49 AM
Vakman

Join Date: May 2010
Location: Ontario, Canada
Posts: 22

Quote:
Originally Posted by Housecalls
Vakman, I'm pretty sure that's the same .reg I've got on my locking USB for these occasions. However, those are XP and it was a Vista system. I found some similar .regs on another reputable site (his wife's comp) and tried those, but to no avail.
The link has the .reg you have, but there is also a .bat you can run from this link. Maybe I am incorrect and they will both fail because they are essentially doing the same thing, but I am pretty sure the .bat file would likely work, and that is the reason it is there, if the .reg can't be used.

Last edited by Vakman; 05-25-2010 at 01:02 AM.
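The thread bounces between `assoc` (which only shows HKCR\.exe, not the command behind it), tkrabec's per-user HKEY_CURRENT_USER fix, Xander's finding that a fresh profile was still broken (so the hijack was machine-wide), and Vakman's .bat alternative to the .reg file. Below is one diagnostic-and-repair batch file that walks every place an .exe launch can be redirected on Vista/7 and then restores the stock values. This is an added example, not code from the thread or from the Technibble download Vakman refers to. It assumes an elevated cmd prompt on the infected machine, that reg.exe still runs even though regedit.exe will not (it is a separate binary, which is the same reason the .com rename trick works for some tools), and that `/fix` is the only argument; the file name fixexe.bat is made up for the usage note.

```batch
@echo off
rem Added example (not from the thread): diagnose, then repair, a hijacked
rem .exe association from an elevated cmd prompt on Vista/7.
rem Assumption: reg.exe is not blocked even though regedit.exe is.

echo === 1. What the shell will actually do with an .exe ===
rem assoc shows only HKCR\.exe; ftype shows the command behind the ProgID,
rem which is where an "open with notepad.exe" hijack usually lives.
assoc .exe
ftype exefile

echo === 2. Per-user override that wins over HKCR (tkrabec's case) ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /s 2>nul

echo === 3. Machine-wide keys that follow a brand-new profile (Xander's case) ===
reg query "HKLM\Software\Classes\.exe" /ve
reg query "HKLM\Software\Classes\exefile\shell\open\command" /ve

echo === 4. Debugger hook that stops regedit.exe from starting ===
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger 2>nul

if /i not "%~1"=="/fix" (
  echo.
  echo Compare the values above with a clean machine, then re-run with /fix.
  goto :eof
)

echo === Repairing ===
rem Stock Vista/7 values. %%1 and %%* are doubled because this is a .bat;
rem \" passes a literal quote through to reg.exe so the stored data is "%1" %*
reg add "HKLM\Software\Classes\.exe" /ve /d "exefile" /f
reg add "HKLM\Software\Classes\exefile" /ve /d "Application" /f
reg add "HKLM\Software\Classes\exefile\shell\open\command" /ve /t REG_EXPAND_SZ /d "\"%%1\" %%*" /f
reg add "HKLM\Software\Classes\exefile\shell\runas\command" /ve /t REG_EXPAND_SZ /d "\"%%1\" %%*" /f

rem Drop the per-user override and any debugger hook on regedit.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /f 2>nul
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /f 2>nul

rem Restart Explorer so it re-reads the association.
taskkill /f /im explorer.exe >nul 2>nul
start explorer.exe
```

Run it once with no arguments (`fixexe.bat`) to see the current values; if the `ftype exefile` line or the `open\command` default points at notepad.exe, or a Debugger value shows up under Image File Execution Options, run `fixexe.bat /fix`. Because the repair writes to HKLM\Software\Classes rather than HKCU, it also covers the case where a fresh user profile was still broken. If cmd itself will not start, this is the point at which the offline approach later in the thread is the only option.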
#9
05-28-2010, 10:53 PM
NRTS

Join Date: May 2010
Location: UK
Posts: 3

I've had great success using a BartPE boot CD with registry editing tools to open the broken PC's keys and update them to the correct values. I also carry a netbook booting multiple OSes so that I can check the registry of a reference machine... especially handy if you cannot get to the internet for answers.
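NRTS's offline approach, as an added example (not his code and not tied to any particular BartPE plugin): the same .exe-association repair applied from a BartPE/WinPE boot using reg.exe's load/unload against the registry hives on disk, so nothing on the infected install ever has to execute. It assumes the infected system drive shows up as D: in the PE environment and that it is a Vista-style layout with profiles under D:\Users (on XP they live under Documents and Settings instead); the temporary key names HKLM\offsoft and HKLM\offuser are arbitrary.

```batch
@echo off
rem Added example (not from the thread): fix a hijacked .exe association in an
rem OFFLINE Windows install from a BartPE/WinPE boot.
rem Assumptions: infected Windows is on D: with a Vista-style D:\Users layout,
rem and the PE session has admin rights. Hive names are arbitrary.
set OFFWIN=D:\Windows
set HIVE=HKLM\offsoft

rem Mount the offline SOFTWARE hive under a temporary key. This fails if the
rem hive is locked (install still booted, or a previous load never unloaded).
reg load %HIVE% "%OFFWIN%\System32\config\SOFTWARE" || (echo Could not load SOFTWARE hive & goto :eof)

echo === Current offline values ===
reg query "%HIVE%\Classes\.exe" /ve
reg query "%HIVE%\Classes\exefile\shell\open\command" /ve
reg query "%HIVE%\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger 2>nul

echo === Restoring stock Vista/7 values ===
rem %%1 / %%* are doubled because this is a .bat; \" passes a literal quote to reg.exe.
reg add "%HIVE%\Classes\.exe" /ve /d "exefile" /f
reg add "%HIVE%\Classes\exefile" /ve /d "Application" /f
reg add "%HIVE%\Classes\exefile\shell\open\command" /ve /t REG_EXPAND_SZ /d "\"%%1\" %%*" /f
reg add "%HIVE%\Classes\exefile\shell\runas\command" /ve /t REG_EXPAND_SZ /d "\"%%1\" %%*" /f
reg delete "%HIVE%\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /f 2>nul

rem The per-user override lives in each profile's NTUSER.DAT, so walk them too.
for /d %%U in (D:\Users\*) do (
  if exist "%%U\NTUSER.DAT" (
    echo Checking profile %%U
    reg load HKLM\offuser "%%U\NTUSER.DAT" >nul 2>nul && (
      reg delete "HKLM\offuser\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /f >nul 2>nul
      reg unload HKLM\offuser
    )
  )
)

rem Always unload, otherwise the hive stays dirty and the next boot may complain.
reg unload %HIVE%
```

The query lines before the repair give the comparison NRTS describes: read them side by side with the same keys on the reference netbook before deciding the hive really is hijacked. Because the infected OS never runs, this also sidesteps a fake AV that blocks regedit.exe, reg.exe and renamed .com copies alike.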
Tags: exe file associations