Solved

Broken/changed .exe association due to virus

December 18, 2012 1:06:57 PM

I stupidly got the "Windows 7 Security Center" virus from an attack site that neither my browser (Firefox) nor Microsoft Security Essentials caught in time. I immediately knew what happened, but it had "hijacked" all of my programs to redirect to it (I'm guessing this led to the broken association), so that I was unable to open my actual security program or Malwarebytes and clean up (I'm accessing the internet at work ATM).

I managed to identify the invading process, shut it down, and revoked all of its permissions which seems to have it in remission as far as interrupting things. It's still there, of course, though. Now when I try to open any executable, I am met with a permission error. I am no expert at all on these matters, but it appears as though the virus changed the exe association to direct to itself, and changing the permissions only nullified the effect of accessing it.

How can I go about setting exes to open correctly so I can get rid of this thing?

I haven't done much yet (I attempted a lengthy virus scan on my Linux laptop using Clam that failed miserably), so I can't rule a lot out so far. I do know that I do not seem to have the "command.com" tool that a lot of solutions for repairing the registry reference. I checked the directory and everything -- it doesn't seem to be there.

I have a recent restore point; would that help? Could I make use of the command line in Safe Mode provided it runs?
December 18, 2012 1:27:25 PM

Try the system restore and if that doesn't work make a new user account and shift across the whole profile.
Best solution

December 18, 2012 1:32:47 PM

the good news is this virus mostly affects only the current user.

step 1. download and run Fixncr registry fix

step 2. download and run Kaspersky tds killer just to make sure you don't have the rootkit version

step 3. download and run Combofix

step 4. download and run Malwarebytes
December 18, 2012 1:38:28 PM

unoriginal1 said:
I'd run a rescue disk like Avg's to try to get the virus.
http://www.avg.com/us-en/avg-rescue-cd (go to free download and make a disk, or usb to boot from)
Then use either your restore point to fix the file associations or come here and follow the directions http://www.sevenforums.com/tutorials/19449-default-file...

This sounds like a good thing to try. I didn't know about rescue disks (never had too many viruses). This would be a lot more convenient than one of my initial ideas of finding a Linux distro with a pre-installed AV and running a liveCD...

One other concern here with killing the virus first: the big reason my ClamAV scan failed was that it appeared to pick out every .exe on the hard disk indiscriminately. For all I know, this was just because Clam isn't as advanced as a lot of other options and really didn't know the difference, but I'm worried these files might have been singled as threats because they all point to the virus. If that's the case, might not AVG or another AV do the same (i.e. not really helping if it deletes all my exes)?
December 18, 2012 1:39:46 PM

the great randini said:
the good news is this virus mostly affects only the current user.

step 1. download and run Fixncr registry fix

step 2. download and run Kaspersky tds killer just to make sure you don't have the rootkit version

step 3. download and run Combofix

step 4. download and run Malwarebytes

Glad to see you're familiar with this. I'll definitely try this and post results.
December 18, 2012 1:45:23 PM

barber surgeon said:
This sounds like a good thing to try. I didn't know about rescue disks (never had too many viruses). This would be a lot more convenient than one of my initial ideas of finding a Linux distro with a pre-installed AV and running a liveCD...

One other concern here with killing the virus first: the big reason my ClamAV scan failed was that it appeared to pick out every .exe on the hard disk indiscriminately. For all I know, this was just because Clam isn't as advanced as a lot of other options and really didn't know the difference, but I'm worried these files might have been singled as threats because they all point to the virus. If that's the case, might not AVG or another AV do the same (i.e. not really helping if it deletes all my exes)?


I've had this issue a couple of times on work computers and home computers that I've fixed for family.
I've never had an issue with it actually deleting the .exe files. But, that's still not a guarantee...(aka try at your own risk ;)  ) Randini is right though, it mostly affects a specific profile. Do you have another admin profile set up on that pc?

I personally run my scans off the rescue disk anymore. Trying it in safe mode, or running it with windows fully booted just never seems to get rid of it cleanly.
December 18, 2012 2:03:30 PM

unoriginal1 said:
I've had this issue a couple of times on work computers and home computers that I've fixed for family.
I've never had an issue with it actually deleting the .exe files. But, that's still not a guarantee...(aka try at your own risk ;)  ) Randini is right though, it mostly affects a specific profile. Do you have another admin profile set up on that pc?

Unfortunately, no. I've never suffered a major attack like this because I'm generally pretty careful, so I was content with the Windows default "user as admin" setup. Is it too late to configure a separate account now due to the risk of the infection crossing over?

Rescue disk still seems like the best way to go. I'll try Randini's method to correct the association first, then (whether that works or not) clean from the outside. Thanks for all the help!
December 18, 2012 2:14:21 PM

To restore the exe functioning you can go here and download the .reg file listed under exe -- this is a text file that has the needed steps to restore the default opening program for exe files correctly -- just download the proper .reg file to your desktop - right click and select Merge (should be at the top of the list) - This will run the reg file and fix it so the exe files properly launch again -- Afterwards you can run your AV products again from safe mode to get rid of any remnants of the virus.
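Added example (not part of any poster's reply): a read-only PowerShell check of the .exe association that the thread describes as hijacked per user, useful for confirming the state before and after merging a .reg fix. The function names are illustrative; the expected values `exefile` and `"%1" %*` are the stock Windows defaults.

```powershell
# Added example: read-only check, changes nothing in the registry.
$expectedProgId  = 'exefile'     # Windows default ProgID for .exe
$expectedCommand = '"%1" %*'     # Windows default open command for exefile

function Get-DefaultValue([string]$Path) {
    # Returns the key's unnamed (Default) value, or $null if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-ExeAssociation([string]$ClassesRoot) {
    $progId = Get-DefaultValue "$ClassesRoot\.exe"
    if ($progId) {
        [pscustomobject]@{
            Key        = "$ClassesRoot\.exe"
            Value      = $progId
            Suspicious = ($progId -ne $expectedProgId)
        }
    }
    # Check the ProgID that .exe points to, plus exefile itself.
    $progIds = @($progId, $expectedProgId) | Where-Object { $_ } | Select-Object -Unique
    foreach ($id in $progIds) {
        $cmdKey = "$ClassesRoot\$id\shell\open\command"
        $cmd    = Get-DefaultValue $cmdKey
        if ($null -ne $cmd) {
            [pscustomobject]@{
                Key        = $cmdKey
                Value      = $cmd
                Suspicious = ("$cmd".Trim() -ne $expectedCommand)
            }
        }
    }
}

# Per-user keys (HKCU) override the machine-wide ones (HKLM), so report both.
$results = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes' |
    ForEach-Object { Test-ExeAssociation $_ }
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object Suspicious) {
    Write-Warning 'The .exe association differs from the Windows default.'
}
```

On a clean profile the HKCU rows are normally absent and the HKLM rows show the defaults; any row marked Suspicious names the key to inspect.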
December 18, 2012 2:20:40 PM

After you manage to clean the malware and boot that machine properly, use this software to repair (most of) the damage:

http://www.tweaking.com/content/page/windows_repair_all...

Saved me from reinstalling several machines. Be aware, it might take many hours to do its thing if the machine has many things installed.
December 18, 2012 6:15:54 PM

UPDATE: It looks like everything is going to be okay. Following Randini's advice first I managed to take care of the specific problem (now posting from affected computer). I'll now make several passes with the software you've all mentioned.

Thanks so much for the help! Glad that's over.
December 18, 2012 6:16:08 PM

Best answer selected by barber surgeon.
December 18, 2012 7:07:54 PM

ya this virus sucks even my users without admin rights get it most times I just crush the profile and make a new one, but when execs get it I have to clean it.