Hi guys, one of my family members got caught with the XP AntiVirus 2012 fake AV. He had MSE installed but it totally missed this variant. I managed to download ESET Online Scanner and HouseCall, which both came back with no infections. A SuperAntiSpyware scan found everything and cleaned it up, but since the clean-up he is unable to run any .exe files. Now, I know about the .exe file fixes, and I installed the fix to download Avast, but now after every reboot no .exe files will run again, so Avast etc. fail to load. I don't suppose any of you have had the same problem and found a fix that works and allows .exe files to run after reboot without first running the fix? I've tried full scans with HitmanPro, ESET Online Scanner, SAS, MBAM and Norton Security Scan, as well as Tools > Folder Options > File Types, making a new .exe file extension and setting it to Application. I also reset the .lnk extension. After reboot these both disappear, and file association REG files as well as manually changing the registry fail to keep the settings. Any ideas? Thanks
Try the Kaspersky Rescue CD. Sometimes Dr.Web will catch stuff the others miss. I had an infected computer I worked on for someone one time, and after MBAM and the other usual tools had scanned and got rid of stuff, I knew there was something still there, but none of the scanners I was using could see it. I tried Dr.Web and it found it and got rid of it.
Ah yes, I did try Dr.Web, but only a quick scan. Nothing was found. I will try a full scan though. Thanks
Sometimes, if an infection is bad enough, that is the best course of action. That is where a good backup plan comes in.
Just a tip: most of the time, System Restore snapshots are perfectly intact and unmodified. If you go into the System Volume Information folder (a hidden system folder by default), you can get a snapshot of the registry and the ntuser.dat and usrclass.dat for each user. Simply restoring these files (from a clean snapshot) to their appropriate place will disable 99% of all infections.

You have to do this with the system offline, like mounted in another computer or from a PE disc. The core registry files need to be renamed and replaced in system32\config.

S-1-5-18 goes to C:\windows\system32\config\systemprofile
S-1-5-19 goes to the Local Service user profile
S-1-5-20 goes to the Network Service user profile
Everything else goes to the user directories; the usrclass.dat goes in the userprofile\Local Settings\Application Data\Microsoft\Windows directory for each user.

I usually do a HitmanPro scan of the system32\drivers folder, fix the boot sector & MBR, and clear out any weird scheduled tasks before rebooting the computer back into Windows. For good measure you can do a virus scan of the computer as well with your favorite A/V.
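The offline hive-restore procedure in the post above, written out as an added PowerShell example (this is not code from the thread or from any of the tools named in it). It picks the newest XP restore point older than a date you supply, reads the SID-to-profile mapping from the snapshot's own SOFTWARE hive (seeded with the three well-known SIDs the post lists), renames each live hive to .bak and copies the snapshot copy into place. It assumes the infected volume is mounted offline at the drive letter you pass (for example E:\), that the Windows directory is <root>\WINDOWS, and that restore points use XP's "System Volume Information\_restore{GUID}\RPnnn\snapshot" layout; the script name Restore-XpHives.ps1 and the -Before / -DryRun parameters are my own choices.

```powershell
# Added example, not code from the thread: restore XP System Restore snapshot
# hives onto an OFFLINE Windows volume, following the SID-to-profile mapping
# given in the post above. Run from a PE disc or a second PC with the disk
# attached; never against the running system.
# Assumptions: offline volume mounted at $OfflineRoot (e.g. E:\), Windows lives
# in <root>\WINDOWS, restore points use "_restore{GUID}\RPnnn\snapshot".
param(
    [Parameter(Mandatory=$true)][string]$OfflineRoot,  # e.g. 'E:\'
    [Parameter(Mandatory=$true)][datetime]$Before,     # newest RP older than this is used
    [switch]$DryRun                                    # print the plan, copy nothing
)
$ErrorActionPreference = 'Stop'
$OfflineRoot = $OfflineRoot.TrimEnd('\') + '\'
$sysRoot = Join-Path $OfflineRoot 'WINDOWS'
$config  = Join-Path $sysRoot 'system32\config'
$svi     = Join-Path $OfflineRoot 'System Volume Information'

# 1. Pick the newest restore point that predates the infection (-Force: the
#    folders are hidden/system and Get-ChildItem skips those by default).
$rp = Get-ChildItem -Force $svi | Where-Object { $_.PSIsContainer -and $_.Name -like '_restore*' } |
      ForEach-Object { Get-ChildItem -Force $_.FullName } |
      Where-Object { $_.PSIsContainer -and $_.Name -like 'RP*' -and $_.LastWriteTime -lt $Before } |
      Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $rp) { throw "No restore point older than $Before under $svi" }
$snap = Join-Path $rp.FullName 'snapshot'
Write-Host "Using snapshot $snap (created $($rp.LastWriteTime))"

# 2. SID -> profile directory. Seed with the well-known SIDs from the post, then
#    read every other account from ProfileList in the snapshot's SOFTWARE hive.
$profiles = @{
    'S-1-5-18' = Join-Path $config 'systemprofile'
    'S-1-5-19' = Join-Path $OfflineRoot 'Documents and Settings\LocalService'
    'S-1-5-20' = Join-Path $OfflineRoot 'Documents and Settings\NetworkService'
}
$hive = 'HKLM\OfflineSoftware'
& reg.exe load $hive (Join-Path $snap '_REGISTRY_MACHINE_SOFTWARE') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load of snapshot SOFTWARE hive failed" }
try {
    $plist = 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($k in Get-ChildItem $plist) {
        $p = (Get-ItemProperty $k.PSPath).ProfileImagePath
        if (-not $p) { continue }
        # Expand %SystemRoot%/%SystemDrive% against the OFFLINE volume, not the PE's own.
        $p = $p -replace '(?i)%SystemRoot%', $sysRoot
        $p = $p -replace '(?i)%SystemDrive%\\?', $OfflineRoot
        $profiles[$k.PSChildName] = $p
    }
} finally { & reg.exe unload $hive | Out-Null }

# 3. Build the copy plan: machine hives into system32\config, then per-user hives
#    (NTUSER.DAT in the profile root, UsrClass.dat under Local Settings).
$plan = @()
foreach ($h in 'SYSTEM','SOFTWARE','SAM','SECURITY') {
    $plan += ,@((Join-Path $snap "_REGISTRY_MACHINE_$h"), (Join-Path $config $h.ToLower()))
}
$plan += ,@((Join-Path $snap '_REGISTRY_USER_.DEFAULT'), (Join-Path $config 'default'))
foreach ($f in Get-ChildItem -Force $snap -Filter '_REGISTRY_USER_*') {
    if ($f.Name -match '^_REGISTRY_USER_(NTUSER|USRCLASS)_(S-1-5-[\d-]+)$') {
        $kind, $sid = $matches[1], $matches[2]
        if (-not $profiles.ContainsKey($sid)) { Write-Warning "No profile for $sid; skipping $($f.Name)"; continue }
        $dest = if ($kind -eq 'NTUSER') { Join-Path $profiles[$sid] 'NTUSER.DAT' }
                else { Join-Path $profiles[$sid] 'Local Settings\Application Data\Microsoft\Windows\UsrClass.dat' }
        $plan += ,@($f.FullName, $dest)
    }
}

# 4. Keep the live (possibly hijacked) hive as .bak for later forensics, then copy.
foreach ($pair in $plan) {
    $src, $dst = $pair
    if (-not (Test-Path $src)) { Write-Warning "Snapshot has no $src"; continue }
    Write-Host "$src`n  -> $dst"
    if ($DryRun) { continue }
    if (Test-Path $dst) { Move-Item -Force $dst "$dst.bak" }
    Copy-Item -Force $src $dst
}
```

Run it first as `.\Restore-XpHives.ps1 -OfflineRoot E:\ -Before '2012-01-15' -DryRun` and read the plan before letting it copy anything. System Volume Information denies even administrators by default, so if the listing fails with access denied you need to grant yourself rights on that folder (icacls on the offline volume) before the script can see the restore points. The .bak copies it leaves behind are the infected hives, which is exactly what you want to diff against the restored ones if you later want to see which keys (the .exe association under HKCR, for instance) the fake AV was re-writing.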
Yes, I agree with you that imaging is the way to go. Thanks for the info; that could come in handy some time. I will try and get him to have a simple backup program, though; then if he has any more problems, hopefully I can explain a few easy clicks he can do rather than having to look at the computer myself. Anything other than opening Internet Explorer is a challenge to him.