Windows XP Security Tool - threatware
9th May 2011, 04:21 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
I doubt I am the only one to have found this but I am amazed at the lack of reference to it on the 'net.
I cleared the system of this threatware by identifying the offending file (called fab.exe) and removing it. No problem - but on restarting the machine I find that no com or exe files will run at all. All I get is the Windows box Open With...
Some windows files work but not all.
The problem means that things like restore, msconfig, task manager all refuse to function.
Any ideas anyone?
__________________ Confuse and Prosper.
10th May 2011, 01:51 AM | Community Moderator | Join Date: Nov 2007 | 238 posts | Location: Yuma, AZ USA
Try running Malwarebytes Anti-Malware (I usually download it from download.com) in Safe Mode (making sure to update the definitions first), kill everything it finds, and restart. It is usually pretty good at killing rogues.
__________________
Eppur si muove!
10th May 2011, 07:34 AM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Hi Wektech - thanks for the idea. The problem is that I cannot run any programs once this has happened.
I deleted two files - fab.exe and the prefetch for it. The problem was fixed but left me with no way of running any .com or .exe files.
cheers
__________________ Confuse and Prosper.
24th May 2011, 03:39 PM | Community Moderator | Join Date: Oct 2007 | 1,028 posts | Location: Stoke-on-Trent, England
Hi Albert. I have also had some experience with this issue. The malware corrupts the registry key that contains the .exe file association. The fix that wektech posted modifies this registry key back to its default values.
Fake anti-virus exploits seem to be very common nowadays, even for Mac owners. These exploits seem to be getting more and more sophisticated and have at times led me to simply formatting and reinstalling Windows, due to the irreversible damage they cause.
__________________
"People always fear change. People feared electricity when it was invented, didn't they? People feared coal, they feared gas-powered engines... There will always be ignorance, and ignorance leads to fear. But with time, people will come to accept their silicon masters" - Bill Gates
Last edited by Joshuashawharvey; 24th May 2011 at 07:15 PM.
24th May 2011, 05:06 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Thanks Josh - I have a new one in today so will see if it works.
If the registry key is relatively easy to find, is it worth making the change manually? It should be easy enough to find, given that I know the name of the offending file...
__________________ Confuse and Prosper.
25th May 2011, 07:22 PM | Community Moderator | Join Date: Oct 2007 | 1,028 posts | Location: Stoke-on-Trent, England
Personally, I'd stick with using the fix that wektech recommended, particularly for an environment where there is a mass-scale infection, or even if you may run into this issue again, as we are likely to do in our line of work, simply for the convenience. After all, it's easier to save a file on your computer than to remember a registry fix that you may not use again for a while.
However, mvps.org offer a manual solution for this sort of issue, and it covers the necessary registry entries requiring modification. These may vary, though, depending upon the damage caused by the virus in question.
__________________
"People always fear change. People feared electricity when it was invented, didn't they? People feared coal, they feared gas-powered engines... There will always be ignorance, and ignorance leads to fear. But with time, people will come to accept their silicon masters" - Bill Gates
Last edited by Joshuashawharvey; 25th May 2011 at 07:28 PM.
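A check for the association keys Josh refers to, as an added example (not from this thread and not the mvps.org fix): it parses a `reg export` text for the .exe/.com handler keys, flags anything that differs from the stock Windows XP defaults, and emits a .reg body that restores them. The key paths and default values are the standard XP ones; the sample export is constructed, with an exefile handler redirected to a non-existent path like the case described later in the thread.

```python
import re

# Stock Windows XP defaults for the .exe/.com associations (assumed well-known values).
DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

# Constructed sample of a `reg export` file: the exefile handler has been
# redirected to a non-existent launcher; the .com association is intact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\nonexistent\\launcher.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg(text):
    """Return {key: default value} for each [key] whose @= entry is a string (undoing .reg escapes)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape quotes and backslashes with a backslash
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values

def check_associations(values, defaults=DEFAULTS):
    """List (key, found, expected) for every key that is missing or differs from its default."""
    return [(k, values.get(k), v) for k, v in defaults.items() if values.get(k) != v]

def repair_reg(findings):
    """Build a .reg body that restores each flagged key to its default value."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, _found, expected in findings:
        escaped = expected.replace("\\", "\\\\").replace('"', '\\"')
        out += [f"[{key}]", f'@="{escaped}"', ""]
    return "\n".join(out)
```

A missing key is reported too, which covers the case where the entries were deleted rather than redirected.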
27th May 2011, 07:57 AM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Very helpful - thanks again.
__________________ Confuse and Prosper.
5th June 2011, 04:43 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Update - this system has been pre-repaired by someone, which has screwed up the registry, and nothing works properly; I cannot even get files to run from the flash drive. I found the entries for exefile and exe in the registry were directed to a non-existent directory, so someone must have removed them. I think if I knew what the default settings were I might be able to fix this, but I will not bother and am planning to format the drive and reinstall everything again once I have backed up all the files - only 16 GB of them....
__________________ Confuse and Prosper.
8th June 2011, 06:41 AM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Third machine.
This one was not pre-repaired by anyone and I saw the threatware on the thing on site. It has been sitting in my workshop for the last 10 days or so waiting for a round tuit which happened at sparrow-fart this morning. In case any of you think I am being idle, the owner is on his happy holliers somewhere.
Anyway..
Nothing. Nada. Nix. Bu**ger all.
RKill found nothing
ComboFix faffed around for an hour or so and found a couple of rootkits which it said it had fixed.
Malwarebytes' found a few odds and sods but nothing really nasty - the log is as below.
I have set MWB to do a full scan but don't think it will find anything.
Very strange. Storm in a teacup.
I will leave it running all day today to see if anything happens but there is no trace of anything there at all.
The log
Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3
08/06/2011 07:03:05
mbam-log-2011-06-08 (07-03-05).txt
Scan type: Quick Scan
Objects scanned: 67324
Time elapsed: 3 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9fb5bec5-01d6-446f-9cde-47863645c5a3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fb5bec5-01d6-446f-9cde-47863645c5a3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Common Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
__________________ Confuse and Prosper.
9th June 2011, 10:17 AM | Community Moderator | Join Date: Oct 2007 | 1,028 posts | Location: Stoke-on-Trent, England
Very strange indeed.
If the malware has still not been removed, I have a couple of suggestions that might help.
I use a program called Hitman Pro. It is a cloud-based scanner which can run without an installation. It's extremely easy to use and has a very small footprint. Once scanning has completed it will ask for a license, but there's also an option to activate a free 30-day trial. This has helped me out of many situations where almost all other scanners have failed me.
I would also recommend using the BitDefender Rescue CD. Most anti-virus companies provide these free recovery CDs. These Linux-based live CDs will provide a more thorough scan and will remove infections that other scanners may not be able to when running in Windows. I personally recommend the BitDefender version because from past experience it has worked extremely well.
__________________
"People always fear change. People feared electricity when it was invented, didn't they? People feared coal, they feared gas-powered engines... There will always be ignorance, and ignorance leads to fear. But with time, people will come to accept their silicon masters" - Bill Gates
Last edited by Joshuashawharvey; 9th June 2011 at 10:24 AM.
9th June 2011, 12:29 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
For all the wrong reasons I am waiting for a new 'infection' to come my way - these things seem to come in bunches so it should not be long!
Incidentally, I was introduced to OTLPENnet.exe from Bleeping Computer's site. It was no help in this case but the downloadable CD creator routine contains some very useful tools, and all for free! (Bleeping Computer - Computer Help and Discussion)
__________________ Confuse and Prosper.
20th June 2011, 03:56 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Well the new infection arrived this afternoon - fortunately next door so I hitched up the trousers and paid a call.
It was the same XP machine I had seen last week so it was a completely new infection.
In the application data folder I found a whole lot of strangely named folders each with a single file inside - so I cleared the lot when in safe mode.
I also ran a MWB scan which found nothing, but HijackThis found the references to the files and folders I had removed and marked them as nasties. It also found askbar, which I think might have been responsible.
I messed around some more and found a genealogical software package which had installed a banner into the default browser, so I cleared that too.
A reboot confirmed everything cleared again, so we will see.
The user visits travel websites a lot so he will keep an eye out for any strange happenings when he visits these so we can at least try and find where the threatware is coming from.
Be brave peeps, they can be beaten!
__________________ Confuse and Prosper.
20th June 2011, 05:08 PM | TST Oracle | Join Date: Jul 2008 | 8,171 posts | Location: UK Norfolk
Might suggest adding WOT to his browser
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
20th June 2011, 07:23 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
WOT he really needs is to stop visiting dodgy web sites, dahling!
__________________ Confuse and Prosper.
20th June 2011, 07:37 PM | TST Oracle | Join Date: Jul 2008 | 8,171 posts | Location: UK Norfolk
Men honestly !!!!!!!
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
21st June 2011, 08:31 AM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
Trouble with WOT is that it slows it all down too much.
__________________ Confuse and Prosper.
21st June 2011, 11:48 AM | TST Oracle | Join Date: Jul 2008 | 8,171 posts | Location: UK Norfolk
What a load of codswallop.
Using it on FF and no slowdown here.
__________________ Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
21st June 2011, 01:37 PM | TST Oracle | Join Date: Dec 2007 | 8,001 posts | Location: Market Haemorrhoids, Middle England
You are so right - WOT is a load of codswallop, seafeathers and elephant wings. I wouldn't go near it with your bargepole, let alone mine!
__________________ Confuse and Prosper.