Windows has forgotten how .exes work! Cause I, uh, messed with the registry.



The Linker
2011-03-31, 05:46 AM
Um... so, current status: virus quelled, scan running... and I have to specifically run any .exes as an administrator if I want them to work. This means Steam and other such programs no longer come up on startup, which is inconvenient, but I can use my computer again! Hooray!

I'm trying to get it back to normal, but, uh, class starts soon. If anyone knows of a way to reverse the damage I did in my registry and make Windows Vista easily recognize that my .exe applications are, in fact, .exe applications, I would love you forever and bake rice krispie squares.

Specifically, I'm pretty sure I need to have something in:

HKEY_CURRENT_USER\Software\Classes\Wow6432Node\exefile\shell\open\command "(Default)" =

Default is currently blank. I think there needs to be... something, there. :smallconfused:

This thread was originally a 'crap crap crap virus' thread, but I've gotten over that now. Full text below, for full disclosure.

Note: As I currently type from an iPod and really want to get this going asap, my grammar and punctuation will be, uh, hampered.

So, yeah. Virus got me, titled 'vista internet security 2011', trying to convince me that I'm infected (well, I am) and should go buy more viruses. I mean, the full version. There are plenty of helpful guides on removal of this very virus, which pinpoint exact processes to close and files to delete.

None of them exist for me. I must have a different version of the virus. All the guides give 'pw.exe' and 'MSASCui.exe' as both processes to close and files to delete, but there's nothing there.

Here's my one lead. I dug into the registry to look for what the guides say to delete. It wants me to go after:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*

Hey, pw.exe! That's one of the files they wanted me to delete! I figure this hijacks any .exe process and makes it open pw.exe instead. Ah, but that's not actually ON here. Furthermore, it hasn't actually prevented me from executing anything -- just opening webpages, hence the iPod. BUT! In place of pw.exe in the registry path above, it reads 'sub.exe', giving me:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\sub.exe" /START "%1" %*

Actually, this thing just got deleted by a script I copied and ran. Default is empty now. Uh, put the past couple paragraphs in past tense. None of my problems are gone, though.

However, I'm still hopeful this could be a lead. If sub.exe is the program being used by this version of the virus, then perhaps one can use this information to find an up-to-date removal guide? I failed, but searching is slow on this thing and man my fingers hurt by now.

Any help would be incredibly appreciated and rewarded with cookies and pony-baked muffins. Clarification will be offered upon query, I'm sure I've missed like seventeen things trying to write this out.

--Second post--

Hmmm, sub.exe still exists. Want to delete it, but don't want to accidentally kill something vital. It doesn't exist on your uninfected machines, does it? Full path: users\[your profile name]\AppData\local\sub.exe

Edit: Ah-ha! I can use the 'find' function with the registry editor to find things that still point to sub.exe. But I REALLY don't want to mess with the registry unless vaguely trusted source tells me to.

Edit edit: only one more place points to sub.exe:

HKEY_CURRENT_USER\Software\Classes\Wow6432Node\exefile\shell\open\command "(Default)" = "%UserProfile%\AppData\local\sub.exe" -a "%1" %*

Edit the third: sub.exe is also a running process. Absolutely everything points to this being a malicious thing I need to delete and end. I'm, um, I'm just nervous.

Edit the fourth: bit the bullet and did all that. I'm back on the computer and no signs of the virus are present. But, uh, now my computer has forgotten what .exes are and how to open them -- UNLESS I open them 'as administrator'. It's almost like the registry editor wasn't supposed to be messed around in by someone with only a moderate idea of what they're doing. o_O Currently looking at how to rebuild the set association.

Spartacus
2011-03-31, 06:58 AM
I recommend heading to the forum of a major antivirus program, like MalwareBytes or Avast!, both of which I recommend grabbing and running asap. I know when I've had a nasty virus, they helped wonderfully.

Also, if you have Vista but do not have the latest Service Pack, try updating. I know when my explorer.exe got corrupted by a virus, updating got me a fresh one.

The Linker
2011-03-31, 07:00 AM
Oops, sorry, Spartacus. I was hoping for no casualties when I switched the thread around to account for new developments. I figured no one had seen it, so it was safe to sort of 'make a new one'. :smalltongue:

Spartacus
2011-03-31, 07:05 AM
When the page loaded I was like "Gwuh?"

Kinda threw me off for a moment.

EDIT: I would still go to an antivirus or Vista forum, and download a Service Pack if you aren't fully updated. Also, should totally still get/run MalwareBytes and Avast!, unless you have something awesome like Kaspersky.

The Linker
2011-03-31, 07:10 AM
Hmm, I do have... 567 megs of update to download. That might help.

Also, I have McAfee -- I think it may have come installed on this thing or something. It keeps telling me 'your subscription has run out! You can't scan until you renew!' yet seems to happily scan for me regardless. 7% done...

Ah, update just failed. Seems I won't be able to update until I get this .exe file association thing straight.

Spartacus
2011-03-31, 07:14 AM
I've never liked McAfee, myself.

Also, what Service Pack do you have? I forget how to check, as I am on an XP machine right now, but after school ends I could find where it says, if you need it.

The Linker
2011-03-31, 07:20 AM
...Service Pack 1.

How many packs are there...?

OK, only two. I thought there might be like five and I'd have been needlessly living with horribly outdated crap.*

*In before 'still running Vista' cracks. :smalltongue:

douglas
2011-03-31, 10:14 AM
I don't have a Vista machine handy to check, but I looked on a Windows 7 machine (which is based on Vista and should be similar) and nothing like that registry key exists on my computer.

Here's my guess about what's happening and why:
You try to run a .exe normally, Windows looks up its association in the registry, sees the key is there, reads its value, and tries to open the program with, well, nothing. This fails for obvious reasons.

You try to run a .exe as administrator, Windows says "run as admin account, ignore current user account settings", Windows looks up appropriate information in the registry - ignoring your user settings, which would normally be the first place to look - and finds the real correct info in the admin account or machine settings and opens the program successfully.

If this is correct, the way to fix it would be to delete that registry key entirely. Then running a .exe normally would find nothing at all for local user account associations when it looks in the registry and would move on to the machine settings as the fallback, which work.

Make sure you have the information copied somewhere so you can reverse the deletion before trying this, of course.

The Linker
2011-03-31, 10:21 AM
You try to run a .exe as administrator, Windows says "run as admin account, ignore current user account settings", Windows looks up appropriate information in the registry - ignoring your user settings, which would normally be the first place to look - and finds the real correct info in the admin account or machine settings and opens the program successfully.

This makes a lot of sense. Save for the fact that, well, the account I'm using is the admin account, but I'm willing to accept that there are different settings regardless. I should be able to look in the registry for what it's set to when an admin account runs it and copy that into the 'current user' section. Maybe. Hopefully. Otherwise, yeah, I can try deleting that and see what happens.

I'm not at the computer right now, though, so I won't be able to give a status update for a while.

douglas
2011-03-31, 10:30 AM
With Vista and 7, there's admin and then there's ADMIN. There is only one "real" true admin account, defined for you invisibly behind the scenes by the installation process, and it's not normally even possible to log in under that account. You have to do some very specific advanced tweaking to make the admin account available on the login screen.

Any other account, even one designated as an administrator, has reduced privileges compared to that account. Notably, if I'm remembering what I read about it correctly, if you're logged in on that special admin account all those security warnings go away - everything gets run as admin automatically without asking for confirmation. Normal admin accounts have to specifically say when they want to use their admin powers, and there may be some advanced things that they just can't do at all. In fact, I'd guess that the "run as admin" option is implemented by something similar to marking the program as being run by the special admin account instead of the account actually running it.

To extend my guess a little further, I'm guessing the virus created that registry entry in the first place, specifically because it would override normal behavior. Then every time you run a program it calls the virus instead and also tells it what you're trying to run. The virus was probably written to take that information and call the real system routines for opening an executable, so victims wouldn't suspect too much, and then also use the info for nefarious purposes.

factotum
2011-03-31, 03:26 PM
The situation with Vista and W7 isn't actually as complicated as all that, douglas. There is no "super-superuser account" like you're talking about. UAC (User Account Control) can be disabled if you like, and if you do that then any admin account is a full admin account with no ifs or buts.

It's only with UAC active that you get the thing of an admin account not actually being a full admin, and all that means is that it will *ask* via a UAC prompt whenever you do anything that requires admin privileges--your admin account will be a full admin account in order to do that one thing. Right-clicking something and selecting "Run as administrator" gives whatever you're running full admin privileges, too.

Just checked on my Vista 64 system here, incidentally, and it doesn't have the key you're talking about, The Linker--closest I could find is HKCU\Software\Classes\Wow6432Node\.exe , and that key is completely empty on my system.

The Linker
2011-03-31, 06:14 PM
Think I got it working. I just substituted the same mixture of percent signs and asterisks that's in every other 'empty' command section. Like it's the command for 'eh, do what you do', or something. :smalltongue:

I'm a bit iffy, though. May report back if things start to screw up.
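Editor's note: the script below is an added example, not code from anyone in this thread. It audits the per-user .exe association keys the rogue AV poisoned (HKCU\Software\Classes\.exe and exefile, plus their Wow6432Node twins on 64-bit), classifies each open command as clean, blank (the "forgotten how .exes work" state) or an interposer of the sub.exe kind, and checks whether the interposer file is still on disk. It also prints the machine-wide "open" and "runas" commands from HKLM for reference; that the hijack only touched the open verb, while "Run as administrator" goes through the runas verb's own command key, is the editor's reading of why elevated launches kept working. Repair-ExeAssociation does what douglas proposed: exports each override key with reg.exe and then deletes it so the lookup falls through to HKLM. Assumptions: a Vista/7-era layout where the clean command is "%1" %*, the four candidate key paths, and a backup directory under the user profile; all of these are the editor's choices, not the thread's.

```powershell
# Added example (editor's, not from the thread): audit and repair a per-user
# .exe association hijack. Run from an elevated PowerShell on Vista/7.
# Assumed clean open command; the machine-wide HKLM default on a healthy box.
$ExpectedCommand = '"%1" %*'

# Assumed override locations: per-user class registration and its 32-bit view.
$candidates = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Classes\Wow6432Node\.exe',
    'HKCU:\Software\Classes\Wow6432Node\exefile'
)

function Get-DefaultValue([string]$Key) {
    # (Default) of a registry key, or $null when the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    (Get-ItemProperty -LiteralPath $Key).'(default)'
}

function Get-VerbCommand([string]$Key, [string]$Verb = 'open') {
    # Command the shell runs for <Key>\shell\<Verb>\command.
    Get-DefaultValue (Join-Path $Key "shell\$Verb\command")
}

function Test-ExeCommand([string]$Command) {
    # Classify what a double-click would do with this open command.
    if ([string]::IsNullOrWhiteSpace($Command)) {
        return 'BROKEN: blank command, nothing gets launched'
    }
    if ($Command.Trim() -eq $ExpectedCommand) { return 'ok: runs the file itself' }
    # A quoted program followed by "%1" means every .exe is routed through it.
    if ($Command -match '^\s*"([^"]+)"' -and $Command -match '"%1"') {
        $target = [Environment]::ExpandEnvironmentVariables($Matches[1])
        $state = if (Test-Path -LiteralPath $target) { 'still on disk' } else { 'file gone' }
        return "HIJACK: every .exe is routed through $target ($state)"
    }
    return "SUSPICIOUS: unexpected command $Command"
}

function Get-ExeAssociationReport {
    # Machine-wide reference first: the open verb the hijack overrides, and the
    # runas verb that "Run as administrator" uses instead.
    foreach ($verb in 'open', 'runas') {
        $cmd = Get-VerbCommand 'HKLM:\Software\Classes\exefile' $verb
        [PSCustomObject]@{ Key = "HKLM exefile ($verb)"; Command = $cmd; Verdict = Test-ExeCommand $cmd }
    }
    # Then every per-user key that could shadow it. Absent key = no override.
    foreach ($key in $candidates) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $cmd = Get-VerbCommand $key 'open'
        $verdict = if ($null -eq $cmd) { 'override key present, no open command' } else { Test-ExeCommand $cmd }
        [PSCustomObject]@{ Key = $key; Command = $cmd; Verdict = $verdict }
    }
}

function Repair-ExeAssociation([string]$BackupDir = "$env:USERPROFILE\exefix-backup") {
    # Drop the per-user override keys so association lookup falls through to HKLM.
    # Each key is exported first; undo with: reg import <file>.reg
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    foreach ($key in $candidates) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regPath = $key -replace '^HKCU:\\', 'HKCU\'
        $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "backup of $regPath failed; not deleting it" }
        Remove-Item -LiteralPath $key -Recurse -Force
        "removed $key (backup: $file)"
    }
}

Get-ExeAssociationReport | Format-Table -AutoSize
# Repair-ExeAssociation   # uncomment once the report shows a HIJACK or BROKEN entry
```

Run the report first and read the Verdict column; a clean user hive shows only the two HKLM rows, which matches what factotum saw on his Vista 64 box. The repair leaves the user hive in that same state rather than writing a value back, so there is nothing left over for a later "find sub.exe" search to trip on.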

Lorn
2011-03-31, 06:28 PM
With Vista and 7, there's admin and then there's ADMIN. There is only one "real" true admin account, defined for you invisibly behind the scenes by the installation process, and it's not normally even possible to log in under that account. You have to do some very specific advanced tweaking to make the admin account available on the login screen.
To enable the superaccount:

Start menu
Search for CMD
Right click on it when it appears, select Run As Admin
Type "net user administrator /active:yes" (obviously, minus quotes)
Enter.
Done. Relog as admin if you want. To get rid of it, same process, except type "net user administrator /active:no" instead.


While this would probably get around the needing to run things as an admin problem, it's possibly not the safest if the virus may still exist - if McAfee isn't working, AVG might work at a pinch. It may not be perfect, but if the virus is suitably well-known it'll probably at least find it.

factotum
2011-04-01, 01:27 AM
While this would probably get around the needing to run things as an admin problem, it's possibly not the safest if the virus may still exist

It wouldn't. The account named "Administrator" is just as subject to UAC as any other admin account.