
Windows "Open With" dialog keeps popping up



My daughter's account on our Win7 laptop is infected with some virus that prevents the running of any program. Whenever we try to launch a program (IE, Notepad, CMD etc), the OS launches the Open With dialog. I ran MalwareBytes and it cleaned 5 infected files, but we still can't run any programs. I am attaching the logs as requested in the pinned topic, but they were run from the Admin account since we can't run anything from her account.

DDS.txt

Attach.txt


  • Staff

Hi,

To fix this, you will need to run Malwarebytes from the infected account. This is possible since our latest Malwarebytes version has a way to bypass this.

I assume you have the latest version of Malwarebytes installed already. If so, please navigate to the following folder:

C:\Program Files (x86)\Malwarebytes' Anti-Malware

In there, you will find an additional folder called Chameleon

Open that folder and double-click firefox.com

This will also launch Malwarebytes and run a scan.

Let me know if that fixed your problem.

On another note, I notice from your log that there's more than 1 Antivirus installed. Norton Internet Security and Eset Smart Security.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown. So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one. Then reboot after uninstalling.


I was able to run MalwareBytes on the affected account. I have attached the log from the scan. However, I still get the Windows "Open With" dialog every time I try to run an app from that account. I believe the file associations are messed up in the registry. I cannot run RegEdit on that account because I just get the "Open With" dialog. What should I do next? Thanks,

Frank

mbam-log-2012-01-17 (07-04-34).txt


Correction to my last post. If I try to run RegEdit (or Notepad for example) by typing "RegEdit" into the "Search program and files" box on the Start menu, I get a File Not Found dialog. However, I can get a file explorer going by right clicking and navigating to Documents. Once there I can navigate to the Windows folder and RegEdit.exe is there. If I double-click it, I get the "Open With" dialog. If I use "Run As Administrator" it launches once I enter the Admin password. Hope this helps. Thanks,

Frank


  • Staff

Hi,

Yes, it's indeed a problem with your associations and Malwarebytes normally detects and restores this. However, in this case, it looks like a new variant - that's why I need an export of a certain key first, so I can have a look at it and add detection for it in Malwarebytes.

I know you are not able to run regedit in the normal way, but you actually can run it when you rename regedit.exe to regedit.com. So navigate to your C:\Windows folder, locate regedit.exe in there and rename to regedit.com.

Then launch regedit.com in order to open it.

Then, navigate to the following key: HKEY_CURRENT_USER\Software\Classes\.exe

Please make sure it's the correct key I mention above!

Right-click that key and select export. Export it as a txt file and attach it to this thread here, so I can have a look and add detection to Malwarebytes.

While you are in the registry on that key, you'll see for the HKEY_CURRENT_USER\Software\Classes\.exe key, on the right, it will have a value called (default). Next to default, in your case, it will probably have a random name there. That name needs to get changed to exefile

Here's a screenshot of what I mean:

post-102-0-65274500-1326869271.png

So, in your case, it most probably won't say exefile there but something else. So to change this, double-click the value (default) there, and in the value data field, edit this to exefile

That should fix your association again. But I really need you to export that key first before you edit it, so I know what its previous value data was, so we can add detection for Malwarebytes.


Hi,

Win7 would not allow me to rename RegEdit no matter what I tried. What I did was run regedit as admin, search for a key of .exe with a weird default value and found one with zzz. It was not the Current User since I was running as admin. I exported the key and attached it. Then I changed it to exefile and all is well. Thanks so much for your help.

Frank

badregentry.txt


  • Staff

Interesting. After looking at your attachment, we should have detected this one through Malwarebytes though.

When I asked you to run Malwarebytes previously, did you actually run it from the user account where exes wouldn't run? Not as admin? Because that would explain it. The main reason is, the HKCU registry branch actually applies for the current user and that's where the registry modification was.

Anyway, good to hear that changing the value data already fixed the issue in your case :)

So I can set this as resolved now?

This topic is now closed to further replies.
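
Added example, not part of the original thread and not Malwarebytes code: the thread turns on the fact that the .exe association override sits in one user's HKCU hive, so a check run as admin looks at the wrong hive. This PowerShell sketch, run elevated, reads the (default) value of Software\Classes\.exe in every loaded user hive under HKEY_USERS and flags anything other than exefile; the $ExportDir parameter name is a hypothetical choice for this example.

```powershell
# Added example: audit the per-user .exe association in every loaded user hive.
# Run from an elevated PowerShell prompt. Read-only apart from the optional export.
param(
    [string]$ExportDir   # hypothetical parameter: folder to save .reg backups into
)

$expected = 'exefile'

# HKEY_USERS has no default PSDrive, so address it through the Registry provider.
# The pattern keeps real account SIDs and skips the <SID>_Classes and system hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $hives) {
    $sid     = $hive.PSChildName
    $keyPath = "Registry::HKEY_USERS\$sid\Software\Classes\.exe"

    if (-not (Test-Path -LiteralPath $keyPath)) {
        # No per-user override: the machine-wide association applies.
        [pscustomobject]@{ SID = $sid; Default = $null; Status = 'no override' }
        continue
    }

    # The (default) value is read by passing an empty value name.
    $default = (Get-Item -LiteralPath $keyPath).GetValue('')
    $status  = if ($default -eq $expected) { 'ok' } else { 'REVIEW' }

    if ($status -eq 'REVIEW' -and $ExportDir) {
        # Keep a copy of the key before anyone edits it, as asked in the thread.
        $out = Join-Path $ExportDir "$sid-exe.reg"
        & reg.exe export "HKU\$sid\Software\Classes\.exe" $out /y | Out-Null
    }

    [pscustomobject]@{ SID = $sid; Default = $default; Status = $status }
}
```

Only hives of accounts that are currently logged on are loaded under HKEY_USERS, so the affected account has to have an active session (for example via Switch User) for its hive to be covered.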