Jump to content

Windows "Open With" dialog keeps popping up


Recommended Posts

My daughter's account on our Win7 laptop is infected with some virus that prevents the running of any program. Whenever we try to launch a program (IE, Notepad, CMD etc), the OS launches the Open With dialog. I ran MalwareBytes and it cleaned 5 infected files, but we still can't run any programs. I am attaching the logs as requested in the pinned topic, but they were run from the Admin account since we can't run anything from her account.

DDS.txt

Attach.txt

Link to post
Share on other sites

  • Staff

Hi,

To fix this, you will need to run Malwarebytes from the infected account. This is possible since our latest Malwarebytes version has a way to bypass this.

I assume you have latest version of Malwarebytes installed alrready. If so, please navigate to the following folder:

C:\Program Files (x86)\Malwarebytes' Anti-Malware

In there, you will find an additional folder called Chameleon

Open that folder and doubleclick firefox.com

This will also launch malwarebytes and run a scan.

Let me know if that fixed your problem.

On another note, I notice from your log that there's more than 1 Antivirus installed. Norton Internet Security and Eset Smart Security.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown. So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.Then reboot after uninstalling.

Link to post
Share on other sites

I was able to run MalwareBytes on the affected account. I have attached the log from the scan. However, I still get the Windows "Open With" dialog every time I try to run an app from that account. I believe the file associations are messed up in the registry. I cannot run RegEdit on that account because I just get the "Open With" dialog. What should I do next? Thanks,

Frank

mbam-log-2012-01-17 (07-04-34).txt

Link to post
Share on other sites

Correction to my last post. If I try to run RegEdit (or Notepad for example) by typing "RegEdit" into the the "Search program and files" box on the Start menu, I get a File Not Found dialog. However, I can get a file explorer going by right clicking and navigating to Documents. Once there I can navigate to the Windows folder and RegEdit.exe is there. If I double-click it, I get the "Open With" dialog. If I use "Run As Administrator" it launches once I enter the Admin password. Hope this helps. Thanks,

Frank

Link to post
Share on other sites

  • Staff

Hi,

Yes, it's indeed a problem with your associations and Malwarebytes normally detects and restores this. However, in this case, it looks like a new variant - that's why I need an export of a certain key first, so I can have a look at it and add detection for it in Malwarebytes.

I know you are not able to run regedit in the normal way, but you actually can run it when you rename regedit.exe to regedit.com. So navigate to your C:\Windows folder, locate regedit.exe in there and rename to regedit.com.

Then launch regedit.com in order to open it.

Then, navigate to the following key: HKEY_CURRENT_USER\Software\Classes\.exe

Please make sure it's that correct key I mention in above!

Rightclick that key and select export. Export it as a txtfile and attach it to this thread here, so I can have a look and add detection to Malwarebytes.

While you are in the registry on that key, you'll see for the HKEY_CURRENT_USER\Software\Classes\.exe key, on the right, it will have a value called (default), next to default, in your case, it will probably have a random name there. That name needs to get changed to exefile

Here's a screenshot of what I mean:

post-102-0-65274500-1326869271.png

So, in your case, it will most probably don't say exefile there but something else. So to change this, doubleclick the value (default) there, and in the valuedata field, edit this to exefile

That should fix your association again. But I really need you to export that key first before you edit it, so I know what its previous valuedata was, so we can add detection for malwarebytes.

Link to post
Share on other sites

Hi,

WIn7 would not allow me to rename RegEdit no matter what I tried. What I did was run regedit as admin, search for a key of .exe with a weird default value and found one with zzz. If was not the Current User since I was running as admin. I exported the key and attached it. Then I changed it to exefile and all is well. Thanks so much for your help.

Frank

badregentry.txt

Link to post
Share on other sites

  • Staff

Interesting. After looking at your attachement, We should have detected this one through Malwarebytes though.

When I asked you to run Malwarebytes previously, did you actually run it from the useraccount where exes wouldn't run? Not as admin? Because that would explain it. The main reason is, the HKCU registry branch actually applies for the current user and that's where the registry modification was.

Anyway, good to hear that after changing the valuedata in your case already fixed the issue :)

So I can set this as resolved now?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.