I keep having to System Restore

2

Sorry the question title isn't very helpful.

Anyway, every so often (week or so, irregular intervals) my computer just stops working properly. I get a program claiming to be something like "Win7 Security 2012". It reads all of my files and marks random ones with random "virus" warnings. It hooks into .exe binaries and claims that they are keyloggers and trojans and should be deleted. If I happen to have a browser already open, it blocks all HTTP requests and claims that the site I'm trying to access contain malware.

The program is located in %LOCALAPPDATA% and has what appears to be three random letters (it changes each time and sometimes there's two of them) followed by .exe. If I kill it in Task Manager (which I can only get to via Ctrl+Alt+Delete => Start Task Manager) it just comes back again. If I delete the file, I can no longer run .exes because it asks me what program to open them with (which is of course an infinite loop).

The only way I can fix this is to run System Restore. I'm assuming that it's something in the registry that's being restored.

Can someone please tell me how to make .exes run on their own again, and optionally find out where these .exes are coming from and how to block them in future? Bonus points if you can tell me if it's possible (and if so how) to "protect" the .exe entry in the registry to stop it happening again.

Niet the Dark Absol

Posted 2012-01-09T03:57:13.183

Reputation: 547

1

have you tried the usual proper AV stuff like malwarebytes or combofix? There's a question/community wiki on it. Failing which, back up, and nuking it would be a good idea, since what you have is obviously a rather pesky persisitant virus

– Journeyman Geek – 2012-01-09T04:15:43.103

1

My answer to http://superuser.com/questions/314830/hum-exe-programs-not-launching-on-windows-7/314846#314846 will get .exe running again. I think you have a corrupted backup (the virus is in it)

– soandos – 2012-01-09T04:17:33.697

Yes, I have tried AV, antimalware, rootkit finder, everything I could think of. I could nuke the computer (I have full backup with JungleDisk) but I would rather not if an alternative is available because then I'd have to get all of my programs installed again. – Niet the Dark Absol – 2012-01-09T04:18:38.720

@Kolink, does the patch allow you to run .exe s again? – soandos – 2012-01-09T04:24:43.917

I imagine it would. Obviously I can't test it until I get the problem again, but I'm pretty sure that would fix it. – Niet the Dark Absol – 2012-01-09T04:29:34.590

If you're running your A/V scans in safe mode and in normal (you should be) and you're still seeing an infection, you are either re-infecting the OS or the virus has infected the boot sector of your OS. You could be reinfecting the OS with a USB/thumb drive or another program you're running after install. I agree with above that your restore image could be infected as well. – skub – 2012-01-09T04:58:58.700

Answers

0

Seen it before. If you can pull out the hard drive and put it into another computer, delete the files in question from your %APPDATA%\Local folder, which are probably hidden. Otherwise, start in Safe Mode with Networking. Download the .EXE fix (directions to create it from Microsoft are here). Once you apply that fix, you can run applications. Connect to the internet and download a program such as Malwarebytes Antimalware and run a scan (NOTE: Link is from Ninite to get the install right away). Do a full system scan, then you can restart your computer in normal mode

Canadian Luke

Posted 2012-01-09T03:57:13.183

Reputation: 22 162

FYI I have never downloaded a single piece of pirated software. As a developer myself I am strongly against such practices and would appreciate it if you didn't accuse me of them. – Niet the Dark Absol – 2012-01-09T06:03:29.733

@Kolink Appologies, removed the comment – Canadian Luke – 2012-01-09T08:16:43.360

Answer accepted, because it just happened again (I wasn't even doing anything at the time, just idling) and this answer helped a lot. btw, can anyone tell me how to track the source of an exe? Windows can ("Downloaded form the Internet" / "CD-DVD" / "Hard drive on local machine" etc) so can I? – Niet the Dark Absol – 2012-01-13T00:36:06.203

That would be another question, but it's basically from the ADS (Alternate Data Stream). I don't know how much info it stores though – Canadian Luke – 2012-01-13T00:51:46.750

Asked: 2012-01-09T03:57:13.183

Viewed: 1 612 times

Active: 2012-01-09T08:16:06.497