Windows 7: Executables will not run after malware removal

When I click on an executable or a shortcut from the start menu, etc. programs will not run. I saw that some people had issues like this with Windows XP but I did not want to try the XP fixes without asking questions first as this is Windows 7.

I have a machine with Fake-AV type symptoms. I ran Malwarebytes on it and the malware appears to be gone but I am left with the issue where clicking on an exe causes a dialog to ask what program should be used to open the file and iexplore is the suggested program. The problem only occurs in the profile of the user who was infected so I think there is some registry change that needs to be made.

I'm about ready to start comparing working registry to bad user registry to see if I can find any obvious issues. I have included the pertinent log bits below.


Thanks to anyone with pointers on how to restore the .exe functionality.

-Nate


--------------------------------------------------------------------------


Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Value: 1 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\JoeUser\AppData\Local\qjo.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\JoeUser\AppData\Local\qjo.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\JoeUser\AppData\Local\qjo.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\JoeUser\AppData\Local\css.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\JoeUser\AppData\Local\qjo.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

 

Excellent. Thanks for the link, that was the key piece I was looking for to resolve this issue.

Many thanks for sharing your knowledge.

Was there a particular item in the readme that you were directing me to, or is it just standard operating procedure to make sure everyone is well informed?

I would call my issue resolved.

Thanks again.

-Nate