Vista AntiVirus 2011 - Removal killed all exe files?!

osaddict London, UK
edited July 2011 in Science & Tech
Tried to remove following this guide:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

I couldn't run MBAM after clicking the reg file and adding it, so I logged in as myself, rather than the user, ran MBAM and deleted the resulting (1) file.

Asked the dude to log in under his user profile, which worked but for some reason you can't run a single EXE file - nothing - not notepad, anything. They all come up with the prompt 'which program should be used to run this program' as if the PC can't handle exe files or every exe has had its extension removed?

Anyone got any ideas for a fix because right now it's looking like a morning rebuild at this rate...

Comments

  • kryyst Ontario, Canada
    edited March 2011
    If you log in as yourself do the exe's work? If so I'd say delete the user account and recreate it. It's highly possible the file type index got messed up for them. If it doesn't even work for you, you can try and repair it running sfc /scannow or doing a Windows repair install.
  • osaddict London, UK
    edited March 2011
    kryyst wrote:
    If you log in as yourself do the exe's work? If so I'd say delete the user account and recreate it. It's highly possible the file type index got messed up for them. If it doesn't even work for you, you can try and repair it running sfc /scannow or doing a Windows repair install.

    Yeah, if I log in it's A okay. That thought struck me on the way home, and I quickly tried to Google it on my phone! - It's bad I know but I've never had to delete a domain account's user profile from a PC before.

    It's Vista, I assume I'll be able to find some guide on Google pretty easily?

    I guess when that's done it's as if it's a new PC for the user - so Outlook config again etc. Luckily there's a spare PC nearby.

    I'd love to know how these gits get through. The PC is running Kaspersky Workstation Anti-Virus and Windows Defender was running :/ (despite it not even being necessary I guess)
  • Annes Tripped Up by Libidos and Hubris Alexandria, VA Icrontian
    edited March 2011
    I believe that this particular baddie is just a .exe in the user's directory. Try C:\users\username - there might be a gibberishly-named .exe there that you can delete. If not, probe a bit deeper into the user's profile, maybe \appdata\local and see if you can find it. After you find it and remove it you should be able to run some scans in safe mode to make sure everything is a-ok.
  • kryyst Ontario, Canada
    edited March 2011
    If it's a PC on a domain, deleting the user and recreating it is pretty simple.

    Log on as admin. Go to the c:\users folder and move the user's folder out of there to some other place (make a c:\hold folder for example). Reboot the machine then have the user log on and it'll recreate their account.

    Then you'll have to go and set up some programs like Outlook for example and maybe set up their printers. Then just copy back the contents of their Documents and Favorites from the hold file to their new user. If you aren't using Exchange then you'll have to import their pst file back into Outlook as well.
  • osaddict London, UK
    edited March 2011
    Ahh, well it's sorted but I did it a different way! - I went to System --> Advanced --> User Profiles and deleted the person's profile from there. This did whinge at me that not everything was deleted, which concerned me slightly, however, a reboot and logging in as the user seemed to work.

    Once this was done I simply recreated the user's Exchange account with Auto Discover (so 2 second job). We re-direct 'my documents' to our server and tell people not to save on desktops. I did look on the desktop before I killed the profile and there wasn't anything there.

    I was tempted to go down the delete route actually as you mention but it seemed too simple - like it would not go far enough.

    Oh well, seems to be okay now. The user's been using it all day with no complaints so far.

    I'm still perplexed as to how something like this gets through when the PC has Kaspersky and Defender (both updated) running. The person had about 6 Firefox tabs open (yes, Firefox not IE!) all of which were Fund Manager websites - so not Russian Warez or something obviously dodgy!

    Thanks for the help as always everyone :)
  • Tushon I'm scared, Coach Alexandria, VA Icrontian
    edited March 2011
    For future info, at my job, we just rename their existing profile folder to %name%.old. They still have all the security access to it, and a whole new profile gets created.
  • osaddict London, UK
    edited March 2011
    It would seem that both of these methods are quicker than going through the process I did! - It took ages even for the OS to load the list of local profiles, then the (incomplete) delete took a little while too.

    If/when I encounter this in the future I think I'll skip the method I used last time :D

    Thanks
  • edited July 2011
    http://www.dougknox.com/xp/file_assoc.htm GREAT SITE TO FIND REG FIXES FOR EXTENSION FILES. I would keep these on a usb
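
The symptom in this thread (EXEs open for the admin but prompt "which program should be used" for one user) can be confirmed from the registry before a profile is deleted. The following is an added example, not posted by anyone in the thread: a read-only check that assumes PowerShell 2.0 or later, is run in the affected user's session, and compares against the Windows defaults `exefile` and `"%1" %*`; the function names are made up for this example.

```powershell
# Added example: report machine-wide and per-user .exe association state.
# Read-only: nothing is written to the registry.
$DefaultProgId  = 'exefile'   # Windows default ProgID for .exe
$DefaultCommand = '"%1" %*'   # Windows default open command for exefile

function Get-DefaultValue([string]$Path) {
    # Return the key's (Default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-ExeAssociation {
    foreach ($root in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        $perUser = $root -like 'HKCU*'
        $progId  = Get-DefaultValue "$root\.exe"

        # Follow whatever ProgID .exe points to; fall back to exefile if unset.
        $lookup = $DefaultProgId
        if ($progId) { $lookup = $progId }
        $command = Get-DefaultValue "$root\$lookup\shell\open\command"

        # A clean per-user hive normally has no .exe override at all,
        # so "absent" is acceptable there but not in the machine hive.
        $progOk = ($progId -eq $DefaultProgId) -or ($perUser -and $null -eq $progId)
        $cmdOk  = ($command -eq $DefaultCommand) -or ($perUser -and $null -eq $command)

        New-Object PSObject -Property @{
            Hive        = $root
            ProgId      = $progId
            OpenCommand = $command
            Suspicious  = -not ($progOk -and $cmdOk)
        }
    }
}

Test-ExeAssociation |
    Select-Object Hive, ProgId, OpenCommand, Suspicious |
    Format-List
```

A `Suspicious : True` row for the HKCU hive only matches what was seen here: the machine-wide association is intact and the override lives in that one user's profile.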