My Experiments with Life

August 17, 2011

Vista, Trojan and File Association issues

Filed under: Tech — alanabraham @ 4:16 am
Tags: , , ,

2:00 AM

Cellphone ring cracked into my sleep.  “ahh..aww Hello…!”

“Da, it’s me Nayana.”

“Ha.. What’s the matter?”

“Nothing, my Laptop got a virus infection”

“OKaaay….”

“Some Program called Vista Antivirus tells it detected viruses on my Laptop. No I can’t access web”

“It’s a fake application, a trojan”

“What shall I do?”

“Go to Symantec site and Get norton trial”, I told the easy way.

“I can’t access internet.”

“Okay. Then can you bring it next day.”

“Yeah, sure.”

Two days later. She called again,”I removed the trojan with AVG.”

“Good , fine.”

“But I can’t open any programs by double clicking.”

“What happens when you do that?”

“It shows some error.”

“What error?”

“File Type….blah blah.”

I tried explaining methods to remove them, but as she said the trojan was already removed by AV. I assumed some left over piece of worm or any OS problems caused by the trojan.“OK. Bring it next day.”

“Sure.”

 

Next Day.

She told me that she installed AVG followed by Malwarebytes’ Anti-malware. Now I have to diagnose it considering the modification done by the AVs also. After a brief analysis, I found it was some problem with file association and began to check the regular file association Tools->Options as in Windows XP. Sadly, Vista abstracted that features(Win 7 also). Now I need to sail through the registry. I guessed it should be somewhere near the shell\open option for exe and my memory on some earlier reg tests points to somewhere in HKEY_CLASSES_ROOT. Normal .exe option was seen to be inappropriate. But searching through, I got to the key HKEY_CLASSES_ROOT\exefile

All other options except ‘open’ in the right click menu were working like ‘run as administrator’ etc. Observing the key I found HKEY_CLASSES_ROOT\exefile\shell\open has no ‘command’ key inside whereas HKEY_CLASSES_ROOT\exefile\shell\runas and HKEY_CLASSES_ROOT\exefile\shell\runasuser. I created a command key inside open key with values as below.

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

which is same as in runas\command and runasuser\command.

Hurray, it worked.

Blog at WordPress.com.