VideoHelp Forum




  1. VH Wanderer Ai Haibara's Avatar
    Join Date
    Jan 2006
    Location
    Somewhere on VideoHelp...
    Argh. Well, first, let me make one thing clear - I'm obviously a complete idiot.

    Now that that's out of the way, here's my problem:

    A family member managed to get our Vista64 system infected with Vista Security Tool 2010, this evening, in a drive-by installation. In attempting to eradicate that, as it adds itself to the running of executables (.EXE), I found a .reg file that would reverse the changes (back to the original version). So, with the VST2010 exe killed, I right-clicked on the .reg file and merged it - yes, forgetting I should've opened regedit as admin and merged it from there.

    Of course, that didn't completely work, but I still rebooted anyway. Then, Windows didn't know what to do with .exe files. Somehow, and this is the part where I was REALLY an idiot, I somehow managed to get .exe files set to open in WordPad.

    It's mainly in the two non-admin accounts, though. I was able to repair it in the admin account, so THAT one is working correctly, as far as I can tell. But attempting to use System Restore (with restore points from the 17th and 15th) failed, for some reason.
    The second user account doesn't know what to do with .exes, either, but I don't want to make the same mistake I did with the main user account.

    So. What I'm asking, is if there's any OTHER way to fix this? A .com file, or .vbs? I have an .inf from one of those sources (one of the places that was offering a .reg) that'll supposedly do it, but attempting to run it throws an error that Windows doesn't know what to do with grpconv.exe (and who knows how many others). Or is there a way to fix the two user accounts from the admin account?

    And if I end up having to create a new user account, will the problems appear in the new account?

    This is probably the LAST time I'm going to attempt to manually fix a spyware/virus infection in Windows. Far, far too easy to royally screw everything up in the more recent versions of Windows.
    (and I STILL don't know why anything can happily run from an appdata folder without opposition from the anti- programs...)
    If cameras add ten pounds, why would people want to eat them?
  2. Always Watching guns1inger's Avatar
    Join Date
    Apr 2004
    Location
    Miskatonic U
    Back up your data, and blow it all away. We get a couple of infections by this thing (or a close variant - there are several around at any given time) a week, and there really is no way to get a system back to a fully working state and have any faith in it. Another good reason to take an image as soon as you have a clean, working install.
    Read my blog here.
  3. Man of Steel freebird73717's Avatar
    Join Date
    Dec 2003
    Location
    Smallville, USA
    Download and unzip this on a good computer, then use it on the computer with the problems.
    http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

    I've used this to fix those errors in xp. It will work with vista.
    Donadagohvi (Cherokee for "Until we meet again")
  4. Member hech54's Avatar
    Join Date
    Jul 2001
    Location
    Yank in Europe
    I had a variant of that the other day here on this computer (Win XP) and got rid of it with:
    First: SuperAntiSpyware, BootSafe to Safe Mode and scan/remove.
    Second (for good measure): MalwareBytes (starting it from the Programs folder because all shortcuts were disabled).
    Third: CCleaner - standard and registry cleaning

    I installed the virus myself via an e-mail executable. I know....DUMB...but I was fooled
    because the e-mail appeared to come from a company I had JUST dealt with (DHL - Deutsche Post).
  5. VH Wanderer Ai Haibara's Avatar
    Join Date
    Jan 2006
    Location
    Somewhere on VideoHelp...
    So far, it seems like I've managed to get it all back to normal. I had to promote (temporarily) the 'normal user' account to admin just to get it to apply the .reg, though. I used the winhelponline .reg, rather than the ones I'd already found, because it seemed fairly thorough (more than the others) and definitely included this fix. Thanks, everyone.

    guns1inger: I've only encountered three infections since the fake suite/tool problem began, and they were all more or less like the old joke/scare programs (such as the one that claims it's formatting drive C:, or whatever), just a bit more invasive. None of my scans turned up any additional open ports, things being sent or other crap left behind, though I KNOW that's no guarantee. And, I've changed all the passwords, of course.
    If cameras add ten pounds, why would people want to eat them?
  6. I would go to safe mode and run combofix. I betcha it will find something the others missed.
    tgpo famous MAC commercial, You be the judge?
    Originally Posted by jagabo
    I use the FixEverythingThat'sWrongWithThisVideo() filter. Works perfectly every time.
  7. Plus, remove your old AV and try a few new AV trials (NOD32, Avira) just to be sure there is nothing left.

    you can say for more opinions
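
An added example, not part of any post in this thread: a way to read a downloaded .reg file before merging it, reporting any line that would set the .exe handler to something other than the stock Windows value. The key paths and default values are the standard Windows ones and are not quoted from the thread; both sample files are constructed.

```python
import re

# Stock default ("@") values Windows uses to launch .exe files.
EXPECTED = {r"\.exe": "exefile", r"\exefile\shell\open\command": '"%1" %*'}
# The association can be set machine-wide or per user (the per-user copy wins).
ROOTS = ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
         r"HKEY_CURRENT_USER\Software\Classes")

def parse_reg(text):
    """Yield (key, name, value) per value line; value is None for a deletion."""
    key = None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[-?(.+)\]", line)
        entry = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if section:
            key = section.group(1)
        elif entry and key:
            name, raw = entry.group(1).strip('"'), entry.group(2)
            if raw == "-":
                raw = None  # "name"=- deletes the value
            elif raw.startswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\
            yield key, name, raw

def audit(text):
    """Return (key, value) for every line that sets a non-stock .exe handler."""
    findings = []
    for key, name, value in parse_reg(text):
        for root in ROOTS:
            if key.upper().startswith(root.upper() + "\\"):
                sub = key[len(root):].lower()
                if name == "@" and value is not None and EXPECTED.get(sub, value) != value:
                    findings.append((key, value))
    return findings

# Constructed samples: a repair file, and a file that reroutes .exe launches.
GOOD_FIX = r'''Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACK = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="examplefile"
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Example\\placeholder.exe\" /START \"%1\" %*"
'''
```

`audit(GOOD_FIX)` returns an empty list, while `audit(HIJACK)` returns both per-user entries. An empty result only says the file leaves the .exe handler at its stock value, not that the rest of the file is harmless.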