Tuesday, March 9, 2010

Antivirus 2010

So I had a user get the malware known as Antivirus 2010. It was not prevented from running by our Trend Micro OfficeScan, but it was immediately destroyed after the install. Unfortunately, the user could not open any programs after this. She could, however, open a file, and the associated program would open up fine. I found this KB from Microsoft to help clean up this sort of thing, but that article was for the system-wide key. Our users are not admins, so they could not have changed that key, as evidenced by the fact that other users could use the computer fine. So I did a search in HKEY_CURRENT_USER for .exe and found HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command; its default value was set to "c:\somepath\av.exe" "%1" %*. So I deleted the av.exe part and changed the value back to "%1" %*.

Then I did a search on av.exe and found a few more entries that were very similar. Once those were all returned to "%1" %* and the computer was rebooted, the user was back in business.
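The per-user fix above works because HKEY_CURRENT_USER\Software\Classes is merged on top of HKEY_LOCAL_MACHINE\Software\Classes to form HKEY_CLASSES_ROOT, so a non-admin user can redirect .exe launches for their own profile without touching the machine-wide key. The script below is an added example (not the author's own steps and not a Microsoft tool) that automates the same search-and-restore: it walks every shell\open\command key in the current user's Classes hive, reports any default value that references the rogue executable, and, only when -Repair is given, puts the standard "%1" %* launch command back. The av.exe pattern and the idea of running it as the affected user are assumptions taken from the post; adjust the pattern if the dropped file has a different name.

```powershell
# Report (and optionally repair) per-user file-association hijacks of the
# kind described above: a shell\open\command default that routes through
# a rogue executable instead of the stock "%1" %*.
# Assumptions (not from any vendor documentation): run in the profile of
# the affected user so HKCU: is their hive; the pattern matches the file
# named in the post (av.exe). Without -Repair nothing is changed.
param(
    [string]$HijackPattern = 'av\.exe',   # regex for the rogue launcher
    [switch]$Repair                       # restore "%1" %* when set
)

$Root  = 'HKCU:\Software\Classes'
$Clean = '"%1" %*'                        # stock launch command for .exe
$found = @()

# Enumerate every ...\shell\open\command key under the user's Classes hive.
Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSChildName -eq 'command' -and $_.PSParentPath -match '\\shell\\open$'
    } |
    ForEach-Object {
        $key     = $_.PSPath
        $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($default -and $default -match $HijackPattern) {
            $found += [pscustomobject]@{ Key = $key; Before = $default }
            if ($Repair) {
                # Same change the post made by hand: drop the rogue path,
                # leave the "%1" %* argument passthrough.
                Set-ItemProperty -Path $key -Name '(default)' -Value $Clean
            }
        }
    }

if ($found.Count -eq 0) {
    Write-Output "No shell\open\command defaults under $Root match '$HijackPattern'."
} else {
    $found | Format-Table -AutoSize
    if ($Repair) {
        Write-Output "Restored $($found.Count) key(s) to $Clean. Log off or reboot so the shell picks up the change."
    } else {
        Write-Output "Run again with -Repair to restore these keys to $Clean."
    }
}
```

Run it first without -Repair to see exactly which keys would change; the list doubles as a record of what the malware touched. Because the script only reads and writes the current user's hive, it needs no elevation, which matches the situation in the post where the damage was confined to one profile.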
