I keep having to System Restore

Posted on

QUESTION :

Sorry the question title isn’t very helpful.

Anyway, every so often (week or so, irregular intervals) my computer just stops working properly. I get a program claiming to be something like “Win7 Security 2012”. It reads all of my files and marks random ones with random “virus” warnings. It hooks into .exe binaries and claims that they are keyloggers and trojans and should be deleted. If I happen to have a browser already open, it blocks all HTTP requests and claims that the site I’m trying to access contain malware.

The program is located in %LOCALAPPDATA% and has what appears to be three random letters (it changes each time and sometimes there’s two of them) followed by .exe. If I kill it in Task Manager (which I can only get to via Ctrl+Alt+Delete => Start Task Manager) it just comes back again. If I delete the file, I can no longer run .exes because it asks me what program to open them with (which is of course an infinite loop).

The only way I can fix this is to run System Restore. I’m assuming that it’s something in the registry that’s being restored.

Can someone please tell me how to make .exes run on their own again, and optionally find out where these .exes are coming from and how to block them in future? Bonus points if you can tell me if it’s possible (and if so how) to “protect” the .exe entry in the registry to stop it happening again.

ANSWER :

Seen it before. If you can pull out the hard drive and put it into another computer, delete the files in question from your %APPDATA%Local folder, which are probably hidden. Otherwise, start in Safe Mode with Networking. Download the .EXE fix (directions to create it from Microsoft are here). Once you apply that fix, you can run applications. Connect to the internet and download a program such as Malwarebytes Antimalware and run a scan (NOTE: Link is from Ninite to get the install right away). Do a full system scan, then you can restart your computer in normal mode

Leave a Reply

Your email address will not be published.