
Virus/Spyware that removes file associations

Discussion in 'Malware and Virus Removal Archive' started by nouturn20, 2005/05/02.

Thread Status:
Not open for further replies.
  1. 2005/05/02
    nouturn20

    nouturn20 Inactive Thread Starter

    Joined:
    2005/05/02
    Messages:
    3
    Likes Received:
    0
    My younger brother lives in CA and I live in TX so I cannot help him first hand. He has Windows XP Pro SP2. So far 3 times after reformatting and using his computer for 7-10 days he gets a severe virus/spyware that goes in and removes the file associations for .com, .exe, .pif, .reg, .scr, .bat and .lnk. Not being able to be there and not being able to send him a .bat or a .reg file (he can't open them) to fix the problem, he just reformats, which makes it very hard on him considering he has had to re-activate XP Pro with MS several times in the last month. After each time I increased his security level. The first time he was just running Norton Antivirus Corp v9. Then I added Spybot (v1.3 w/latest defs) and Ad-Aware (SE v1.05 Pro w/latest defs) and taught him how to scan with them. Then after the second time I made sure Ad-Watch was loaded and told him not to allow any suspicious changes, but he did anyway. Here is the Ad-Watch log for all of the reg entries he allowed:

    Ad-Watch Logfile, exported on 4/30/2005
    Total number of events:51
    ===============================================
    4/30/2005 12:39:18 PM - Definitions file SE1R40 20.04.2005 loaded successfully.
    Build:SE1R40 20.04.2005
    Total Signatures :37523
    Target Families :650
    Target Categories :6
    CSI data Size :55284

    File Size :1395231

    ===============================================
    4/30/2005 12:39:18 PM - Sites file loaded.
    Sites file loaded successfully.
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\sites.txt
    Total entries : 3229

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\regfile\shell\open\command
    Value:
    Data:
    New Data:regedit.exe "%1 "

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\lnkfile\CLSID
    Value:
    Data:
    New Data:{00021401-0000-0000-C000-000000000046}

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Classes\exefile\shell\open\command
    Value:
    Data:
    New Data: "%1" %*

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.com
    Value:
    Data:
    New Data:comfile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.scr
    Value:
    Data:
    New Data:scrfile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.bat
    Value:
    Data:
    New Data:batfile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.pif
    Value:
    Data:
    New Data:piffile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.reg
    Value:
    Data:
    New Data:regfile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.lnk
    Value:
    Data:
    New Data:lnkfile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.exe
    Value:
    Data:
    New Data:exefile

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Value:postBootReminder
    Data:
    New Data:{7849596a-48ea-486e-8937-a2a3009f31a9}

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value:dontdisplaylastusername
    Data:
    New Data:0

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoDriveTypeAutoRun
    Data:
    New Data:145

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:ForceClassicControlPanel
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value:AppInit_DLLs
    Data:
    New Data:

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:DiskeeperSystray
    Data:
    New Data: "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe "

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:AIM
    Data:
    New Data:C:\Program Files\AIM\aim.exe -cnetwait.odl

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Search
    Value:SearchAssistant
    Data:
    New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Default_Page_URL
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    ===============================================
    4/30/2005 12:42:17 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\SearchUrl
    Value:provider
    Data:
    New Data:

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Local Page
    Data:
    New Data:C:\WINXP\system32\blank.htm

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Start Page
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Default_Search_URL
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Search
    Value:CustomizeSearch
    Data:
    New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:NeroFilterCheck
    Data:
    New Data:C:\WINXP\system32\NeroCheck.exe

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoSMConfigurePrograms
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value:legalnoticecaption
    Data:
    New Data:

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Value:CDBurn
    Data:
    New Data:{fbeb8a05-beee-4442-804e-409d6c4515e9}

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Classes\.exe
    Value:Content Type
    Data:
    New Data:application/x-msdownload

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Search Page
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Search Page
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:ccApp
    Data:
    New Data: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoInternetIcon
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value:legalnoticetext
    Data:
    New Data:

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Value:WebCheck
    Data:
    New Data:{E6FB5E20-DE35-11CF-9C87-00AA005127ED}

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Local Page
    Data:
    New Data:%SystemRoot%\system32\blank.htm

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:vptray
    Data:
    New Data:C:\PROGRA~1\SYMANT~1\VPTray.exe

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoSharedDocuments
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value:shutdownwithoutlogon
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Value:SysTray
    Data:
    New Data:{35CEC8A3-2BE6-11D2-8773-92E220524153}

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Internet Explorer\Main
    Value:Start Page
    Data:
    New Data:http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:Smapp
    Data:
    New Data:C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:ClearRecentDocsOnExit
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value:undockwithoutlogon
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_LOCAL_MACHINE
    Key:Software\Microsoft\Windows\CurrentVersion\Run
    Value:AWMON
    Data:
    New Data: "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe "

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoRecentDocsMenu
    Data:
    New Data:1

    ===============================================
    4/30/2005 12:42:18 PM - Registry modification detected
    Root:HKEY_CURRENT_USER
    Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value:NoSaveSettings
    Data:
    New Data:0

    He has since reformatted (repartitioned, full reformat with NTFS) and will inevitably get this problem again. I wish to know what virus/spyware program this is in particular so I can permanently block it with a hotfix or something of that nature. He honestly isn't savvy enough to know which entries to allow and which to block and I do not want him to call me every time it pops up. Any help would be greatly appreciated.
     
    Last edited: 2005/05/02
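The log above is the evidence the thread is asking about, and the "New Data" values it records for the .exe, .com, .pif, .reg, .scr, .bat and .lnk keys are the stock ones. As an added example (not code from the thread, from Lavasoft or from any project named here), the script below parses a log in that export format and flags any of those association keys whose new value departs from the stock value, so that a reviewer does not have to read fifty entries by hand. The embedded sample log is constructed in the same format; its last entry is made up to show an emptied .pif association, which is the symptom the post describes.

```python
import re
from dataclasses import dataclass

# Stock values for the keys the thread is about, taken from the benign entries
# in the Ad-Watch log above (Windows XP defaults). Matching is case-insensitive
# and an empty Value name means the key's (Default) value.
EXPECTED = {
    r"software\classes\.exe": "exefile",
    r"software\classes\.com": "comfile",
    r"software\classes\.pif": "piffile",
    r"software\classes\.reg": "regfile",
    r"software\classes\.scr": "scrfile",
    r"software\classes\.bat": "batfile",
    r"software\classes\.lnk": "lnkfile",
    r"software\classes\exefile\shell\open\command": '"%1" %*',
    r"software\classes\regfile\shell\open\command": 'regedit.exe "%1"',
}

@dataclass
class Event:
    when: str
    root: str
    key: str
    value: str
    new_data: str

def normalize(data):
    # The export in the thread leaves a space before a closing quote
    # ('regedit.exe "%1 "'); drop it so we compare the command, not the export.
    return re.sub(r'\s+"(?=\s|$)', '"', data.strip())

def parse_events(log_text):
    """Split the log at its '=====' separators and keep the registry events."""
    events = []
    for block in re.split(r"^=+\s*$", log_text, flags=re.M):
        head = re.search(r"^\s*(.+?) - Registry modification detected\s*$", block, re.M)
        if head is None:
            continue  # banner, definitions or sites-file blocks carry no key
        fields = dict(re.findall(r"^\s*(Root|Key|Value|New Data):(.*)$", block, re.M))
        events.append(Event(when=head.group(1).strip(),
                            root=fields.get("Root", "").strip(),
                            key=fields.get("Key", "").strip(),
                            value=fields.get("Value", "").strip(),
                            new_data=normalize(fields.get("New Data", ""))))
    return events

def audit(events):
    """Return (severity, event, note). ALERT: a key that decides how programs,
    scripts or shortcuts open no longer holds its stock value."""
    findings = []
    for ev in events:
        k = ev.key.lower()
        if k in EXPECTED and ev.value == "":
            want = EXPECTED[k]
            if ev.new_data == want:
                findings.append(("OK", ev, f"stock value {want!r}"))
            else:
                findings.append(("ALERT", ev, f"expected {want!r}, got {ev.new_data!r}"))
        elif k.startswith("software\\classes\\"):
            findings.append(("INFO", ev, "file-class key outside the baseline; review"))
        else:
            findings.append(("INFO", ev, "not an association key"))
    return findings

def alerts(findings):
    return [f for f in findings if f[0] == "ALERT"]

# Constructed sample in the Ad-Watch export format; the last entry is made up
# to show an emptied association, which is what the thread describes.
SAMPLE_LOG = r"""Ad-Watch Logfile (constructed sample)
===============================================
4/30/2005 12:42:17 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\regfile\shell\open\command
Value:
Data:
New Data:regedit.exe "%1 "
===============================================
4/30/2005 12:42:17 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.exe
Value:
Data:
New Data:exefile
===============================================
4/30/2005 12:42:18 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:ccApp
Data:
New Data: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
===============================================
4/30/2005 12:42:19 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.pif
Value:
Data:
New Data:
"""

if __name__ == "__main__":
    for sev, ev, note in audit(parse_events(SAMPLE_LOG)):
        print(f"{sev:5} {ev.root}\\{ev.key} [{ev.value or '(Default)'}] {note}")
```

Run against the real log in the post, every association entry comes back OK, which is the same conclusion the replies below reach by eye; the value of the script is that a later log from the same machine can be checked the same way in seconds, and any ALERT line names the exact key to restore.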
  2. 2005/05/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS nouturn20 :)

    I see nothing in that log that shouldn't be. Could he possibly do an online virus scan, say with RAV (there are others available, I just like RAV), when this problem occurs, to verify some foul play?
     


  4. 2005/05/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I see nothing odd in there, either.
    For right now, I would advise your brother to deny anything if he himself did not install or update any program or do a visit to windows update.
    What you may be interested in is Microsoft Anti-Spyware Beta, which has a process that monitors system changes such as you describe and automatically will stop changes to those file extension associations.
    When it detects something legit and recognized as safe, it is automatically allowed, and he is notified of this by a window that acts something like a Tooltip, it appears and then goes away without user intervention.
    Anything unrecognized will cause the user to be prompted as to what to do. If something is allowed by the user, it will log what was done, and by what program.
    http://www.microsoft.com/athome/security/spyware/software/default.mspx
     
  5. 2005/05/03
    nouturn20

    nouturn20 Inactive Thread Starter

    Joined:
    2005/05/02
    Messages:
    3
    Likes Received:
    0
    On his machine I removed NAV Corp 9 and installed Norton Antivirus 2005 as well as MS Antispyware Beta and Trojan Hunter v4.2. He really isn't smart enough to know when to block the pop-ups and when to allow them. He would download a program that is spyware and MS Antispyware would pop up and say block or allow and he would say allow because he just opened a file that he wants, so telling him not to allow unless he just installed a program wouldn't do any good. I'm hoping NAV 2005 along with Trojan Hunter v4.2, Spybot, Ad-Aware and MS Antispyware will be enough to remedy the problem. The only thing is he is using a god awful amount of resources just to get online. I only upgrade at Service Pack level since I hate downloading and installing 20 some odd hotfixes between service packs. He has Service Pack 2 installed but no Windows updates after that. I am in particular looking for a virus or spyware name so I can apply that one patch because it seems one of the sites he goes to a lot is putting it on his machine. Any leads on a virus name or family? Also, if he cannot run any programs that are .exe, .bat, .com, .pif, .reg, .inf, .scr, .lnk, how am I supposed to get into the registry to correct the problem? I cannot scan with Ad-Aware or Spybot or any virus scanners. I cannot use IE to use an online scan. Pretty much the system is hosed to the point of no return. Am I right in assuming this?
     
  6. 2005/05/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    EXEfix08 will fix the EXE associations.
    You can install everything in the world, and none of this will override the user saying "YES, INFECT ME", or "change my associations".
    There are quite a few critical updates released since SP2, he needs them.
    I have no leads on a virus or trojan name, then again he is apparently saying YES to everything, not caring what happens, as you save him from himself. I would let him learn a lesson and stop assisting him on this. I do like to help someone who needs and wants it, but...

    If you want to limit the online infection, see that IEspyads link below? Get it. Go into Internet Options\Security, click on the Restricted icon and then select Custom Level and set EVERYTHING to disable. Then unzip the download, and double click the IE-ads.Reg file and let it merge into the registry. What this does is put a few thousand sites into the Restricted Zone, preventing 99% of infections. He won't get the prompt for something to download and install if one of these sites is called on.
     
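The IE-ads.Reg file described above works by writing entries under Internet Explorer's ZoneMap key, which assigns each listed domain to zone 4, the Restricted sites zone, so that the zone's locked-down Custom Level applies to it. As an added example (not IE-SPYAD's own code and not from the thread), the script below builds a .reg file of that shape from a domain list and reads one back to verify what it assigns, which is a sensible check before merging a third-party list. The domain names are constructed; the assumption that a host splits into its last two labels plus a leading part is the simple form of the ZoneMap layout and does not special-case multi-part suffixes such as .co.uk.

```python
import re

# Per-user zone map; the same key exists under HKEY_LOCAL_MACHINE for all users.
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
RESTRICTED = 4  # zone ids: 1 local intranet, 2 trusted, 3 internet, 4 restricted

def zone_key(host):
    """ZoneMap files 'www.example.test' under Domains\example.test\www: the last
    two labels form the parent key and any leading labels become a subkey
    (assumption: no special handling of multi-part public suffixes)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable host name: {host!r}")
    key = DOMAINS_KEY + "\\" + ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return key

def build_reg(hosts):
    """Produce regedit 5.00 text assigning every host to the Restricted zone.
    The "*" value name covers all protocols (use "http"/"https" to narrow it)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for h in sorted(set(hosts)):
        lines += [f"[{zone_key(h)}]", f'"*"=dword:{RESTRICTED:08x}', ""]
    return "\r\n".join(lines)

def save_reg(path, text):
    # regedit exports version 5.00 files as UTF-16 LE with a BOM; write the same.
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)

def restricted_hosts(reg_text):
    """Read a .reg back and return the hosts it puts in zone 4, so a list can be
    inspected before it is merged."""
    hosts, current = set(), None
    prefix = DOMAINS_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        m = re.fullmatch(r"\[(.*)\]", line.strip())
        if m:
            k = m.group(1)
            current = k[len(prefix):] if k.lower().startswith(prefix) else None
            continue
        if current and re.fullmatch(r'"\*"=dword:0*4', line.strip(), re.I):
            parent, _, sub = current.partition("\\")
            hosts.add(f"{sub}.{parent}" if sub else parent)
    return hosts

# Constructed domain list; real lists such as IE-SPYAD run to thousands of entries.
SAMPLE_HOSTS = ["www.Example.test", "ads.example.test", "bad-tracker.test"]

if __name__ == "__main__":
    text = build_reg(SAMPLE_HOSTS)
    print(text)
    print("assigned to Restricted:", sorted(restricted_hosts(text)))
```

One caveat that matters for this thread: the poster later says his brother browses with Firefox, and ZoneMap is consulted only by Internet Explorer and by programs that embed its engine, so a Restricted Zone list protects IE-based browsing and nothing else.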
  7. 2005/05/04
    nouturn20

    nouturn20 Inactive Thread Starter

    Joined:
    2005/05/02
    Messages:
    3
    Likes Received:
    0
    I realize he needs to make his own mistakes to learn. I know that's how I learned. But when he calls me at 8pm his time, 10pm my time, and bugs me to help him I get upset. Soon he will learn to be more cautious about what he allows in. He doesn't use IE, he uses Firefox, but I do like the IE-SPYADS program and I intend on rolling it out to a few workstation PCs who are forced to use IE for some horrible reasons. MS releases a new hotfix every 3 days it seems and he is on a slow dial-up connection and because of that I have automatic updates off so it doesn't just download the updates when he is trying to browse. I have no intention of updating the OS at any other level (on my machine) than SP level but if it does continue to happen I may recommend it to him. Thanks for your help.
     
