IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM

When a system is infected, one of the symptoms might be the failure to run executables. Any virus or malware scanner that you've downloaded and try to run may trigger an error, you may be alerted that the file is infected, or it might simply not open.

This happens because some malware (particularly variants of Bagle and the TDSS rootkits) blocks programs from installing and executing. If you've already tried the .exe file association registry fixes and they didn't resolve the issue, you need other options.


This article describes simple workarounds so you'll be able to run those tools.

As mentioned, malware and rootkits can block security programs from running, so when you download the tools, you will need to rename them to a different name before saving their files to your desktop.
Renaming the file after it has been downloaded will not work, as these nasties can immediately detect and block your attempts to rename the file, or even block the download itself.
If you are using another PC to download the file and transferring it via a USB drive, you need to rename the file before inserting or connecting the USB drive to the infected PC.

In most cases ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) only needs to be renamed once. However, as some programs such as the rogue "antivirus" trojans get more advanced ('Windows Police Pro', for example), you may need to rename ComboFix to CF.bat before saving the file to your desktop. Make sure the 'Save as Type:' is "All Files."

Also, in some cases with MalwareBytes (http://www.malwarebytes.org/mbam-download.php) you need to rename it twice:

1.  Prior to downloading the file/before saving it to your desktop; and,
2.  After installation, by going to its directory, locating mbam.exe and renaming it.


NOTE: In case I haven't made it clear enough: it is important to rename the file before saving it to your desktop (before it comes into contact with the infected PC)! Renaming it after it's been downloaded just doesn't work if Bagle or a TDSS rootkit is present.

You might also want to check for the presence of the TDSS driver:

1.  Go to the Control Panel.
2.  Select System -> Hardware -> Device Manager.
3.  Select View from the menu, then "Show hidden devices".
4.  Expand "Non Plug and Play Drivers".
5.  Right-click the TDSSserv.sys driver, select Properties, then Stop and Disable it.
6.  If asked to restart the computer, select No.

Also disable these other variants if found: seneka*, gao*, UAC*, geyek*, ytasfw*, etc. Variants of these rootkits evolve all the time.

Some variants of rogue antivirus (e.g. SystemSecurity) have a randomly numbered process running from the Application Data folder (it will look like 4283411.exe or 3251452.exe) which monitors any program trying to load. When you try to open or run a program, it will be flagged as infected. It blocks every executable except critical system files.

To bypass the block you can download Process Explorer and rename it to svchost.exe or winlogon.exe (which makes it look like one of those critical system files) and then run it. You can then locate the SystemSecurity random number process and kill it. You should be able to run MalwareBytes or ComboFix afterwards.

Recently, malware and rootkits have begun patching system files and messing with permissions; in those situations no amount of renaming will help, as these need a different approach. You would need to run a certain diagnostic tool to help us determine which system files are being patched and replace them before security programs are able to run. So far those diagnostic tools have mostly not been targeted, so I'll keep their names out of this article.

If you think this is your situation, please Ask A Question in the Virus and Spyware Zones and we'll be there to assist you.


*** UPDATE: ***

Instead of registry fixes for file associations and renaming tools, you can just run this excellent tool by maliprog first, especially when the system has lots of issues (e.g., file associations are borked, desktop shortcuts and the Start menu are hidden, or utilities are disabled); this tool will take care of those.
Download TheKiller by maliprog:
http://maliprog.geekstogo.com/explorer.exe

Note that "TheKiller" is already renamed as explorer.exe.
Double-click on it (if running Vista or Windows 7, right-click on it and select "Run as an Administrator").
Press OK when the program has finished.
Do not restart your system after this step. You can then run other tools like MalwareBytes, TDSSKiller or ComboFix.

NOTE: If malware blocks TheKiller from running please try to run it again.
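As an added example (not from the original article or its author), the PowerShell audit below automates the two checks described above: the hidden-driver check for TDSSserv and the variant names listed, and the search for a numeric-named process running from Application Data. It only reports what it finds; the driver and process name patterns are taken from the article and are assumptions, not a complete signature set.

```powershell
# Added audit script, not part of the original article. Read-only: it only
# reports the two indicators the article has you look for by hand.
# Assumptions: PowerShell 2.0+ with WMI; the name patterns are the ones the
# article lists and are illustrative, not an exhaustive rootkit signature set.

# 1. Drivers (including the non-PnP ones Device Manager hides by default)
#    whose service name matches the families named in the article.
$driverPatterns = @('^TDSSserv', '^seneka', '^gao', '^UAC', '^geyek', '^ytasfw')

function Get-SuspectDrivers {
    Get-WmiObject Win32_SystemDriver | Where-Object {
        $name = $_.Name
        @($driverPatterns | Where-Object { $name -match $_ }).Count -gt 0
    } | Select-Object Name, State, StartMode, PathName
}

# 2. Processes whose image lives under Application Data (roaming or local)
#    and whose name is purely numeric, e.g. 4283411.exe, the pattern the
#    article gives for the SystemSecurity rogue. Path is $null when the
#    process cannot be opened, so it is checked first.
function Get-SuspectAppDataProcesses {
    $appDataDirs = @([Environment]::GetFolderPath('ApplicationData'),
                     [Environment]::GetFolderPath('LocalApplicationData'))
    Get-Process | Where-Object {
        $p = $_.Path
        $p -and $_.ProcessName -match '^\d+$' -and
        @($appDataDirs | Where-Object {
            $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    } | Select-Object Id, ProcessName, Path
}

$drivers = @(Get-SuspectDrivers)
$procs   = @(Get-SuspectAppDataProcesses)

if ($drivers.Count -eq 0 -and $procs.Count -eq 0) {
    Write-Host 'No driver or process matched the patterns from the article.'
}
if ($drivers.Count -gt 0) {
    Write-Host 'Drivers matching the listed rootkit names (stop/disable via Device Manager):'
    $drivers | Format-Table -AutoSize
}
if ($procs.Count -gt 0) {
    Write-Host 'Numeric-named processes running from Application Data:'
    $procs | Format-Table -AutoSize
}
```

On a machine where the block is still active, powershell.exe may itself be refused, so this is most useful for confirming what you are dealing with and for re-checking the system after cleanup.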
30 Comments
 
LVL 38

Expert Comment

by:lherrou
Great article, it got my YES vote above.
0
 
LVL 54

Expert Comment

by:b0lsc0tt
Great article!  Thanks for all the information in one place for this issue.  Luckily it doesn't seem to be something I run into a lot with malware problems, but the cases above can be especially nasty and frustrating.  The steps and advice will really help avoid some of that (if not all).  I am especially glad you emphasized the need for renaming BEFORE downloading or copying the file to the computer.  I hadn't really thought of that and it is such an obvious key to getting those steps to work. :)

Thanks for the article and your time and expertise making it.

bol
0
 
LVL 47

Author Comment

by:rpggamergirl
And thank you for the Yes vote lherrou, :)


Hi bol,

Thanks for your input and the Yes vote.


Additional info:

Kaspersky has released a tool, TDSSKiller, which supposedly takes care of all TDSS variants. It might be a good idea to run this one first in case it's only the TDSS that is blocking the apps from running.

TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.


How to remove malware belonging to the family Rootkit.Win32.TDSS
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
LVL 18

Expert Comment

by:Ravi Agrawal
One more Yes vote to your kitty from me. One more tool which I keep with me is the "Enable Registry Tool". It is a Visual Basic applet which toggles the value of the registry variable that manages access to regedit, as many of those nasties disable access to the Windows registry. You need to log off / restart to enable regedit.

Rename the file to regtools-enable-regedit.vbs

Ravi.
regtools-enable-regedit.vbs.txt
0
 
LVL 72

Expert Comment

by:Qlemo
grtraders,

While it's a good idea to have that script at hand, I prefer the simple approach of using a prepared .REG file. For the VBS code, I would definitely allow for providing a switch on commandline for on/off, or one script for each on and off.
0
 
LVL 38

Expert Comment

by:younghv
Another big ol' yes here.
I think I'm just going to save these links in a spreadsheet and start posting them in questions.
Instead of being a 'Google Monkey', I'll be the first "EE Monkey".

Thanks for all the work on these rpg - really solid material and advice.
Vic
0
 
LVL 72

Expert Comment

by:Qlemo
Forgot to press YES! Of course the article was helpful.
0
 
LVL 47

Author Comment

by:rpggamergirl
grtraders,

Thanks, but somehow your vote was 'gone with the wind'; it was not logged.

Thank you for your input. I didn't go as far as providing any fix to enable regedit, as this article is mainly about bypassing the blocks so scanners are able to run. Usually registry editing is not necessary if scanners like MBAM and ComboFix are able to run. Though I agree with Qlemo, I'm a fan of reg files, :)


And thank you younghv and Qlemo for your comments and the Yes votes, :)

"EE monkey" ....we are now monkeys? lol
0
 

Expert Comment

by:djoscar
whoops sorry about that! It was my son, i can't leave him near my pc...
Sorry.
0
 
 

Administrative Comment

by:younghv
djoscar:
Not a problem - kids will be kids.
I deleted that comment for you and please feel free to 'Vote' on this question (if you haven't already).

younghv
Page Editor
0
 
LVL 18

Expert Comment

by:Ravi Agrawal
Lol : pressed the Yes Button again for once more. See this Post-

http://www.experts-exchange.com/Community_Support/General/Q_24970827.html

Ravi.
0
 
LVL 47

Author Comment

by:rpggamergirl
Hi Ravi,

I'm sorry for your trouble.
I do believe that you pressed the Yes button... it's probably just a bug.
By the way, thanks!
0
 
LVL 32

Expert Comment

by:DrDamnit
Got my 'yes'.

The renaming process explorer to svchost.exe is brilliant!
0
 
LVL 27

Expert Comment

by:michko
Got a yes vote from me also.

I've recently started using a program called "Process Hacker" instead of the old Sysinternals Process Explorer.  So far I've found it extremely useful.  Everything Process Explorer has, and then some.  The link below is to the PCWorld article where I first ran across it.  Just thought you may be interested.

http://www.pcworld.com/downloads/file/fid,80648/description.html?tk=nl_ddx_t_dlfeat

0
 
LVL 12

Expert Comment

by:jazzIIIlove
Will be a classic in time. You have my 'Yes'.
0
 
LVL 47

Author Comment

by:rpggamergirl
michko,

Thanks for the Yes vote and for sharing the info on that tool, much appreciated.
It's great to know that another good tool is available when needed.

DrDamnit, jazzIIIlove, and to all who voted Yes... Thank you, :)
0
 
LVL 3

Expert Comment

by:samithsukumar
Good work.. rp

0
 
LVL 47

Author Comment

by:rpggamergirl
Thank you for the Yes vote samithsukumar.

Malware Expert Raktor has created a tool that also works with these rogues.
I'd use this first, especially if the .exe file association is messed up and Registry Editor, Task Manager, Folder Options, etc. are disabled.

McAfee and some resident antivirus may flag this as a risk tool so you may just have to disable resident antivirus shield.

Please download exeHelper to your desktop.
http://www.raktor.net/exeHelper/exeHelper.com

Double-click on exeHelper.com to run the fix.
0
 
LVL 3

Expert Comment

by:samithsukumar
My AV  is taking this file as Worm.
0
 
LVL 47

Author Comment

by:rpggamergirl
<<<"My AV  is taking this file as Worm.">>>

Just a false positive detection; it is not a worm, the file is clean. It's common for some antivirus products to flag a legit tool as a virus or risk tool. It has happened to well-known tools like HijackThis, SDFix, SmitfraudFix etc. Just turn off your AV shield.
0
 
LVL 12

Expert Comment

by:acl-puzz
The easiest fix for this problem is http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip, and there are many fixes there for other file associations as well.
0
 

Expert Comment

by:dhahnbgrdc
Thank you for posting this...  I'm going to try the steps right now on a laptop that I cannot run any .exes on.

Much appreciated.

dph
0
 
LVL 47

Author Comment

by:rpggamergirl
dph,

I didn't get the alert that you posted.

Anyway, let me know if I can be of help.
0
 

Expert Comment

by:valdezf
very good post. just learned something new. Thanks!
0
 
LVL 27

Expert Comment

by:Jonvee
As is usually the case, your article is both helpful and informative!
Definitely a 'yes' vote.
0
 
LVL 1

Expert Comment

by:Tigzy
Hello

You can also rename files with an analogous extension, such as .com or .scr.
When renaming tools, choose system names like "winlogon", "explorer", etc.


0
 
LVL 47

Author Comment

by:rpggamergirl
valdezf, Jonvee,

Thanks for your comments and the 'Yes' votes.
It's really good to see positive feedback on my article.



Hi Tigzy,

Thank you for your input, much appreciated.
Welcome to Experts-Exchange!
0
 

Expert Comment

by:calavera44
Hiya,

This article is incredibly great.  I encounter viruses, especially the Police Pro type as well as TDSS infections, frequently in my job as a network engineer.  I have used your information many times, and to see it all together in an article is so helpful.  Recently, I used the GParted software to eliminate an infection that created a tiny 2 MB partition from which the PC was booting.

The client actually paid with credit card thinking it was a legitimate Microsoft thing.  OMG, I could not believe that;  but I've seen that happen before.  Anyway, your help in the whole scheme of virus removal has made my job much easier.  Keep up the good work!

John A
0
 
LVL 47

Author Comment

by:rpggamergirl
Hi John,

Yes, those families of rogues/fake security programs are so convincing that some users actually get conned by them.

Fake security software and TDSS/TDL/ZeroAccess rootkits are now common; not so long ago a 64-bit system was so secure that rootkits couldn't infect it, but that's all in the past now. Makes me wonder what new variant these malware writers will come up with next.

I'm glad you find this article helpful.
Thanks.
0
 

Expert Comment

by:awsumken
Going to spend some time tonight trying to digest all of this stuff, and hopefully tomorrow will be ready to make this thing go away. Thanks to all for their inputs and assistance.

Ken
0
