
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM

When a system is infected, one of the symptoms may be that executables fail to run. Any virus or malware scanner you have downloaded may trigger an error when you try to run it, you may be told that the file is infected, or it may simply not open.

This happens because some malware (particularly variants of Bagle and the TDSS rootkit) blocks programs from installing and executing. If you have already tried the .exe file association registry fixes and they didn't resolve the issue, you need some other options.

This article describes simple workarounds that will let you run those tools.

As mentioned, malware and rootkits can block security programs from running, so when you download the tools you will need to give them a different name before saving them to your desktop.
Renaming a file after it has been downloaded will not work: these nasties can immediately detect and block your attempt to rename the file, or even block the download itself.
If you are using another PC to download the file and transferring it on a USB drive, rename the file before inserting or connecting the USB drive to the infected PC.

In most cases [URL="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]ComboFix[/URL] only needs to be renamed once. However, as some programs, such as the rogue "antivirus" trojans, get more advanced ('Windows Police Pro', for example), you may need to rename ComboFix to CF.bat before saving the file to your desktop. Make sure 'Save as Type:' is set to "All Files."

Also, in some cases with [URL="http://www.malwarebytes.org/mbam-download.php"]MalwareBytes[/URL] you need to rename it twice:

1.  Prior to downloading the file/before saving it to your desktop; and,
2.  After installation, by going to its directory, locating mbam.exe and renaming it.


NOTE: In case I haven't made it clear enough: it is important to rename the file before saving to your desktop (before in contact with the infected PC)! Renaming it after it's been downloaded just doesn't work if Bagle or TDSS rootkit are present.

You might also want to check for the presence of the TDSS driver:

1.  Go to the Control Panel.
2.  Select System -> Hardware -> Device Manager.
3.  Select View from the menu, then "Show hidden Devices".
4.  Expand "Non Plug and Play Drivers".
5.  Right click on the TDSSserv.sys driver, select Properties, then Stop and Disable it.
6.  If asked to restart the computer, select No.
7.  Also disable these other variants if found: seneka*, gao*, UAC*, geyek*, ytasfw*, etc. Variants of these rootkits evolve all the time.

Some variants of rogue antivirus (e.g. SystemSecurity) run a random-number process from the Application Data folder (it will look like 4283411.exe or 3251452.exe) which monitors any program trying to load. When you try to open or run a program it will be flagged as infected. It blocks every executable except critical system files.

To bypass the block you can download Process Explorer and rename it to svchost.exe or winlogon.exe (which makes it look like one of those critical system files) and then run it. You can then locate the SystemSecurity random number process and kill it. You should be able to run MalwareBytes or ComboFix afterwards.
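As an added example (not part of the original article), the following read-only PowerShell script performs the two checks described above: it lists loaded drivers whose names start with the rootkit prefixes the article names (TDSSserv, seneka, gao, UAC, geyek, ytasfw), and it lists all-digit-named executables under the Application Data folder and any running process with such a name. It assumes PowerShell is available on the suspect machine; the function names are my own.

```powershell
# Added example, not the article's own tool. Read-only: it reports, it does not
# stop or delete anything. Assumes PowerShell 2.0 or later on the suspect PC.
# Driver name prefixes are the ones named in the article; extend as needed.
$driverPrefixes = @('TDSSserv', 'seneka', 'gao', 'UAC', 'geyek', 'ytasfw')

function Find-SuspiciousDrivers {
    # Win32_SystemDriver includes the kernel drivers that Device Manager only
    # shows under "Show hidden Devices" -> "Non Plug and Play Drivers".
    Get-WmiObject -Class Win32_SystemDriver | Where-Object {
        $name = $_.Name
        # -like is case-insensitive, so "UAC*" also matches "uacd" style names
        @($driverPrefixes | Where-Object { $name -like "$($_)*" }).Count -gt 0
    } | Select-Object Name, State, StartMode, PathName
}

function Find-NumericNameExecutables {
    param([string]$Root = $env:APPDATA)
    # Rogue AV droppers such as SystemSecurity use an all-digit file name
    # (e.g. 4283411.exe) under the user's Application Data folder.
    Get-ChildItem -Path $Root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Find-NumericNameProcesses {
    # Same naming pattern, but for what is currently running.
    Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } |
        Select-Object Id, ProcessName, Path
}

"== Drivers matching known rootkit name prefixes =="
Find-SuspiciousDrivers | Format-Table -AutoSize
"== All-digit executables under $env:APPDATA =="
Find-NumericNameExecutables | Format-Table -AutoSize
"== Running processes with all-digit names =="
Find-NumericNameProcesses | Format-Table -AutoSize
```

If the rogue process blocks powershell.exe itself, the same renaming trick the article describes for Process Explorer applies to a saved copy of the script host; the Id column gives you the process to stop once identified.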

Recently, malware and rootkits have begun patching system files and tampering with permissions; in those situations no amount of renaming will help, as these need a different approach. You would need to run a certain diagnostic tool to help us determine which system files are being patched and replace them before security programs can run. So far those diagnostic tools have mostly not been targeted, so I'll keep their names out of this article.

If you think this is your situation, please Ask A Question in the Virus and Spyware Zones and we'll be there to assist you.


*** UPDATE: ***

Instead of registry fixes for file associations and renaming tools, you can simply run this excellent tool by maliprog first, especially when the system has lots of issues, e.g. file associations are broken, desktop shortcuts and the Start menu are hidden, or utilities are disabled; this tool will take care of those.
Download TheKiller by maliprog
http://maliprog.geekstogo.com/explorer.exe

Note that "TheKiller" is already renamed as explorer.exe.
Double click on it (if running Vista or Windows 7, right click on it and select "Run as Administrator").
Press OK when the program has finished.
Do not restart your system after this step. Then run other tools such as MalwareBytes, TDSSKiller or ComboFix.

NOTE: If malware blocks TheKiller from running please try to run it again.