
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM

rpggamergirl
When a system is infected, one of the symptoms might be the failure to run executables. Any virus or malware scanners that you've downloaded and try to run may trigger an error, you may be alerted that the file is infected, or it might just not open.

This happens because some malware (particularly variants of Bagle and the TDSS rootkits) blocks programs from installing and executing. If you've already tried .exe file association registry fixes and they didn't resolve the issue, you need some other options.


This article describes simple workarounds so you'll be able to run those tools.

As mentioned, malware and rootkits can block security programs from running, so when you download the tools, you will need to rename them to a different name prior to saving their files to your desktop.
Renaming the file after it has been downloaded will not work as these nasties can immediately detect and block your attempts to rename the file, or even block the download itself.
If you use another PC to download the file and transfer it via a USB drive, rename the file before inserting or connecting the USB drive to the infected PC.

In most cases ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) only needs to be renamed once. However, as some programs, such as the rogue "antivirus" trojans, get more advanced ('Windows Police Pro', for example), you may need to rename ComboFix to CF.bat prior to saving the file to your desktop. Make sure the 'Save as type:' is set to "All Files."

Also, in some cases with MalwareBytes (http://www.malwarebytes.org/mbam-download.php) you need to rename it twice:

1.  Prior to downloading the file/before saving it to your desktop; and,
2.  After installation, by going to its directory, locating mbam.exe and renaming it.


NOTE: In case I haven't made it clear enough: it is important to rename the file before saving it to your desktop (before it comes in contact with the infected PC)! Renaming it after it's been downloaded just doesn't work if Bagle or a TDSS rootkit is present.

You might also want to check for the presence of the TDSS driver.
Go to the Control Panel.
Select System -> Hardware -> Device Manager.
Select View from the Menu, then "Show hidden Devices".
Expand "Non Plug and Play Drivers".
Right click on the TDSSserv.sys driver and select Properties, Stop and Disable it.
If asked to restart the computer, Select No.
Also disable these other variants if found: seneka*, gao*, UAC*, geyek*, ytasfw*, etc.; variants of these rootkits evolve all the time.

Some variants of rogue antivirus (e.g. SystemSecurity) have a process with a random numeric name running from the Application Data folder (it will look like 4283411.exe or 3251452.exe) that monitors any program trying to load. When you try to open or run a program it will be flagged as infected. It will block every executable except critical system files.

To bypass the block you can download Process Explorer and rename it to svchost.exe or winlogon.exe (which makes it look like one of those critical system files) and then run it. You can then locate the SystemSecurity random number process and kill it. You should be able to run MalwareBytes or ComboFix afterwards.
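As an added defender-side illustration (not part of the original article), the two indicators above can be checked programmatically: driver/service names matching the rootkit name patterns listed earlier (TDSSserv, seneka*, gao*, UAC*, geyek*, ytasfw*), and a process image that is an all-digit .exe under Application Data. The sample names and paths are constructed; the prefix list is an assumption taken from the article's examples and will not catch renamed variants, and "AppData" is added as an assumed newer folder name.

```python
import re

# Name prefixes the article lists for the TDSS rootkit family (TDSSserv,
# seneka*, gao*, UAC*, geyek*, ytasfw*). Assumption: a prefix match is enough
# to flag a driver for a closer look; variants with other names are missed.
ROOTKIT_NAME_PREFIXES = ("tdssserv", "seneka", "gao", "uac", "geyek", "ytasfw")

# Folder names treated as "Application Data": the XP-era name from the
# article plus the newer "AppData" (the latter is an assumption).
APPDATA_DIR_NAMES = {"application data", "appdata"}


def suspicious_driver_names(names):
    """Return driver/service names that start with a known rootkit prefix."""
    return [n for n in names if n.lower().startswith(ROOTKIT_NAME_PREFIXES)]


def is_random_number_exe(path):
    """True if the image is an all-digit .exe (e.g. 4283411.exe) inside Application Data."""
    parts = re.split(r"[\\/]+", path.strip())
    if len(parts) < 2:
        return False
    in_appdata = any(p.lower() in APPDATA_DIR_NAMES for p in parts[:-1])
    return in_appdata and re.fullmatch(r"\d+\.exe", parts[-1], re.IGNORECASE) is not None


def rogue_process_paths(paths):
    """Return image paths that look like a SystemSecurity-style random-number process."""
    return [p for p in paths if is_random_number_exe(p)]


# Constructed sample data standing in for a Device Manager / process listing.
SAMPLE_DRIVERS = ["Beep", "TDSSserv.sys", "mnmdd", "senekaxyz.sys", "gameport",
                  "UACabcd.sys", "ytasfwqrs.sys", "Null"]
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\User\Application Data\4283411.exe",
    r"C:\Documents and Settings\User\Application Data\Mozilla\updater.exe",
    r"C:\Program Files\Process Explorer\procexp.exe",
    r"C:\Users\User\AppData\Roaming\3251452.exe",
]

if __name__ == "__main__":
    print("Suspicious drivers:", suspicious_driver_names(SAMPLE_DRIVERS))
    print("Rogue processes:", rogue_process_paths(SAMPLE_PROCESSES))
```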

Recently, malware and rootkits have begun patching system files and tampering with permissions; in those situations no amount of renaming will help, as these need a different approach. You would need to run a certain diagnostic tool to help us determine which system files are being patched, and replace them before security programs are able to run. So far those diagnostic tools have mostly not been targeted, so I'll keep their names out of this article.

If you think this is your situation, please Ask A Question in the Virus and Spyware Zones and we'll be there to assist you.


*** UPDATE: ***

Instead of registry fixes for file associations and renaming tools, you can run this excellent tool by maliprog first, especially when the system has lots of issues (e.g., file associations are broken, desktop shortcuts and the Start menu are hidden, or utilities are disabled); this tool will take care of those.
Download TheKiller by maliprog
http://maliprog.geekstogo.com/explorer.exe

Note that "TheKiller" is already renamed to explorer.exe.
Double click on it (if running Vista or Windows 7, right click on it and select "Run as Administrator").
Press OK when the program has finished.
Do not restart your system after this step. You then run other tools like MalwareBytes, TDSSKiller or ComboFix.

NOTE: If malware blocks TheKiller from running please try to run it again.
Comments (29)

Commented:
Hello

You can also rename files with an analogue extension, such as .com ,  .scr
When renaming tools, choose system names like "winlogon", "explorer", etc...



Author

Commented:
valdezf, Jonvee,

Thanks for your comments and the 'Yes' votes.
It's really good to see positive feedback on my article.



Hi Tigzy,

Thank you for your input, much appreciated.
Welcome to Experts-Exchange!
Hiya,

This article is incredibly great.  I encounter viruses, especially the Police Pro type as well as TDSS infections, frequently in my job as a network engineer.  I have used your information many times and to see it all together in an article is so helpful.  Recently, I used the GParted software to eliminate an infection that created a tiny 2 MB partition from which the PC was booting.

The client actually paid with credit card thinking it was a legitimate Microsoft thing.  OMG, I could not believe that;  but I've seen that happen before.  Anyway, your help in the whole scheme of virus removal has made my job much easier.  Keep up the good work!

John A

Author

Commented:
Hi John,

Yes, that family of rogues/fake security programs is so convincing that some users actually get conned by them.

Fake security software and TDSS/TDL/ZeroAccess rootkits are now common; not so long ago a 64-bit system was so secure that rootkits couldn't infect it, but that's all in the past now. Makes me wonder what new variant these malware writers will come up with next.

I'm glad you find this article helpful.
Thanks.

Commented:
Going to spend some time tonight trying to digest all of this stuff, and hopefully tomorrow will be ready to make this thing go away. Thanks to all for their inputs and assistance.

Ken
