Tip and Tricks to Get Malware Removal Tools to Work - 2012

Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below.

1. Malware is blocking your specific application's name.

Since many of the common tools have fixed names - they may be blocked by the malware. Try renaming the applications executable name from (MalwareBytes example) 'mbam.exe' to 'virus.com'
Occasionally this will work and you can launch your executable as a malicious .com file type. Be sure to set it back when you are done

2. Malware is blocking all applications.

It is more common for malware to block all applications (and tell you that you are infected - while it itself is the infection). Try this: log off the current user. Now, log back in and press 'Ctrl'+'Alt'+'Del' repeatedly until you get the task manager. If you get it in time the malware will load after you have brought the task manager up. If you are familiar with the names that are non-malicious you should be able to easily identify the malware. Usually named with random numbers and letters from 8 – 14 characters long (fjh2efhn9.exe) You can end the process and search for the file – then delete it. While the primary infection may be gone I strongly recommend you download and run a tool like MalwareBytes to clean up the remnant files and registry entries.
You may be successful in bringing up the task manager, but as soon as the malware loads it may terminate the task manager. If that occurs I recommend pulling the hard drive out and cleaning up the infection with the hard drive attached in an external enclosure on another machine.

3. Malware has broken the .exe file type

If when you go to launch an executable file you receive the dialog box ‘open file type with’ that means the malware has removed or changed the registry entry the tells Windows how to open executable files. The following is a registry fix that will correct that. Please note that changing entries in the registry is dangerous and can potentially corrupt your Windows install (although I have never had a problem with this entry)

Open notepad and type, or copy and paste the following:

[HKEY_CLASSES_ROOT\.exe]
                      @="exefile"
                      "Content Type"="application/x-msdownload"
                      [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
                      @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
                      [HKEY_CLASSES_ROOT\exefile]
                      @="Application"
                      "EditFlags"=hex:38,07,00,00
                      "TileInfo"="prop:FileDescription;Company;FileVersion"
                      "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
                      [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
                      @="%1"
                      [HKEY_CLASSES_ROOT\exefile\shell]
                      [HKEY_CLASSES_ROOT\exefile\shell\open]
                      "EditFlags"=hex:00,00,00,00
                      [HKEY_CLASSES_ROOT\exefile\shell\open\command]
                      @="\"%1\" %*"
                      [HKEY_CLASSES_ROOT\exefile\shell\runas]
                      [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
                      @="\"%1\" %*"
                      [HKEY_CLASSES_ROOT\exefile\shellex]
                      [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
                      @="{86C86720-42A0-1069-A2E8-08002B30309D}"
                      [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
                      [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
                      @="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
                      [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
                      @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
                      [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
                      @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Select all Open in new window

Save the file as ‘Exe-fix.reg’ and run the file. This will restore the executable files to working condition.

4. Current variants of malware may hide all of the files on your computer.

There is an easy command you can run to unhide these files. Open the command prompt: ‘Start’ > ‘Run’ > ‘CMD’ and hit ‘enter.  Now type in the following command: ‘attrib –h C:*.* /s /d’
This will unhide all files and folders on your C:\ drive. Repeat if necessary on other drive letters. Type attrib /? If you would like to see other options. The ‘*.*’ indicates all files as it is ‘wildcard file name . wildcard file type’.
We have found that the malware that hides the files on the computer also moves the ‘Start Menu’ items. The Start Menu items are typically moved to the user’s local temp folder. You can reach this by typing ‘%temp%’ in the title bar (where you usually see C:\Users\User Name\). Most often the files are in a folder  beginning with the letters ‘S’ or ‘SE’. Search those few folders and you should be able to find and restore them.

Conclusion

Malware is constantly evolving and finding new ways to block people from being able to remove them. I am positive I will be adding to this in the future or writing more articles with new tips and tricks regarding the future variants of malware. I am always open to input as to what others have found works as well! If you have any input, commnets, or suggestions, please leave them in the comment section below!