Solved

Can't run .exe .lnk or .com files

Posted on 2004-09-13
9
2,564 Views
Last Modified: 2012-05-05
Here's a challenge that has been left to linger before. Six months have passed. Are we wiser today?...

I have exactly the same problem as seen before in the question with almost the identical title (this text is from the former e-mail):

" Booted PC and all shortcuts and program menu items have icons changed to default icons and names changed to *.lnk, etc.  Double clicking shortcut or .exe or .com file invokes the windows dialog box 'Windows cannot open this file' and invites an association to be defined.

PC seems OK otherwise.  Some program (e.g. Outlook) shortcuts not modified.  Can run some programs by 'backdoor'; e.g. can run IE6 by clicking on the 'web' option in the 'cannot open file' dialog box."

This question was never answered with a working solution!

Seems to be the result of a serious virus attack. BOOM! Black screen... (not blue). Autoreboot. And suddenly almost nothing works. Antivirus and firewall were in place and working when it happened ?!?

There are worms that do this kind of thing. But I have never seen anything as bad as this:

cannot run exe-files
cannot run com-files
cannot run reg-files
cannot run .lnk-files (they are pointing in the wrong "direction"..)

Will not boot to ANY of the safe modes (restarts automatically) - not even command prompt.

I tried the solutions to the sirc-worm, but they cannot be used because renaming exe-files to com does not work.

There are no system... sam... hives... files that I trust to be in working condition.

The upside: I can make dual boot to WIN98. And I can boot to a WIN98 floppy. And I am NOT using the NTFS file system. I can log on as a user or administrator and I can go to the internet with iExpl. or Mozilla.

For now I have moved the hard drive to another machine and made sure there is no (longer? any) virus present (checked, double checked, 3x, 4x...).

What I need is to be able to edit the registry from a working machine or disk setup and somehow reset the registry to its "default" settings. Just getting to edit the registry would be a great first move!

Would really, really, really hate to have to do a clean reinstall on this machine.

Right now downloading a Linux .iso file so I can at least save the data.

Question by:maiaibing
9 Comments
 
LVL 59

Expert Comment

by:LeeTutor
ID: 12050027
Too bad you don't have WinXP as the other system; it is possible to do "offline" registry editing in WinXP directly with Regedit, but I don't believe it is possible in Win98  (however, I am away from a Win98 machine right now so cannot say for sure...) Anyway, try this:

http://www.mitec.cz/regtools.htm#RFV
Windows Registry File Viewer 2.0

Description
Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).
It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry values of type REG_RESOURCE_LIST there is Resource information in Data View.

Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware

LVL 59

Expert Comment

by:LeeTutor
ID: 12050045
What you download is a program called wrf_trial.exe.  I haven't yet had a  chance to try it.  Don't know if you can do editing; from the name alone, it seems you can only view, export, etc.  However, if you can export, then you can edit the exported registry file in a regular text editor like Notepad, then try importing back into the affected registry...
LVL 1

Author Comment

by:maiaibing
ID: 12058417
OK-I can reach out and feel those bytes crawling - thank you very much for the tip.

I am now looking at the different system files.

I can export the different file info from the viewer by sending it to a "dump" file that reflects the information in the system file. But I only get this ".dmp" file, that I can save and read in Notebook - but which is a txt-only file.

1) How do I transform the txt info to a new registry system file?
2) Which are the files I need to make sure to "clean out" (that is: what are ALL the names of the files that make up the info I see in RegEdit)? I have covered the SYSTEM and SAM files so far.
0
 
LVL 1

Author Comment

by:maiaibing
ID: 12058496
IMPORTANT! It also says I can export to REGEDIT4 file format. Maybe that can help out in creating a usable file for editing in Notebook in order to make new XP system files?
LVL 1

Author Comment

by:maiaibing
ID: 12058740
Suddenly thought this could be my solution:

"Accepted Answer from CrazyOne
Date: 10/04/2003 09:55PM PDT

Open regedit
Click on the HKEY_LOCAL_MACHINE hive
Go to menu File > Load Hive
And look for and load all or selected hives from the...
If they are XP hives TheDrive\WINDOWS\system32\config
If they are Win2000 hives TheDrive\WINNT\system32\config

and these are the hives
default
SAM
SECURITY
software
system"

---

I also have the dead system HDD mounted on another XP machine now and can read the disk's files. But the solution above does not seem to work for me, because when I try to access the SYSTEM hive in G:\windows\system32\config\ I get an "access denied" error message.

Am I missing something?
LVL 59

Accepted Solution

by:
LeeTutor earned 500 total points
ID: 12060571
All right, now that you are editing the offline registry on an XP machine, I will quote below what I copied and edited from several answers by an XPert named OBdA:

Boot up in a parallel copy of XP.

Open REGEDIT

If the information you want to access was in HKEY_CURRENT_USER: Highlight HKEY_USERS, choose "Load hive" from the File menu, open

C:\Documents and settings\<UserProfileName>\ntuser.dat.

When asked for a name, choose "OldProfile" (or whatever other easily remembered name you choose).  Access/backup the keys you're interested in. Once you're done, highlight the "OldProfile" key, choose "Unload hive" from the file menu.

If the information you want to access was in HKEY_LOCAL_MACHINE\System or in HKEY_LOCAL_MACHINE\Software: Highlight HKEY_LOCAL_MACHINE, choose "Load hive" from the File menu, open

C:\Windows\system32\config\system

or

C:\Windows\system32\config\software

(no extension). When asked for a name, choose "OldSystem" or "OldSoftware" (or whatever). Access/backup the keys you're interested in. Once you're done, highlight the "OldSystem" or "OldSoftware" key, choose "Unload hive" from the file menu.
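The "Load hive" procedure above, scripted, as an added example that is not part of the thread or of LeeTutor's answer: it mounts the offline SOFTWARE hive with reg.exe (the same operation regedit performs from File > Load Hive), audits the .exe/.com/.lnk/.reg association keys the question reports as broken against the defaults of a stock Windows XP install, and with -Repair writes those defaults back before unloading. The drive letter G: is taken from the thread; the mount name 'OldSoftware', the parameter names and the expected-value table are assumptions made for this example. Like the regedit steps, it must run from an elevated session on the working machine, and it will fail with "access denied" if the hive file's ACL blocks the account, which is what the permissions KB article linked below addresses.

```powershell
# Added example (not from the thread): script the "Load hive" step of the
# accepted answer, then audit the file-association keys the question says
# were hijacked. Run from an elevated PowerShell on the working machine.
# $HivePath assumes the dead disk is mounted as G: (as in the thread); the
# mount name 'OldSoftware' is an arbitrary label, as in the answer above.
param(
    [string]$HivePath  = 'G:\Windows\system32\config\software',
    [string]$MountName = 'OldSoftware',
    [switch]$Repair                 # without -Repair the script only reports
)

# Known-good (Default) values for a stock Windows XP install. HKCR is a merged
# view of HKLM\SOFTWARE\Classes, and the offline SOFTWARE hive holds the
# machine half of it under "Classes\...".
$Expected = @{
    'Classes\.exe'                       = 'exefile'
    'Classes\.com'                       = 'comfile'
    'Classes\.lnk'                       = 'lnkfile'
    'Classes\.reg'                       = 'regfile'
    'Classes\exefile\shell\open\command' = '"%1" %*'
    'Classes\comfile\shell\open\command' = '"%1" %*'
    'Classes\regfile\shell\open\command' = 'regedit.exe "%1"'
}

# Read a key's (Default) value from the mounted hive without expanding
# environment strings, so the raw "%1" %* text is compared as stored.
function Get-MountedDefault([string]$Key) {
    $item = Get-Item -LiteralPath "HKLM:\$MountName\$Key" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }       # key missing entirely
    $value = $item.GetValue('', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $item.Close()
    return $value
}

$loadOutput = & reg.exe load "HKLM\$MountName" $HivePath 2>&1
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed: $loadOutput" }

try {
    # Compare each key against its expected default and collect the findings.
    $findings = foreach ($key in $Expected.Keys) {
        $actual = Get-MountedDefault $key
        $status = if ($actual -eq $Expected[$key]) { 'ok' } else { 'MISMATCH' }
        [pscustomobject]@{ Key = $key; Expected = $Expected[$key]; Actual = $actual; Status = $status }
    }
    $findings | Sort-Object Status, Key | Format-Table -AutoSize

    if ($Repair) {
        foreach ($f in ($findings | Where-Object Status -eq 'MISMATCH')) {
            $path = "HKLM:\$MountName\$($f.Key)"
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -Path $path -Force | Out-Null   # recreate a deleted key
            }
            Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $f.Expected
            Write-Host "restored $($f.Key) -> $($f.Expected)"
        }
    }
}
finally {
    # The registry provider keeps handles open; release them or unload fails.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once without -Repair to see which keys differ; a value other than `"%1" %*` in exefile\shell\open\command (typically a path to some other executable that is then started in place of every program) is the footprint the question describes. Per-user overrides live in the profile's NTUSER.DAT under Software\Classes and under Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, so the same audit should be repeated against that hive, loaded under HKU as the answer above describes.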
LVL 59

Expert Comment

by:LeeTutor
ID: 12060581
If you are getting access denied, you may have to try this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
LVL 1

Author Comment

by:maiaibing
ID: 12068494
Thanks - I'm at it just now.

Now sure it was a virus. The default exefile key has been changed (and then some).

Maybe something new? It defeats all worm/trojan tools I have found on the net so far, like Symantec's reset registry default tool.

It has even removed the right-click option of installing non-exe/com files!

LVL 1

Author Comment

by:maiaibing
ID: 12097346
I am closing this question now. Although it was not solved I give LeeTutor 500 pts. for getting me almost across the finishing line. In the end I could not evaluate whether or not I had cleaned out all possible changes made by the virus in the various registry files. So I went for a complete reinstall.

The only way I could get all the way into the registry file was through a bootable Linux disk called - and made by - "Knoppix". Great tool!

On 16 September (about a week after the attack) Microsoft put out a security update that should take care of the problem for now. However I have still to see any anti-virus site post a tool that can handle this kind of attack...