Solved

Can't run .exe .lnk or .com files

Posted on 2004-09-13
9
2,576 Views
Last Modified: 2012-05-05
Here is a challenge that has been left to linger before. Six months have passed. Are we wiser today?...

I have exactly the same problem as seen before in the question with almost the identical title (this text is from the former e-mail):

" Booted PC and all shortcuts and program menu items have icons changed to default icons and names changed to *.lnk, etc.  Double clicking shortcut or .exe or .com file invokes the windows dialog box 'Windows cannot open this file' and invites an association to be defined.

PC seems OK otherwise.  Some program (e.g. Outlook) shortcuts not modified.  Can run some programs by 'backdoor'; e.g. can run IE6 by clicking on the 'web' option in the 'cannot open file' dialog box."

This question was never answered with a working solution!

Seems to be the result of a serious virus attack. BOOM! Black screen... (not blue). Autoreboot. And suddenly almost nothing works. Antivirus and firewall were in place and working when it happened?!?

There are worms that do this kind of thing. But I have never seen anything as bad as this:

cannot run exe-files
cannot run com-files
cannot run reg-files
cannot run .lnk-files (they are pointing in the wrong "direction"..)

Will not boot to ANY of the safe modes (restarts automatically) - not even command prompt.

I tried the solutions to the sirc-worm, but they cannot be used because renaming exe-files to com does not work.

There are no system... sam... hives... files that I trust to be in working condition.

The upside: I can make dual boot to WIN98. And I can boot to WIN98 floppy. And I am NOT using the NTFS file system. I can log on as a user or administrator and I can go to the internet with iExpl. or Mozilla.

For now I have moved the hard drive to another machine and made sure there is no (longer? any) virus present (checked, double checked, 3x, 4x...).

What I need is to be able to edit the registry from a working machine or disk setup and somehow reset the registry to its "default" settings. Just getting to edit the registry would be a great first move!

Would really, really, really hate to have to do a clean reinstall on this machine.

Right now downloading a Linux .iso file so I can at least save the data.

0
Comment
Question by:maiaibing
9 Comments
 
LVL 59

Expert Comment

by:LeeTutor
ID: 12050027
Too bad you don't have WinXP as the other system; it is possible to do "offline" registry editing in WinXP directly with Regedit, but I don't believe it is possible in Win98  (however, I am away from a Win98 machine right now so cannot say for sure...) Anyway, try this:

http://www.mitec.cz/regtools.htm#RFV
Windows Registry File Viewer 2.0

Description
Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).
It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry values of type REG_RESOURCE_LIST there is Resource information in Data View.

Target platforms
MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003

Status
Freeware
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 12050045
What you download is a program called wrf_trial.exe.  I haven't yet had a chance to try it.  Don't know if you can do editing; from the name alone, it seems you can only view, export, etc.  However, if you can export, then you can edit the exported registry file in a regular text editor like Notepad, then try importing back into the affected registry...
0
 
LVL 1

Author Comment

by:maiaibing
ID: 12058417
OK - I can reach out and feel those bytes crawling - thank you very much for the tip.

I am now looking at the different system files.

I can export the different file info from the viewer by sending it to a "dump" file that reflects the information in the system file. But I only get this ".dmp" file, which I can save and read in Notepad - but which is a txt-only file.

1) How do I transform the txt info to a new registry system file?
2) Which are the files I need to make sure to "clean out" (that is: what are ALL the names of the files that make up the info I see in RegEdit?) I have covered the SYSTEM and SAM files so far.
0
 
LVL 1

Author Comment

by:maiaibing
ID: 12058496
IMPORTANT! It also says I can export to REGEDIT4 file format. Maybe that can help out in creating a usable file for editing in Notepad in order to make new XP system files?
0
 
LVL 1

Author Comment

by:maiaibing
ID: 12058740
Suddenly thought this could be my solution:

"Accepted Answer from CrazyOne
Date: 10/04/2003 09:55PM PDT

Open regedit
Click on the HKEY_LOCAL_MACHINE hive
Go to menu File > Load Hive
And look for and load all or selected hives from the...
If they are XP hives TheDrive\WINDOWS\system32\config
If they are Win2000 hives TheDrive\WINNT\system32\config

and these are the hives
default
SAM
SECURITY
software
system"

---

I also have the dead system HDD mounted on another XP machine now and can read the disk's files. But the solution above does not seem to work for me, because when I try to access the SYSTEM hive in G:\windows\system32\config\ I get an "access denied" error message.

Am I missing something?
0
 
LVL 59

Accepted Solution

by:
LeeTutor earned 500 total points
ID: 12060571
All right, now that you are editing the offline registry on an XP machine, I will quote below what I copied and edited from several answers by an XPert named OBdA:

Boot up in a parallel copy of XP.

Open REGEDIT

If the information you want to access was in HKEY_CURRENT_USER: Highlight HKEY_USERS, choose "Load hive" from the File menu, open

C:\Documents and settings\<UserProfileName>\ntuser.dat.

When asked for a name, choose "OldProfile" (or whatever other easily remembered name you choose).  Access/backup the keys you're interested in. Once you're done, highlight the "OldProfile" key, choose "Unload hive" from the file menu.

If the information you want to access was in HKEY_LOCAL_MACHINE\System or in HKEY_LOCAL_MACHINE\Software: Highlight HKEY_LOCAL_MACHINE, choose "Load hive" from the File menu, open

C:\Windows\system32\config\system

or

C:\Windows\system32\config\software

(no extension). When asked for a name, choose "OldSystem" or "OldSoftware" (or whatever). Access/backup the keys you're interested in. Once you're done, highlight the "OldSystem" or "OldSoftware" key, choose "Unload hive" from the file menu.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 12060581
If you are getting access denied, you may have to try this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
0
 
LVL 1

Author Comment

by:maiaibing
ID: 12068494
Thanks - I'm at it just now.

Now sure it was a virus. The default exefile key has been changed (and then some).

Maybe something new? It defeats all worm/trojan tools I have found on the net so far, like Symantec's reset registry default tool.

It has even removed the right-click option of installing non-exe/com files!

0
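The hive-loading procedure in LeeTutor's accepted solution, the "access denied" on the hive file, and the tampered exefile key reported in the comment above, worked through as one example added here; it is not code from the thread or from any poster. It assumes the dead disk is mounted as G: on a modern Windows host (takeown and icacls; on XP the equivalent is cacls), an elevated PowerShell session, and that the mount name OldSoftware is arbitrary. The expected values are the stock Windows XP defaults for those keys.

```powershell
# Added example, not from the thread: mount the dead install's SOFTWARE hive
# offline, compare the file-type associations the malware rewrote against
# stock defaults, optionally repair them, and unload the hive again.
# Assumptions: dead disk mounted as G:, elevated PowerShell, modern host
# (takeown/icacls; on XP use cacls). 'OldSoftware' is an arbitrary mount name.

$HivePath  = 'G:\Windows\System32\config\SOFTWARE'
$MountName = 'OldSoftware'
$Root      = "HKLM:\$MountName"
$Classes   = "$Root\Classes"          # what the live system shows as HKCR

# 1. The "access denied" on the hive file comes from the dead install's NTFS
#    ACL, not from the hive itself: take ownership and grant yourself access.
takeown /F $HivePath | Out-Null
icacls  $HivePath /grant "$($env:USERNAME):F" | Out-Null

# 2. Keep a pristine copy, then load the hive under HKLM.
Copy-Item -Path $HivePath -Destination "$HivePath.bak" -Force
reg load "HKLM\$MountName" $HivePath | Out-Null

# 3. Stock XP defaults for the keys behind the thread's symptoms
#    (.exe/.com/.reg/.lnk no longer open). Keys are relative to HKCR.
$Expected = [ordered]@{
    '.exe'                       = 'exefile'
    '.com'                       = 'comfile'
    '.reg'                       = 'regfile'
    '.lnk'                       = 'lnkfile'
    'exefile\shell\open\command' = '"%1" %*'
    'comfile\shell\open\command' = '"%1" %*'
    'regfile\shell\open\command' = 'regedit.exe "%1"'
}

function Get-DefaultValue([string]$Path) {
    # Default (unnamed) value of a key, or $null if the key is missing.
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

$Report = foreach ($Key in $Expected.Keys) {
    $Actual = Get-DefaultValue (Join-Path $Classes $Key)
    [pscustomobject]@{
        Key      = $Key
        Expected = $Expected[$Key]
        Actual   = $Actual
        OK       = ($Actual -eq $Expected[$Key])
    }
}
$Report | Format-Table -AutoSize

# 4. A second place the same symptom is produced: a Debugger value under
#    Image File Execution Options transparently redirects the named program.
$IFEO = "$Root\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Get-ChildItem -Path $IFEO -ErrorAction SilentlyContinue | ForEach-Object {
    $Dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($Dbg) { [pscustomobject]@{ Program = $_.PSChildName; Debugger = $Dbg } }
} | Format-Table -AutoSize

# 5. Repair only after reviewing the report: restore the stock defaults.
$Repair = $false
if ($Repair) {
    foreach ($Row in ($Report | Where-Object { -not $_.OK })) {
        $Path = Join-Path $Classes $Row.Key
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name '(default)' -Value $Row.Expected
    }
}

# 6. Unload cleanly; drop PowerShell's handles first or the unload fails.
[gc]::Collect()
reg unload "HKLM\$MountName" | Out-Null
```

Two caveats a practitioner would want. First, per-user associations in HKCU\Software\Classes override the machine-wide ones, so load the profile's ntuser.dat under HKU the same way and check the same keys there. Second, a hive whose default values match stock is not proof the machine is clean, which is the reason the author ultimately reinstalled; the offline hive can also be opened from a Knoppix boot with chntpw's interactive editor (chntpw -e) if no working Windows host is available.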
 
LVL 1

Author Comment

by:maiaibing
ID: 12097346
I am closing this question now. Although it was not solved I give LeeTutor 500 pts. for getting me almost across the finishing line. In the end I could not evaluate whether or not I had cleaned out all possible changes made by the virus in the various registry files. So I went for a complete reinstall.

The only way I could get all the way into the registry file was through a bootable Linux disk called - and made by - "Knoppix". Great tool!

On 16 September (about a week after the attack) Microsoft set out a security update that should take care of the problem for now. However I have still to see any anti-virus site post a tool that can handle this kind of attack...
0
