• Status: Solved
  • Priority: Medium
  • Security: Public

Can't run .exe .lnk or .com files

Here is a challenge that has been left to linger before. Six months have passed. Are we wiser today?...

I have exactly the same problem as seen before in the question with almost the identical title (this text is from the former e-mail):

" Booted PC and all shortcuts and program menu items have icons changed to default icons and names changed to *.lnk, etc.  Double clicking shortcut or .exe or .com file invokes the windows dialog box 'Windows cannot open this file' and invites an association to be defined.

PC seems OK otherwise.  Some program (e.g. Outlook) shortcuts not modified.  Can run some programs by 'backdoor'; e.g. can run IE6 by clicking on the 'web' option in the 'cannot open file' dialog box."

This question was never answered with a working solution!

Seems to be the result of a serious virus attack. BOOM! Black screen... (not blue). Autoreboot. And suddenly almost nothing works. Antivirus and Firewall were in place and working when it happened ?!?

There are worms that do this kind of thing. But I have never seen anything as bad as this:

cannot run exe-files
cannot run com-files
cannot run reg-files
cannot run .lnk-files (they are pointing in the wrong "direction"..)

Will not boot to ANY of the safe modes (restarts automatically) - not even command prompt.

I tried the solutions to the sirc-worm, but they cannot be used because renaming exe-files to com does not work.

There are no system... sam... hives... files that I trust to be in working condition.

The upside: I can make dual boot to WIN98. And I can boot to WIN98 floppy. And I am NOT using the NTFS file system. I can log-on as a user or administrator and I can go to the internet with iExpl. or Mozilla.

For now I have moved the hard drive to another machine and made sure there is no (longer? any) virus present (checked, double checked, 3x, 4x...).

What I need is to be able to edit the registry from a working machine or disk setup and somehow reset the registry to its "default" settings. Just getting to edit the registry would be a great first move!

Would really, really, really hate to have to do a clean reinstall on this machine.

Right now downloading a Linux .iso file so I can at least save the data.

Too bad you don't have WinXP as the other system; it is possible to do "offline" registry editing in WinXP directly with Regedit, but I don't believe it is possible in Win98  (however, I am away from a Win98 machine right now so cannot say for sure...) Anyway, try this:

Windows Registry File Viewer 2.0  
 Viewer for standalone files containing Windows registry hives (e.g. NTUSER.DAT, SYSTEM.1ST, SAM, etc.).
It features extended registry searching, registry dumping and exporting to REGEDIT4 format and detailed key information including security (NT) and hash values.
For NT registry value of type REG_RESOURCE_LIST here's Resource information in Data View.
 Target platforms
 MS Windows 9x, MS Windows ME, MS Windows NT 4.x, MS Windows 2000, MS Windows XP, MS Windows Server 2003
What you download is a program called wrf_trial.exe.  I haven't yet had a  chance to try it.  Don't know if you can do editing; from the name alone, it seems you can only view, export, etc.  However, if you can export, then you can edit the exported registry file in a regular text editor like Notepad, then try importing back into the affected registry...
maiaibing (Author) commented:
OK-I can reach out and feel those bytes crawling - thank you very much for the tip.

I am now looking at the different system files.

I can export the different file info from the viewer by sending it to a "dump"-file that reflects the information in the system file. But I only get this ".dmp"-file, that I can save and read in Notebook - but which is a txt-only file.

1) How do I transform the txt-info to a new registry system file?
2) Which are the files I need to make sure to "clean out" (that is: what are ALL the names of the files that make up the info I see in RegEdit)? I have covered the SYSTEM and SAM files so far.
maiaibing (Author) commented:
IMPORTANT! It also says I can export to REGEDIT4 file format. Maybe that can help out in creating a usable file for editing in Notebook in order to make new XP system files?
maiaibing (Author) commented:
Suddenly thought this could be my solution:

"Accepted Answer from CrazyOne
Date: 10/04/2003 09:55PM PDT

Open regedit
Click on the HKEY_LOCAL_MACHINE hive
Go to menu File > Load Hive
And look for and load all or selected hives from the...
If they are XP hives TheDrive\WINDOWS\system32\config
If they are Win2000 hives TheDrive\WINNT\system32\config

and these are the hives


I also have the dead system HDD mounted on another XP machine now and can read the disk's files. But the solution above does not seem to work for me, because when I try to access the SYSTEM hive in G:\windows\system32\config\ I get an "access denied" error message.

Am I missing something?
All right, now that you are editing the offline registry on an XP machine, I will quote below what I copied and edited from several answers by an XPert named OBdA:

Boot up in a parallel copy of XP.


If the information you want to access was in HKEY_CURRENT_USER: Highlight HKEY_USERS, choose "Load hive" from the File menu, open

C:\Documents and settings\<UserProfileName>\ntuser.dat.

When asked for a name, choose "OldProfile" (or whatever other easily remembered name you choose).  Access/backup the keys you're interested in. Once you're done, highlight the "OldProfile" key, choose "Unload hive" from the file menu.

If the information you want to access was in HKEY_LOCAL_MACHINE\System or in HKEY_LOCAL_MACHINE\Software: Highlight HKEY_LOCAL_MACHINE, choose "Load hive" from the File menu, open




(no extension). When asked for a name, choose "OldSystem" or "OldSoftware" (or whatever). Access/backup the keys you're interested in. Once you're done, highlight the "OldSystem" or "OldSoftware" key, choose "Unload hive" from the file menu.
If you are getting access denied, you may have to try this:

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
maiaibing (Author) commented:
Thanks - I'm at it just now.

Now sure it was a virus. The default exefile key has been changed (and then some).

Maybe something new? It defeats all worm/trojan tools I have found on the net so far, like Symantec's reset registry default tool.

It has even removed the right click option of installing non-exe/com-files!

maiaibing (Author) commented:
I am closing this question now. Although it was not solved I give LeeTutor 500 pts. for getting me almost across the finishing line. In the end I could not evaluate whether or not I had cleaned out all possible changes made by the virus in the various registry files. So I went for a complete reinstall.

The only way I could get all the way into the registry file was through a bootable Linux disk called - and made by - "Knoppix". Great tool!

On 16 September (about a week after the attack) Microsoft set out a security update that should take care of the problem for now. However I have still to see any anti-virus site post a tool that can handle this kind of attack...
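
Added example, not part of the original thread: a check for the "default exefile key has been changed" symptom, run against a REGEDIT4 text export of the offline SOFTWARE hive (for instance one loaded as "OldSoftware" as described above). It assumes the export is plain REGEDIT4 text; the sample export, the `example-dropper.exe` path and the function names are constructed for illustration.

```python
import re

# Known-good default "open" commands for executable file classes on Windows XP.
EXPECTED = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
}
KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches ...\Classes\<class>\shell\open\command at the end of a key path.
CMD_KEY_RE = re.compile(r"\\Classes\\([^\\]+)\\shell\\open\\command$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def unescape(s):
    # REGEDIT4 string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_hijacked(export_text):
    """Return [(class, command)] where the default open command is not the expected one."""
    findings, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:  # new key section: remember the file class if it is an open-command key
            k = CMD_KEY_RE.search(m.group(1))
            current = k.group(1).lower() if k else None
            continue
        d = DEFAULT_RE.match(line)
        if d and current in EXPECTED:
            value = unescape(d.group(1))
            if value.lower() != EXPECTED[current].lower():
                findings.append((current, value))
    return findings

# Constructed sample export; hive name and dropper path are placeholders.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\OldSoftware\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\example-dropper.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\OldSoftware\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in find_hijacked(SAMPLE):
        print(f"{cls}: unexpected open command: {cmd}")
```

A clean result here only covers these five classes; it does not show that the rest of the hive is unmodified.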