Monday, June 13, 2011

.Exe files open the "Open With" dialog box

This is a common problem seen after removing some viruses.
The virus inserts itself into the registry as the default file handler
for .exe files.

Some people may recommend using system restore to revert
the registry to a date before the infection happened, but
you may not have a restore point that works, and you may
not know when you got infected (some malware will infect
then wait before becoming active).

I usually try to remove the problem manually first.

This usually requires some registry editing, but the default
registry editor is also an .exe file.

The workaround I use is to open a command prompt using
command.com (instead of cmd.exe), change to the
Windows directory, copy regedit.exe to regedit.com,
and then run regedit.com. Files with a .com extension still run
because only the .exe handler was changed.

I prefer to do this in "safe mode" because it prevents some other
annoyances caused by malware that has not been fully
removed. (Press F8 when starting up, choose "Safe Mode" from
the menu that appears, and if the login screen appears choose
the infected user profile.)

In XP, go to the Start button, choose Run, then type
command.com.

In Vista/7, click the Start orb (usually in the bottom left corner
of your screen) and type command.com.

In the black window that opens type the following:

cd \
cd windows
copy regedit.exe regedit.com
regedit.com

This should open the regedit program.
Search for the name of the infected file that was removed and
fix the registry keys that were modified. If you don't know
the file name, you can check the following key
and try to get the file name from it:
HKEY_CLASSES_ROOT\exefile\shell\open\command
The (Default) value should be:

"%1" %*

but the virus may change it to be:

virusname.exe "%1" %*

so you can search for virusname.exe (or whatever
the virus was calling itself).

You can also try to download the .reg fix and import it.
The fix is a text file with a .reg file extension,
and the XP version looks like this if you open it in Notepad:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

You can copy and paste the above text, save it as XP_exe_fix.reg, and import it
by going to File, then Import, in the regedit program.
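
The key check described above can also be run against a .reg file, either an export of the affected keys or a downloaded fix you want to inspect before importing. The Python below is an added example, not part of the original post; the function names and the sample export are constructed for illustration, and it assumes the file has already been read and decoded to text.

```python
import re

# Expected default (@) values, keyed by registry key suffix; taken from the
# XP fix file shown above.
EXPECTED = {
    r"\.exe": "exefile",
    r"\exefile\shell\open\command": '"%1" %*',
    r"\exefile\shell\runas\command": '"%1" %*',
}

def default_values(reg_text):
    """Map each [key] in .reg text to its unescaped default (@) string."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape " and \ as \" and \\
            values[key] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return values

def check_exe_handler(reg_text):
    """Return {key: (expected, found)} for watched keys that differ."""
    findings = {}
    for key, found in default_values(reg_text).items():
        for suffix, expected in EXPECTED.items():
            if key.lower().endswith(suffix) and found != expected:
                findings[key] = (expected, found)
    return findings

def inserted_handler(found, normal='"%1" %*'):
    """Text placed in front of the normal command: the file name to search for."""
    return found[: -len(normal)].strip() if found.endswith(normal) else found

# Constructed sample: an export where the open command was hijacked.
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="virusname.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for key, (expected, found) in check_exe_handler(SAMPLE_INFECTED).items():
        print(key, "expected", expected, "found", found, "->", inserted_handler(found))
```

An empty result means every watched key present in the file holds the expected value; keys missing from the file are not reported.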

Another method (for XP) is to recreate the file type using Windows Explorer.
Open the File Types dialog box from Windows Explorer, My Documents or My
Computer by selecting Tools -> Folder Options -> File Types.
Click on the New button and the Create New Extension window will open up.
Next, click on the Advanced button.
Type in EXE for the extension and select Application from the drop-down
list if it doesn't appear automatically.
Click OK and reboot the machine.
