  1. #1


    Registry Corrupt EXE

    OK.
    Had a laptop that had XP Total Security 2011 spyware.
    I read removal instructions and deleted the following reg keys
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
    HKEY_CURRENT_USER\Software\Classes\exefile
    HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon
    HKEY_CURRENT_USER\Software\Classes\exefile\shell
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open
    HKEY_CURRENT_USER\Software\Classes\.exe
    HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
    HKEY_CURRENT_USER\Software\Classes\.exe\shell
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command


    I think I did it wrong though. Got rid of the virus a different way but now no exe's will run. I can't even get into regedit to put the keys back.

    Any ideas appreciated. Will a repair of Windows work? Don't really want to do a full reinstall as it's a client's laptop.

    Thanks

    Karl

  2. #2


    If you can get to Task Manager, the method described below should restore the EXE association.

    http://www.raymond.cc/blog/archives/...used-by-virus/

  3. #3

    tech_guy's Avatar
    You haven't damaged your registry - it's the virus / malware that has done this. Yes, this and the carp like System Tool variants mess up your file associations to stop you running programs in an attempt to remove them.

    PITA

    I've had three PCs this week where the file associations have been borked. Two I fixed using the site listed above and a batch file I found on another site. One had to be a Windows re-install as it was so jiggered.

    I hate the people who are producing these nasties.
    Last edited by tech_guy; 6th March 2011 at 12:07 PM.

  4. #4


    You may also want to try the attached screensaver I made in AutoIt a few minutes ago.

    Just run 'FixEXE.scr' on the affected machine and it will fix the default EXE file association by restoring the correct keys to the registry.

    FixEXE.au3
    Code:
    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_outfile=FixEXE.scr
    #AutoIt3Wrapper_icon=RegEdit.ico
    #AutoIt3Wrapper_UseUpx=n
    #AutoIt3Wrapper_Res_Description=Restore default association for EXE files
    #AutoIt3Wrapper_Res_Fileversion=1.0.0.0
    #AutoIt3Wrapper_Res_SaveSource=y
    #AutoIt3Wrapper_Run_After=upx.exe --best --compress-resources=0 "%out%"
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
    
    ; http://www.autoitscript.com/forum/topic/68216-screensaver-udf/
    #include <_SS_UDF.au3>
    
    ; Restore EXE file association
    Select
    	Case @OSVersion = "WIN_XP"
    
    		; Create screensaver GUI
    		_SS_GUICreate()
    
    		; http://www.dougknox.com/xp/file_assoc.htm
    		RegWrite("HKLM\SOFTWARE\Classes\.exe", "", "REG_SZ", "exefile")
    		RegWrite("HKLM\SOFTWARE\Classes\.exe", "Content Type", "REG_SZ", "application/x-msdownload")
    		RegWrite("HKLM\SOFTWARE\Classes\.exe\PersistentHandler", "", "REG_SZ", "{098f2470-bae0-11cd-b579-08002b30bfeb}")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile", "", "REG_SZ", "Application")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile", "EditFlags", "REG_BINARY", Binary("0x38070000"))
    		RegWrite("HKLM\SOFTWARE\Classes\exefile", "TileInfo", "REG_SZ", "prop:FileDescription;Company;FileVersion")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile", "InfoTip", "REG_SZ", "prop:FileDescription;Company;FileVersion;Create;Size")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\DefaultIcon", "", "REG_SZ", "%1")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shell\open", "EditFlags", "REG_BINARY", Binary("0x00000000"))
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shell\open\command", "", "REG_SZ", """%1"" %*")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shell\runas\command", "", "REG_SZ", """%1"" %*")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shellex\DropHandler", "", "REG_SZ", "{86C86720-42A0-1069-A2E8-08002B30309D}")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\PEAnalyser", "", "REG_SZ", "{09A63660-16F9-11d0-B1DF-004F56001CA7}")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\PifProps", "", "REG_SZ", "{86F19A00-42A0-1069-A2E9-08002B30309D}")
    		RegWrite("HKLM\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page", "", "REG_SZ", "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}")
    
    		; Screensaver text
    		GUICtrlCreateLabel("Done!",5,5,100,20)
    		GUICtrlSetColor(-1,0xFFFFFF)
    
    		; Start screensaver
    		_SS_Start()
    
    	Case Else
    		MsgBox(48, "Unsupported OS", "This screensaver is not designed to run on this operating system.")
    		Exit
    EndSelect
    Last edited by Arthur; 6th March 2011 at 02:18 PM.

  5. Thanks to Arthur from:

    tech_guy (6th March 2011)
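
A read-only check for the per-user override this thread is about, added here as an example (it is not any poster's code): it parses the text of a `.reg` export and reports `HKEY_CURRENT_USER\Software\Classes` entries that point `.exe` away from `exefile` or change the open/runas command from `"%1" %*`. Per-user entries under that key take precedence over `HKLM\SOFTWARE\Classes`; the two sample exports, the `rogueprogid` name and the path in it are constructed.

```python
import re

EXPECTED_COMMAND = '"%1" %*'   # value the fix above writes to open\command and runas\command
EXPECTED_PROGID = "exefile"    # value the fix above writes to the .exe default
HKCU_CLASSES = "hkey_current_user\\software\\classes\\"

# Constructed sample: a per-user override of the .exe association.
HIJACKED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="rogueprogid"
[HKEY_CURRENT_USER\Software\Classes\rogueprogid\shell\open\command]
@="\"C:\\constructed\\rogue.exe\" -a \"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\constructed\\rogue.exe\" -a \"%1\" %*"
'''
# Constructed sample: machine-wide defaults only, no per-user override.
CLEAN = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg(text):
    # Map each lowercased key path to its default (@) string value, or None.
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            defaults.setdefault(key, None)
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            defaults[key] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return defaults

def audit_exe_association(reg_text):
    # Return sorted (subkey, value) pairs for suspicious HKCU overrides.
    defaults = parse_reg(reg_text)
    findings = []
    progid = defaults.get(HKCU_CLASSES + ".exe")
    if progid is not None and progid.lower() != EXPECTED_PROGID:
        findings.append((".exe", progid))
    # Check .exe itself, exefile, and whatever ProgID .exe now points to.
    for cls in {".exe", EXPECTED_PROGID, (progid or EXPECTED_PROGID).lower()}:
        for verb in ("open", "runas"):
            cmd = defaults.get(f"{HKCU_CLASSES}{cls}\\shell\\{verb}\\command")
            if cmd is not None and cmd != EXPECTED_COMMAND:
                findings.append((f"{cls}\\shell\\{verb}\\command", cmd))
    return sorted(findings)
```
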

  6. #5

    I'll bite: Why a screen saver?

  7. #6

    localzuk's Avatar
    Quote Originally Posted by PiqueABoo View Post
    I'll bite: Why a screen saver?
    Because, if no exe's will run, a scr is executable and will still run.

  8. #7


    That's a very good question. There were a few reasons (localzuk mentioned the main one though)...
    1. The EXE file association is broken so EXEs won't work. I'm going to assume that the malware doesn't touch the SCR file association. Perhaps it uses it itself so that it can still run?
    2. RKill uses this trick so I thought I would do the same.
    3. I learnt how to create a screensaver in AutoIt.

  9. #8

    Quote Originally Posted by localzuk View Post
    Because, if no exe's will run, a scr is executable and will still run.
    Wouldn't importing a reg file with the missing keys just work in the same way?

  10. #9


    .reg files are imported into the registry by regedit.exe.

  11. #10

    Thanks guys.
    Got the reg file from Windows XP File Association Fixes in the end.
    Import of .reg worked ok.
    These viruses are really taking hold at the moment.

  12. #11

    Thank you Thank you!!! I just used Windows XP File Association Fixes and it worked so great, I am able to open everything and get rid of this virus. I tried the SCR file first but it didn't work. thanks everyone!

  13. #12


    Help! I am a moron!

    Hi,

    I have been a bit of a donut. My PC contracted the virus XP Security Update 2011 and so I did a bit of research on the net and having found something I thought would work I deleted a few registry files, only really HKEY_current_user Software Classes .exe ..... I rebooted my PC, it seems to have done half the job in that this virus hasn't appeared, and if I try to load anything off desktop/start menu it loads. However all the software that usually loads when I boot up doesn't boot up any more, and I can't get on the net. Even weirder if I go into that same registry there is nothing under .exe

    Any ideas how to restore this? I am a real idiot for doing something I literally had no clue about...

  14. #13

    Quote Originally Posted by zorvak View Post
    Hi,

    I have been a bit of a donut. My PC contracted the virus XP Security Update 2011 and so I did a bit of research on the net and having found something I thought would work I deleted a few registry files, only really HKEY_current_user Software Classes .exe ..... I rebooted my PC, it seems to have done half the job in that this virus hasn't appeared, and if I try to load anything off desktop/start menu it loads. However all the software that usually loads when I boot up doesn't boot up any more, and I can't get on the net. Even weirder if I go into that same registry there is nothing under .exe

    Any ideas how to restore this? I am a real idiot for doing something I literally had no clue about...

    I'd start by taking the hard drive out of the machine and connecting it to a working computer (with updated antivirus!) using a caddy or dock. Then run a Malwarebytes Anti-Malware scan on the infected drive (remember to update Malwarebytes after installing).

    Once the scan has completed, restart the computer. After the infections have been removed, plug the infected drive back into the original computer. Boot in safe mode, run another Malwarebytes (see HERE on how to install in safe mode). You may need to change the mbam setup file from exe to com to install. Also, change the mbam.exe program file (located at C:\Program Files\Malwarebytes Anti-Malware\mbam.exe) to mbam.com (as the virus has corrupted exe files).

    Now, run the EXE file association fix found HERE


    And lastly, update and run a full system scan with your usual anti-virus.



    Hope this helps.

    Fraser

  15. #14

    Quote Originally Posted by Fraser-09 View Post
    I'd start by taking the hard drive out of the machine and connecting it to a working computer (with updated antivirus!) using a caddy or dock. Then run a Malwarebytes Anti-Malware scan on the infected drive (remember to update Malwarebytes after installing).

    Once the scan has completed, restart the computer. After the infections have been removed, plug the infected drive back into the original computer. Boot in safe mode, run another Malwarebytes (see HERE on how to install in safe mode). You may need to change the mbam setup file from exe to com to install. Also, change the mbam.exe program file (located at C:\Program Files\Malwarebytes Anti-Malware\mbam.exe) to mbam.com (as the virus has corrupted exe files).

    Now, run the EXE file association fix found HERE


    And lastly, update and run a full system scan with your usual anti-virus.



    Hope this helps.

    Fraser
    Hi chaps,

    Okay being a bit backwards technologically I didn't take my hard drive out as in your first step but I did download malware onto another pc and got it onto mine via a USB memory stick. So I think I have got rid of this bit of spyware. I ran that and then also ran my McAfee so I'm hoping everything a bit smoother now - and I can at least get onto the net now.

    However a couple of things - first of all I haven't re-booted in safe mode and checked it. Second when I boot up now my PC says windows isn't checking for automatic updates - I can't change that either via control panel or the screen that pops up. And finally if I take all my data off this PC and onto a hard drive - music photos and a few docs - what chance is there that this virus comes with it?

    Thanks
