Post Virus Clean Up – .EXE Files Stop Working

After cleaning up a virus today for one of my users, I noticed an odd remaining side effect: no executables would successfully launch. This included Explorer.exe under the user’s account that got infected, so after they logged in, it would just sit there at a blank screen. You could press Ctrl+Alt+Del to launch the Task Manager, but trying to run any executable would result in a message like this:

Windows cannot open this file: File: notepad.exe

Fortunately, I was still able to log in under another account, which would load Explorer.exe, though it still gave me the above problem of wanting to open an executable file with another application. This would happen for any file I tried to launch that had a .exe file extension. This clued me in that the file association for the .exe extension had been changed.

This happened as a side effect of the malware changing some registry settings. Malware does this with the intent of making it harder to clean up after the infection. Here are the default values for HKEY_CLASSES_ROOT\exefile\shell\open\command: (Default) name, REG_SZ type, and "%1" %* for the data field.
The Registry key at HKEY_CLASSES_ROOT\.exe will need to have its Data field for the (Default) value set to exefile.

From an article on an MVP site, I found the registry keys that needed to be fixed and a quick fix in the form of a .com file. You can simply download the exefix_xp.zip file and extract the exefix_xp.com file to your desktop. Then just double-click the .com file and it will set the default registry settings. If you’d rather complete the fix manually, you can find the affected Registry keys and their values at the Windows XP MVP article.

You may also need to fix the problem under the Current User. Open up Regedit and delete the .exe key under HKEY_CURRENT_USER\Software\Classes if it exists. Getting into Regedit can be a little tricky while .exe files won't launch. Copy C:\Windows\Regedit.exe and paste it into the same directory. Then rename the copy to Regedit.com and run that copy instead. If you’re not seeing the extensions, refer to this previous article.
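To confirm which of the three locations above was tampered with, the following added example (not from the original article or the MVP fix) audits the text of a Registry export against the defaults given here. The function names, the sample exports and the `constructed_progid` value are constructed for illustration.

```python
import re

# Defaults the article gives for the machine-wide keys (paths lowercased,
# because registry key names are case-insensitive).
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
}
# Per-user key the article says to delete if it exists.
PER_USER = r"hkey_current_user\software\classes\.exe"

def parse_reg(text):
    """Map each key in .reg export text to its (Default) value, or None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, None)
        elif current and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \" -> " and \\ -> \
            keys[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return keys

def audit(text):
    """Return findings; an empty list means the .exe association is default."""
    keys, findings = parse_reg(text), []
    for path, want in EXPECTED.items():
        if path not in keys:
            findings.append(f"{path}: key missing from export")
        elif keys[path] != want:
            findings.append(f"{path}: (Default) is {keys[path]!r}, expected {want!r}")
    if PER_USER in keys:
        findings.append(f"{PER_USER}: per-user override present, delete it")
    return findings

# Constructed sample exports (not taken from a real machine).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
TAMPERED = CLEAN.replace('@="exefile"', '@="constructed_progid"') + r'''
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="constructed_progid"
'''
```

Regedit writes version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit()`.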

The above fix works for Windows XP. To resolve the same problem in Windows Vista, refer to this article, as the locations in the Registry have changed.

Jason

Jason is a full-time system administrator and operates 404 Tech Support in his spare time from Central Illinois.
