When a malware alters association to .exe files...

2 replies to this topic

#1 tcv (Members, 3 posts)

Posted 20 January 2010 - 05:56 PM

Hello,

I have removed lots and lots of malware over the years and I've seen something this year that's been interesting.

An example is from Monday night. The user had become infected with Windows Defender 2010. I couldn't actually find a direct removal tutorial, so I relied on some old methods.

One of the earliest things I found was that all (?) executables were triggering the Windows Defender. In essence, you'd open cmd.exe, Windows Defender 2010 launches and says, "Hey! You're infected! Pay us!"

I found the primary process, an alternate that mimicked the name of the Security Center executable, but whose name escapes me at the moment. I killed it. I tried to launch another executable, that primary process re-launched and blocked my executable from launching.

So, thinking I can break this chain, I killed the primary process again, renamed it, then deleted it.

Then when I tried to launch ANY executable, I received a warning that Windows didn't know how to open the file type.

I am past this particular infection. So, I don't care about this particular machine.

What I want to know is: What is the malware doing to seemingly filter ALL executables through it?

Thanks!!

m

#2 quietman7, Bleepin' Janitor (Global Moderator, 50,939 posts, Virginia, USA)

Posted 21 January 2010 - 08:25 AM

It is not uncommon for malware to target .exe files and alter associations, especially those related to anti-malware tools, in order to block them from scanning your machine. Without repairing the file association, the .exe files will lose functionality. There are various ways to repair the association, but they may or may not work. To temporarily fix it, you can use command.com.

1. Press the Windows Key + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: command.com
2. Press Ok.
3. At the command prompt, type or copy/paste: ftype exefile="%1" %*
4. Press Enter.
5. Then type: Exit to exit command.com.

This should restore the default association for .exe files, but only temporarily if the virus is still active.

Other fixes include:

Note: Some of these steps involve making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. ERUNT is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

However, you are more likely to be successful if the malware has been removed first. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 tcv, Topic Starter (Members, 3 posts)

Posted 24 January 2010 - 09:35 PM

So, is this, generally, what some malware do with the exe association?

It seems like the malware is somehow filtering the EXEs. I have seen that some malware swap out the explorer.exe as a shell and use their own executable. So, if a malware were to do that and I deleted the malware-executable designated as the shell, would that seem to break EXE associations?

m
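The two registry locations discussed in this thread, the .exe association command that quietman7's ftype fix restores and the Winlogon Shell value tcv asks about, can both be checked offline from a .reg export. The following script is an added example written for this page, not code from either poster or from BleepingComputer. It parses a .reg text export, compares the exefile open command against the stock value "%1" %* and the Shell value against explorer.exe, reports anything else as a deviation, and emits the .reg text that restores both defaults (the registry equivalent of ftype exefile="%1" %*). The two embedded exports are constructed samples; the rogue path in the second one is a placeholder, not a real indicator.

```python
"""Audit a .reg export for a hijacked .exe association or Winlogon Shell."""
import re

# Keys and stock values being audited. On a live system HKEY_CLASSES_ROOT merges
# HKLM\SOFTWARE\Classes and HKCU\Software\Classes; an export of either is fine.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_DEFAULT = '"%1" %*'      # what ftype exefile="%1" %* writes back
SHELL_DEFAULT = "explorer.exe"   # stock Winlogon Shell

# Constructed sample exports (not from a real machine). Rogue path is a placeholder.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""

HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER_MALWARE_PATH\\rogue.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PLACEHOLDER_MALWARE_PATH\\rogue.exe"
"""

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '' is the default (@) value.
    REG_SZ data is unescaped; other types (dword:, hex:) are kept as raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        reg[current][name] = data
    return reg


def lookup(reg, key, name):
    """Case-insensitive lookup, since registry key and value names are."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def normalize(s):
    return " ".join(s.split())


def audit(reg):
    """Return a list of (what, status, observed) for anything that deviates from stock."""
    findings = []
    cmd = lookup(reg, EXEFILE_KEY, "")
    if cmd is None:
        findings.append(("exefile command", "missing", None))
    elif normalize(cmd) != EXEFILE_DEFAULT:
        # Anything other than "%1" %* means every .exe launch is routed through
        # whatever program the command names first, which is what tcv observed.
        findings.append(("exefile command", "hijacked", cmd))
    shell = lookup(reg, WINLOGON_KEY, "Shell")
    if shell is not None and normalize(shell).lower() != SHELL_DEFAULT:
        findings.append(("Winlogon Shell", "modified", shell))
    return findings


def repair_reg_text():
    """The .reg text that restores both stock values (import with regedit)."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{EXEFILE_KEY}]", '@="\\"%1\\" %*"', "",
        f"[{WINLOGON_KEY}]", '"Shell"="explorer.exe"', "",
    ])


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, audit(parse_reg(export)) or "no deviations")
    print(repair_reg_text())
```

On a real machine the exports would come from reg export of the two keys above; the audit then answers tcv's question directly, because a hijacked open command shows the intercepting program's path in front of "%1". As quietman7 notes, restoring the defaults only sticks once the process that rewrites them is gone.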
