Windows Shell Problem ?

Guest

MAJOR WINXP Problem !
After starting up my PC yesterday, I have been unable to run any
applications or anything with an .exe extension. Icons have become standard
windows icons and when I click on them Windows says that it cannot identify
the program that the .lnk file was created by and invites me to search the
web or browse to identify the file. Neither of these options work. If I go
straight to the program folder and click the .exe file in question then the
same occurs. If however I double-click on, say, an Office document then the
document and program will open and be usable.
I have tried the following
Running XP Restore and MSconfig - neither will run from fully loaded Windows
(the .exe problem)
Re-starting in Safe Mode and using Last Known Good Configuration with no
improvement
Re-starting in Safe Mode with command line and running Restore. Restore
appears to work until it restarts the PC and then says Rstrui.exe cannot be
found
Re-starting in Safe Mode with command line and running MS config.exe. This
runs but there is no obvious problem and so the situation doesn't change when
I start
Re-starting in Safe Mode with command line and running Windows Installation
Disk to re-install. This will not start when I select the "Install windows"
option.
I am able to connect to the internet using the network connections panel and
clicking "connect". Internet Explorer is fully functional and the icon is
correct on the desktop
I can see all folders and documents. All icons are correct except, I think,
for .exe and .dll files
I'd be really grateful if you could help me sort this mess out.
 
John Smith

I hope you get an answer to this, because I have the same problem on my
desktop. I posted to this group about it, but all I got was that I should
reinstall/repair XP - which, as you have found out, won't work. Other than
that, no one else has offered any kind of constructive advice.
 
Guest

Do you use Lavasoft "Ad Aware"? I think that may be part of the cause - but
unfortunately not part of the solution. Let's hope we get an answer soon.
 
Dave Patrick

Use method 2 in this article.

http://support.microsoft.com/kb/315341

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Guest

Thanks. Sounds hopeful. I did try to boot from CD earlier on but got no
reaction. In the Bios set-up I promoted the CD Drive ahead of the hard disk
but it still went to the hard disk. I couldn't see anything else, was that
all that was needed?
Thanks
 
Dave Patrick

Even though you set the boot order to CD-ROM first, some BIOSes (I know Dell
does this) require you to hit F2 (or some other key) to boot from CD-ROM at
POST.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
cquirke (MVP Win9x)

Do a formal virus scan - you may have an exefile association stealer
on your hands; a tactic popular when RATs were going large.

Within the registry are two branches that affect file associations
(what happens when files of various types are "opened"). These are
combined as HKEY_CLASSES_ROOT when viewed via RegEdit.

The linkage is usually in two parts. First there's the .ext (in this
case, .exe) that points to an aggregate file type (in this case,
should be exefile). Then the aggregate defines what program is to be
used to run that file. Now an .exe should run itself, via this line:

"%1" %*

That means, "run yourself and whatever parameters were thrown at you".

If you see something like this...

C:\eyykjq.exe "%1" %*

...then there's a hostile .EXE that's now patched in to run before any
.exe you try to run, which allows the malware to get "air superiority"
from which it can strike down attempts to clean it.

If the malware file's deleted, without cleaning up this registry
intrusion, you may find no .EXE run - because the program "needed" to
run them is no longer there.

If you opted for NTFS because it was "more secure", well, this is
where you get stuck with the booby prize. Off you go to...

http://cquirke.mvps.org/whatmos.htm

...where you will try to find something that can formally (i.e.
without running the malware first) scan and fix the PC. Trend have a
good free cleaner; it catches more than Stinger, and can be used from
"Safe Command Only" (which isn't safe enough for everything).

If you're on FAT32, then it's easier - you can at least boot from a
DOS mode diskette and run one/all of these free (F-Prot) or
free-for-evaluation DOS-based av:

www.f-prot.com
www.nod32.com
www.sophos.com

First, scan but don't clean and save the log of what is found.
Research what you find for caveats; there may be traps that the wrong
clean-up method could fall into. Then clean as you can.

Once cleaned, you can turn to getting .exe files to work again. That
can be easy if the malware just grabbed .exe -> exefile (typically as
I described, via patch-in to exefile's action). Or it can be harder,
if the malware does things I won't elaborate on right now.

The usual fix is to manually repair the association via Regedit, and
if you can't run Regedit (it's an .EXE, right?) then you copy
Regedit.exe to SomeName.xxx, where xxx can be bat, com, cpl, pif etc.

If that doesn't work - and that can happen - then retry from other
user accounts (Safe Mode is the first thing to try). If no joy, say
so in your reply and we'll see if we can out-medieval the beast.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
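
The two-part lookup described in the post above (.exe -> exefile -> open command) can be checked offline against the text of a Regedit export. This is an added example, not part of the original thread; it goes beyond .exe by also checking .com and .bat, and the function names, the sample export and the comfile/batfile defaults are assumptions made for illustration.

```python
import re

# Clean defaults: exefile is from the page; comfile/batfile are assumed standard.
EXPECTED = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}
CLEAN_COMMAND = '"%1" %*'
ROOT = "hkey_classes_root"

def parse_reg_defaults(text):
    """Map lower-cased key path -> default (@) string value of a .reg export."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def audit_associations(text):
    """Return (extension, problem) pairs; an empty list means all clean."""
    defaults, findings = parse_reg_defaults(text), []
    for ext, progid in EXPECTED.items():
        actual = defaults.get(ROOT + "\\" + ext, "")
        if actual.lower() != progid:
            findings.append((ext, "maps to %r, expected %r" % (actual, progid)))
        cmd = defaults.get(ROOT + "\\" + actual.lower() + "\\shell\\open\\command")
        if cmd != CLEAN_COMMAND:
            findings.append((ext, "open command is %r" % cmd))
    return findings

# Constructed sample export; the hijacked line reuses the page's example path.
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\eyykjq.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.bat]
@="batfile"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print(audit_associations(SAMPLE))
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file accordingly before passing its text in.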
 
Ramesh [MVP]

if you can't run Regedit (it's an .EXE, right?) then you copy Regedit.exe to SomeName.xxx, where xxx can be bat, com, cpl, pif etc.

Or, using RunAs from Command.

Example: "RUNAS /USER:Administrator C:\windows\regedit.exe"

Type in the credentials.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org


 
Ramesh [MVP]

Click Start, Run and type Command
Type the following and then press Enter after typing each one:

cd\windows
regedit

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



 
