Computer Security & Viruses/virus
Expert: Carolyn Meinel - 3/9/2004
Question: Have you ever seen a virus that removes the .exe command from your "file types"? The result is you can't open/run any .exe files. The error says "can't find" that file.
Answer: You are right, that is a trait of many computer viruses. Before you try to fix the problem, it's important to first get rid of the virus or it will keep on causing problems. Has your antivirus program advised you that it just got rid of a virus? If not, run an update and scan your system again. If that doesn't work, or if the problem recurs, at the end of this reply I describe what to do when your antivirus program fails to work.
According to the Symantec web site, at
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.shorm.b.html
here is how to get .exe files running again.
To delete the value that the worm added to the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete either of these values:
Interet32 Interet32.exe
Winint32 Winint32.exe
5. Exit the Registry Editor.
To edit the registry so that you can run .exe files:
This is necessary only if you cannot run most programs. Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
To copy the Registry Editor:
1. Do one of the following, depending on which version of Windows you are running:
   * Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
   * Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
   * Windows NT/2000 users:
     1. Click Start, and click Run.
     2. Type the following and then press Enter:
        command
        A DOS window opens.
     3. Type the following, and then press Enter:
        cd \winnt
     4. Proceed to step 2 of this section.
   * Windows XP:
     1. Click Start, and click Run.
     2. Type the following, and then press Enter:
        command
        A DOS window opens.
     3. Type the following, and then press Enter after typing each one:
        cd \
        cd \windows
     4. Proceed to step 2 of this section.
2. Type the following, and then press Enter:
   copy regedit.exe regedit.com
3. Type the following, and then press Enter:
   start regedit.com
   The Registry Editor will open in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window, as well.
4. Proceed to the next section.
NOTE: The Registry Editor will open in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, then close the DOS window, as well.
To edit the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
1. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.
Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey that is shown in the following figure:
(Figure is at
http://securityresponse.symantec.com/avcenter/graphics/w32.hllw.shorm.b.1.gif)
(Modify the "command" key, shown open in this figure.)
2. In the right pane, double-click the (Default) value.
3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)
NOTES:
* Under Windows 95/98/Me/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:
""%1" %*"
* Under Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:
"%1" %*
* Make sure that you completely delete all value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, and make sure that you completely remove the current value data.
4. Exit the Windows registry.
Once you are done with this, run your antivirus program's update function and scan your system again.
Now if this doesn't work, then the virus is still active and has reset your .exe file associations again. Here is what will always get rid of a virus. It's painful, but it's what a computer repair shop would do: reformat your hard drive and start over from scratch. Be sure to back up all your data first! Then install your antivirus program. Don't do an automatic update until you do the next important thing: install a firewall.
Nowadays you absolutely need a firewall because Internet worms might break into your computer soon after you get online. You are much safer from these worms with Windows 98 than with XP or 2000, but why play Russian Roulette with the Internet? I prefer Zone Alarm from ZoneLabs.com, but the major antivirus companies, for example Norton, offer pretty good firewalls, too.
After installing the firewall, you can get online. Update your antivirus program and go to Windowsupdate.microsoft.com to update your operating system. After this, you can reinstall your applications and data. The antivirus program will now be able to catch the virus or worm if it is hiding in your backups.
After this, in order to stay safe, it's important to keep in mind that criminals often discover ways to evade antivirus programs and even firewalls.
Here's how to avoid attacks from these ingenious new worms, viruses, adware, spyware, back doors, and other attacks.
1) Don't use Internet Explorer. Despite security updates every few weeks, worm and virus writers keep on discovering new ways to use your IE browser to break into your computer. Mozilla, from Mozilla.org, is free, much safer and works better. Opera costs money (opera.com) but has an even better record than Mozilla. The only time you absolutely must use Internet Explorer is to use Windows Update. Microsoft absolutely refuses to let other brands of browsers use its update, despite the drastic dangers of running Internet Explorer.
2) Don't use Outlook or Outlook Express. Not ever. There have been many worms that attack your computer just by downloading email with these programs, even if you don't click on attachments. A good alternative is Eudora, free from eudora.com. The paid version filters spam better than the free version, but even the free version is pretty good.
3) Don't trust any email that claims to have a security update from Microsoft -- or anyone else. It is easy to forge email. So no company will ever send you a program or security fix attached to email.
4) Don't surf porn. Many porn web sites are run by criminals. Imagine that. Some of them cause your modem to hang up and redial an expensive 900 or long distance number. If you do get into trouble this way you can usually get the phone company to delete the bill as fraudulent. However, it is much harder to delete the malicious programs many porn web sites also deliver. Even Mozilla can be victimized this way.
5) Don't install free programs from web sites unless you are absolutely sure you know what they are. Many nice sounding free programs include what is known as adware or spyware. They feed you unwanted advertisements and feed information about your browsing habits to advertisers.
6) Don't use peer-to-peer file swapping programs. Besides trafficking in illegally copied music and movies, these programs are one of the biggest ways worms and viruses spread.
7) When using chat programs, don't download files your buddies offer. Some of these buddies are actually bots run by worms and viruses, and even real people don't always realize they are giving you a file infested with nasties.
8) Switch to Linux! According to Dr. Nic Peeling and Dr Julian Satchell's "Analysis of the Impact of Open Source Software":
"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory."
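Added example (not part of the original answer or of Symantec's instructions): a small Python audit of a Registry Editor text export that checks the two locations named above, the exefile open command and the Run key, and also catches the stray-space mistake described in the notes. It assumes the export has already been read into a string; the sample export and the `SomeVendorTray` entry are constructed for illustration.

```python
import re

# Expected handler and the worm's Run value names are taken from the page above.
EXPECTED = '"%1" %*'
EXE_KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_VALUES = {"interet32", "winint32"}

def unescape(s):  # .reg string data escapes \ and " with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Parse a regedit text export into {key_lower: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\[(.+)\]", line.strip())
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit(text):
    """Return a list of findings for the two registry locations on the page."""
    keys, findings = parse_reg(text), []
    handler = keys.get(EXE_KEY, {}).get("@")
    if handler is None:
        findings.append("exefile open command: (Default) value missing")
    elif handler != EXPECTED and handler.strip() == EXPECTED:
        findings.append("exefile open command: stray leading/trailing space")
    elif handler != EXPECTED:
        findings.append("exefile open command: hijacked -> " + handler)
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() in WORM_VALUES:
            findings.append("Run value to delete: %s = %s" % (name, data))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winint32"="Winint32.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@=" \"%1\" %*"
'''
```

Calling `audit(SAMPLE)` reports the leading space in the (Default) value and the leftover `Winint32` Run value; an export with the correct `"%1" %*` handler and no worm values returns an empty list.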