After cleaning up a virus today for one of my users, I noticed an odd remaining side effect: no executables would launch. This included Explorer.exe under the account of the user who got infected, so after they logged in it would just sit there at a blank screen. You could press Ctrl+Alt+Del to launch the Task Manager, but trying to run any executable would result in a message like this:
Windows cannot open this file: File: notepad.exe
Fortunately, I was still able to log in under another account which would load Explorer.exe, though it still gave me the above problem of wanting to open an executable file with another application. This would happen for any file I tried to launch that had a .exe file extension. This clued me in that the file extensions had been changed.
This happened as a side effect of the malware changing some registry settings. Malware authors do this with the intent of making it harder to clean up after the infection. Here are the default values for HKEY_CLASSES_ROOT\exefile\shell\open\command: (Default) for the name, REG_SZ for the type, and "%1" %* for the data field.
The Registry key at HKEY_CLASSES_ROOT\.exe will need to have the Data field of its (Default) value set to exefile.
From an article on an MVP site, I found the registry keys that needed to be fixed and a quick fix in the form of a .com file. You can simply download the exefix_xp.zip file and extract the exefix_xp.com file to your desktop. Then just double-click the .com file and it will restore the default registry settings. If you’d rather complete the fix manually, you can find the affected Registry keys and their values at the Windows XP MVP article.
You may also need to fix the problem under the Current User. Open up Regedit and delete the .exe key under HKEY_CURRENT_USER\Software\Classes if it exists. Getting into Regedit can be a little tricky because .exe files won't launch. Copy C:\Windows\Regedit.exe and paste it into the same directory. Then rename the copy to Regedit.com and run that instead. If you’re not seeing the extensions, refer to this previous article.
The above fix works for Windows XP. To resolve the same problem in Windows Vista, refer to this article as the locations in the Registry have changed.
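To confirm the state before and after the fix, the following added example (not from the original article or the MVP fix) audits the text of a .reg export against the Windows XP defaults listed above and flags the per-user override. The sample export and the handler name "hijackfile" are constructed, and the export is assumed to be already decoded to text.

```python
import re

# Defaults the article gives for Windows XP (registry key names are case-insensitive).
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
}
# Per-user key the article says to delete if it exists.
HKCU_OVERRIDE = r"hkey_current_user\software\classes\.exe"

def parse_reg_defaults(text):
    """Map each key in a .reg export to its (Default) value (None if unset)."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1).lower()
            defaults.setdefault(key, None)
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape quotes and backslashes with a backslash.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def audit(text):
    """Return (key, problem) pairs for every deviation found in the export."""
    found, findings = parse_reg_defaults(text), []
    for key, want in EXPECTED.items():
        got = found.get(key)
        if got != want:
            findings.append((key, f"(Default) is {got!r}, expected {want!r}"))
    if HKCU_OVERRIDE in found:
        findings.append((HKCU_OVERRIDE, "per-user override present; delete this key"))
    return findings

# Constructed sample export ("hijackfile" is a made-up handler name).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="hijackfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="hijackfile"
'''

if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(f"{key}: {problem}")
```

An empty result from audit() means both machine-wide defaults are in place and no per-user .exe key is present in the export.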