Nerd Tips – Broken Execution Association

Here’s a quick tip for those of you out there that might find yourself fighting off an offending virus or malware program that keeps coming back no matter what you try, such as Win 7 Antivirus 2011.  This particular program has a little trick that it likes to pull in order to keep itself in memory.  When an executable file (EXE) is launched on the system, a set of keys in the registry is consulted to find out what to do with the file.  Most often, the file itself is run with a command string like “%1”, which calls the file.  The malware program inserts itself in front of that execution string, so that every time you try to launch a program to fight off the crapware, like Malwarebytes Anti-Malware for instance, the virus launches instead and reinfects your system.

Should you find yourself in this quandary, unable to launch the programs needed to disinfect yourself, take heart.  An old DOS trick can be used to get yourself right as rain.  In the old days, executable files came in a format other than EXE.  DOS used a file format of COM to execute simple little programs like COMMAND.COM or DOSSHELL.COM.  COM files were originally simple, with very little code and no metadata in the header.  Likewise, when Windows 3.x was just a program executing on top of DOS, it preserved the executable format of the COM programs.  Fast forward to Windows 7, and you will see that this convention is still honored.  If you find yourself unable to launch REGEDIT.EXE or MBAM.EXE and instead keep launching the virus, do the following:

1.  Launch a command prompt (CMD.EXE or COMMAND.COM if necessary).  You might have to launch it as an administrator to make some changes to system files.

2.  Find the file you need to execute, like REGEDIT.EXE.

3.  Use the following command to rename the file: ren REGEDIT.EXE REGEDIT.COM

Sounds simple, eh?  You’ll find that when the file is displayed, it won’t have the neat icon it used to.  Instead, it will look like a generic DOS executable file.  That’s perfectly fine.  When you double-click the file to launch it, it will fire right up.  This is because the COM file association as an executable file format is usually not changed by the malware writers, since very few COM files are still used on modern systems.  Following these steps, you can get Malwarebytes to load and disinfect your system, bypassing the EXE file lockout.  Malwarebytes will even repair the EXE association for you, so when you reboot you’ll be back to normal.  Just remember to go back and rename the file you changed to a COM file back to an EXE file.
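Here is an added example (mine, not from the original post or from Malwarebytes) that checks the two registry associations the post relies on before you start renaming anything: what Windows will actually run for an .exe and for a .com file.  It assumes a stock Windows 7 layout, where the .exe and .com extension keys point at the exefile and comfile ProgIDs and both ProgIDs carry the command “%1” %* (run the file, pass along its arguments).  Anything sitting in front of “%1” is the hijack described above.  The function names are my own, and the repair function only restores the documented stock value for exefile; it does not delete anything.

```powershell
# Added example, not from the original post: audit the file-type
# associations Windows consults when launching .exe and .com files.
# Run from an elevated PowerShell prompt.

$StockCommand = '"%1" %*'   # stock exefile/comfile shell\open\command value

function Get-ExecAssociation {
    param([Parameter(Mandatory)][string]$Extension)   # '.exe' or '.com'

    # Step 1: the extension key's default value names a ProgID
    # (normally 'exefile' for .exe and 'comfile' for .com).
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'

    # Step 2: the ProgID's shell\open\command default value is the
    # command line that actually gets executed.
    $command = $null
    if ($progId) {
        $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }

    # A per-user registration under HKCU\Software\Classes takes precedence
    # over the machine-wide one in the merged HKCR view, so report it when
    # present; a clean system has no per-user .exe or .com registration.
    $userOverride = Test-Path "Registry::HKEY_CURRENT_USER\Software\Classes\$Extension"

    [pscustomobject]@{
        Extension    = $Extension
        ProgId       = $progId
        Command      = $command
        UserOverride = $userOverride
        LooksStock   = (($command -eq $StockCommand) -and (-not $userOverride))
    }
}

function Repair-ExeAssociation {
    # Restore the machine-wide exefile command to the stock value.
    # Writes to HKLM explicitly; a per-user override, if reported above,
    # is left for you to inspect in REGEDIT rather than removed blindly.
    $cmdKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $StockCommand
    Write-Host "exefile command reset to $StockCommand"
}

# Audit both associations. If .com LooksStock is True while .exe is not,
# the rename trick from the post should work on this machine.
$report = '.exe', '.com' | ForEach-Object { Get-ExecAssociation -Extension $_ }
$report | Format-Table -AutoSize

if (-not ($report | Where-Object Extension -eq '.exe').LooksStock) {
    Write-Warning 'The .exe association is not stock. Review the Command column.'
    Write-Warning 'To restore the stock value after cleaning, run: Repair-ExeAssociation'
}
```

The script is audit-first on purpose: look at the Command column before touching anything, since a legitimately installed tool can also register a wrapper there.  Once Malwarebytes has run, you can call Repair-ExeAssociation yourself if the association is still wrong after a reboot.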

As a disclaimer, this process doesn’t work 100% of the time, and if the malware writer was smart enough to screw up the COM file association, you’re doubly screwed.  Don’t go mucking around in your system registry changing things unless you know what you’re doing, since a screwed registry will really kill your system fast.  Use caution, logic, and if all else fails, find a systems rock star to help you out.

Note, I reference Malwarebytes as a removal tool not because of any consideration on their part, but instead because it just works.  I’ve installed the trial on many computers for people that tend to get infected over and over, and it really helps cut down on their infection rates.  Try it out, and don’t forget to buy it if you find it useful.  Every penny they get goes to help cut down on the amount of crap out there trying to infect your system over and over again.
