.exe file (specifically Wireshark) will not launch anymore on Windows 8.1

2

2

I use Wireshark x64 daily in my work. Suddenly today, it refuses to open.

  • When I double-click a pcap (or pcapng) file, Windows tells me the file I tried to click was not found.
  • When I try to start Wireshark through the start screen, nothing happens.
  • When I try to start Wireshark through Launchy, nothing happens.
  • When I try to double-click the Wireshark.exe in the Program Files\Wireshark folder, it claims that the file cannot be found...(!)
  • When I open a cmd prompt, go to the same folder and type in wireshark or Wireshark.exe, I get this:

    D:\Program Files\Wireshark>wireshark
    The system cannot find the file D:\Program Files\Wireshark\Wireshark.exe.

I have tried to run process monitor to see if anything related happens, but I have not been able to see anything. At least nothing that contains the path of Wireshark, the process name etc.

I have checked the registry according to several KB articles - there is nothing non-default handling .exe files.

The other .exe-files in the same folder work as expected.

I have tried uninstalling and reinstalling Wireshark (latest version) on the system - this changed nothing.

I have tried "running as admin" - same results as before.

This freaks me out and I start worrying about viruses etc. I did an update of Windows Defender and then a full scan. It found nothing, so in theory I am clean.

Does anyone have any ideas how to troubleshoot this? I use Wireshark quite a bit so it would be great to figure it out - it worked perfectly for the past year or so before this started happening suddenly today.

EDIT: After tons of installing and uninstalling (to same place, to different places), I have made a simple yet strange discovery:

If I rename or make a copy of Wireshark.exe, called anything but Wireshark, it runs!

So there is no reason to think there is anything wrong with Wireshark itself.

So is something sitting in mah' Windows looking at the file names of executables that are to be run, and causing an error? I like that I can start Wireshark, but I am horrified at what this might actually mean.

EDIT 2: As per Ramhound's suggestion, I tried running in safe mode. Same thing happens then - when I try starting the .exe file by double clicking it, it claims it can't be found. If I copy it to another name and run it, it works.

Also, I have gotten updated versions of both SpyBot and Kaspersky online to do full scans on the system, and they have discovered nothing.

Rune Jacobsen

Posted 2014-04-22T10:53:10.140

Reputation: 243

Is this the only program that cannot run? Try running it in Safe Mode and see what happens. – Ramhound – 2014-04-22T10:58:26.927

This is the only program I've discovered so far. I am not aware of anything else going wrong on the system. I will try safe mode once I escape from work, and see if that makes a difference, thank you. :) – Rune Jacobsen – 2014-04-22T11:00:36.743

Answers

3

I have found the concrete reason why Wireshark.exe would not run, while for instance Wireshark2.exe (a copy I made in the same folder) ran just fine. There must be some malware installed somehow, that the mentioned killers did not find.

My detective work eventually led me to a tool called RogueKiller. It discovered several interesting things, such as a registry key like this:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe

Specifically, under this key there was a Debugger setting, referring to "nqij.exe" - not a file I have on my system. When Wireshark tried to run, Windows apparently tried to "debug" it with nqij.exe, which it couldn't find, and the process stopped.

So this solves my problem. Of course now I have to find out how this got on my PC and get rid of it.

By the way, this was an obvious attempt from something to avoid detection - there were bunches of these keys, not just for Wireshark, but for other .exe files that make me think they were antivirus/antimalware programs. A non-exhaustive list of examples:

  • spybotsd.exe
  • zlclient.exe
  • hijackthis.exe
  • keyscrambler.exe
  • SDFiles.exe
  • SDMain.exe
  • SDWinSec.exe
  • avscan.exe
  • avp.exe
  • avgwdsvc.exe
  • AvastSvc.exe
  • AvastUI.exe
  • avcenter.exe

etc., etc., etc.

So today I learned of these registry keys that can stop an .exe file from running. This was the core of my question. Hope this can help someone else as well.

Rune Jacobsen

Posted 2014-04-22T10:53:10.140

Reputation: 243

So did you actually have malware? Turns out I have a similar debugger entry too – pratnala – 2015-02-12T12:58:04.733

I ran lots of stuff like SpyBot, newer versions of RogueKiller etc., and never found anything - so I suspect that whatever left that stuff in the registry has since left my system. – Rune Jacobsen – 2015-02-21T10:56:00.473

I ran Malwarebytes and it cleaned the virus up. Maybe you should try too. RogueKiller failed to find anything for me too. – pratnala – 2015-02-21T11:01:35.330
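
An added example, not part of the original posts: a read-only PowerShell check for the condition the answer describes, listing every Image File Execution Options key that carries a Debugger value and whether the debugger it names can be found. Checking the WOW6432Node view as well and resolving bare file names through PATH are assumptions of this example, not details from the thread.

```powershell
# Added example: report Image File Execution Options (IFEO) entries that set a
# Debugger value, and whether the debugger they point to exists.
# Read-only; run from an elevated prompt so that every key is readable.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Assumption: also inspect the 32-bit registry view on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerExecutable([string]$CommandLine) {
    # The Debugger value is a command line: take the quoted path if there is
    # one, otherwise the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $debugger = $key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        $exe = [Environment]::ExpandEnvironmentVariables((Get-DebuggerExecutable $debugger))
        # Approximation of the loader's search: full paths are checked directly,
        # bare names such as "nqij.exe" are looked up through PATH.
        $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1

        [pscustomobject]@{
            Image          = $key.PSChildName      # e.g. wireshark.exe
            Debugger       = $debugger
            DebuggerExists = [bool]$resolved
            ResolvedPath   = $resolved.Path        # empty when nothing was found
            View           = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
        }
    }
}

# Entries whose debugger is missing sort first: those images fail to launch
# with the "cannot find the file" error described in the question.
$findings | Sort-Object DebuggerExists, Image | Format-Table -AutoSize -Wrap
```

Not every Debugger entry is hostile (some tools register one deliberately, for example to replace Task Manager), so treat the output as a review list; many entries naming the same unknown executable for security tools match the pattern in the answer.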