A combination of malware running around in the past few days has infected several of my client's PCs. One of the files that gets removed is C:\Program Files\Microsoft Common\*.* (typically the file contained in this folder is svchost.exe)
However, there is still a reference to this file and as a result, whenever Explorer.exe is attempted to be run, the following key is executed, the file isn't found, and the program won't run. With no shell, you get, well, you know. If you try running explorer.exe from the Task Manager, you get "file not found", even though it's there on the disk. What isn't immediately obvious is that the "file not found" isn't explorer.exe, it's the file in the registry key that was removed by anti-spyware programs.
The key is:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"
It would be great if you could add this to your WONDERFUL program and detect if this registry key exists and if so, add it to the list of items detected. (It might be worth checking to see if the file it's pointing to still exists too, as it would make sense to detect it at the same time.)
Thanks again for making such a great program as your available.
#1
Posted 13 July 2009 - 03:15 PM
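The check requested above, as an added example that is not part of this thread and not Malwarebytes' own code: it parses a Windows .reg export of the Image File Execution Options key, collects every "Debugger" value, and reports the ones whose target file is missing (the dead-end reference that breaks the shell). The .reg text and the PRESENT_FILES set are constructed sample data so the script runs offline; on a live system you would feed it the output of "reg export" and pass os.path.exists as the exists check.

```python
"""Find Image File Execution Options (IFEO) 'Debugger' values that point at
files which no longer exist.  Added example; not from the thread or MBAM."""
import os
import re
from typing import Callable, Dict, List, Tuple

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample export modelled on the key quoted in the thread.
# notepad.exe shows a legitimate debugger entry; calc.exe has no Debugger value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\ntsd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableHeapLookaside"=dword:00000001
"""

# Constructed stand-in for the file system: only ntsd.exe "exists" here.
PRESENT_FILES = {r"C:\Windows\System32\ntsd.exe"}


def sample_exists(path: str) -> bool:
    """Offline replacement for os.path.exists (Windows paths are case-insensitive)."""
    return path.lower() in {p.lower() for p in PRESENT_FILES}


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image name: debugger path} for each IFEO subkey with a Debugger value."""
    debuggers: Dict[str, str] = {}
    current = None  # image name of the IFEO subkey we are inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = key[len(IFEO_PREFIX) + 1:]
            continue
        if current is None:
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m:
            # .reg string values escape backslashes and quotes with a backslash
            debuggers[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return debuggers


def scan_ifeo(reg_text: str,
              exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Return (image, debugger path, reason) for every suspicious Debugger value.

    A missing target is always reported: the image can no longer start at all.
    A Debugger value on explorer.exe is reported even when the file exists,
    since nothing normally hooks the shell this way outside shell development.
    """
    findings = []
    for image, path in parse_ifeo_debuggers(reg_text).items():
        if not exists(path):
            findings.append((image, path, "debugger target missing"))
        elif image.lower() == "explorer.exe":
            findings.append((image, path, "debugger set on the shell"))
    return findings


if __name__ == "__main__":
    for image, path, reason in scan_ifeo(SAMPLE_REG, sample_exists):
        print(f"{image}: Debugger={path} ({reason})")
```

Deleting only the Debugger value (not the whole subkey) is enough to restore the shell, which matches the request in the thread to leave an empty key alone.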
#2
Posted 13 July 2009 - 05:18 PM
That key probably should have been changed back to the default. Something could have been protecting it. You can actually hit Ctrl+Shift+Esc to open the task manager, and manually launch explorer.exe with the 'Run' function. That allows you to go about fixing the issue, assuming you don't prefer using a BartPE CD to edit the registry.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#3
Posted 13 July 2009 - 06:16 PM
GT500, on Jul 13 2009, 01:18 PM, said:
That key probably should have been changed back to the default. Something could have been protecting it. You can actually hit Ctrl+Shift+Esc to open the task manager, and manually launch explorer.exe with the 'Run' function. That allows you to go about fixing the issue, assuming you don't prefer using a BartPE CD to edit the registry.
Actually, when this key is in existence, which it normally is not, you CANNOT run explorer if the file referenced in the key no longer exists. Trust me. Try it for yourself.
#4
Posted 13 July 2009 - 09:03 PM
#5
Posted 13 July 2009 - 09:20 PM
http://74.125.95.132/search?q=cache:zmkJhd...=clnk&gl=us
We did this once already and there were FPs.
We are trying again a slightly different way, hope this works with no FPs this time.
#6
Posted 13 July 2009 - 09:49 PM
nosirrah, on Jul 13 2009, 05:20 PM, said:
http://74.125.95.132/search?q=cache:zmkJhd...=clnk&gl=us
We did this once already and there were FPs.
We are trying again a slightly different way, hope this works with no FPs this time.
Thanks Bruce. While I'm not suggesting how to do this, I can say that if you find ANY references to non-existing files within this whole key (Image File Options), you aren't going to hit an FP. While most of the executables in this key are minor, the Explorer.exe key is clearly a VERY special case, and one that you wouldn't expect to be listed here unless you're a *shell* developer, and in that case, you wouldn't be running MBAM...:-)
Thanks for looking into this. I ran into this problem a month or so ago, and now more than four times in the past week. I can't say for sure which Anti-Malware program is actually removing the malware file in \Microsoft Common\, as I typically run several while in PE mode and then flip back to safe mode to finish off the job. With MBAM not working in UBCD4Win right now, I can be certain that it wasn't MBAM that removed the referenced file. However, had MBAM (or if done properly, the other programs that removed the malware) caught this dead-ended file reference in the registry, it would have made life a bit easier. Since a couple of months had passed, I had forgotten about this key so it took me a bit to track it down when explorer appeared to stop working due to "Cannot be found"...
#7
Posted 13 July 2009 - 09:51 PM
And, from your link, it's quite possible that the key is there by default, but it's also blank, by default, which is also fine. It's the dead-end reference that's the problem. Sorry if that wasn't made obvious before.
-Ken
#8
Posted 13 July 2009 - 09:54 PM
MBAM links from file to Image File Execution Options so if we hit the file we also clear the hijack, I am unsure how the initial case came to be as I cannot replicate it.
#9
Posted 14 July 2009 - 12:31 AM
ATechGuy said:
Actually, when this key is in existence, which it normally is not, you CANNOT run explorer if the file referenced in the key no longer exists. Trust me. Try it for yourself.
Sorry, you're right. I must have been half asleep when I read this earlier.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#10
Posted 14 July 2009 - 12:52 AM
nosirrah, on Jul 13 2009, 05:54 PM, said:
MBAM links from file to Image File Execution Options so if we hit the file we also clear the hijack, I am unsure how the initial case came to be as I cannot replicate it.
I believe the initial case happened due to SuperAnti-Spyware removing the svchost.exe program and the phoney "Microsoft Common" folder. But it FAILED to also remove the registry key and thusly caused the problem. So, no knocks against MBAM there. However, I was just hoping that if you happened to FIND the registry key, AND it had a reference to a non-existent file, you would REMOVE the reference (who cares if you leave the key if it's empty...). At least that way, you could FIX the "File not found" problem. Of course, one might also say, and, HOW might you actually RUN MBAM if you don't have the shell? Well, just like running any other program at that point--from Task Manager. Clearly, not your average run-of-the-mill user, but between you and me, every ounce of heuristic you can deploy can help in this fight.
Cheers,
-Ken