Author Topic: Windows Repair suggestion  (Read 8487 times)


Offline ChrisE

  • Newbie
  • *
  • Join Date: Jun 2012
  • Posts: 8
  • Karma: 1
Windows Repair suggestion
« on: June 20, 2012, 12:20:02 PM »
Greetings, I apologize in advance if this is the wrong section to post this in; it seemed the appropriate one.

The suggestion is along the lines of 'repair policies set by infections' that is already there.

Essentially I have helped a few people now who have been infected by malware along the lines of the 'Windows Secure Web Patch' variety that uses Image File Execution options in the registry to prevent opening of programs such as Antivirus, Task Manager or Regedit including when booted into safe mode.

The suggestion, which I don't know if it would be deemed appropriate or not, would be for a new option or the repair policies to have that as part of the fixes.

The exact path of an example registry value would be HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (or other program), and it usually has the key values of default or debugger set to redirect to svchost.exe, though some redirect to the virus itself.

It might be, but I don't believe it's already checked as part of the repair: after I had helped someone with this issue, finished cleaning off the computer and ran Windows Repair, the registry values were still there and just needed to be removed manually, as the scans didn't remove them either (though they were detected by some).

That's my two cent request anyhow.

Offline Shane

  • Top Geek, err uh Dog.
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9280
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
Re: Windows Repair suggestion
« Reply #1 on: June 20, 2012, 12:25:28 PM »
I have seen malwarebytes.org detect files located in the Image File Execution Options reg section.

Can you post an example of how it is set? I see that Windows has some things in there normally, so I need to see what is different when the virus adds it so the program would know which to remove. :wink:

Shane
PLEASE EDIT YOUR TOPIC AND PUT (SOLVED) IF YOU ARE ALL FIXED.

(My weekends belong to my wife and kids, I will try my best to answer all posts daily during the work week)

(About Shane)
Site Owner, Top Admin, Lead Programmer, Wife & 5 kids, Needs a lot more coffee.

When people ask "Why fix what isn't broken?" I reply "To make it better."
"Only a life lived for others is a life worthwhile"
Honor & Respect is all that matters.

Owner & Programmer of: www.pcwintech.com & www.tweaking.com

Offline ChrisE

Re: Windows Repair suggestion
« Reply #2 on: June 20, 2012, 12:36:27 PM »
Yeah, I've had them found by Vipre Rescue and Malwarebytes. Vipre Rescue apparently isn't common enough to be targeted by the redirect so far, whereas Malwarebytes was (so it couldn't be opened without removing the registry redirect via command prompt, since regedit was already redirected); but neither was able to remove the registry values, with no error or stated reason why not.

And I have not dealt with the Image File Execution section extensively, but normally it would have the default value as REG_SZ with no value set, and the second value can be a DWORD, SZ or binary (with names depending on the key, such as CheckAppHelp, ApplicationGoo (the two most common) or DisableHeapLookAside), and either be set to a hex value such as 0x00000001 (1) or 1, or a binary value (58 02 00 00 54 etc.).

With these virus issues it's almost always default with no value, and 'Debugger' as an SZ type with svchost.exe set. I haven't seen a program or DLL listed in that section in normal operation.

Edit: haven't seen a program or DLL listed as the data value for a key, that is; programs or DLLs for the key itself, such as 'Cleanup.dll', yes, but a key value of Clean.dll would never be a program.

Edit2: Another note: with one of these malware infections it also usually modifies every entry in Image File Execution Options, in addition to adding the values it does to prevent opening of antivirus products and other tools such as Task Manager and regedit. In the cases I've worked on, every key in there had been changed to point to svchost.
« Last Edit: June 20, 2012, 12:43:21 PM by ChrisE »

Offline Shane

Re: Windows Repair suggestion
« Reply #3 on: June 20, 2012, 12:59:26 PM »
And was the fix to simply delete the key for each process that was listed there?

Shane

Offline ChrisE

Re: Windows Repair suggestion
« Reply #4 on: June 20, 2012, 01:15:41 PM »
Yeah, I usually started by deleting the regedit key, and after that regedit could be opened to remove the other keys; or start with the Malwarebytes key so that it can start and run the scan to remove the rest itself.

Offline Shane

Re: Windows Repair suggestion
« Reply #5 on: June 20, 2012, 01:29:59 PM »
I noticed that the subkeys will be the file name.

So I just need a list of file names to remove and that should do the trick :wink:

Shane

Offline ChrisE

Re: Windows Repair suggestion
« Reply #6 on: June 20, 2012, 02:19:10 PM »
That part I might need a little bit to get back to you with. I only have a partial list left from the one I am currently working with right now (the original list is much, much longer and has most any antivirus option they might use), but I'll see if I can get the rest and either post another reply or edit this post. If I get a complete list I'll probably attach it as a text file, as that would be better than one huge list in the post itself, unless you'd prefer it that way.

Edit: all with an SZ value pointing to svchost.exe, or in some cases the virus file, which is also a .exe.

Partial list:
avastSvc.exe
avastUI.exe
avguard.exe
avShadow.exe
guardxkickoff.exe
init32.exe
mbam.exe
mbamgui.exe
mbamservice.exe
mcmpeng.exe
mrt.exe
msseces.exe
ntvdm.exe
regedit.exe
taskmgr.exe
virusutilities.exe
« Last Edit: June 20, 2012, 02:21:00 PM by ChrisE »
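As an added example (not code from this thread or from the Windows Repair program), a small Python script that parses an exported IFEO section, flags every subkey whose Debugger value is set, which is the infected layout ChrisE describes, and writes the kind of removal .reg Shane mentions. It deletes only the Debugger value rather than the whole subkey, so legitimate values like CheckAppHelp survive; the sample export, the dropped file name abc.exe and the `allow` list are constructed assumptions.

```python
import re

# Constructed sample, not a real export: an IFEO fragment as "regedit /e" would write it.
# Cleanup.dll has the normal layout (no Debugger); regedit.exe and mbam.exe are redirected.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\Users\\user_account\\AppData\\Local\\abc.exe"
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
_KEY = re.compile(r"^\[(.+)\]$")
_SZ = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only; dword/hex values are ignored

def parse_reg(text):
    """Return {key_path: {value_name_lowercase: string}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if k := _KEY.match(line):
            current = k.group(1)
            keys[current] = {}
        elif (v := _SZ.match(line)) and current is not None:
            # .reg string data doubles backslashes and escapes embedded quotes
            keys[current][v.group(1).lower()] = v.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_debugger_redirects(keys, allow=()):
    """(subkey, debugger) for each IFEO subkey with a Debugger value, except subkeys in `allow`."""
    skip = {a.lower() for a in allow}  # e.g. a developer's own intentional debugger entry
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + "\\") and "debugger" in values:
            sub = path[len(IFEO) + 1:]
            if sub.lower() not in skip:
                hits.append((sub, values["debugger"]))
    return hits

def removal_reg(hits):
    """Emit a .reg that deletes only the Debugger value ("Debugger"=-), leaving other values alone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for sub, _ in hits:
        lines += ["[%s\\%s]" % (IFEO, sub), '"Debugger"=-', ""]
    return "\n".join(lines)
```

Run the resulting .reg with regedit (or `reg import`) after confirming each flagged subkey is not one you configured yourself.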

Offline Shane

Re: Windows Repair suggestion
« Reply #7 on: June 20, 2012, 02:23:53 PM »
Go ahead and get me a list.

Include the full reg path that will be deleted, if you can.

The program creates a reg file to remove them. But I can have the process first go and delete the regedit one if it is there before running the reg file for the rest :wink:

Shane

Offline ChrisE

Re: Windows Repair suggestion
« Reply #8 on: July 11, 2012, 12:26:16 PM »
Sorry for the delay, I hadn't gotten another of the image spyware calls for a little while, but I do have the list now. It is missing the regedit, Task Manager and Malwarebytes key values, as those were removed manually before this log.

The attachment is the final Malwarebytes log (as you said, it usually does clean these out fine on its own, but usually they will not be able to run Malwarebytes since it and everything else are redirected); the only things I changed were any possible identity references (their name to persons_name, their account to user_account).

I figured this might be easiest since it lists all 757 Image Object Execution changes it made along with the full reg path for each, though it doesn't list the inside values I mentioned before (the Debugger value that always points to svchost.exe or possibly the virus .exe itself).

Lastly I left the files detected part of the log (with the above user_account change) so you can see some common file names used by this kind of malware.
« Last Edit: July 11, 2012, 12:30:02 PM by ChrisE »

Offline Shane

Re: Windows Repair suggestion
« Reply #9 on: July 11, 2012, 09:36:41 PM »
Nice, I can just add all those reg paths to the remove policies repair and set it to remove them :-)

Shane