1. Lyndi

    This is scary stuff. If I am understanding correctly it means that anti-virus software is not sufficient. We also need something like this to keep tabs on the registry.

    The Net is not fair. The ‘good’ guys have to spend hours keeping their equipment as safe as they can while the ‘bad’ guys just do as they please.

  2. Rarst


    If a specific virus is known to the antivirus software used, it will be killed without a chance to do harm (which is the point).

    However, if a virus is fresh and not yet detectable, sadly the antivirus doesn’t stand a chance.

    Some security software offers registry protection functions; I think Comodo Firewall (which I posted about) has such a feature.

  3. TechZoomIn

    Rarst, I have got a new problem with my system, dude. A virus hijacked my exe files. After having the new operating system on my machine, I am scanning the system and it’s not finding anything.

    But when I try to double-click on any exe file, the virus fires up and causes the same problems.

    I suspect the virus hacked my exe files and fires when I click on any exe.

    Any suggestions from Rarst or the guys here? :(

  4. MK

    Autoruns is great for removing startup entries left by virii. It just takes some time to tell my friends which one is good and which one is bad. svchost is not the same as svch0st. Sigh~

  5. TechZoomIn

    I’m using the latest McAfee version, for which they gave a free one-year subscription for the new year.
    I will try CureIt, which you mentioned. Thanks Rarst.

  6. Madmouse Blog

    Security is very important and most people aren’t prepared for it at all. Even with antivirus, spyware, software and hardware firewalls you still can have issues.
    I thought that I was on top of this, but even running Avast Pro, Webroot Spy Sweeper, Outpost Firewall Pro and a hardware firewall, and updating my definitions as often as the software would let me, I still got hit somehow.

    I then saw that someone was charging up a storm on one of my credit cards, and it was all porn related. Dealing with the credit card company was very easy, and everything is fixed and the charges reversed now.

    However, this made me think it is time to go back to a Linux based system using Ubuntu for surfing the web, emails and my electronic banking.

    I believe that a Windows based system just won’t cut the cake for security.

  7. Rarst


    Well my best security app is Process Explorer constantly running on second monitor so I can simply see if something acts weird. :)

    That’s quite a setup btw; are you sure it was computer related? It could be a leak from a 3rd party, or offline altogether.

    And I agree that most people aren’t prepared. Not much can be done about that.

  8. Madmouse Blog


    It is very confusing because I also run Mailwasher Pro which gets rid of almost 99% of the trash before it hits Thunderbird. I am the only one who uses my system, so it kinda points it back to something I did. I wonder sometimes about Firefox plugins if they could cause an issue like this.

  9. Nihar

    Never heard of this. Anyways, thanks for the post. Now I know how to clean it up.

  10. Altiris_Grunt

    Like most, I have my favorite anti-virus product (Avira AntiVir Personal – freeware version), firewall (ZoneAlarm Free) and on-demand spyware tools (Malwarebytes and SuperAntiSpyware). I use these products on all of my home’s ‘Net-facing PCs.

    But the best tool I use: default LUAs (Limited User Accounts).
    No Power-User accounts and the single Administrator account has a strong password. The Admin account is strictly used for system maintenance, patching and software installations, only. No casual surfing permitted with this account.

    I can’t believe the number of folks who still surf and play on the ‘Net with full Administrator rights. Most folks seem to believe it’s too much trouble to lock it down and stick to it.

  11. Altiris_Grunt

    Here’s a related article regarding LUAs and Windows 7:

  12. Marvin

    As of today, Autoruns does not even show all the items that are being hijacked in the image file execution part of the registry.

    I have 100s of items that I just can’t delete one by one. Although Autoruns seems like a helpful program, it doesn’t do what you say it does. At least not for me.

    Thanks anyways.

  13. Marvin


    I disagree. 100s of anti-virus and other executables are hijacked and pointing to svchost.exe.

    What I have been doing to get around this is just deleting the entries that were necessary for me to install MSE. (MsMpEng.exe and msseces.exe) There are too many entries for me to delete them all. I can’t select more than one at a time. So I scan down the list and get the obvious executables that stand out.

    That tool you recommend above does not list ANY of these hijacked .exe entries. I was hoping that tool would allow me to delete multiple registry entries quickly, in larger batches than just 1 at a time.

    A large percentage of the virus ridden computers I repair have this exact problem I mentioned.

  14. Marvin


    The last time I experienced this was yesterday on a system with XP. I really do see this problem every other day.

    I need to find a quicker way of deleting 100′s of registry entries. Since I’m the one setting up my customers Anti-virus, I can go find the appropriate .exe and find them under the image file execution registry entry. I delete it and everything is good to go . The only problem is, if they change anti-viruses in the future, odds are there will be an .exe entry that will still exist for the new antivirus they choose. I just can’t sit there and delete 100′s of entried 1 by 1. The only thing I can do is attack the appropriate entries that will let the anti-virus I want to use work. (Most the time I’m putting MSE on machines. As I said before there are only 2 .exe I usually have to clear from this list to get MSE to work.)

  15. Altiris_Grunt

    Heroic rescue measure. Sometimes it’s worth the effort. Sometimes you (or your customer) don’t have all of the original software installation disks for a complete rebuild.

    I hate to say this, because I love a technical challenge, but there’s a practical limit when dealing with malware-infected systems!

    I mean, if this is a home system (maybe yours!), you might be comfortable spending several days in a heroic rescue attempt.

    In a business environment (where time equals money), anything over a couple of hours would merit a complete format and rebuild. To lessen the impact, one would use a bootable rescue CD/DVD and back up the C:\Users (or Documents and Settings) folders first.

  16. Jonny Vee

    @Madmouse Blog

    I haven’t seen Mailwasher Pro for years. It used to have a feature where you could FORCE the spam right back to the person who sent it. But since it was being forced back into too many machines that had been hijacked, they took the feature out. If I get malicious emails, I send them through my free “spamcop.net” account, which usually shows you who is responsible for it.

    I’ve got a client’s machine that has the infected explorer.exe and winlogon files. This is driving me crazy; I replaced the files with the originals, and they are still getting infected. TDSSKiller has not found the agent which is corrupting the files yet. Very frustrating.

2 pingbacks

  1. [...] The only thing that could be better is if the app offered at least basic editing capabilities on top of pure search. Relying on the native editor can bite in some situations, like when malware blocks it with an executable hijack. [...]

  2. [...] that splits into multiple threads or runs periodically. One way to work around that might be using Image File Execution Options to set RegFromApp as the debugger for the executable. A common way to monitor for registry changes is [...]
