26 Comments

  • This is scary stuff. If I am understanding correctly it means that anti-virus software is not sufficient. We also need something like this to keep tabs on the registry.

    The Net is not fair. The ‘good’ guys have to spend hours keeping their equipment as safe as they can while the ‘bad’ guys just do as they please.

  • @Lyndi

    If a specific virus is known to the antivirus software used – it will be killed without a chance to do harm (which is the point).

    However, if the virus is fresh and not yet detectable – sadly, antivirus doesn’t stand a chance.

    Some security software offers registry protection functions; I think Comodo firewall (which I posted about) has such.

  • Rarst, I have got a new problem with my system, dude.. A virus hijacked my exe files. After having the new operating system on my machine, I am scanning the system and it’s not finding anything.

    But when I try to double-click on any exe file, the virus fires up and causes the same problems.

    I suspect the virus hacked my exe files and fires when I click on any exe.

    Any suggestions from Rarst or guys here :(

  • Autoruns is great for removing startup entries left by virii. It just takes some time to tell my friends which one is good, and which one is bad. svchost is not the same as svch0st. Sigh~

  • I’m using the McAfee latest version, which they gave a free one-year subscription for the new year.
    I will try CureIt, which you said. Thanks, Rarst.

  • Security is very important and most people aren’t prepared for it at all. Even with antivirus, spyware, software and hardware firewalls you still can have issues.
    I thought that I was on top of this, but even running Avast Pro, Webroot Spy Sweeper, Outpost Firewall Pro and a hardware firewall, updating my definitions as often as the software would let me, I still got hit somehow.

    After seeing that someone was charging up a storm on one of my credit cards, and it was all porn related, dealing with the credit card company was very easy and everything is fixed and the charges reversed now.

    However, this made me think it is time to go back to a Linux based system using Ubuntu for surfing the web, emails and my electronic banking.

    I believe that a Windows based system just won’t cut the cake for security.

  • @Madmouse

    Well, my best security app is Process Explorer constantly running on a second monitor so I can simply see if something acts weird. :)

    That’s quite a setup btw, you sure it was computer related? Could be a leak from a 3rd party or offline altogether.

    And I agree that most people aren’t prepared. Not much can be done about that.

  • @Rarst

    It is very confusing because I also run Mailwasher Pro which gets rid of almost 99% of the trash before it hits Thunderbird. I am the only one who uses my system, so it kinda points it back to something I did. I wonder sometimes about Firefox plugins if they could cause an issue like this.

  • @Madmouse

    Yeah, strange indeed. :(

  • Never heard of this. Anyways thanks for the post. Now I know how to clean it up.

  • Altiris_Grunt

    Like most, I have my favorite anti-virus product (Avira AntiVir Personal – freeware version), firewall (ZoneAlarm Free) and on-demand spyware tools (Malwarebytes and SuperAntiSpyware). I use these products on all of my home’s ‘Net-facing PCs.

    But the best tool I use: default LUAs (Limited User Accounts).
    No Power-User accounts and the single Administrator account has a strong password. The Admin account is strictly used for system maintenance, patching and software installations, only. No casual surfing permitted with this account.

    I can’t believe the number of folks who still surf and play on the ‘Net with full Administrator rights. Most folks seem to believe it’s too much trouble to lock it down and stick to it.

  • @Altiris_Grunt

    Heh, guilty of running under admin. :) At work I kinda have no say about that. At home running under user would make me miserable in about three hours (yes, I tried).

    On security online I stick to the opinion that most threats either need you to do something stupid or use holes and don’t care about what you do at all.

    Brain handles the former, decent browser (I use Opera) and security software/patches the latter.

  • […] Only thing that could be better is if the app offered at least basic editing capabilities on top of pure search. Relying on the native editor can bite in some situations, like when malware blocks it with an executable hijack. […]

  • […] that splits into multiple threads or runs periodically. One way to work around that might be using Image File Execution Options to set RegFromApp as debugger for the executable. Common way to monitor for registry changes is […]

  • As of today, Autoruns does not even show all the items that are being hijacked in the image file execution part of the registry.

    I have 100’s of items that I just can’t delete one by one. Although Autoruns seems like a helpful program, it doesn’t do what you say it does. At least not for me.

    Thanks anyways.

  • @Marvin

    Not all entries in that registry branch are image hijacks. Actually, in practice very few (if any at all) of those hundreds of entries have anything to do with it.

    Autoruns only shows those entries that matter – the ones with the debugger parameter set, which is the only case when an executable or library is actually hijacked.

  • @Rarst

    I disagree. 100’s of anti-virus and other executables are hijacked and pointing to Svchost.exe.

    What I have been doing to get around this is just deleting the entries that were necessary for me to install MSE (MsMpEng.exe and msseces.exe). There are too many entries for me to delete them all. I can’t select more than one at a time. So I scan down the list and get the obvious executables that stand out.

    That tool you recommend above does not list ANY of these hijacked .exe. I was hoping that tool would allow me to delete multiple registry entries quickly and in larger multiples than just 1 at a time.

    A large percentage of the virus ridden computers I repair have this exact problem I mentioned.

  • @Marvin

    Sorry, I had never encountered such a situation (and I used Autoruns on countless computers).

    I’d check if there is the correct profile set in Autoruns and if it runs with admin permissions. Other than that my only guess is that the registry might have corrupted security settings (the nastiest malware does that) which prevent access.

  • @Rarst

    The last time I experienced this was yesterday on a system with XP. I really do see this problem every other day.

    I need to find a quicker way of deleting 100’s of registry entries. Since I’m the one setting up my customers’ anti-virus, I can go find the appropriate .exe and find them under the image file execution registry entry. I delete it and everything is good to go. The only problem is, if they change anti-viruses in the future, odds are there will be an .exe entry that will still exist for the new antivirus they choose. I just can’t sit there and delete 100’s of entries 1 by 1. The only thing I can do is attack the appropriate entries that will let the anti-virus I want to use work. (Most of the time I’m putting MSE on machines. As I said before, there are only 2 .exe I usually have to clear from this list to get MSE to work.)

  • @Marvin

    I am out of any more ideas without encountering such for myself and having hands-on experience with the case.

    Personally and in general I’d try to find an anti-malware scanner that handles it or write something in AutoIt to loop through the registry branch and nuke hijacks.
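
A defender’s audit script, as an added example that is not from the post or any commenter, covering Rarst’s two points above: only IFEO entries with a Debugger value matter, and looping over the branch beats deleting hundreds of entries by hand in Autoruns. It assumes an elevated PowerShell session; the allow-list of legitimate debuggers is constructed and should be adjusted locally.

```powershell
# Added example, not code from the post or its commenters: audit the IFEO branch
# for subkeys that carry a Debugger value (the only case in which the named
# executable is actually redirected) and optionally remove the unwanted ones.
# Assumes an elevated PowerShell prompt on the affected machine.
param(
    [switch]$Remove   # report only by default; -Remove deletes unknown Debugger values
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Constructed allow-list of tools that legitimately register as a debugger;
# extend it for your own environment.
$allowed = @('vsjitdebugger.exe', 'windbg.exe', 'procdump.exe')

$hijacks = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction Stop) {
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    # Entries that only set GlobalFlag, PageHeap, etc. are not hijacks; skip them
    if (-not $debugger) { continue }
    $known = [bool]($allowed | Where-Object { $debugger -like "*$_*" })
    [PSCustomObject]@{
        Target   = $key.PSChildName   # executable name the entry applies to
        Debugger = $debugger          # what actually gets launched instead
        Known    = $known
    }
}

if (-not $hijacks) { "No Debugger values found under IFEO."; return }
$hijacks | Sort-Object Known, Target | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hijacks | Where-Object { -not $_.Known }) {
        # Deleting only the Debugger value leaves any other flags on the key intact
        Remove-ItemProperty -Path (Join-Path $ifeo $h.Target) -Name Debugger -Verbose
    }
}
```

Run it once without -Remove to review the table, then with -Remove; Autoruns can be re-run afterwards to confirm the Image Hijacks tab is clean.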

  • Altiris_Grunt

    Heroic Rescue measure. Sometimes, it’s worth the effort. Sometimes, you (or your customer) don’t have all of the original software installation disks for a complete rebuild.

    I hate to say this, because I love a technical challenge, but there’s a practical limit when dealing with malware-infected systems!

    I mean, if this is a home system (maybe yours!), you might be comfortable spending several days in a heroic rescue attempt.

    In a business environment (where time equals money), anything over a couple of hours would merit a complete format and rebuild. To lessen the impact, one would use a bootable rescue CD/DVD and back up the C:\User (or Documents and Settings) folders first.

  • @Altiris_Grunt

    As for me, there is a simple practical test if it’s worth cleaning up – does the computer survive the initial antivirus scan.

    If it does – there aren’t likely to be issues that registry cleanup and such won’t fix.

    If it doesn’t – likely the system was harmed beyond a simple fix (but there are typical exceptions that are easy to recognize and fix, like a blank desktop).

  • @Madmouse Blog

    I haven’t seen Mailwasher Pro for years – it used to have a feature where you could FORCE the spam right back to the person who sent it. But since it was being forced back into too many machines that had been hijacked, they took the feature out. If I get malicious emails, I send them through my free “spamcop.net” account, which usually shows you who is responsible for it.

    I’ve got a client’s machine that has the infected explorer.exe and winlogon files. This is driving me crazy, I replaced the files with the originals, and they are still getting infected. TDSSKiller has not found the agent which is corrupting the files yet. Very frustrating.
