#StandWithUkraine

How to clean up viruses hijacking executables

Windows has an interesting registry key called Image File Execution Options. It is rarely useful to users but is total bliss for viruses. The worst part: the modifications viruses make there often cripple the system for good, even after the virus itself is removed.

So if the system behaves strangely after a virus attack was cleaned up, the remaining harmful registry entries must be destroyed.

What it does

The registry key provides a perfectly legitimate function: attaching debuggers to executable files. In plain language, it allows creating entries that say: if application A is launched, start application B instead.

How viruses use it

  1. Attach to common system executables (like explorer.exe) to make sure the virus is always running, in a manner harder to detect than common autorun entries. When the virus is removed this may prevent system files from running at all.
  2. Prevent antivirus software from running by attaching executables that may not even exist. If an antivirus utility can't start, it is worth trying to rename its executable file.

Cleanup

Manual registry editing is always an option but far from comfortable. Much easier is using Autoruns, which has an Image Hijacks tab.

[Screenshot: Autoruns, Image Hijacks tab]

The screenshot shows an example of how Process Explorer replaces the Windows Task Manager. If there are entries here, it is often a sign of virus infection. Right-click > Delete (or Ctrl+D or Del) removes an entry; right-click > Jump to… opens the entry in the registry editor.
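The same check in script form, as an added example that is not part of the original post nor of Autoruns: it lists the Image File Execution Options subkeys that carry a Debugger value (the only case that actually redirects an executable) and removes that value for chosen targets. The Wow6432Node path, the function names and the two target executables taken from the comments are assumptions of this example.

```powershell
# Added example, not from the original post. Lists Image File Execution Options
# entries that actually redirect an executable (those with a Debugger value) and
# removes the Debugger value for chosen targets. Run in an elevated PowerShell.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit images on 64-bit Windows are registered under the Wow6432Node view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoHijack {
    foreach ($root in $IfeoPaths) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            # Subkeys without a Debugger value hold other settings and are not hijacks
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
            [PSCustomObject]@{
                Target   = $key.PSChildName   # executable that is being redirected
                Debugger = $dbg               # what is launched instead of it
                Key      = $key.PSPath
            }
        }
    }
}

function Remove-IfeoHijack {
    # Deletes only the Debugger value and leaves the rest of the subkey alone.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Target)
    foreach ($hit in Get-IfeoHijack | Where-Object { $Target -contains $_.Target }) {
        if ($PSCmdlet.ShouldProcess($hit.Key, "Remove Debugger value '$($hit.Debugger)'")) {
            Remove-ItemProperty -Path $hit.Key -Name Debugger
        }
    }
}

# Review the list first: a Debugger value can be legitimate (Process Explorer
# registered as the replacement for taskmgr.exe) or a hijack of an antivirus executable.
Get-IfeoHijack | Format-Table Target, Debugger -AutoSize

# Dry run for the two executables named in the comments; drop -WhatIf to really delete.
Remove-IfeoHijack -Target 'MsMpEng.exe', 'msseces.exe' -WhatIf
```

Because it enumerates the whole branch, this also covers the case from the comments where hundreds of executables are redirected and deleting them one by one in a GUI is impractical.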

26 Comments

  • Lyndi #

    This is scary stuff. If I am understanding correctly it means that anti-virus software is not sufficient. We also need something like this to keep tabs on the registry. The Net is not fair. The 'good' guys have to spend hours keeping their equipment as safe as they can while the 'bad' guys just do as they please.
  • Rarst #

    @Lyndi If a specific virus is known to the antivirus software used, it will be killed without a chance to do harm (which is the point). However, if the virus is fresh and not detectable yet, sadly the antivirus doesn't stand a chance. Some security software offers registry protection functions; I think Comodo firewall (I posted about it) has such.
  • TechZoomIn #

    Rarst, I have got a new problem with my system, dude. A virus hijacked my exe files. After putting the new operating system on my machine, I am scanning the system and it's not finding anything. But when I try to double click on any exe file the virus fires up and causes the same problems. I suspect the virus hacked my exe files and fires when I click on any exe. Any suggestions from Rarst or guys here :(
  • Rarst #

    @Lax What antivirus are you using? Try portable CureIt, it's good. My post: https://www.rarst.net/software/choosing-portable-antivirus-clamwin-vs-cureit/ Direct download: http://ftp.drweb.com/pub/drweb/cureit/cureit.exe Either your antivirus is missing the actual virus and you need to clean with another one, or the system is damaged by the past infection.
  • MK #

    Autoruns is great for removing startup entries left by virii. It just takes some time to tell my friends which one is good and which one is bad. svchost is not the same as svch0st. Sigh~
  • Rarst #

    @MK Yeah, exactly. :) That's why I run everything remotely suspicious through VirusTotal https://www.rarst.net/web/virustotalcom-thorough-online-antivirus-scanner/ However, viruses are not likely to mask names lately. If it's in and active, the antivirus is most probably dead by then. If the antivirus is faster, blending the name won't help much.
  • TechZoomIn #

    I'm using the McAfee latest version, which they gave as a free one year subscription for the new year. I will try CureIt which you mentioned. Thanks Rarst.
  • Madmouse Blog #

    Security is very important and most people aren't prepared for it at all. Even with antivirus, spyware software and hardware firewalls you still can have issues. I thought that I was on top of this, but even running Avast Pro, Webroot Spy Sweeper, Outpost Firewall Pro and a hardware firewall, and updating my definitions as often as the software would let me, I still got hit somehow. After seeing that someone was charging up a storm on one of my credit cards and it was all porn related, dealing with the credit card company was very easy and everything is fixed and charges reversed now. However, this made me think it is time to go back to a Linux based system using Ubuntu for surfing the web, emails and my electronic banking. I believe that a Windows based system just won't cut the cake for security.
  • Rarst #

    @Madmouse Well, my best security app is Process Explorer constantly running on the second monitor so I can simply see if something acts weird. :) That's quite a setup btw, you sure it was computer related? Could be a leak from a 3rd party or offline altogether. And I agree that most people aren't prepared. Not much can be done about that.
  • Madmouse Blog #

    @Rarst It is very confusing because I also run Mailwasher Pro, which gets rid of almost 99% of the trash before it hits Thunderbird. I am the only one who uses my system, so it kinda points back to something I did. I wonder sometimes about Firefox plugins, if they could cause an issue like this.
  • Rarst #

    @Madmouse Yeah, strange indeed. :(
  • Nihar #

    Never heard of this. Anyways, thanks for the post. Now I know how to clean it up.
  • Altiris_Grunt #

    Like most, I have my favorite anti-virus product (Avira AntiVir Personal - freeware version), firewall (ZoneAlarm Free) and on-demand spyware tools (Malwarebytes and SuperAntiSpyware). I use these products on all of my home's 'Net-facing PCs. But the best tool I use: default LUAs (Limited User Accounts). No Power-User accounts and the single Administrator account has a strong password. The Admin account is strictly used for system maintenance, patching and software installations, only. No casual surfing permitted with this account. I can't believe the number of folks who still surf and play on the 'Net with full Administrator rights. Most folks seem to believe it's too much trouble to lock it down and stick to it.
  • Rarst #

    @Altiris_Grunt Heh, guilty of running under admin. :) At work I kinda have no say about that. At home running under user would make me miserable in about three hours (yes, I tried). On security online I stick to the opinion that most threats either need you to do something stupid or use holes and don't care about what you do at all. Brain handles the former, decent browser (I use Opera) and security software/patches the latter.
  • Altiris_Grunt #

    Here's a related article regarding LUAs and Windows 7: http://blogs.zdnet.com/hardware/?p=4627
  • RegScanner – search app for Windows registry | Rarst.net #

    [...] The only thing that could be better is if the app offered at least basic editing capabilities on top of pure search. Relying on the native editor can bite in some situations, like when malware blocks it with an executable hijack. [...]
  • RegFromApp – simple registry monitor | Rarst.net #

    [...] that splits into multiple threads or runs periodically. One way to work around that might be using Image File Execution Options to set RegFromApp as debugger for the executable. A common way to monitor for registry changes is [...]
  • Marvin #

    As of today, Autoruns does not even show all the items that are being hijacked in the Image File Execution part of the registry. I have 100's of items that I just can't delete one by one. Although Autoruns seems like a helpful program, it doesn't do what you say it does. At least not for me. Thanks anyways.
  • Rarst #

    @Marvin Not all entries in that registry branch are image hijacks. Actually, in practice very few (if any at all) of those hundreds of entries have anything to do with it. Autoruns only shows the entries that matter: the ones with the debugger parameter set, which is the only case when an executable or library is actually hijacked.
  • Marvin #

    @Rarst I disagree. 100's of anti-virus and other executables are hijacked and pointing to Svchost.exe. What I have been doing to get around this is just deleting the entries that were necessary for me to install MSE (MsMpEng.exe and msseces.exe). There are too many entries for me to delete them all. I can't select more than one at a time. So I scan down the list and get the obvious executables that stand out. That tool you recommend above does not list ANY of these hijacked .exe. I was hoping that tool would allow me to delete multiple registry entries quickly and in larger multiples than just 1 at a time. A large percentage of the virus ridden computers I repair have this exact problem I mentioned.
  • Rarst #

    @Marvin Sorry, I have never encountered such a situation (and I used Autoruns on countless computers). I'd check if the correct profile is set in Autoruns and if it runs with admin permissions. Other than that my only guess is that the registry might have corrupted security settings (the nastiest malware does that) which prevent access.
  • Marvin #

    @Rarst The last time I experienced this was yesterday on a system with XP. I really do see this problem every other day. I need to find a quicker way of deleting 100's of registry entries. Since I'm the one setting up my customers' anti-virus, I can go find the appropriate .exe and find them under the Image File Execution registry entry. I delete it and everything is good to go. The only problem is, if they change anti-viruses in the future, odds are there will be an .exe entry that will still exist for the new antivirus they choose. I just can't sit there and delete 100's of entries 1 by 1. The only thing I can do is attack the appropriate entries that will let the anti-virus I want to use work. (Most of the time I'm putting MSE on machines. As I said before, there are only 2 .exe I usually have to clear from this list to get MSE to work.)
  • Rarst #

    @Marvin I am out of any more ideas without encountering such a case myself and having hands-on experience with it. Personally and in general I'd try to find an anti-malware scanner that handles it, or write something in AutoIt to loop through the registry branch and nuke the hijacks.
  • Altiris_Grunt #

    Heroic rescue measure. Sometimes, it's worth the effort. Sometimes, you (or your customer) don't have all of the original software installation disks for a complete rebuild. I hate to say this, because I love a technical challenge, but there's a practical limit when dealing with malware-infected systems! I mean, if this is a home system (maybe yours!), you might be comfortable spending several days in a heroic rescue attempt. In a business environment (where time equals money), anything over a couple of hours would merit a complete format and rebuild. To lessen the impact, one would use a bootable rescue CD/DVD and back up the C:\User (or Documents and Settings) folders first.
  • Rarst #

    @Altiris_Grunt As for me, there is a simple practical test of whether it's worth cleaning up: does the computer survive the initial antivirus scan? If it does, there aren't likely to be issues that registry cleanup and such won't fix. If it doesn't, the system was likely harmed beyond a simple fix (but there are typical exceptions that are easy to recognize and fix, like a blank desktop).
  • Jonny Vee #

    @Madmouse Blog I haven't seen Mailwasher Pro for years. It used to have a feature where you could force the spam right back to the person who sent it. But since it was being forced back into too many machines that had been hijacked, they took the feature out. If I get malicious emails, I send them through my free "spamcop.net" account, which usually shows you who is responsible for it. I've got a client's machine that has the infected explorer.exe and winlogon files. This is driving me crazy, I replaced the files with the originals, and they are still getting infected. TDSSKiller has not found the agent which is corrupting the files yet. Very frustrating.