Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
regedit.exe Not Working
This section describes why regedit.exe stopped working: the PWS Trojan redirected the launch of regedit.exe to the ntsd debugger through the "Image File Execution Options" registry key.
Another symptom of this PWS Trojan was that regedit.exe stopped working. Entering "regedit" at the command prompt returned immediately without starting the Registry Editor.
I found the answer in the Spybot scan report:
Hupigon13 25 entries Trojans ...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
...
Using the "reg export" command, I got details about this registry setting:
[HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentversion\Image File Execution Options\regedit.exe]
"debugger"="ntsd -d"
Based on Microsoft documentation, a "Debugger" value under "Image File Execution Options\<image name>" tells Windows to start the named debugger instead of the program whenever an executable with that file name is launched, passing it the original command line as the program to debug. The key is matched by file name only, so it applies to regedit.exe from any directory. Here the debugger is ntsd, the NT Symbolic Debugger (a user-mode console debugger), and its -d option sends the debugger's input and output to the kernel debugger. With no kernel debugger attached, the debuggee is never resumed, so regedit.exe never appears; on systems where ntsd.exe is not installed at all, the launch fails outright.
The PWS Trojan uses this registry key to disable anti-virus and system-analysis tools, regedit.exe among them, without touching the programs' files: every attempt to start them is diverted to a debugger that never lets them run.
I looked at the other subkeys under "Image File Execution Options" and found that 132 program names (regedit.exe included) carried the same "debugger"="ntsd -d" value. Most are anti-virus, firewall and system-analysis tools, including Process Explorer, Autoruns, Filemon, Regmon, HijackThis, IceSword and OllyDbg:
[HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentversion\Image File Execution Options\xxxxxxxx.xxx]
"debugger"="ntsd -d"
where xxxxxxxx.xxx is one of:
360rpt.exe 360Safe.exe 360tray.exe adam.exe AgentSvr.exe AntiArp.exe AppSvc32.exe autoruns.exe
avconsol.exe avgrssvc.exe AvMonitor.exe avp.com avp.exe CCenter.exe ccSvcHst.exe conime.exe
DrvAnti.exe drwadins.exe drwebscd.exe drwebupw.exe EGHOST.exe FileDsty.exe filemon.exe FTCleanerShell.exe
FYFireWall.exe GFRing3.exe GFUpd.exe GuardField.exe HijackThis.exe IceSword.exe iparmo.exe Iparmor.exe
kabaload.exe KaScrScn.SCR KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPF.exe KAVPFW.exe
KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32.exe KPFW32X.exe KPfwSvc.exe
KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp
kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe
KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe MagicSet.exe mcconsol.exe mmqczj.exe
mmsk.exe Navapsvc.exe Navapw32.exe nod32.exe nod32krn.exe nod32kui.exe NPFMntor.exe OllyDBG.EXE
OllyICE.EXE PFW.exe PFWLiveUpdate.exe procexp.exe QHSET.exe QQDoctor.exe QQKav.exe Ras.exe
RavCopy.exe RavMon.exe RavMonD.exe RavStub.exe RavTask.exe RavXP.exe RawCopy.exe RegClean.exe
regedit.exe regmon.exe RegTool.exe rfwcfg.exe rfwmain.exe rfwProxy.exe rfwsrv.exe rfwstub.exe
RsAgent.exe Rsaupd.exe runiep.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe spiderml.exe
spidernt.exe spiderui.exe spml_set.exe SREng.EXE symlcsvc.exe SysSafe.exe taskmgar.exe TrojanDetector.exe
Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe
UpLive.exe vsstat.exe webscanx.exe WoptiClean.exe
If a program stops working after a virus or Trojan infection, check this registry key for a subkey named after the program's executable.
Should all "debugger"="ntsd -d" values under this key be removed? Yes. No legitimate software installs that value, and each one only serves to keep a security tool from starting. Delete the "debugger" value itself (or the whole subkey if nothing else is in it) rather than the entire "Image File Execution Options" key: a few developer tools register a real debugger there on purpose, and such entries point at a debugger that actually exists on the machine, so inspect any value that is not "ntsd -d" before deleting it.
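The check and clean-up described above, written as a PowerShell script for a current Windows system (an added example; it is not part of the original tutorial or of Spybot). It walks every subkey of "Image File Execution Options", reports the ones that carry a "Debugger" value, and flags a value as suspicious when it starts with "ntsd -d" or names a program that cannot be found on the machine (the assumption being that a hijack pointing at a missing debugger breaks the program exactly as the "ntsd -d" entries do). The -Remove switch and the Wow6432Node path are additions for 64-bit systems, not something the tutorial mentions.

```powershell
# Added example (not from the tutorial): audit the IFEO "Debugger" values that the
# PWS/Hupigon trojan above uses to hijack program launches.
# Run from an elevated PowerShell prompt; pass -Remove to delete suspicious values.
param([switch]$Remove)

# 64-bit Windows keeps a second copy of the key for 32-bit images under Wow6432Node.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
) | Where-Object { Test-Path $_ }

foreach ($root in $ifeoRoots) {
    foreach ($key in Get-ChildItem -Path $root) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }   # most IFEO subkeys hold other settings, no Debugger value

        # The first token of the value is the program Windows starts instead of the image.
        # Resolve it through PATH the way CreateProcess would, to see whether it exists at all.
        $exe = ($debugger -split ' ')[0].Trim('"')
        $resolvable = [bool](Get-Command $exe -ErrorAction SilentlyContinue)

        # "ntsd -d" is the signature of this infection: ntsd's -d switch hands its I/O to a
        # kernel debugger, so without one attached the hijacked program never runs.
        # A Debugger value naming a program that does not exist breaks the launch the same way.
        $suspicious = ($debugger -match '^\s*"?ntsd(\.exe)?"?\s+-d') -or (-not $resolvable)

        [pscustomobject]@{
            Root       = $root
            Image      = $key.PSChildName
            Debugger   = $debugger
            Resolvable = $resolvable
            Suspicious = $suspicious
        }

        if ($Remove -and $suspicious) {
            # Remove only the Debugger value; other settings in the subkey are left alone.
            Remove-ItemProperty -Path $key.PSPath -Name Debugger
            Write-Warning "Removed Debugger value from $($key.PSChildName)"
        }
    }
}
```

Run it once without -Remove and read the table: on a clean machine it is normally empty or lists only entries whose debugger resolves to a real program, which is the case to inspect by hand rather than delete. Run it again after a reboot, since a trojan whose startup entries are still in place can recreate the values.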