Windows Security Tutorials - Herong's Tutorial Examples

∟PWS (Password Stealer) Trojan Infection Removal

∟regedit.exe Not Working

This section describes why regedit.exe stopped working - the PWS Trojan attached the kernel debugger to the regedit.exe using the Image File Execution Options registry key.

Another symptom of this PWS Trojan was that the regedit.exe stopped to work. When entering "regedit" at the command line prompt, it returned right away.

I found the answer, in the Spybot scan report:

Hupigon13   25 entries Trojans
   ...
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
      Execution Options\regedit.exe
   ...

Using the "reg export" command, I got details about this registry setting:

[HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentversion
   \Image File Execution Options\regedit.exe]
   "debugger"="ntsd -d"

Based on Microsoft documentation, this "Image File Execution Options" registry key value attaches the kernel debugger, ntsd, to the regedit.exe program. The -d option passes control to the kernel debugger immediately, when regedit.exe is executed.

Apparently, the PWS Trojan uses this registry to prevent you using (disabled) some anti-virus related programs, like regedit.exe.

I looked at other registry values under "Image File Execution Options", and found about 132 many anti-virus related programs were disabled:

[HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentversion
   \Image File Execution Options\xxxxxxxx.xxx]
   "debugger"="ntsd -d"

where xxxxxxxx.xxx are:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AntiArp.exe
AppSvc32.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
conime.exe
DrvAnti.exe
drwadins.exe
drwebscd.exe
drwebupw.exe
EGHOST.exe
FileDsty.exe
filemon.exe
FTCleanerShell.exe
FYFireWall.exe
GFRing3.exe
GFUpd.exe
GuardField.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
OllyDBG.EXE
OllyICE.EXE
PFW.exe
PFWLiveUpdate.exe
procexp.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
RavCopy.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RavXP.exe
RawCopy.exe
RegClean.exe
regedit.exe
regmon.exe
RegTool.exe
rfwcfg.exe
rfwmain.exe
rfwProxy.exe
rfwsrv.exe
rfwstub.exe
RsAgent.exe
Rsaupd.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
spiderml.exe
spidernt.exe
spiderui.exe
spml_set.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
taskmgar.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
vsstat.exe
webscanx.exe
WoptiClean.exe

If you see a program stops working after a Virus/Trojan infection, you should check this registry key.

Should I remove all registry keys that attaches the kernel debugger, "debugger"="ntsd -d", to application programs? I think so.

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

►PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

 JS/Downloader.gen - JavaScript Downloader Malware

 PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

 Trajon Files Left in the System Folder

 Removing PWS Trojan Files

 Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

 UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

►regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 Full Version in PDF/ePUB

regedit.exe Not Working - Updated in 2021, by Dr. Herong Yang