Tuesday, November 24, 2009

The Windows System Defender malware/virus has an interesting new trick to stop/disable the Task Manager, as well as other programs like Trend antivirus.

It adds hundreds of entries under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] registry key.

Each added entry is a subkey named after a particular program (image file), with a Debugger value set to svchost.exe, like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"

This launches svchost.exe as the debugger whenever the program starts. Since I haven't done any debugging, I don't know whether using an invalid debugger (svchost.exe in this example) causes the program to fail on startup - essentially stopping it from starting - or whether it runs hidden from the user. Either way, it stops you from being able to see the Task Manager. It also disables the Trend Micro OfficeScan client, as well as other programs.

There are hundreds of programs that are disabled by Windows System Defender using these registry entries. I didn't look at all of them, but many look like a lot of the usual malware suspects. So, it disables all of the competing malware products that might be on your machine so that it can have exclusive use of your CPU. How nice.

I cleaned them manually (tedious), but I believe Malwarebytes is now aware of this trick & can be used to clean up the registry once you've cleaned up the main stuff. I used Malwarebytes to clean up the rest of the files first by pulling the hard drive and using a USB adapter to connect the drive to another machine. Malwarebytes lets you choose which drive(s) to scan, so you can scan an external drive. You may have to add write permissions back to the hosts file for your user so that you can clean that up (or delete it & create a new one).

BTW, the following registry entry is a standard Windows registry value & does not need to be removed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"
"GlobalFlag"="0x000010F0"
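The manual cleanup described above can be scripted. The following PowerShell is an added example and is not part of the original post or any tool it mentions: it walks every subkey under Image File Execution Options, lists the ones that carry a Debugger value, flags any whose debugger is not a known Windows debugger, and (only when run with -Remove) deletes the Debugger value for entries that point at svchost.exe, which is the pattern this post describes. The $knownGood list is an assumption on my part; it exists so that the standard "ntsd -d" template entry shown just above is reported but never removed.

```powershell
# Added example (not from the original post): audit IFEO "Debugger" hijacks.
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param(
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed list of debuggers a developer legitimately configures here. The
# "ntsd -d" entry from the post is a standard Windows template and stays.
$knownGood = @('ntsd', 'ntsd.exe', 'cdb.exe', 'windbg.exe', 'vsjitdebugger.exe')

$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }   # subkey has no Debugger value (e.g. only GlobalFlag); skip it

    # First token of the value, e.g. "svchost.exe" or "ntsd", without a path or quotes
    $exe     = ($dbg.Trim('"') -split '\s+')[0]
    $exeName = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()

    [pscustomobject]@{
        Image      = $key.PSChildName
        Debugger   = $dbg
        IsSvchost  = ($exeName -eq 'svchost.exe')           # the exact pattern in this post
        Suspicious = ($knownGood -notcontains $exeName)     # anything that is not a real debugger
    }
}

$suspicious = @($findings | Where-Object Suspicious)
'IFEO subkeys with a Debugger value: {0}; suspicious: {1}' -f @($findings).Count, $suspicious.Count
$suspicious | Sort-Object Image | Format-Table Image, Debugger, IsSvchost -AutoSize

if ($Remove) {
    # Only the svchost.exe hijacks are removed automatically; anything else is
    # left for a human to review. The subkey itself is kept, only the value goes.
    foreach ($f in ($suspicious | Where-Object IsSvchost)) {
        Remove-ItemProperty -Path (Join-Path $ifeo $f.Image) -Name 'Debugger' -Verbose
    }
}
```

If the infected drive is attached to another machine as the post describes, the live HKLM hive belongs to the clean machine, not the infected one. Load the infected drive's hive first (for example `reg load HKLM\OfflineSW D:\Windows\System32\config\SOFTWARE`, with the drive letter adjusted) and set $ifeo to `HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` before running the script; unload it afterwards with `reg unload HKLM\OfflineSW`.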