


Re: SOLVED

From VanguardLH <V@nguard.LH>
Newsgroups alt.comp.os.windows-10
Subject Re: SOLVED
Date 2025-04-25 22:19 -0500
Organization Usenet Elder
Message-ID <nvz3w5un8rup$.dlg@v.nguard.lh> (permalink)
References <vufl3g$3mbqe$1@dont-email.me> <vugdul$d5kg$1@dont-email.me>



Ed Cryer <ed@somewhere.in.the.uk> wrote:

> reg delete "HKCU\Console" /f

You wiped the default command shells.  Under there, I have the following
subkeys:

[HKEY_CURRENT_USER\Console]
  several data items for config of command shells
[HKEY_CURRENT_USER\Console\%%Startup]
[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
  data items to define config for cmd.exe
[HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
  data items to define config for PS
[HKEY_CURRENT_USER\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
  data items to define config for PS (alt location)

I did not see anything there that would prevent loading cmd.exe;
however, the key names themselves contain paths to the executable.
Since the Console key is now gone, no way to know if those subkeys were
named properly.

> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f

The Command Processor key is not defined in my Windows 10 setup.  From
what I found, it was used in the past in older versions of Windows.  It
was where the properties were stored for the command shell configs, but
they are now under the Console key for Windows 10.  The Command Processor
keys are not needed in Windows 10, and are no longer supported, hence
ignored.  Are the Windows running on your computer fresh installs, or
are they upgrades?  This carry-over of pollution or no-longer-supported
registry entries along with all other orphaned entries in the registry,
like from dirty uninstalls, is why I always do fresh installs of the OS.

You said you ran DISM, but gave no details on just what arguments you
used.  Did you run:

dism /Online /Cleanup-Image /CheckHealth  (general checkup)
or
dism /Online /Cleanup-Image /ScanHealth   (more detailed checkup)

dism /Online /Cleanup-Image /RestoreHealth
  Connects to MS update servers to download and replace damaged files.  
  If it cannot replace damaged files, or you don't have an Internet 
  connection, you can specify a source image for reference.  You can use 
  an install.wim or install.esd file from another computer, install 
  media, or ISO file; however, the source must match the version, 
  edition, and language of the instance of Windows you are trying to 
  repair.  If you need to use a source other than the one included in   
  the current instance of Windows, use:
dism /Online /Cleanup-Image /RestoreHealth /Image:<offlineimagefile>
  (I've seen /Source used instead of /Image)

Optionally you could follow-up with:

dism /Online /Cleanup-Image /AnalyzeComponentStore        
dism /Online /Cleanup-image /Startcomponentcleanup [/ResetBase]
  Can take 1 to 2 hours to complete.  The optional /ResetBase will 
  cleanout the C:\Windows\WinSxS folder by removing all superseded 
  versions of every component.

And lastly run:

sfc /scannow 

All of this is doing brain surgery on the OS, so first save an image
backup.  All this repairing could make things worse, so you may need to
restore from the image backup to, at least, get back to the prior state
of the OS even if it resumes whatever problem you are trying to resolve.

> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /f

Since you deleted this subkey without looking at what data items were
defined under it, no way to tell if there was a cmd.exe named subkey,
and if it specified some untoward behavior -- but if it did then likely
you are infected.  I'll bow to Paul on what this key is used for.  I did
find:

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options

This key exists in my Windows 10 setup, and with 53 subkeys named for an
executable file.  However, I do not have subkeys named cmd.exe or
command.com under there.  Maybe you did.  *IF* there was a subkey named
cmd.exe then you deleted it.  If there was not, there was nothing to
delete, and the 'reg delete' command was worthless.

https://securityblueteam.medium.com/utilizing-image-file-execution-options-ifeo-for-stealthy-persistence-331bc972554e

That touches on what Paul mentioned regarding persistence of malware.
IFEO (Image File Execution Options) lets developers attach a debugger
to an application or process.  It allows running the debugger at the
time the application is running.  More info at:

https://hejelylab.github.io/blog/IRC/Persistence-IFEO

With Windows Defender not catching anything in a manual scan, I'd
suggest getting a 2nd-opinion AV scanner.  I've used Malwarebytes
Anti-Malware (MBAM) in the past.  You only want ONE on-access (realtime)
AV scanner running at a time, so after installing MBAM you configure it
to NOT use its on-access scanner.  You only want to use it as an
on-demand (manual) scanner to get a 2nd-opinion.  I believe MBAM will
look at IFEO entries in the registry since they mention IFEO at:

https://www.malwarebytes.com/blog/news/2015/12/an-introduction-to-image-file-execution-options

Since IFEO has legitimate use for debugging, the only way I can think
that MBAM would detect a bad subkey here is if it pointed to some
malware, but then MBAM should find that source in a scan.  The problem
in removing malware is that you chop the legs off of it, but remnants
left behind can cause problems.  A cmd.exe named subkey with a data item
pointing to an executable that no longer exists can cause problems
trying to run the program for which the subkey is named.

I could not find a search at https://forums.malwarebytes.com/ to see if
IFEO was discussed, and if MBAM covers looking at those subkeys.
Apparently you need a forum account to login to then do a search.  I did
an external search using:

https://www.google.com/search?q=image%20file%20execution%20options%20iefo%20site%3Aforums.malwarebytes.com&sei=SFAMaMPIE-TnwN4P2Y2L0AE

and IFEO is discussed there.  Perhaps MBAM looks at to where those IFEO
subkeys point, but more likely it detects the malware source to
eradicate which could then leave those IFEO subkeys pointing at
no-longer-existing [debugger] executables.  Disinfecting your computer
can leave behind scars.
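The post's two complaints are that the keys were deleted without first looking at what was under them, and that a dangling IFEO Debugger entry (or a dangling Console subkey) can leave a program unable to start after a clean-up.  Below is an added example script, not code from VanguardLH's post or from Microsoft, that audits those exact locations read-only and offers a backup helper to run before any "reg delete".  It is PowerShell rather than the cmd.exe commands quoted in the thread; it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt on Windows 10, and the backup folder C:\RegBackup is an assumed location you can change.

```powershell
# Added example, not code from the post: a read-only audit of the registry
# locations the thread deleted blind (IFEO, Command Processor\AutoRun,
# HKCU\Console), plus a backup helper to run BEFORE any 'reg delete'.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 prompt on
# Windows 10; C:\RegBackup below is an assumed output location.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Key, [string]$Value, [string]$Data, [string]$Note)
    $findings.Add([pscustomobject]@{ Key = $Key; Value = $Value; Data = $Data; Note = $Note })
}

# Pull the executable out of a command line such as  "C:\Tools\ntsd.exe" -d
# or  C:\Evil\dbg.exe /x  and report whether it still exists on disk.  A
# missing target is the "dangling subkey" case the post describes.
function Test-CommandTarget {
    param([string]$CommandLine)
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return 'target exists' }
    if (Get-Command $exe -ErrorAction SilentlyContinue) { return 'target found on PATH' }
    return 'TARGET MISSING (dangling entry)'
}

# 1. IFEO: a Debugger value under <exe name> makes Windows start that
#    "debugger" (with the real exe as its argument) instead of the exe itself.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Add-Finding -Key $_.Name -Value 'Debugger' -Data $dbg -Note (Test-CommandTarget $dbg)
    }
}

# 2. Command Processor\AutoRun: cmd.exe executes this string on every start
#    (see 'cmd /?'), so it is a cheap place to hide a launcher.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Command Processor"
    $run = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($run) {
        Add-Finding -Key $key -Value 'AutoRun' -Data $run -Note (Test-CommandTarget $run)
    }
}

# 3. HKCU\Console: per-executable subkeys encode the exe path with '_' in
#    place of '\' (e.g. %SystemRoot%_system32_cmd.exe).  Decode the name and
#    check that it resolves; the '%%Startup' subkey is special and skipped.
#    Heuristic only: an underscore that is really part of a file name decodes
#    wrongly, so "does not resolve" is a prompt to look, not proof of damage.
Get-ChildItem -Path 'HKCU:\Console' -ErrorAction SilentlyContinue | ForEach-Object {
    $leaf = $_.PSChildName
    if ($leaf.StartsWith('%%')) { return }
    $path = [Environment]::ExpandEnvironmentVariables($leaf -replace '_', '\')
    $note = if (Test-Path -LiteralPath $path) { 'path resolves' } else { 'path does not resolve (heuristic)' }
    Add-Finding -Key $_.Name -Value '(subkey)' -Data $path -Note $note
}

# 4. Backup helper: export a key to a .reg file before touching it, so a
#    bad 'reg delete' can be undone with 'reg import <file>'.
function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$Key,      # e.g. 'HKCU\Console'
          [string]$OutDir = 'C:\RegBackup')        # assumed location
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir (($Key -replace '[\\:]', '_') + "_$stamp.reg")
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $Key" }
    return $file
}

if ($findings.Count -eq 0) {
    Write-Host 'No Debugger, AutoRun or Console entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}

# Taking a backup before one of the deletions quoted in the thread:
#   Backup-RegistryKey -Key 'HKCU\Console'
#   reg delete "HKCU\Console" /f
```

Run the audit once before any clean-up and keep its output; a Debugger value whose target no longer exists, or an AutoRun string pointing at a removed file, is exactly the "scar" a second-opinion scanner can leave behind, and the exported .reg file lets you put a key back if removing it breaks a shell.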



Thread

No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 10:36 +0100
  Re: No CMD Paul <nospam@needed.invalid> - 2025-04-25 06:31 -0400
  Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 06:05 -0500
    Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 14:42 +0100
      Re: No CMD MikeS <MikeS@fred.com> - 2025-04-25 15:47 +0100
      Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 16:16 +0100
        Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 12:53 -0500
          Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 20:05 +0100
            Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 20:53 -0500
              Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-26 12:00 +0100
                Re: No CMD Frank Slootweg <this@ddress.is.invalid> - 2025-04-26 15:01 +0000
                Change of Subject (was: No CMD) VanguardLH <V@nguard.LH> - 2025-04-26 18:50 -0500
                Re: Change of Subject Hank Rogers <Hank@nospam.invalid> - 2025-04-26 19:13 -0500
                Re: Change of Subject VanguardLH <V@nguard.LH> - 2025-04-26 19:40 -0500
                Re: Change of Subject Daniel70 <daniel47@eternal-september.org> - 2025-05-03 22:58 +1000
                Re: Change of Subject VanguardLH <V@nguard.LH> - 2025-05-03 09:47 -0500
                Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-26 15:48 -0700
    Re: No CMD "...winston" <winstonmvp@gmail.com> - 2025-04-25 11:12 -0400
      Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 17:19 +0100
  SOLVED Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 17:40 +0100
    Re: SOLVED Paul <nospam@needed.invalid> - 2025-04-25 16:19 -0400
    Re: SOLVED VanguardLH <V@nguard.LH> - 2025-04-25 22:19 -0500
    Re: SOLVED Ed Cryer <ed@somewhere.in.the.uk> - 2025-05-13 18:47 +0100
  Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-25 13:14 -0700
    Re: No CMD Char Jackson <none@none.invalid> - 2025-04-26 00:14 -0500
      Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-26 11:02 +0200
        Re: No CMD Char Jackson <none@none.invalid> - 2025-04-26 20:48 -0500
          Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-27 08:45 +0200
      Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-26 15:52 -0700
      Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-26 19:36 -0500
        Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-27 13:12 +0200
          Re: No CMD John <Man@the.keyboard> - 2025-04-28 20:11 +0100
            Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-28 23:15 +0200
