Ant Dude

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe?


Hi.

I haven't scanned my old updated, Windows XP Pro. SP3 box for like a month or so, but it found Security.Hijack with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe.

Is this legit? It never reported this before, either.

Log showed:

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> No action taken. [EE9C7B6A5059ED6C94F35BE836EE9043]

SuperAntiSpyware v4.40.1002 with the latest definitions say my system was clean.

Thank you in advance. :)


That would prevent cmd from running and instead send commands bound for cmd to a different exe.

This could be by design so if you can, get me a full export of that key.

That would prevent cmd from running and instead send commands bound for cmd to a different exe.

This could be by design so if you can, get me a full export of that key.

There was not in this registry key. :)

FYI the manually saved log with mbam.exe /developer:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4271

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

7/3/2010 9:24:36 AM

mbam-log-2010-07-03 (09-24-36).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 256022

Time elapsed: 52 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> No action taken. [EE9C7B6A5059ED6C94F35BE836EE9043]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

There was not in this registry key...
Oops, I meant to say "There was notHING in this registry key..."


Start cmd.exe (click start, run, type cmd and press enter). If command prompt is functioning normally then removing this will not affect anything. If nothing happens (and this is not desired) removing this will fix the problem. If something other than a command prompt opens (and this is desired) then set this to ignore.

IMO the most likely case here is that something was infected in the past and another scanner removed all but this trace.

Start cmd.exe (click start, run, type cmd and press enter). If command prompt is functioning normally then removing this will not affect anything. If nothing happens (and this is not desired) removing this will fix the problem. If something other than a command prompt opens (and this is desired) then set this to ignore.

IMO the most likely case here is that something was infected in the past and another scanner removed all but this trace.

I quarantined it and tested it. It seems OK. I will keep it quarantined.

I did have an infection many years ago. I had AntiMalware (free) and used it many times for scanning, for a year or so? The shortcut says it was created on 10/1/2009. I cannot remember if I had older versions before it too (did upgrades uninstall and reinstall to make new shortcuts?). Did MBAM add something new for this specific leftover infection or something?


We have many hundreds of these actually. This key can be used to block (divert) any executable with a static file name and execute a different executable instead. Malware uses these keys to block antimalware tools from running.

The other trick is to use this key to trigger reinfection whenever certain executables are run.
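A quick way to audit the key the staff replies describe, as an added example that is not from the thread or from Malwarebytes: it lists every Image File Execution Options subkey, flags those with a Debugger value (the block/divert mechanism) and those that are empty leftovers like the cmd.exe one reported here. It uses only built-in PowerShell registry access; the function name Get-IfeoFindings is my own.

```powershell
# Added example: enumerate Image File Execution Options and report entries that
# either divert execution (Debugger value) or are empty leftover keys.
# Uses New-Object PSObject so it also runs on PowerShell 2.0 (installable on XP SP3).
function Get-IfeoFindings {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    Get-ChildItem -Path $ifeo | ForEach-Object {
        $key  = $_
        $name = $key.PSChildName          # executable name the key applies to, e.g. cmd.exe
        $vals = @($key.GetValueNames())

        if ($vals -contains 'Debugger') {
            # Windows launches the Debugger program instead of $name, which is the
            # block/divert (and possible re-infection trigger) behaviour described above.
            New-Object PSObject -Property @{
                Target   = $name
                Finding  = 'Debugger set: execution diverted'
                Debugger = $key.GetValue('Debugger')
            }
        }
        elseif ($vals.Count -eq 0 -and $key.SubKeyCount -eq 0) {
            # An empty subkey does nothing by itself, but it is exactly the kind of
            # trace left behind when a cleaner removes the value and not the key.
            New-Object PSObject -Property @{
                Target   = $name
                Finding  = 'Empty key: leftover trace, no diversion'
                Debugger = $null
            }
        }
        # Other values (GlobalFlag, MitigationOptions, ...) are routinely written by
        # legitimate debuggers and tools, so they are listed for review only.
        else {
            New-Object PSObject -Property @{
                Target   = $name
                Finding  = ('Other values present: ' + ($vals -join ', '))
                Debugger = $null
            }
        }
    }
}

Get-IfeoFindings | Sort-Object Finding, Target | Format-Table Target, Finding, Debugger -AutoSize
```

Run it from an elevated prompt; a Debugger value pointing at anything other than a debugger you installed yourself is the entry worth removing or quarantining, and an empty cmd.exe key matches the staff's "trace left behind" explanation.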

We have many hundreds of these actually. This key can be used to block (divert) any executable with a static file name and execute a different executable instead. Malware uses these keys to block antimalware tools from running.

The other trick is to use this key to trigger reinfection whenever certain executables are run.

Interesting. What was the default on a clean XP Pro. SP3 system? Was that registry non-existent?


It is not default. If it was we would have many millions of FP reports for this :P.

It is not default. If it was we would have many millions of FP reports for this :P.
Thanks all! :) Just wanted to be sure it was legit or FP. :P


Strange, this came back again when I did a full scan in the latest MBAM (with its program updates). I need to figure out what is making this registry key return. I still use some old Windows programs from the late 1990s and early 2000s.
