Keywords: VanguardLH,VLH
Ed Cryer <ed@somewhere.in.the.uk> wrote:
> reg delete "HKCU\Console" /f
You wiped the default command shells. Under there, I have the following subkeys:
[HKEY_CURRENT_USER\Console]
    several data items for config of command shells
[HKEY_CURRENT_USER\Console\%%Startup]
[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
    data items to define config for cmd.exe
[HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
    data items to define config for PS
[HKEY_CURRENT_USER\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
    data items to define config for PS (alt location)
I did not see anything there that would prevent loading cmd.exe;
however, the key names themselves contain paths to the executable.
Since the Console key is now gone, no way to know if those subkeys were
named properly.
> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f
The Command Processor key is not defined in my Windows 10 setup. From
what I found, it was used in the past in older versions of Windows. It
was where the properties were stored for the command shell configs, but
they are now under the Console key for Windows 10. The Command Processor
keys are not needed in Windows 10, and are no longer supported, hence
ignored. Are the Windows running on your computer fresh installs, or
are they upgrades? This carry-over of pollution or no-longer-supported registry entries along with all other orphaned entries in the registry,
like from dirty uninstalls, is why I always do fresh installs of the OS.
You said you ran DISM, but gave no details on just what arguments you
used. Did you run:
dism /Online /Cleanup-Image /CheckHealth (general checkup)
or
dism /Online /Cleanup-Image /ScanHealth (more detailed checkup)
dism /Online /Cleanup-Image /RestoreHealth
Connects to MS update servers to download and replace damaged files.
If it cannot replace damaged files, or you don't have an Internet
connection, you can specify a source image for reference. You can use
an install.wim or install.esd file from another computer, install
media, or ISO file; however, the source must match the version,
edition, and language of the instance of Windows you are trying to
repair. If you need to use a source other than the one included in
the current instance of Windows, use:
dism /Online /Cleanup-Image /RestoreHealth /Image:<offlineimagefile>
(I've seen /Source used instead of /Image.)
Optionally you could follow up with:
dism /Online /Cleanup-Image /AnalyzeComponentStore
dism /Online /Cleanup-image /Startcomponentcleanup [/ResetBase]
Can take 1 to 2 hours to complete. The optional /ResetBase will
clean out the C:\Windows\WinSxS folder by removing all superseded
versions of every component.
And lastly run:
sfc /scannow
All of this is doing brain surgery on the OS, so first save an image
backup. All this repairing could make things worse, so you may need to
restore from the image backup to, at least, get back to the prior state
of the OS even if it resumes whatever problem you are trying to resolve.
> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /f
Since you deleted this subkey without looking at what data items were
defined under it, no way to tell if there was a cmd.exe named subkey,
and if it specified some untoward behavior -- but if it did then likely
you are infected. I'll bow to Paul on what this key is used for. I did
find:
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options
This key exists in my Windows 10 setup, and with 53 subkeys named for an executable file. However, I do not have subkeys named cmd.exe or
command.com under there. Maybe you did. *IF* there was a subkey named
cmd.exe then you deleted it. If there was not, there was nothing to
delete, and the 'reg delete' command was worthless.
https://securityblueteam.medium.com/utilizing-image-file-execution-options-ifeo-for-stealthy-persistence-331bc972554e
That touches on what Paul mentioned regarding persistence of malware.
IFEO (Image File Execution Options) lets developers attach a debugger
to an application or process. Allows running the debugger at the time
the application is running. More info at:
https://hejelylab.github.io/blog/IRC/Persistence-IFEO
With Windows Defender not catching anything in a manual scan, I'd
suggest getting a 2nd-opinion AV scanner. I've used Malwarebytes
Anti-Malware (MBAM) in the past. You only want ONE on-access (realtime)
AV scanner running at a time, so after installing MBAM you configure it
to NOT use its on-access scanner. You only want to use it as an
on-demand (manual) scanner to get a 2nd-opinion. I believe MBAM will
look at IFEO entries in the registry since they mention IFEO at:
https://www.malwarebytes.com/blog/news/2015/12/an-introduction-to-image-file-execution-options
Since IFEO has legitimate use for debugging, the only way I can think
that MBAM would detect a bad subkey here is if it pointed to some
malware, but then MBAM should find that source in a scan. The problem
in removing malware is that you chop the legs off of it, but remnants
left behind can cause problems. A cmd.exe named subkey with a data item
pointing to an executable that no longer exists can cause problems
trying to run the program for which the subkey is named.
I could not find a search at
https://forums.malwarebytes.com/ to see if
IFEO was discussed, and if MBAM covers looking at those subkeys.
Apparently you need a forum account to log in and then do a search. I did
an external search using:
https://www.google.com/search?q=image%20file%20execution%20options%20iefo%20site%3Aforums.malwarebytes.com&sei=SFAMaMPIE-TnwN4P2Y2L0AE
and IFEO is discussed there. Perhaps MBAM looks at to where those IFEO
subkeys point, but more likely it detects the malware source to
eradicate, which could then leave those IFEO subkeys pointing at
no-longer-existing [debugger] executables. Disinfecting your computer
can leave behind scars.
--- MBSE BBS v1.1.1 (Linux-x86_64)
* Origin: Usenet Elder (3:633/280.2@fidonet)
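An added example, not part of VanguardLH's post: a read-only PowerShell audit of the IFEO Debugger values discussed above. It lists every image name that has a Debugger set and flags those whose target executable no longer exists (the orphaned remnants the post describes), then reports any Command Processor AutoRun value in HKCU or HKLM. The function name is my own; it assumes an account that can read HKLM.

```powershell
# Constructed example: audit IFEO Debugger entries and Command Processor AutoRun.
# Only reads the registry; it changes nothing.
function Get-IfeoDebuggerAudit {
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            # Most IFEO subkeys carry only perf/compat settings; only a Debugger value redirects launches.
            if (-not $dbg) { return }
            # Debugger holds a command line: take the quoted path or the first token as the executable.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not $exe) { return }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            [PSCustomObject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Status   = if ($exists) { 'debugger set (verify it is expected)' } else { 'ORPHANED: target missing' }
            }
        }
    }
}

function Get-CommandProcessorAutoRun {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "$($hive):\Software\Microsoft\Command Processor"
        $ar = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ($ar) {
            [PSCustomObject]@{ Hive = $hive; AutoRun = $ar }
        }
    }
}

Get-IfeoDebuggerAudit | Format-Table -AutoSize
Get-CommandProcessorAutoRun | Format-Table -AutoSize
```

An empty IFEO table means no image is being redirected to a debugger; an ORPHANED row is the "chopped legs" case, where running the named program would fail because the recorded debugger path is gone.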