Weird virus / anti-virus behaviour – Tales from the Crypto

Weird virus / anti-virus behaviour

My wife and I spent a while this weekend trying to figure out how to rescue a Media Center that seemed to be going a little loopy.

The Windows Media Center application itself worked fine, as did Windows Media Player, Calc, etc.

Only Internet Explorer was failing.

[Screenshot: the Internet Explorer error dialog]

If you press Ctrl-C from most Windows dialog boxes like the one above, it will copy the text of the dialog into the clipboard.

Here’s what I get if I do that (this is mostly aimed at people using search engines):

[Window Title]
C:\Program Files (x86)\Internet Explorer\iexplore.exe

[Content]
C:\Program Files (x86)\Internet Explorer\iexplore.exe

The parameter is incorrect.

[OK]

[Had the Media Center been on 32-bit Windows, those paths would simply be “C:\Program Files\Internet Explorer\iexplore.exe” – the error message would still be “The parameter is incorrect”]

So, what on earth does this mean?

It seems bizarre, partly because there isn’t a parameter I’m supplying to Internet Explorer, but mostly because it gives me chills whenever Internet Explorer dies so quickly – I’ve seen so many viruses that disable Internet Explorer (so you can’t download a fix), that an IE issue like this sends a shiver down my spine.

My wife had the first go at fixing this, trying not only removing and re-adding IE as a Windows Feature (in “Turn Windows Features On or Off”), but also reinstalling Windows 7 on top of itself, as a repair. No fix.

Meanwhile, I downloaded Mozilla Firefox and Google Chrome on a different computer, moved them over to this one, and installed them each.

Both of them, when I tried to run, came up with the same “The parameter is incorrect” message. Worrisome.

I fire up Regedit, which is almost always also disabled by viruses that want you not to fix them. Strangely enough, that works – but I’m not done with my virus theory.

I updated Microsoft’s Security Essentials – which is already running on this system. A Quick Scan finds nothing. Trend Micro’s HouseCall is another “download and run this” virus scanner, much like the Microsoft Malicious Software Removal Tool, which arrives monthly with your Windows Updates.

Still nothing detected.

I get by with a little help from my friends

Fortunately, my friend and fellow MVP, Susan Bradley, is online, and although I don’t think she has the bandwidth to answer everyone’s questions, I think I’m rather special, so I call on her time to see if she has any suggestions.

“try malwarebytes.org?” she asks.

Sure enough, I hadn’t, and I know that several of the Consumer Security MVPs swear by it. So I download it and run it.

It finds four infections (I never get excited about the number of infections these tools find, because some of them are really aggressive as to what they think are “infections” – I’m one of those strange people that thinks tracking cookies are “mostly harmless”).

Reviewing what they are, I can see exactly how the behaviour comes about, but I’m still a little at a loss as to how that happened.

The four entries it finds are under Registry settings, in the registry tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and under keys called “iexplore.exe”, “chrome.exe”, “firefox.exe” and “opera.exe” (Opera is another browser you can download).

The value, in each case, is as follows (using RegEdit to see):

[Screenshot: the “Debugger” value under the iexplore.exe key, as shown in RegEdit]

The value name is “Debugger”, and although you can’t see it clearly there, the value is “ -sb” – that is a single space, followed by a hyphen, and the two letters “sb”.

This is a variation on a classic method for killing Internet Explorer – or rather, for sidelining it, or prepending it with your own code. The functionality has a good purpose – for developers who want to run their debugger every time they open an application. I use it a lot myself.

I haven’t seen anyone do exactly this, though – it seems like they screwed up somehow.

The Fix

Fixing this is really simple. You just have to remove the value named “Debugger” from that key. Watch that you don’t make other changes, in case those cause other behaviours you don’t want. Oh, and do this as an administrator, or you won’t actually make any changes.

In my case, since this was the only value in the key for Internet Explorer, Firefox, Chrome and Opera, I deleted the keys themselves, just to be safe.
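For anyone who would rather audit the whole Image File Execution Options tree than click through RegEdit, here is an added PowerShell script (not part of the original post) that lists every per-executable key carrying a “Debugger” value, flags any that don’t resolve to a runnable program (the “ -sb” case above), and removes only that value when run with -Remove. It assumes an elevated prompt and a hypothetical file name of Audit-Ifeo.ps1.

```powershell
# Added example, not from the original post: audit the IFEO tree for Debugger values.
# Read-only unless -Remove is given; must run from an elevated PowerShell prompt.
param(
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Every subkey is named after an executable (iexplore.exe, chrome.exe, ...).
Get-ChildItem -Path $ifeo | ForEach-Object {
    $key = $_
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($null -eq $debugger) { return }

    # A legitimate Debugger value starts with a program (full path or something on PATH).
    # The value seen in the post was " -sb": a switch with no program in front of it.
    $exe = ($debugger.Trim() -split '\s+')[0].Trim('"')
    $resolvable = ($exe -ne '') -and (
        (Test-Path -LiteralPath $exe -PathType Leaf) -or
        [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue)
    )

    [pscustomobject]@{
        Image    = $key.PSChildName
        Debugger = $debugger
        Status   = if ($resolvable) { 'resolves to a program' } else { 'SUSPICIOUS: no runnable debugger' }
    }

    if ($Remove -and -not $resolvable) {
        # Delete only the Debugger value; other settings under the key (such as
        # GlobalFlag) are left alone, as the post advises.
        Remove-ItemProperty -Path $key.PSPath -Name Debugger
        Write-Host "Removed Debugger value from $($key.PSChildName)"
    }
}
```

Run `.\Audit-Ifeo.ps1` first to review the list, then `.\Audit-Ifeo.ps1 -Remove` once you are satisfied the flagged entries are not something a developer on the machine set up deliberately.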

No reboot required – suddenly, I can start up my browsers – all of them. Thank you, Susan, and thank you, MalwareBytes!

The cause?

I’m always keen to find the cause of issues like this – especially since this could still be a virus that caused this, and if it is, I think the Microsoft Security Essentials team would like to know about it.

Searching leads repeatedly to the same possible target – a ROGUE antivirus program, which calls itself “AVG Antivirus 2011”, but which actually has nothing to do with the real AVG Antivirus. I’ve heard of this before, and I’ve seen it at a couple of sites I’ve visited for “research purposes”, but each time I’ve simply closed down IE before it had a chance to run its alleged scan.

[Hint: no web site should be scanning your computer and finding viruses. If a web site says it’s found a virus, it’s referring to the one it’s about to install on your system.]

So, it could have been me, it could have been a family member – but no real harm done. My guess is that it started to install itself, and Microsoft Security Essentials started to remove it, but didn’t quite manage to complete the job. That’s just a guess. I don’t have nearly the resources or the interest to try and re-stage the incident to test! I’m putting this blog entry out in the hope that it’ll be a search engine hit when someone else runs into the same issues.
