My wife and I pent a while this weekend trying to figure out how to rescue a Media Center that seemed to be going a little loopy.
The Windows Media Center application itself worked fine, as did Windows Media Player, Calc, etc.
Only Internet Explorer was failing.
If you press Ctrl-C from most Windows dialog boxes like the one above, it will copy the text of the dialog into the clipboard.
Hereâ€™s what I get if I do that (this is mostly aimed at people using search engines):
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
The parameter is incorrect.
[Had the Media Center been on 32-bit Windows, those paths would simply be â€śC:\Program Files\Internet Explorer\iexplore.exeâ€ť â€“ the error message would still be â€śThe parameter is incorrectâ€ť]
So, what on earth does this mean?
It seems bizarre, partly because there isnâ€™t a parameter Iâ€™m supplying to Internet Explorer, but mostly because it gives me chills whenever Internet Explorer dies so quickly â€“ Iâ€™ve seen so many viruses that disable Internet Explorer (so you canâ€™t download a fix), that an IE issue like this sends a shiver down my spine.
My wife had the first go at fixing this, trying not only removing and re-adding IE as a Windows Feature (in â€śTurn Windows Features On or Offâ€ť), but also reinstalling Windows 7 on top of itself, as a repair. No fix.
Both of them, when I tried to run, came up with the same â€śThe parameter is incorrectâ€ť message. Worrisome.
I fire up Regedit, which is almost always also disabled by viruses that want you not to fix them. Strangely enough, that works â€“ but Iâ€™m not done with my virus theory.
I updated Microsoftâ€™s Security Essentials â€“ which is already running on this system. A Quick Scan finds nothing. Trend Microâ€™s HouseCall is another â€śdownload and run thisâ€ť virus scanner, much like the Microsoft Malicious Software Removal Tool, which arrives monthly with your Windows Updates.
Still nothing detected.
Fortunately, my friend and fellow MVP, Susan Bradley, is online, and although I donâ€™t think she has the bandwidth to answer everyoneâ€™s questions, I think Iâ€™m rather special, so I call on her time to see if she has any suggestions.
â€śtry malwarebytes.org?â€ť she asks.
Sure enough, I hadnâ€™t, and I know that several of the Consumer Security MVPs swear by it. So I download it and run it.
It finds four infections (I never get excited about the number of infections these tools find, because some of them are really aggressive as to what they think are â€śinfectionsâ€ť â€“ Iâ€™m one of those strange people that thinks tracking cookies are â€śmostly harmlessâ€ť).
Reviewing what they are, I can see exactly how the behaviour comes about, but Iâ€™m still at a little of a loss as to how that happened.
The four entries it finds are under Registry settings, in the registry tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and under keys called â€śiexplore.exeâ€ť, â€śchrome.exeâ€ť, â€śfirefox.exeâ€ť and â€śopera.exeâ€ť (Opera is another browser you can download).
The value, in each case, is as follows (using RegEdit to see):
The value name is â€śDebuggerâ€ť, and although you canâ€™t see it clearly there, the value is â€ś -sbâ€ť â€“ that is a single space, followed, by a hyphen, and the two letters â€śsbâ€ť.
This is a variation on a classic method for killing Internet Explorer â€“ or rather, for sidelining it, or prepending it with your own code. The functionality has a good purpose â€“ for developers who want to run their debugger every time they open an application. I use it a lot myself.
I havenâ€™t seen anyone do exactly this, though â€“ it seems like they screwed up somehow.
Fixing this is really simple. You just have to remove the value named â€śDebuggerâ€ť from that key. Watch that you donâ€™t make other changes, in case those cause other behaviours you donâ€™t want. Oh, and do this as an administrator, or you wonâ€™t actually make any changes.
In my case, since this was the only value in the key for Internet Explorer, Firefox, Chrome and Opera, I deleted the keys themselves, just to be safe.
No reboot required â€“ suddenly, I can start up my browsers â€“ all of them. Thank you, Susan, and thank you, MalwareBytes!
Iâ€™m always keen to find the cause of issues like this â€“ especially since this could still be a virus that caused this, and if it is, I think the Microsoft Security Essentials team would like to know about it.
Searching leads repeatedly to the same possible target â€“ a ROGUE antivirus program, which calls itself â€śAVG Antivirus 2011â€ť, but which actually has nothing to do with the real AVG Antivirus. Iâ€™ve heard of this before, and Iâ€™ve seen it at a couple of sites Iâ€™ve visited for â€śresearch purposesâ€ť, but each time Iâ€™ve simply closed down IE before it had a chance to run its alleged scan.
[Hint: no web site should be scanning your computer and finding viruses. If a web site says itâ€™s found a virus, itâ€™s referring to the one itâ€™s about to install on your system.]
So, it could have been me, it could have been a family member â€“ but no real harm done. My guess is that it started to install itself, and Microsoft Security Essentials started to remove it, but didnâ€™t quite manage to complete the job. Thatâ€™s just a guess. I donâ€™t have nearly the resources or the interest to try and re-stage the incident to test! Iâ€™m putting this blog entry out in the hope that itâ€™ll be a search engine hit when someone else runs into the same issues.