Comments on My Green Paste, Inc.: Image File Execution Options: Good, Evil, Fun.
Blog author: «/\/\Ø|ö±ò\/»®© (http://www.blogger.com/profile/04886149439479604072)
8 comments, newest first. Feed last updated 2023-05-12T04:45:20-05:00.

Anonymous, 2011-03-09T16:15:29-06:00:
6 years after the fact, and this blog post saves my bacon. I do tech support for a place and a virus had crippled Task Manager, and it didn't show up in ANY of the usual places. After searching the registry for anything involving "taskm" I found this registry key branch and had no idea what it did, but was suspicious that the infected PC had tons of applications and mine had almost none. Sure enough, your post comes up on the list and not only explains what it does, but helps me figure out new ways to exploit it to kill malware. Great post, Mazeltov!

L (https://www.blogger.com/profile/09828505314368748315), 2009-09-20T20:58:27-05:00:
Thank god I found this post. I've been trying to clean my MIL's PC. She installed Windows PC Defender and a lot of other JUNK! Anyway... Task Manager would not work. I found this registry entry and the debugger was pointed to svchost.exe!! Now... to see how many svchost processes I've spawned trying to fix this!

Anonymous, 2009-01-19T10:34:00-06:00:
For what it's worth, doing a virus/malware cleanup on a PC and found beaucoup entries in Image File Execution Options designed to keep a long list of detectors, cleaners, etc. from running.

«/\/\Ø|ö±ò\/»®© (https://www.blogger.com/profile/04886149439479604072), 2008-10-21T22:05:00-05:00:
Hi James,
>> The cool thing is that it works for all versions of Visual Studio, hahaha. <<
Except the Express versions, of course...

Anonymous, 2008-10-21T21:55:00-05:00:
It's fun to mess with a developer who doesn't know about it.
We confused the hell out of a developer colleague by making devenv.exe spawn Notepad instead.
The cool thing is that it works for all versions of Visual Studio, hahaha.

«/\/\Ø|ö±ò\/»®© (https://www.blogger.com/profile/04886149439479604072), 2008-09-16T05:39:00-05:00:
Thanks for the comment, anonymous! :-)
You may also like to know that there are other ways to turn off ctfmon.exe...
Also, utils such as Process Monitor and Regmon can watch registry changes made by an application, and will show the manipulation of the Image File Execution Options for taskmgr.exe by Process Explorer.

Anonymous, 2008-09-16T04:59:00-05:00:
I use it to kill ctfmon.exe: I set the "Debugger" value to the name of a .vbs script with a comment in it :) Nothing happens; ctfmon is never run :)
I too found this thanks to Sysinternals Process Explorer. I had to use a batch file involving the "REG EXPORT" command piped to files before the change was made and after the change was made, then an FC command on the resulting files - hope that helps someone ;)

nickx (https://www.blogger.com/profile/17814789017735538763), 2007-04-18T02:02:00-05:00:
I knew this key before, but only used it to debug. The idea to kill malware this way is genius.
nicoster (at) gmail.com
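The hunt the commenters above did by hand (searching the registry for "taskm", spotting a Debugger value pointing at svchost.exe or a do-nothing .vbs, and diffing REG EXPORT output with FC before and after a change) written out as an added example. This is not code from the blog post or from any commenter. It enumerates every Image File Execution Options subkey that carries a Debugger value under both the native and WOW6432Node views, flags the patterns this thread describes, treats Process Explorer's replacement of taskmgr.exe as expected (the only entry the thread says is legitimate), and keeps a CSV snapshot so a second run reports what was added, changed or removed. The snapshot location and the expected-entries table are assumptions to adjust per machine.

```powershell
# Added example: hunt for Image File Execution Options (IFEO) "Debugger" hijacks.
# Reading HKLM works as a standard user; removing a value needs an elevated prompt.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumption: Debugger entries this machine is expected to have. Process Explorer's
# "Replace Task Manager" option points taskmgr.exe at procexp, as the comments note.
$expectedDebugger = @{ 'taskmgr.exe' = 'procexp' }

# Assumption: where the snapshot from the previous run is kept (any writable path works).
$snapshotPath = Join-Path $env:TEMP 'ifeo-snapshot.csv'

function Get-IfeoDebugger {
    # One object per image name that has a Debugger value, under either hive view.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
            $image   = $key.PSChildName
            $verdict = 'REVIEW'
            if ($expectedDebugger.ContainsKey($image) -and $dbg -match $expectedDebugger[$image]) {
                $verdict = 'expected'
            } elseif ($dbg -match 'svchost\.exe|\.vbs|\.bat|\.cmd') {
                # The patterns seen in this thread: a system binary that just exits, or a
                # script that does nothing, so the real image is never started at all.
                $verdict = 'SUSPICIOUS'
            }
            [pscustomobject]@{
                Hive     = $root
                Image    = $image
                Debugger = $dbg
                Verdict  = $verdict
            }
        }
    }
}

function Compare-IfeoSnapshot {
    # Report added, changed and removed Debugger values between two runs:
    # the PowerShell form of the "REG EXPORT, then FC" batch file described above.
    param([object[]]$Before, [object[]]$After)
    $old = @{}; foreach ($e in $Before) { $old["$($e.Hive)|$($e.Image)"] = $e.Debugger }
    $new = @{}; foreach ($e in $After)  { $new["$($e.Hive)|$($e.Image)"] = $e.Debugger }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k))  { "ADDED   $k -> $($new[$k])" }
        elseif ($old[$k] -ne $new[$k]) { "CHANGED $k : $($old[$k]) -> $($new[$k])" }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k))  { "REMOVED $k (was $($old[$k]))" }
    }
}

$now = @(Get-IfeoDebugger)
$now | Sort-Object Verdict, Image | Format-Table -AutoSize

if (Test-Path -Path $snapshotPath) {
    $before = @(Import-Csv -Path $snapshotPath)
    Compare-IfeoSnapshot -Before $before -After $now
}
$now | Export-Csv -Path $snapshotPath -NoTypeInformation
```

Run it once to take the baseline, make the change you suspect (install a tool, or let Process Explorer replace Task Manager), and run it again: the second run prints ADDED/CHANGED/REMOVED lines for exactly the Debugger values that moved. A Debugger value works as a hijack because the loader runs that command line instead of the requested image and relies on it to start the real program; a value that never does so leaves the image dead, whether it is malware protecting itself from taskmgr.exe or a commenter silencing ctfmon.exe. Once an entry is confirmed hostile, clearing it is `Remove-ItemProperty -Path "<IFEO root>\<image>.exe" -Name Debugger` from an elevated prompt; confirm first, since the expected-entries table is the only allowlist this script has.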