'Image File Execution Options: File not found' ?



#1
flat-erica

I believe this is a Windows issue, highlighted by Autoruns (Sysinternals).

Based on the dates of my posts on geekstogo, my pc was 'cleansed' of a major problem around 25 September 2010.
The Autoruns report showed this under 'Image Hijacks':-


September 2010

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
+ "Your Image File Name Here without a path" "Symbolic Debugger for Windows 2000" "Microsoft Corporation" "c:\windows\system32\ntsd.exe"


..which I believe was ok. Not sure what happened afterwards, but it changed to:-


9 November 2010

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
+ "Your Image File Name Here without a path" "" "" "File not found: kOw8Oww"

When pasted into Google, it looked like this: kOw
A list of sites did appear, all with weird symbols (including my one) in their listings!
Here's another example:-

11 November 2010

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
+ "Your Image File Name Here without a path" "" "" "File not found: ƕ器ƕ愈ƕ粐Ȩ粑￿

Google's response was: 'Your search - ƕ器ƕ愈ƕ ȩ粑￿ - did not match any documents.'

This Autorun entry still haunts me!
Today when I ran AR, there was '1/4' (a quarter symbol) at the end (wish I had taken a screenshot :) ), but it didn't show up in the text file here:-


17 July 2011 (today)

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
+ "Your Image File Name Here without a path" "" "" "File not found: Ɨ器Ɨ愈Ɨ粐Ȩ粑￿

The strange thing is, when I used the Autoruns compare option, the entry showed in green: I believe this means that the entry had changed somehow, but I can't see where or how! (Sadly, I often forget to save as both .arn AND .txt files so April was my last saved text report to compare!)

I'm baffled.
I have Googled it a few times, but discovered very little - maybe Perl language or something (doh?) If so, why?

On my pc, everything seems to be running fine so I'm not overly worried - yet!
I just know it's not quite right and it's niggling away at me! (Hmm.. had that feeling before did I not.. just before I joined geekstogo in fact! hmmm)
Ahem. Paranoia aside, what do you think? Should I worry?
Thanks in advance.
  • 0



#2
Macboatmaster

You will notice that you had similar entries when your computer was examined by the Malware expert.

[2010/02/27 22:16:37 | 000,000,000 | ---D | M](C:\Documents and Settings\2harts\Application Data\???????sAppData) -- C:\Documents and Settings\2harts\Application Data\敎潲䍄敔灭慬整sAppData


You will probably be aware that this in autoruns means that the registry entry exists

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
+ "Your Image File Name Here without a path" "" "" "File not found: Ɨ器Ɨ愈Ɨ粐Ȩ粑￿


But that the actual file cannot be found.

To be safe I suggest you go back to the Malware forum, following the procedure that you adopted when you posted there in September last year.
I notice that the advisor who helped you then kindly extended the invitation to PM him, if you did post again.

You could simply use autoruns to delete that registry key, but it is NOT the course of action that I think is the best.
I hope you are NOT still running that P2P program.
Good luck with it.

Edited by Macboatmaster, 18 July 2011 - 09:12 AM.

  • 0
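
Added example (not part of the original posts, and not code from Autoruns or its authors): a read-only PowerShell check of what post #2 describes, listing each Image File Execution Options subkey that has a Debugger value, whether that file can be found, and the value's raw UTF-16 code units so two readings that look alike on screen can be compared. It assumes PowerShell 3.0 or later and that the Autoruns 'Image Hijacks' line corresponds to the Debugger value under the subkey; Test-DebuggerValue is a hypothetical helper name.

```powershell
# Added example: read-only audit of IFEO "Debugger" values (assumes PowerShell 3.0+).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Hypothetical helper: split a Debugger command line and try to locate its executable.
function Test-DebuggerValue {
    param([string]$Value)
    # Anything outside printable ASCII suggests a corrupted or overwritten value,
    # like the "File not found: ..." strings Autoruns showed in this thread.
    $nonAscii = [bool]($Value -match '[^\x20-\x7E]')
    # The first token of the command line is the executable (quoted or bare).
    if ($Value -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Value.Trim() -split '\s+')[0] }
    $resolved = $null
    if ($exe -and -not $nonAscii) {
        # Get-Command searches PATH and PATHEXT, so a bare "ntsd" resolves to ntsd.exe.
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($cmd) { $resolved = $cmd.Path }
    }
    $status = 'OK'
    if ($nonAscii) { $status = 'Non-ASCII data in value' }
    elseif (-not $resolved) { $status = 'File not found' }
    [pscustomobject]@{
        Executable = $exe
        Resolved   = $resolved
        Status     = $status
        # UTF-16 code units in hex, so two look-alike values can be compared exactly.
        CodeUnits  = ($Value.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
    }
}

Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($null -ne $dbg) {
        $r = Test-DebuggerValue -Value ([string]$dbg)
        [pscustomobject]@{
            Image     = $_.PSChildName
            Debugger  = $dbg
            Resolved  = $r.Resolved
            Status    = $r.Status
            CodeUnits = $r.CodeUnits
        }
    }
} | Format-List
```

Saving the output to a dated text file after each run gives a baseline to diff against when the Autoruns compare view marks the entry as changed.
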

#3
flat-erica

Thanks Macboatmaster. I think I get it - it's not a 'bad thing'.
And you are right - I shall do nothing for now.
I have pm'd my friend and await his valued response also.
As for the p2p thing, absolutely NOT! Got rid of that with the 'cleansing' :)

All is well! I just want to understand the above issue.
Cheers the noo.

Edited by flat-erica, 18 July 2011 - 03:39 PM.

  • 0





