Friday, 29 December 2017

windows xp - Applications are being opened by IE instead of running normally


I rewrote the Question to add everything that i tried so far.



  • Many of my applications are being opened by Internet Explorer. (not all)


  • For example when I run Firefox.exe (from shortcut) I get IE run instead, with the following URL


    http: // %22d/ Browser/firefox.exe%22 (I added spaces to prevent link creation)




    1. the shortcut target is: "D:\Browser\firefox.exe"




    2. when I attempted to open firefox.exe from it's folder the results were the same as the previous one




    3. I attempted to open it by cmd, so i navigated with cmd to the FF path then wrote: firefox.exe




    4. the was the same except that the URL was:


      http: // Firefox.exe/




    5. when i jsut write firefox the result URL was:




    http: // Firefox/ (is it some kind of parameter or something??)




    1. trying the same with chrome resulted the same results as the previous tests.




    2. I tried creating a new user (adminstartor) but the problem still there.




    3. I tried every registry key with exe on it (not sure if i tried them all) no change




    4. I tried removing IE but came back by itself somehow, meanwhile IE is removed, FF and its fellow apps gave me open with window




    5. I tried reinstalling the applications but it just no use.






Time Line: (as requested from @Daredev)




  1. I don't know when it happened because the computer is for the company i work for and it was like that since i got it. (The IT there gave up on the problem lon time ago!).




  2. applications were installed already are "firefox" and "XPS viewer" .




  3. applications were working after the problem everything except what uses browsing (MS help viewer, XPS viewer, firefox-even I've re installed it-, opera, chrome)




  4. that what I thought but after installing Maxthon , comodoDragon this theory was blown away.




system info:
1- windows xp professional service pack 3
2- system fully patched: Yes
3- anti-virus up to date: Yes
4- same behavior when booting into safe mode: Yes



Answer



Armed with addtional information you've given me via chat:
Unfortunately it does seem that your PC may get somehow infected with malware. As an example, This thread does look very similar to your problems


Malware or not, root cause of your problems probably lay in this little known registry gem - originally thought to allow easy debbuging: (source)


To setup an application to launch the debugger automatically

Start the Registry Editor (regedit).
In the Registry Editor, open the HKEY_LOCAL_MACHINE folder.
Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.
Under the Image File Execution Options folder, locate the name of the application you want to debug (myapp.exe, for example). If you cannot find the application you want to debug:
Right-click the Image File Execution Options folder and choose New Key from the shortcut menu.
Right-click the new key and choose Rename from the shortcut menu.
Edit the key name to the name of your application, for example, myapp.exe.
Right-click the myapp.exe folder and choose New String Value from the shortcut menu.
Right-click the new string value and choose Rename from the shortcut menu.
Change the name to debugger.
Right-click the new string value and choose Modify from the shortcut menu.

The Edit String dialog box appears.
In the Value data box, type devenv /debugexe.
Click OK.
From the Registry menu, choose Exit.

Problem being you could (and malware does) put any executable as debugger, effectively running program of your choice instead of original target.
I was able to replicate your PC behavior adding Firefox.exe key with a debugger target of Iexplore.exe
To check if that's what affect you, open registry editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options and look for Firefox.exe and similar entries for programs exhibiting this behavior. Rename any suspicious keys to something else (eg. Firefox.exe bad) and re-run the app.


Last but not least - analyze those keys - maybe it will give you a hint of what was the source - and run a thorough scan of your system with a different tool than the one you have installed (if possible - with windows offline)


Edit: Sysinternals Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) comes in handy in checking image hijacks (among many other nice features). Download the tool, run it and unselect Hide Windows Entries in Filter options, then select Image Hijacks:


Autoruns screen


You may then either simply delete the entry or analyze it further using several options.
There is also a command line version, autorunsc. autorunsc -h prints image hijacks. Use autorunsc -? to see all options.


No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...