
Every Exe starts with OllyDebug - You can't start any program except some like Explorer


Anonymous
December 17th, 2004, 14:05
Hi,
I think it is a virus. Every exe file I want to start (including rundll32.exe) starts in OllyDbg and not normally in Windows; it looks like OllyDbg has taken over Windows. It is very strange, but I need to execute my programs. I think some major environment variables of Windows are changed, but I can't get through to the Registry, because every time I start Regedit it starts in OllyDbg, and if you cancel it in OllyDbg the process is also killed completely.

Please help me.

Whiskey

Teerayoot
December 17th, 2004, 14:23
Seems your system is corrupt.
You run a program, then an exception is raised, then Olly will be fired.

Try removing OllyDbg from your system or reinstalling a new Windows.

Anonymous
December 17th, 2004, 16:14
I can't uninstall OllyDbg, because if I try to run the uninstaller, OllyDbg will start and not the uninstallation program....

blabberer
December 18th, 2004, 04:55
As far as I know OllyDbg does not need either installation or
uninstallation;
it is just plain and simple unzipping into a new folder, that is all.
Are you sure you are talking about the real OllyDbg
or some program which is masquerading as OllyDbg?

OllyDbg, if you want, creates only two registry entries,
viz.:
Just-in-time debugging is controlled by two entries in the system Registry:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger - contains command that invokes debugger;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto - specifies whether to ask user before attaching.

If you want, go to the registry and try deleting these values if they are present;
otherwise OllyDbg does not have any other registry entries.

But if it is a viral program masquerading as OllyDbg
then probably it has hijacked your HKCR\exefile\shell\open\command.

Check your entry:
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

It should be like this; if it has any other extra values instead of "%1"
then it is a hijacked value.

You may try running an antivirus program online like Trend Micro, BitDefender, Panda etc.

Or you can visit some of the antispyware forums like
tomcoyote.org, spywareinfo.com and post a HijackThis log of your computer for review and help.
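
The two checks blabberer describes above (the AeDebug just-in-time debugger entries and the stock `"%1" %*` value under `HKEY_CLASSES_ROOT\exefile\shell\open\command`) can be done offline against a Regedit export, which is useful when Regedit itself cannot be run on the affected box and the export has to be reviewed elsewhere. The script below is an added example, not code from the thread or from OllyDbg: it parses the REGEDIT4 text format shown in the post and reports whether the exefile open command has been replaced and whether a JIT debugger is registered. Both exports embedded in it are constructed samples; the debugger path, the `-AEDEBUG %ld %ld` command-line shape and the `hijacker_example.exe` name are illustrative values, not taken from the page.

```python
import re

# Keys named in the post above. The exefile value is what Windows runs for every
# double-clicked .exe; the AeDebug values register a just-in-time debugger.
EXEFILE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
AEDEBUG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
EXPECTED_EXEFILE_OPEN = '"%1" %*'   # stock value: run the file itself with its arguments

# One value line of a .reg export:  @="data"  or  "Name"="data"
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ") in a single pass."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: data}}.

    Only string values written as "name"="data" are decoded, which covers the keys
    audited here; other value types are kept as their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def check_exefile_open(keys):
    """Return (is_stock, data). A hijacked value puts another program before "%1"."""
    data = keys.get(EXEFILE_OPEN_KEY, {}).get("")
    return data == EXPECTED_EXEFILE_OPEN, data


def check_aedebug(keys):
    """Return (Debugger, Auto) as registered, or (None, None) if the key is absent."""
    vals = keys.get(AEDEBUG_KEY, {})
    return vals.get("Debugger"), vals.get("Auto")


def audit(text):
    """Return a list of human-readable findings for one export."""
    keys = parse_reg_export(text)
    findings = []
    is_stock, data = check_exefile_open(keys)
    if not is_stock:
        findings.append("exefile open command is not the stock value: %r" % (data,))
    debugger, auto = check_aedebug(keys)
    if debugger:
        # Auto="1" means the debugger is launched on every crash without asking.
        findings.append("AeDebug debugger registered: %r (Auto=%r)" % (debugger, auto))
    return findings


# Constructed sample: a machine with OllyDbg registered as JIT debugger, stock exefile value.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="\"C:\\Tools\\OllyDbg\\OLLYDBG.EXE\" -AEDEBUG %ld %ld"
"Auto"="1"
'''

# Constructed sample: the exefile handler has been replaced so every .exe launch
# goes through another program first (the hijack blabberer describes).
HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\hijacker_example.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, audit(export) or ["no findings"])
```

On a real system the export comes from `regedit /e` (or the regedit.com copy mentioned later in the thread) and is reviewed on a clean machine; the parser deliberately ignores value types other than plain strings, since both audited values are REG_SZ.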

1bitshort
December 19th, 2004, 04:43
I've experienced this behaviour as well. It's not virus related; it is an issue with OllyDbg. I don't experience it very often (maybe 1 in 50 programs that I analyze), but often I find that deleting the associated .udd file and restarting OllyDbg helps. Also make sure that "Options | Events | Make First Pause At" is set to "Entry Point Of Main Module", because I think the problem might only be occurring when it's set to "WinMain (if location is known)", but I'm not 100% sure about that.

blabberer
December 19th, 2004, 06:39
I have successfully operated with the entry point set on all three locations.
I have never faced OllyDbg taking over and opening everything under its own; only some viruses have done that (I remember some bc5 blah.exe).

If regedit.exe can't be opened you can copy-paste regedit.exe to somewhere, rename it as regedit.com and double-click it;
regedit works as .com also.

1bitshort, do you possess an application that happens to behave like this?
If yes I would like to take a look.
Thanks.

1bitshort
December 22nd, 2004, 09:03
Oh, me anon: it has happened with many different applications, which would tend to imply that it is a problem with OllyDbg. It's hard to isolate exactly what the problem is, because sometimes the program is loaded and suspended as you'd expect, but sometimes it would execute straight away, almost as if OllyDbg had forgotten to set a breakpoint at the entry point. But even if it was a malicious program such as a virus-infected file it still shouldn't be able to run, and unfortunately that isn't always happening ...

Some could consider it a minor bug, but for those of us who analyse potentially-malicious code it is a real problem, because you're essentially taking a gamble loading a program into OllyDbg - it may or may not run straight away. Hopefully this won't be a problem with OllyDbg v2.

blabberer
December 22nd, 2004, 12:03
Ah, 1bitshort, I see you are talking about OllyDbg executing right away.
Yes, it happens if the PE header is modified and the image base is relocated
and some DLL is already sitting on the preferred image base.

But if I am analysing potentially malicious code then I would
prefer to 0xEB 0xFE the entry point, then let it loop, hit F12 and modify it, and henceforth would not trust even a bugless debugger.

Yeah, it also executes DLLs that way without stopping in ModuleEntryPoint,
but directly executing it I learnt the hard way when one of the
CWS crap (that which used advanced data streams) executed
that way and it had littered crap like a pig's sty in my box.
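
The `0xEB 0xFE` trick blabberer describes is a two-byte `jmp short $` written over the first instruction at the entry point: whatever the loader or the debugger does, the process can only spin there, so the analyst attaches, pauses with F12 and only then writes the original bytes back. The script below is an added example (not the poster's code and not part of OllyDbg) showing the file-side half of that: it walks the PE headers to turn the `AddressOfEntryPoint` RVA into a file offset, saves the two original bytes, writes the loop, and restores it afterwards. The PE image it operates on is a constructed minimal PE32 built in memory, not a real program; `build_sample_pe` and the `push 0; ret` entry stub are illustrative only.

```python
import struct

JMP_SELF = b"\xeb\xfe"   # jmp short $ : two-byte infinite loop


def build_sample_pe():
    """Constructed minimal PE32 image: one .text section whose entry point is
    'push 0; ret'. Only the fields the header walk below needs are filled in."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> "PE\0\0" at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... , Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    code = b"\x6a\x00\xc3".ljust(0x200, b"\0")                   # push 0 ; ret
    return headers + code


def parse_headers(pe):
    """Return (entry_rva, [(name, VirtualAddress, size, PointerToRawData), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                          # optional header follows COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    table = opt + opt_size                                       # section table follows optional header
    secs = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        secs.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
    return entry_rva, secs


def rva_to_offset(rva, secs):
    """Map an RVA to a file offset through the section table."""
    for _name, va, size, rawptr in secs:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def entry_point_offset(pe):
    entry_rva, secs = parse_headers(pe)
    return rva_to_offset(entry_rva, secs)


def patch_entry_point(pe):
    """Return (patched_image, saved_bytes). The saved bytes are what gets written
    back, with the debugger's binary edit, once the looping process is attached
    and paused with F12; the process then continues from the real first instruction."""
    off = entry_point_offset(pe)
    saved = bytes(pe[off:off + 2])
    patched = bytearray(pe)
    patched[off:off + 2] = JMP_SELF
    return bytes(patched), saved


def restore_entry_point(pe, saved):
    """Undo patch_entry_point on the file copy."""
    off = entry_point_offset(pe)
    restored = bytearray(pe)
    restored[off:off + 2] = saved
    return bytes(restored)


if __name__ == "__main__":
    image = build_sample_pe()
    patched, saved = patch_entry_point(image)
    print("entry point at file offset 0x%x, saved bytes %s" % (entry_point_offset(image), saved.hex()))
    assert restore_entry_point(patched, saved) == image
```

The saved two bytes must be kept with the patched copy: they are the only record of the real first instruction, and the entry point of a packed or self-modifying sample is exactly where a lost byte is hardest to reconstruct.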