Today I received an email from my colleague Vikas; it is reproduced below with minor modifications.
Today we came across a problem that would not allow us to run regedit.exe, specifically from the %systemroot% folder (\windows). Whenever this kind of problem is faced, the first place to check is the Event Viewer.
In Event Viewer:
regedit.com and regedit.exe were crashing with error code 0x00000ba, Event ID 26. The next obvious step was to utilize the services of Google; however, the results were inconclusive and unconstructive. Using Process Monitor on the problematic system was the next choice, as it allows us to dig deeper into the system's internals.
Process Monitor was set up with the following options:
1: Include Path contains regedit.exe and regedit.com;
2: Exclude explorer.exe and svchost.exe; this was done so that I could figure out the exact cause.
I started Process Monitor; however, it did not return any positives. After a lot of thinking and tweaking of Process Explorer without any result, I decided to execute sfc /scannow, but even that didn't work. Regedit just wouldn't start.
Then I decided to compare it with a working system. I executed Process Monitor with the above settings on both systems and exported the logs in CSV format, then used the WinDiff tool to compare both files, but still wasn't able to find the exact details.
Then I thought of using the Data Filter function in Excel. I opened both files in Excel and turned on the Data Filter. When I clicked on the "Result" field I found one odd thing, which had escaped my earlier observations.
When you compare this "Result" field you will find that one extra filter value is present in the results of the problematic system, i.e. "IS DIRECTORY". Is regedit trying to find something in a directory called clb.dll, or is clb.dll a file?
Then I removed all the filters except IS DIRECTORY and found that whenever regedit was executed on the problematic system, it searched for clb.dll.
When clb.dll was searched for on the problematic system, the returned result confirmed that regedit.exe was searching for clb.dll, which wasn't a file but a folder. When clb.dll was searched for on the working system, the file/folder was not present. I created a folder named clb.dll on the working system and voilà, it had the same problem. Then I removed the directory and regedit started working.
On the problematic system the clb.dll directory was renamed and regedit started working.
So, the million $ question is: who creates the clb.dll directory? Morto virus.
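The Excel step in the e-mail above (filter the "Result" column of two Process Monitor CSV exports and look for a value that only the broken system produces) can be automated. The script below is an added example for this post; it is not code from the e-mail or from any Microsoft tool. It reads two constructed Procmon CSV exports (Procmon's default export columns; the rows are made up for this example), reports every Result value that appears only in the broken capture together with the paths that produced it, and separately flags any IS DIRECTORY result on a path whose name ends in a loadable-module extension. That last check generalizes the clb.dll finding: a directory sitting where a program expects a .dll or .exe in its search path would break any loader that looks there, not just regedit.

```python
import csv
import io
from collections import defaultdict

# Constructed Process Monitor CSV exports using Procmon's default export columns.
# These rows were written for this example; they are not the captures from the e-mail.
# The "broken" capture contains the extra IS DIRECTORY result on C:\Windows\clb.dll.
WORKING_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0","regedit.exe","1234","Process Start","","SUCCESS","Parent PID: 800"
"10:01:02.1","regedit.exe","1234","CreateFile","C:\\Windows\\regedit.exe","SUCCESS","Desired Access: Read Data"
"10:01:02.2","regedit.exe","1234","CreateFile","C:\\Windows\\clb.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:01:02.3","regedit.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"""

BROKEN_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:44.0","regedit.exe","2468","Process Start","","SUCCESS","Parent PID: 800"
"10:05:44.1","regedit.exe","2468","CreateFile","C:\\Windows\\regedit.exe","SUCCESS","Desired Access: Read Data"
"10:05:44.2","regedit.exe","2468","CreateFile","C:\\Windows\\clb.dll","IS DIRECTORY","Desired Access: Read Data"
"10:05:44.3","regedit.exe","2468","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"""

# Extensions a loader expects to find as files, never as directories.
MODULE_EXTENSIONS = (".dll", ".exe", ".com", ".sys")


def paths_by_result(csv_text):
    """Group the Path column by the Result column (what Excel's Data Filter on Result shows)."""
    grouped = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        grouped[row["Result"]].add(row["Path"])
    return grouped


def results_only_in(broken_csv, working_csv):
    """Result values present in the broken capture but absent from the working one,
    mapped to the sorted paths that produced them."""
    broken = paths_by_result(broken_csv)
    working = paths_by_result(working_csv)
    return {result: sorted(paths) for result, paths in broken.items() if result not in working}


def directories_masquerading_as_files(csv_text):
    """Paths that returned IS DIRECTORY although they are named like a module:
    a directory planted where the loader expects a DLL or executable."""
    return sorted(
        path for path in paths_by_result(csv_text).get("IS DIRECTORY", set())
        if path.lower().endswith(MODULE_EXTENSIONS)
    )


if __name__ == "__main__":
    for result, paths in results_only_in(BROKEN_CSV, WORKING_CSV).items():
        print(f"only on broken system: {result} -> {paths}")
    print("directories named like modules:", directories_masquerading_as_files(BROKEN_CSV))
```

To use it on real captures, export each Procmon trace with File > Save in CSV format, read the two files into WORKING_CSV and BROKEN_CSV, and run it; the first function reproduces the manual comparison, the second is the check worth keeping as a routine triage step after a malware clean-up.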