FromTheRafters
Here's an experiment for some NT-based OS users.
Situation:
After an incomplete removal of a malware file, you are
left with the problem that a file needed to run files of
type application is missing. Previously it has been
suggested that the registry key could be repaired by
a registry patch as follows:
+++++++++++++++++++++++
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
+++++++++++++++++++++++
Those five lines between the plus signs (+) can
be copied and pasted into notepad and saved as
a registry patch file with a .reg extension.
I'll call it exefix.reg.
A problem arises when the malware interferes with
the regfile and comfile associations as well. The
comfile one prevents the renaming of regedit.exe to
regedit.com from being a way out of the dilemma
via manual editing of the registry.
Here is a possible solution, and I submit it for comment
to anyone willing to try it on an NT based OS (because
I don't have one to try it on):
When the error box appears, write down the name of the file
that Windows is looking for. For this example I use the name
"wormfile.exe".
==============================
Program Not Found
This program is needed for opening files of
type 'Application'.
Location of wormfile.exe
[C:\ ]
==============================
Use the "find" utility to rename regedit.exe to
wormfile.exe.
Create the registry patch as above, only save it
as a .exe instead of a .reg file.
In this example I use notepad's 'save as' to save
the file as exefix.exe (I use a pre-existing, more
all-inclusive registry patch I call regfix.reg and just
rename the extension to .exe).
Now, double clicking exefix.exe (exefix.reg) invokes
wormfile.exe (regedit.exe) because of the (corrupted)
exefile key association, and passes exefix.exe (exefix.reg)
to it as an argument and the data is interpreted as a patch.
When it asks "Are you sure you want to add the information
in [path]exefix.exe to the registry?" answer yes.
While the above may seem complicated to some,
it boils down to:
1) Rename regedit.exe to wormfile.exe.
2) Rename exefix.reg to exefix.exe.
3) Run exefix.exe.
4) Rename them both back.
Now you can run regedit to do any manual editing.
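The four steps above, assembled into one batch file as an added example (this is not the original poster's code). It assumes the file name from the error box is wormfile.exe, that regedit.exe lives in %SystemRoot%, and that reg.exe is available for the final check; run it from a command prompt rather than by double-clicking, since the batfile association may be broken too.

```batch
@echo off
rem Added example, not from the original post. Assumptions: the name
rem Windows asks for is wormfile.exe and regedit.exe is in %SystemRoot%.
setlocal
set WORMFILE=wormfile.exe
set REGDIR=%SystemRoot%
set FIX=%TEMP%\exefix

rem Write the same three-line patch as in the post, but straight to a
rem .exe name. Redirection goes first so "REGEDIT4>" is not parsed as
rem a redirect of file handle 4.
>"%FIX%.exe"  echo REGEDIT4
>>"%FIX%.exe" echo.
>>"%FIX%.exe" echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]
>>"%FIX%.exe" echo @="\"%%1\" %%*"

rem 1) Rename regedit.exe to the name the corrupted association wants.
ren "%REGDIR%\regedit.exe" "%WORMFILE%"

rem 2)+3) Launch the patch through the shell association (start uses
rem ShellExecute, like a double-click), so the shell runs
rem %REGDIR%\wormfile.exe with exefix.exe as %1. Answer "yes" to the
rem regedit prompt.
start /wait "" "%FIX%.exe"

rem 4) Rename regedit back.
ren "%REGDIR%\%WORMFILE%" regedit.exe

rem Verify the repaired value before trusting the machine again
rem (assumes reg.exe is present, e.g. Windows 2000 or later).
reg query HKCR\exefile\shell\open\command
endlocal
```

The query at the end should show the default value as "%1" %* with no other executable in front of it; anything else means the patch was not applied.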
IIRC the regedit.exe on NT machines is a stub for
the regedit32.exe, so I'm thinking it should work;
if not, maybe the patch file should be the regedit5
version and the regedit32.exe should be the one
renamed.
I shouldn't need to caution anyone trying this to
always back up the registry before mucking
around with it, but there it is...
I have the feeling that many new worms will be
throwing that particular wrench into the works
and many people will be asking for help with it.
Maybe this will help.