1. [OT]Regedit > Thanks everybody
- Posted by don cole <doncole at pacbell.net> Feb 05, 2005
- 459 views
The .com worked. I am now downloading reglite. I hope to have this problem fixed soon now that I have some tools to work with. Thanks again

dON coLE sf
2. Re: [OT]Regedit > Thanks everybody
- Posted by Alexander Toresson <alexander.toresson at gmail.com> Feb 05, 2005
- 450 views
don cole wrote:

> The .com worked.

Then you've got a virus. The virus has set up a program that "runs" your exe files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program that is. Change the standard value to "%1" %*. If it's the same virus I once had, it will have replaced every .exe you have run with a stub, which then runs the real program, which is copied into a file with the same filename and in the same directory, but with a .dat extension instead. Those stubs are all the same size, ~10k. If that's the case, it means that if you start a single affected program, that registry key will be changed back and the virus will begin to spread again. The thing you'd want to do is create a small program which deletes the .exe and renames the .dat to .exe, if the .exe is the right size.

Regards, Alexander Toresson

Assembly. Push 'till you pop.
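As an added illustration (not code from anyone in this thread), here is a Python sketch of the "small program" Alexander describes, together with a check of the exefile open-command value: it only touches an .exe of roughly stub size that has a same-named .dat beside it, and it runs against a constructed sample directory. The 1 KiB size tolerance and the requirement that the .dat be larger than the stub are assumptions added here.

```python
import re
import tempfile
from pathlib import Path

# Default value Alexander says HKEY_CLASSES_ROOT\exefile\shell\open\command should hold.
EXPECTED_OPEN_COMMAND = '"%1" %*'
# The post gives the stub size as "~10k"; the 1 KiB tolerance is an assumption.
STUB_SIZE, STUB_TOLERANCE = 10 * 1024, 1024

def open_command_is_clean(command: str) -> bool:
    """True if the (already unquoted) default value only launches the .exe itself.
    Anything in front of "%1" is a helper that gets run before every program."""
    return re.sub(r'\s+', ' ', command.strip()) == EXPECTED_OPEN_COMMAND

def find_stub_pairs(root: Path) -> list:
    """Pair each stub-sized .exe with a same-named .dat sibling (the displaced original).
    Requiring the .dat to be larger than the stub is an extra safeguard, not from the post."""
    pairs = []
    for exe in sorted(root.rglob('*.exe')):
        dat = exe.with_suffix('.dat')
        if (dat.is_file() and abs(exe.stat().st_size - STUB_SIZE) <= STUB_TOLERANCE
                and dat.stat().st_size > exe.stat().st_size):
            pairs.append((exe, dat))
    return pairs

def restore_pairs(pairs, dry_run=True) -> list:
    """Delete each stub and rename its .dat back to .exe; with dry_run only report names."""
    for exe, dat in pairs:
        if not dry_run:
            exe.unlink()
            dat.rename(exe)
    return [exe.name for exe, _ in pairs]

def demo() -> dict:
    """Build a constructed sample tree in a temp dir and run the restore on it for real."""
    root = Path(tempfile.mkdtemp())
    (root / 'infected.exe').write_bytes(b'\0' * STUB_SIZE)   # stub left by the virus
    (root / 'infected.dat').write_bytes(b'\0' * 60_000)      # displaced original
    (root / 'small.exe').write_bytes(b'\0' * STUB_SIZE)      # stub-sized but no .dat: leave alone
    (root / 'big.exe').write_bytes(b'\0' * 60_000)           # ordinary program, untouched
    planned = restore_pairs(find_stub_pairs(root))           # dry run first, then for real
    restored = restore_pairs(find_stub_pairs(root), dry_run=False)
    return {'planned': planned, 'restored': restored,
            'infected_exe_size': (root / 'infected.exe').stat().st_size,
            'dat_left': (root / 'infected.dat').exists(),
            'exe_count': len(list(root.glob('*.exe')))}
```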
3. Re: [OT]Regedit > Thanks everybody
- Posted by Greg Haberek <ghaberek at gmail.com> Feb 05, 2005
- 458 views
- Last edited Feb 06, 2005
> Then you've got a virus. The virus has set up a program that "runs" your exe
> files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program
> that is. Change the standard value to "%1" %*. If it's the same virus I once
> had, it will have replaced every .exe you have run with a stub, which then
> runs the real program, which is copied into a file with the same filename
> and in the same directory, but with a .dat extension instead. Those stubs are
> all the same size, ~10k. If that's the case, it means that if you start a
> single affected program, that registry key will be changed back and the virus
> will begin to spread again. The thing you'd want to do is create a small
> program which deletes the .exe and renames the .dat to .exe, if the .exe is
> the right size.

In my case, the virus linked all .exe files to a read-only executable in the Recycle Bin. Windows does not allow files to execute from the Recycle Bin, so no .exe files could be run at all. The only program that did run was explorer.exe, I assume because that was before file associations loaded (or maybe explorer.exe handles file associations). So I had to boot to DOS, rename (a copy of) regedit.exe to regedit.com, then boot back to Windows and manually remove all file associations for .exe files.

~Greg
4. Re: [OT]Regedit > Thanks everybody
- Posted by don cole <doncole at pacbell.net> Feb 05, 2005
- 457 views
- Last edited Feb 06, 2005
Alexander Toresson wrote:

> don cole wrote:
> > The .com worked.
>
> Then you've got a virus. The virus has set up a program that "runs" your exe
> files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program
> that is. Change the standard value to "%1" %*. If it's the same virus I once
> had, it will have replaced every .exe you have run with a stub, which then
> runs the real program, which is copied into a file with the same filename
> and in the same directory, but with a .dat extension instead. Those stubs are
> all the same size, ~10k. If that's the case, it means that if you start a
> single affected program, that registry key will be changed back and the virus
> will begin to spread again. The thing you'd want to do is create a small
> program which deletes the .exe and renames the .dat to .exe, if the .exe is
> the right size.

I don't think I've got a virus (maybe I do). I screwed my registry up recently and replaced it with an old backup I made in '99. (Maybe a virus was in that file?) That's when the "Couldn't find cshook.vxd" problem started. Up to that time I don't know if regedit was working or not because I never used it. I'm not having trouble with any .exe files other than regedit.exe?

Don Cole Sf

> Regards, Alexander Toresson
>
> Assembly. Push 'till you pop.