1. [OT]Regedit > Thanks everybody

The .com worked.
I am now downloading reglite.
I hope to have this problem fixed soon now that I have some tools to work with.

Thanks again 
dON coLE
sf


2. Re: [OT]Regedit > Thanks everybody

don cole wrote:
> The .com worked.
Then you've got a virus. The virus has set up a program that "runs" your exe 
files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program
that is. Change the standard value to "%1" %*. If it's the same virus I once 
had, it will have replaced every .exe you have run with a stub, which then 
runs the real program, which is copied into a file with the same filename 
and in the same directory, but with a .dat extension instead. Those stubs are
all the same size, ~10k. If that's the case, it means that if you start a 
single affected program, that registry key will be changed back and the virus
will begin to spread again. The thing you'd want to do is create a small 
program which deletes the .exe and renames the .dat to .exe, if the .exe is 
the right size.

Regards, Alexander Toresson

Assembly. Push 'till you pop.
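
The cleanup program described in the post above, sketched as an added example that is not part of the original thread: it swaps each stub-sized .exe for the .dat beside it. The stub size is a parameter because the post gives it only as ~10k; the MZ header check, the dry-run default and the demo tree are assumptions added here.

```python
import os
import tempfile

def find_stubs(root, stub_size, tolerance=0):
    """Return (exe, dat) pairs: exe has the stub size, dat looks like a real program."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            base, ext = os.path.splitext(name)
            dat_name = by_lower.get(base.lower() + ".dat")
            if ext.lower() != ".exe" or dat_name is None:
                continue
            exe = os.path.join(dirpath, name)
            dat = os.path.join(dirpath, dat_name)
            if abs(os.path.getsize(exe) - stub_size) > tolerance:
                continue  # not the stub size: leave this .exe alone
            with open(dat, "rb") as fh:
                if fh.read(2) != b"MZ":  # added guard: .dat must be an executable
                    continue
            pairs.append((exe, dat))
    return sorted(pairs)

def restore(root, stub_size, tolerance=0, dry_run=True):
    """Replace each stub with its .dat original; return the affected .exe paths."""
    pairs = find_stubs(root, stub_size, tolerance)
    if not dry_run:
        for exe, dat in pairs:
            os.replace(dat, exe)  # drops the stub and renames .dat in one step
    return [exe for exe, _dat in pairs]

def build_demo_tree(stub_size=10240):
    """Constructed sample data, not real malware: returns a temp directory."""
    root = tempfile.mkdtemp()
    samples = {
        "app.exe": b"MZ" + b"\0" * (stub_size - 2),    # stub
        "app.dat": b"MZ" + b"REAL" * 5000,             # displaced original
        "clean.exe": b"MZ" + b"\0" * 50000,            # no .dat beside it
        "game.exe": b"MZ" + b"\0" * (stub_size - 2),   # stub-sized by chance
        "game.dat": b"save data",                      # ordinary data file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print("would restore:", restore(demo, 10240))
    print("restored:", restore(demo, 10240, dry_run=False))
```

Review the dry-run list before passing dry_run=False, and correct the exefile registry value first so that nothing affected is started in between.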


3. Re: [OT]Regedit > Thanks everybody

> Then you've got a virus. The virus has set up a program that "runs" your exe
> files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program
> that is. Change the standard value to "%1" %*. If it's the same virus I once
> had, it will have replaced every .exe you have run with a stub, which then
> runs the real program, which is copied into a file with the same filename
> and in the same directory, but with a .dat extension instead. Those stubs are
> all the same size, ~10k. If that's the case, it means that if you start a
> single affected program, that registry key will be changed back and the virus
> will begin to spread again. The thing you'd want to do is create a small
> program which deletes the .exe and renames the .dat to .exe, if the .exe is
> the right size.

In my case, the virus linked all .exe files to a read-only executable
in the Recycle Bin. Windows does not allow files to execute from the
Recycle Bin, so no .exe files could be run at all. The only program
that did run was explorer.exe, I assume because that was before file
associations loaded (or maybe explorer.exe handles file associations).
So I had to boot to DOS, rename (a copy of) regedit.exe to
regedit.com, then boot back to Windows and manually remove all file
associations for .exe files.

~Greg


4. Re: [OT]Regedit > Thanks everybody

Alexander Toresson wrote:
> 
> don cole wrote:
> > The .com worked.
> Then you've got a virus. The virus has set up a program that "runs" your exe 
> files. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command to see what program
> that is. Change the standard value to "%1" %*. If it's the same virus I once 
> had, it will have replaced every .exe you have run with a stub, which then 
> runs the real program, which is copied into a file with the same filename 
> and in the same directory, but with a .dat extension instead. Those stubs are
> all the same size, ~10k. If that's the case, it means that if you start a 
> single affected program, that registry key will be changed back and the virus
> will begin to spread again. The thing you'd want to do is create a small 
> program which deletes the .exe and renames the .dat to .exe, if the .exe is 
> the right size.
> 
I don't think I've got a virus (maybe I do).
I screwed my registry up recently and replaced it with an old backup I made
in '99. (Maybe a virus was in that file?).
That's when the "Couldn't find cshook.vxd" problem started.
Up to that time I don't know if regedit was working or not because I never
used it.

I'm not having trouble with any .exe files other than regedit.exe?

Don Cole 
Sf
> Regards, Alexander Toresson
> 
> Assembly. Push 'till you pop.
>
