Fixing and understanding the most commonly blocked Windows functions in the registry.
HKLM, Software\CLASSES\[file extension]\shell\open\command [filename default: "%1" %*]
This is probably the most annoying block. The virus attaches a program that runs every time a file with that extension is opened.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, [filename default:explorer.exe]
This will run the file every time we log on to Windows.
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, [filename default:cmd.exe]
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, [filename default:cmd.exe]
This one will run the file even in Safe Mode.
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, [string default:checkbox]
Ever lost the “Hide extensions for known file types” checkbox in Folder Options? This is the culprit.
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, Text,0, [string default:Hide Extensions for known file types]
Was the “Hide extensions for known file types” label replaced by something weird? This is the string that changes it.
HKLM, Software\Microsoft\Windows NT\CurrentVersion, ProductId,0, [string ProductId]
HKLM, Software\Microsoft\Windows NT\CurrentVersion, ProductName,0 [string ProductName]
HKLM, Software\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, [string RegisteredOrganization ]
HKLM, Software\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, [string RegisteredOwner ]
The strings above change the text shown in System Properties (Control Panel > System).
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,0, [string default:Microsoft Internet Explorer]
HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, Homepage,1,0
These strings change the Internet Explorer window title and the homepage setting.
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFind
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoSaveSettings
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoControlPanel
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFolderOptions
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoRun
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFind
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
These values enable or disable something according to their data (usually 1 to activate and 0 to deactivate).
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[filename], Debugger
This value causes a different file to be run whenever a program with that (very) particular filename is started.
HKCU, Software\Yahoo\pager\View\YMSGR_buzz, "content url"
HKCU, Software\Yahoo\pager\View\YMSGR_Launchcast, "content url"
These strings are changed by Yahoo Messenger-related viruses.
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache,@shell32.dll,-30503,0, "Hide Extensions for known file types"
HKLM, Software\Microsoft\Windows\CurrentVersion\Run,renova
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Shell
I don’t exactly know what these strings are for, but some viruses use them. Usually I just delete them. If anybody knows how to use them or what they’re for, please let me know.
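The following is an added example, not part of the original post: a read-only PowerShell audit that checks the locations listed above against the defaults the post gives and reports only the ones that differ. It assumes an elevated PowerShell prompt (so the HKLM keys are readable) and changes nothing; the expected values are the ones stated in the post, and the Image File Execution Options loop lists every Debugger entry because legitimate tools set that value too, so each hit should be reviewed rather than deleted blindly.

```powershell
# Added example: read-only audit of the registry locations the post lists.
# Nothing is modified; deviations are printed so you can decide what to fix.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value does not exist
    }
}

# Locations that should hold a specific default (values as given in the post).
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'explorer.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Value = 'cmd.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'; Name = 'Type'; Value = 'checkbox' }
)

# Policy values that lock the user out of tools; they should be absent or 0.
$policies = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFind'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoControlPanel'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFind'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoControlPanel'
)

$findings = @()

foreach ($e in $expected) {
    $actual = [string](Get-RegValue -Path $e.Path -Name $e.Name)
    if ($actual.Trim() -ine $e.Value) {
        $findings += "[changed] $($e.Path) [$($e.Name)] = '$actual' (expected '$($e.Value)')"
    }
}

foreach ($p in $policies) {
    $path, $name = $p -split '\|'
    $actual = Get-RegValue -Path $path -Name $name
    if ($null -ne $actual -and $actual -ne 0) {
        $findings += "[policy] $path [$name] = $actual (should be absent or 0)"
    }
}

# Image File Execution Options: a Debugger value redirects that program name to
# another executable. Debuggers and monitoring tools set this legitimately, so
# each entry is listed for review rather than flagged as malicious.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = Get-RegValue -Path $_.PSPath -Name 'Debugger'
    if ($dbg) { $findings += "[ifeo] $($_.PSChildName) -> Debugger = '$dbg'" }
}

# Autorun entries the post mentions as used by some viruses.
foreach ($run in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|renova',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run|Shell')) {
    $path, $name = $run -split '\|'
    $actual = Get-RegValue -Path $path -Name $name
    if ($null -ne $actual) { $findings += "[run] $path [$name] = '$actual'" }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```

Run it before and after applying a fix: the "before" output tells you which of the blocks described above the virus actually used, and an empty "after" output confirms the fix took. Because the audit only reads the registry, it still works when regedit itself is blocked by the DisableRegistryTools policy.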
When something in the registry is blocked, you can still inject the fix from a *.inf file, as long as the INF file itself is not also blocked. If it is, follow my instructions in playing with registry.
These are the strings I found during my virus-cleaning experience. I compiled them into one big registry fixer from various sources and a lot of tedious trial and error (many of them from vaksin.com). Copy this into filename.inf, then right-click it and choose Install. Or you can simply download this file.
; Save as filename.inf, then right-click it and choose Install.
; The [Version] section is required; without it Windows shows no Install entry.
[Version]
Signature="$Chicago$"
Provider=Michelle

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the default "open" command of the executable file types (undoes the extension hijack).
; Inside an INF string a literal quote is written as two quotes.
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
; Text files are opened by Notepad; they must never be handed to the shell as a program.
HKLM, Software\CLASSES\txtfile\shell\open\command,,,"notepad.exe %1"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
; Screen savers are started with the /S switch, not with %*.
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" /S"
; Logon shell and Safe Mode shell back to their defaults.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; Folder Options checkboxes and their labels.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, Text,0, "@shell32.dll,-30503"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, Type, 0, "radio"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, Type, 0, "checkbox"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache, "@shell32.dll,-30503",0, "Hide Extensions for known file types"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache, "@shell32.dll,-30508",0, "Hide protected system files and folders (Recommended)"
; System Properties text and Internet Explorer title. Replace the placeholders with your own values.
HKLM, Software\Microsoft\Windows NT\CurrentVersion, ProductId,0, "Your Product ID"
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,0, "Internet Explorer"
HKLM, Software\Microsoft\Windows NT\CurrentVersion, ProductName,0,"Your Product Name"
HKLM, Software\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0,"Your Organization"
HKLM, Software\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Your Registered Owner"
; Homepage policy is a DWORD; 0x00010001 writes REG_DWORD, and 0 unlocks the homepage.
HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, Homepage,0x00010001,0

[del]
; Policy values that disable regedit, Task Manager, Folder Options, Run, Search and Control Panel.
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFind
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoSaveSettings
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoControlPanel
; Autorun entries used by some viruses.
HKLM, Software\Microsoft\Windows\CurrentVersion\Run,renova
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Shell
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFolderOptions
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoRun
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFind
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
; Image File Execution Options "Debugger" hijacks of system tools and antivirus programs.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe, Debugger
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe, Debugger
; Yahoo Messenger content URLs changed by Yahoo-related viruses.
HKCU, Software\Yahoo\pager\View\YMSGR_buzz, "content url"
HKCU, Software\Yahoo\pager\View\YMSGR_Launchcast, "content url"
In case you cannot install your INF file (there is no Install command when you right-click), you can install it with rundll32 instead.
Hope this helps.
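As an added example (not the post's or vaksin.com's own code), the PowerShell script below covers both the INF method above and the rundll32 fallback: it first prints what the INF's AddReg and DelReg sections will do and refuses an INF that has no [Version] section with a Signature line, then installs it through the SetupAPI entry point that rundll32 exposes. The path C:\fix\registryfix.inf is a placeholder, Get-InfSection is a minimal hypothetical helper written for this example, and the script assumes an elevated prompt and an INF path without spaces.

```powershell
# Added example: review an INF's registry changes, then install it with rundll32
# (the fallback when the right-click "Install" entry is missing).
param([string]$InfPath = 'C:\fix\registryfix.inf')   # placeholder; use your own path

function Get-InfSection {
    # Returns the non-empty, non-comment lines of one [Section] of an INF file.
    param([string[]]$Lines, [string]$Section)
    $inside = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inside = ($Matches[1] -ieq $Section); continue }
        if ($inside -and $t -and -not $t.StartsWith(';')) { $t }
    }
}

function Show-InfPlan {
    # Prints every AddReg/DelReg entry the [DefaultInstall] section will apply.
    param([string]$Path)
    $lines = Get-Content -Path $Path
    $sig = Get-InfSection $lines 'Version' | Where-Object { $_ -imatch '^Signature\s*=' }
    if (-not $sig) {
        throw 'No [Version] section with a Signature line; SetupAPI will refuse this INF.'
    }
    foreach ($directive in (Get-InfSection $lines 'DefaultInstall')) {
        $parts = $directive -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key = $parts[0].Trim()                    # AddReg or DelReg
        foreach ($s in ($parts[1] -split ',')) {
            "== $key -> [$($s.Trim())]"
            Get-InfSection $lines $s.Trim() | ForEach-Object { "   $_" }
        }
    }
}

function Install-Inf {
    # Equivalent of the right-click Install entry. 132 is the mode value commonly
    # used for registry-only INFs; its 128 bit makes the INF's own directory the
    # source path. Use a path without spaces, as rundll32 does not quote it.
    param([string]$Path)
    $full = (Resolve-Path -Path $Path).Path
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
        -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 $full" -Wait
}

Show-InfPlan -Path $InfPath
Install-Inf -Path $InfPath
```

The review step matters because an INF runs with full rights and overwrites whatever it names: reading the plan first catches a mistyped key or a value that would replace a good default, which is exactly the kind of damage the virus itself did.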
Reference: vaksin.com
1 comment:
If you want to fix registry problems, that means you are so frustrated from your running slower PC. It also means that you are more disposed to computer errors, crashes, and even freezing moments. To use a registry clean download facility, you can make your system free from errors.