Many worms and trojans make changes to the registry so that they start automatically whenever you boot your computer, and also to avoid easy detection by disabling Windows Task Manager, Registry Editor and so on. You can easily restore all those tools by using Remove Restriction Tool (RRT).
I only recently found out that a virus can also change your registry so that the virus runs automatically whenever you execute a file. Imagine: the virus is loaded each time you run an executable (EXE) or a batch (BAT) file. Just last week I was cleaning a computer that was infected by Brontok. After scanning, cleaning the virus and restoring the changes it made, Symantec Antivirus Corporate Edition still popped up a notification stating that the Brontok virus was found and automatically deleted. This happened EVERY TIME I ran an executable file.
Now I have found out how it works and also how to stop the virus from running automatically whenever I run any file.
This happens when a virus changes one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan runs each time you run certain files.
For example, if the \exefile\shell\open\command key is changed, the threat runs each time you run any .exe file. This may also stop you from running the Registry Editor to try to fix it. They may also change a registry value so that you cannot run the Registry Editor at all.
I did a test by adding the Notepad.exe path to the \exefile\shell\open\command key. Then, when I tried running any EXE file, it launched the EXE file with Notepad! The Brontok virus loads a backdoor file called “shell.exe”. You won’t even notice anything abnormal when you run an EXE file.

Thanks to Symantec Security Response for creating a script that is able to easily reset these registry values to their default settings.
What is inside the script:
[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
Of all the shell\open\command keys, the exefile key is the one used most often. When your computer starts, it loads a lot of EXE files, and when you start a program, that loads an EXE file too. The rest are seldom used unless you’re a power user. To be on the safe side, the Symantec script restores all of the shell\open\command keys to their default values.
Instructions to install the script:
1. Download the script at the end of this post by right-clicking on the link and save it to your desktop.
2. Right-click on the file and select “install”
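An added example, not from the post or from Symantec: a PowerShell audit that reads the same six shell\open\command keys and the DisableRegistryTools policy the INF above resets, reports any value that differs from the INF's defaults, and restores them only when run with the assumed -Fix switch. Run it from an elevated PowerShell prompt.

```powershell
# Audit the file-type handlers that UnHookExec.inf resets. Check only by
# default; pass -Fix to write the INF's default values back.
param([switch]$Fix)

# The strings as they are stored in the registry; in the INF they appear
# with doubled quotes ("""%1"" %*"), which is just INF string quoting.
$expected = @{
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'exefile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'regfile' = 'regedit.exe "%1"'
    'scrfile' = '"%1" %*'
}

$problems = 0
foreach ($type in $expected.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
    # The INF's ',,,' targets the unnamed (default) value of each key.
    $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($actual -eq $expected[$type]) {
        Write-Host "OK       $type : $actual"
        continue
    }
    $problems++
    Write-Host "CHANGED  $type : '$actual' (expected '$($expected[$type])')" -ForegroundColor Red
    if ($Fix) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$type]
        Write-Host "         restored default for $type"
    }
}

# A non-zero DisableRegistryTools is what keeps regedit from opening.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $policy -Name DisableRegistryTools `
        -ErrorAction SilentlyContinue).DisableRegistryTools
if ($drt) {
    $problems++
    Write-Host "Registry Editor disabled by policy (DisableRegistryTools=$drt)" -ForegroundColor Red
    if ($Fix) { Set-ItemProperty -Path $policy -Name DisableRegistryTools -Value 0 }
}
Write-Host "$problems problem(s) found."
```

Newer Windows versions ship slightly different defaults for some of these handlers (scrfile in particular), so read the report before applying -Fix rather than treating every mismatch as an infection.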

A great tool to carry around with me all the time to combat nasty viruses such as Brontok.
[ Download Symantec Reset Shell Open Command Script ]
Hello, I have a similar problem: the code injected is not a virus execution, but it will create a user with the name ‘IWAM_NETASPS’ and add it to the Admin group when I open a Command Prompt and execute any command in it.
I’ve tried the .inf file, but it didn’t work.
There was no option for me to click “install” when I right-clicked the saved file.
If I want to create a barrier between system and virus, what should I do? I tried many things but I didn’t succeed. Can you do this? It’s a challenge for you. If you do this, call me 9001805657. I am waiting for your answer.
dheeraj
hi buddy..
having a big problem..
can’t open orkut on my PC..
it says you don’t have permission, orkut is banned -SAM-
do you have any solution?
mail me at my address, friend!
plzz.
Nice.. thank you
Dear Raymond, I have an unknown virus on my pen drive. There is some folder called “TunerSetup” on my pen drive; I didn’t create this virus, and when I insert my pen drive into the system and double-click on the drive, this “TunerSetup” suddenly pops up and extracts something. I am using Kaspersky Antivirus but it’s not detecting any virus. Can you help me clean this virus, and what is this virus? I got this virus from my college system and now I don’t want it to infect my home system. I have tried ZoneAlarm and Kaspersky to clean this but they didn’t detect any virus. Please help.
Dear Raymond... Gee, thanks a lot.. good info there.. I too learned a lot about these nasty programs and I could restore the computer that was damaged at my office recently :)
I’m proud of you...
Hey everybody, this website is the best I have ever found. I am Pankaj from Nepal (Never End Peace And Love)
The tool worked for me, but how do I get the others
Well, it worked for me, but now I can’t run anything without getting that “Open with” message. What can I do?
thanks dear..... you saved my PC.....
I see, thanks. By the way, you’re a computer genius, I learned a lot from you, but you’re not zerocool, eh :):):)
gerry, I am from Malaysia.
I learned a lot from your blog. By the way, are you a Filipino? Your name sounds like it.
hey ray, I can’t download it.. when I click the link it just opens a new window with the script in it.. how can I download this? thanks
Has anyone tried the registry change and seen if notepad runs every time you run an exe\bat file?
how can I test the notepad thing you did
I want to run Notepad every time I run a BAT file
but it didn’t happen for me
what do you write in the REG key?
sorry ’bout that ray, thanks for the nice tools!
you’re the man!
Nice, Thanx Raymond
thanx raymond the great engineer............ I too have a habit of messing around with computers like this............
Did you read the instructions webcadre?
sorry, I’m too dumb.... thanks!!!
how can you download it?
Nice one, thanks Raymond