sybe asked:
RegEdit on files from another system
A friend of mine has his PC infected with a virus that prevents Regedit from running; instead it asks for the location of a (deleted) worm.
I know more or less which registry keys should be deleted, but I can't run regedit on his PC.
I wonder if it is possible to copy the user.dat and system.dat to a temporary directory on a clean system, and open those files with regedit (or maybe another registry editor) on the clean system, in order to remove the registry keys that make the virus work, and then copy the cleaned user.dat and system.dat back to the original system.
ASKER
@R_Rajesh
Thanks, yes, I learned that I can run regedit from the command prompt after starting up in DOS mode. Then it functions as a DOS program, and it has the possibility to edit other registry files than the standard registry files.
I found out that it is possible to use dos-regedit to export (parts of) the registry to a text file, so that I can read the registry.
The export file is too big to be read completely in the DOS Edit command, but it helps a lot.
It is however not completely what I want, but it comes very close. If no better answer comes up, you get the points.
- - - - -
@war1
The problem is not that the registry file is locked, but that in the registry [HKEY_CLASSES_ROOT\exefile\shell\open\command] (and also for other executables) has been changed to start up the virus instead of the requested program. The problem caused by this is that no program will start, including regedit.exe.
I looked at the vbs approach a bit; that can also change registry values. The point is that I want to do it from a machine started up in DOS mode. I don't know if it is possible to run vbs from DOS mode (not a DOS box).
- - - - -
@all
I decided this time to reinstall Windows, because it took too much time to find and test the methods to read and edit the registry from DOS mode. I have come a lot closer, and next time I will be better prepared to solve such problems without a reinstall. And there will be a next time, I am quite sure; too many people still aren't careful with emails containing viruses.
I will be delighted if someone points me to some methods to read and edit the registry from DOS mode in an easy way.
Maybe someone knows a website about this.
hi sybe,
The reason I asked you to rename regedit was because some time back I ran into a similar problem because of a virus called sircam32; in fact it modified the exact registry key you mentioned. I wasn't able to execute any exe files on the computer, and by renaming regedit.exe or regedit32.exe (I don't remember which) to a .com extension, I was able to edit the registry in Windows GUI mode.
IRC/Stages.worm, Life_Stages Worm, VBS_Stages.A, Bloodhound.VBS.Worm
SARC has developed a free, downloadable tool to repair the damage done by the worm. Please go to:
http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html
First, renaming regedit.exe to regedit.com should work, but if not, try Resplendence Registrar:
http://www.resplendence.com/
Just for your information, sybe, Windows can run .vbs scripts or .wsh (Windows Script Host) scripts in one of two ways:
Windows mode: c:\windows\WScript.exe
DOS mode: C:\windows\command\cscript.exe
Options are the same for both. If the Windows Scripting Host has been installed (not done by default in a standard Windows setup), then Wscript.exe is the default and you need to use the appropriate switch to make Cscript.exe the default.
Usage: CScript scriptname.extension [option...] [arguments...]
Usage: WScript scriptname.extension [option...] [arguments...]
Options:
//B Batch mode: Suppresses script errors & prompts
//D Enable Active Debugging
//E:engine Use engine for executing script
//H:CScript Changes the default script host to CScript.exe
//H:WScript Changes the default script host to WScript.exe
//I Interactive mode (default, opposite of //B)
//Job:xxxx Execute a WS job
//Logo Display logo (default)
//Nologo Prevent logo display at execution time
//S Save current command line options for this user
//T:nn Maximum time a script is permitted to run
//X Execute script in debugger
I'm not sure whether you are aware of how to delete keys or DataValues using a .reg file run from the command line: REGEDIT /S [Drive:\][path\]filename.reg
To delete a key (in this case the final part after the last \), place a minus sign at the start of the "path", e.g.
[-HKEY_CURRENT_USER\Software\Microshit\TextViewer]
[-HKEY_CURRENT_USER\Software\Microshit]
deletes the sub-key "TextViewer" and then the "Microshit" key
(yes, I know, I edited the file's properties in a hex editor and it created that key :-)
To delete DataValues, place a minus sign after the =, e.g.:
[HKEY_CURRENT_USER\Software\Microshit\TextViewer]
"FileMask"=-
"Top"=-
"Left"=-
"Bottom"=-
"Right"=-
"ShowState"=-
Just an example, you understand.
The symptoms you describe are very similar to those displayed by a system infected with the swen virus.
The fix for this is to create a batch file and a regedit file on floppy on an uninfected machine and run them on the infected one.
Here are the details:-
Batch file - Regfix.bat
@Echo on
cd c:\windows
regedit /e backup.reg hkey_classes_root\exefile
regedit /d hkey_classes_root\exefile\shell\open\command
regedit /d hkey_classes_root\regfile\shell\open\command
regedit RegEd1.reg
Regedit file - RegEd1.reg
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
On your machine, use notepad or similar to copy the lines above to create the two files and put them on a floppy disk.
On your friend's machine, start up with the command prompt only, insert the floppy, and type A: <Enter> Regfix <Enter>
This will remove the problem of being unable to run executables and the registry editor.
When the process has finished, reboot the machine and run an anti-virus scan using up-to-date definitions. Take appropriate action to remove the virus and other unwanted effects.
Symantec have a removal tool for the swen virus, if that's what the problem is. (http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html)
Usual warnings about messing with the registry! Plus usual disclaimers.
John T
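The two posts above lean on REGEDIT4 syntax: `[-Key]` and `"name"=-` as deletion directives, and `@="..."` with backslash escapes for the default value that the worm rewrites under exefile\shell\open\command. As an added example that is not from this thread or any of its posters, here is a small Python parser for that export format which flags an exefile or regfile open handler whose default value is not the standard launcher; the sample export and the PLACEHOLDER.EXE path in it are constructed for the demonstration.

```python
import re
# Default launchers for the two handlers the thread says the worm rewrites
EXPECTED = {
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
    r"hkey_classes_root\regfile\shell\open\command": 'regedit.exe "%1"',
}
def unescape(s):
    # REGEDIT4 strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)
def parse_reg(text):
    """Parse a REGEDIT4 export into (values, deleted_keys, deleted_values).
    values maps lower-cased key -> {name: data}; '@' is the default value."""
    values, del_keys, del_values, cur = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].lower()
            if name.startswith("-"):          # [-Key] deletes the whole key
                del_keys.append(name[1:]); cur = None
            else:
                cur = name; values.setdefault(cur, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or cur is None:
            continue                          # malformed line: skip, don't guess
        vname = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if data == "-":                       # "name"=- deletes that value
            del_values.append((cur, vname))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[cur][vname] = unescape(data[1:-1])
        else:
            values[cur][vname] = data         # dword:/hex: data kept raw
    return values, del_keys, del_values
def hijacked_handlers(text):
    """Return {key: current default} for handlers not set to the launcher."""
    values, _, _ = parse_reg(text)
    return {k: v.get("@") for k, v in values.items()
            if k in EXPECTED and v.get("@") != EXPECTED[k]}
# Constructed sample export; the redirected path is a placeholder, not an IoC
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\PLACEHOLDER.EXE \"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''
```

Run it against the backup.reg that Regfix.bat exports before deleting anything, so the redirected handler is recorded rather than guessed at.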
ASKER
Yep, I forgot about this question still being open, sorry, arranging now....
Here is a vbs script for unlocking the registry
http://registry.winguides.com/display.php/190
If the above does not work, try using this vbs fix. Copy the following text into a Notepad window, then click File, Save As, click Save as type, choose All Files, and make sure you give it a .vbs extension. The source is very easy to read and understand, so here it goes.
--------------------------
on error resume next
dim shell
set shell = wscript.createobject("wscr
testHKCU = shell.regread("HKCU\Softwa
testHKLM = shell.regread("HKLM\Softwa
if testHKCU or testHKLM = 1 then
result1 = msgbox("Editing the registry has been disabled"&vbcrlf&"Would you like to enable registry editing?"&vbcrlf&"This script can be rerun to both enable and disable registry editing",vbyesno,"Registry
if result1 = vbyes then
shell.regwrite"HKCU\Softwa
shell.regwrite"HKLM\Softwa
end if
else
result2 = msgbox("Editing the registry is currently enabled"&vbcrlf&"Would you like to disable registry editing?"&vbcrlf&"This script can be rerun to both enable and disable registry editing",vbyesno,"Registry
if result2 = vbyes then
shell.regwrite"HKCU\Softwa
shell.regwrite"HKLM\Softwa
end if
end if
--------------------------
Reference: http://oldlook.experts-exchange.com/questions/20753009/Registry-Editor-has-been-disabled-by-your-administrator.html
Best wishes, war1