Remove After Effects of Viruses/Malware/Spyware and Trojan Horses

Is your PC infected? Are you unable to open Task Manager, Command Prompt or regedit? Has a virus disabled your Control Panel and removed the Shutdown and Log Off buttons? Well, look no further, because this article covers how malicious applications do all these things and explains how you can disinfect your system.

Today viruses, spyware, trojans and other malware have become very sophisticated and can do a lot of damage. They can execute complex instructions and find vulnerabilities deep within the system. But usually the first place they attack is the Windows registry, to disable essential services and make it difficult to repair the system. Moreover, they disable the regedit utility, making it very difficult to correct the entries. Remember that some antivirus products do not treat modification of registry keys as a threat, and therefore such applications may not be caught. There are a few solutions, ranging from keeping a backup of all the entries to running executables that correct or ‘disinfect’ the entries.

Backing up is a reliable method, but it can be a memory- and time-consuming process, because whenever new software is installed it usually makes entries in the registry hives. If you miss out on backing up after an important installation, that software may not function properly after the backup is restored.

In this article I will show you the paths and values of the important registry keys so that you can change the values to re-enable the services. After reading this article you will be able to do the following:

* Enable Task Manager

* Enable Regedit

* Enable UAC in Vista

* Enable command prompt

* Enable access to USB drives

* Enable/Disable Automatic Updates

* Enable Windows Installer

* Enable Control Panel

* Show shutdown icon

* Show logoff button

* Enable applications such as Firefox and Notepad

* Change file associations back to the correct application, e.g. HTML pages will be opened by Internet Explorer

* Enable changing of file associations

* Show folder options

Below I have given the paths and the key values which will affect your PC on the next restart:

1.) Enable task manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

The key value should be 0 with type “REG_DWORD”.

2.) Enable registry tools

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

The key value should be 0.

3.) Enable cmd

HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD

The key value should be 0.

4.) Enable writing to USB drive

HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect

The key value should be 0.

5.) Enable Microsoft Automatic Updates

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

The key value should be 0.

6.) Enable Control Panel

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel

The key value should be 0.

7.) Show Shutdown button

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

The key value should be 0, or you may delete the registry value altogether.

8.) Show log off button

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff

The key value should be 0, or you may delete the registry value altogether.

9.) Edit file associations for a text file (the entry defines which application will be called when a text file is opened)

HKEY_CLASSES_ROOT\txtfile\shell\open\command

The value should be “C:\Program Files\Internet Explorer\notepad.exe” and the type should be “REG_SZ”, which refers to a string.

10.) Edit file associations for an html file

HKEY_CLASSES_ROOT\htmlfile\shell\open\command

The value should be “%ProgramFiles%\Windows NT\Accessories\iexplore.exe”.

11.) Enable modification of file associations by a user

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate

The value should be 0 with type “REG_DWORD”.

12.) Enable folder options (Folder Options lets the user show hidden files; it is enabled by default, but the virus might have disabled it)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Change the value to 0.

13.) (FOR VISTA USERS) Enable UAC

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Change the value to 1.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Change the value to 2.

Also, if you get an error saying that such-and-such application cannot run because it has been disabled, there is probably an entry for it under

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Every program named by a value in this key is blocked and will not be executed.

Please note that HKCU refers to HKEY_CURRENT_USER and HKLM refers to HKEY_LOCAL_MACHINE. Entries in HKCU affect only the user currently logged in, whereas HKLM entries affect all users. Users without admin privileges cannot change HKLM registry keys.
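One way to check all of the entries above in a single pass and, with `-Fix`, restore them, as an added PowerShell example that is not the author's VB6 tool: the paths are the ones listed in this article (the UAC prompt value is named ConsentPromptBehaviorAdmin), a missing value is treated as "restriction not applied", and because most of the keys live under HKLM the script must be run from an elevated prompt.

```powershell
# Added example: audit (and optionally repair) the policy values this article lists.
param([switch]$Fix)

# (key path, value name, expected DWORD) for every policy the article covers
$Policies = @(
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',   'DisableTaskMgr',             0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',   'DisableRegistryTools',       0),
    @('HKCU:\Software\Policies\Microsoft\Windows\System',                  'DisableCMD',                 0),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies',      'WriteProtect',               0),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',        'NoAutoUpdate',               0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoControlPanel',             0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoClose',                    0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoLogOff',                   0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoFileAssociate',            0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoFolderOptions',            0),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',   'EnableLUA',                  1),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',   'ConsentPromptBehaviorAdmin', 2)
)

foreach ($p in $Policies) {
    $path, $name, $expected = $p
    # Get-ItemProperty returns nothing when the key or value does not exist
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { Write-Host "[ok]    $path\$name is not set"; continue }
    $current = $item.$name
    if ($current -eq $expected) { Write-Host "[ok]    $path\$name = $current"; continue }
    Write-Warning "$path\$name = $current (expected $expected)"
    if ($Fix) {
        Set-ItemProperty -Path $path -Name $name -Value $expected -Type DWord
        Write-Host "[fixed] $path\$name -> $expected"
    }
}

# DisallowRun: each value under this key names a program that Explorer refuses to launch
$dr = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $dr) {
    $key = Get-Item $dr
    $blocked = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    Write-Warning "DisallowRun blocks: $($blocked -join ', ')"
    if ($Fix) { Remove-Item -Path $dr -Recurse; Write-Host "[fixed] removed $dr" }
}

Write-Host "Changes take effect after the next restart."
```

Run it once without `-Fix` to see which entries the malware changed, then again with `-Fix` to reset them.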

I have also created an application whose source code is written in Visual Basic (VB6). Just drop a comment if you want to have a look at the source code and/or the exe application. The reason I created an exe was that most of the time malicious applications block execution of .reg files.
