
Windows Script Host Problem

1- Your computer has a virus.
2- You can get rid of the message by: Start > Run > type "msconfig" > go to the 'Startup' tab > uncheck all the entries you don't want loading at startup.
3- Get a proper antivirus for your computer.

How To Enable Folder Options in Windows Explorer
Click Start
Click Run
Type REGEDIT
Click OK
The Registry Editor will now open
Browse to the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Note: HKCU stands for HKEY_CURRENT_USER
In the right pane, look for the value: NoFolderOptions
Right-click NoFolderOptions and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
Now browse to the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Note: HKLM stands for HKEY_LOCAL_MACHINE
In the right pane, look for the value: NoFolderOptions
Right-click NoFolderOptions and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
Close the Registry Editor by choosing File | Exit
You should now be able to access the Folder Options menu. If not, reboot into Safe Mode and repeat the steps outlined above.

Problem: Task Manager has been disabled by your administrator

Resolution
This message appears if the DisableTaskMgr restriction is enabled. To enable Task Manager, try one of these methods:

IMPORTANT: If this restriction was enabled on your system without you doing anything or without your knowledge, then it's highly likely that a virus has blocked the use of Task Manager by enabling the DisableTaskMgr policy via the registry. I strongly suggest that you perform a thorough checkup of your system immediately. The steps listed in the Resolution section of this article help you unblock Task Manager, but they do not remove the virus (if any) from your system.

Method 1

Click Start, Run and type the command exactly as given below (better: copy and paste it):

Method 2
Download this REG fix and double-click it to apply it.

Method 3

Click Start, Run and type Regedit.exe
Navigate to the following branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

In the right-pane, delete the value named DisableTaskMgr
Close Regedit.exe
Method 4: Using Group Policy Editor - for Windows XP Professional
Click Start, Run, type gpedit.msc and click OK.
Navigate to this branch:
User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager

Double-click the Remove Task Manager option.
Set the policy to Not Configured.

Problem: Registry editing has been disabled (mostly because of virus activity)

Whenever the user opens Run, types regedit and presses Enter, a message prompt appears saying "Registry editing has been disabled by your administrator".

Let's see how we can fix it.

Fix:
Here are the ways through which you can enable registry editing in Windows XP:

Method 1:
You can use a simple UnHookExec.inf to enable registry editing.
1. Download UnHookExec.inf
2. Right-click on the downloaded file and select Install.

Method 2:
If method 1 doesn't work for you, you can also use the Remove Restrictions Tool by Sergiwa.com to enable registry editing.
We have already posted how you can remove the restrictions imposed by the virus with RRT.
1. First download the Remove Restrictions Tool
2. Run it, check "Registry Tools" and click Apply.

Method 3:
If the above two methods do not work for you, you can also try executing a small VBScript which I found on MajorGeeks.
1. First Download EnableRegEdit.vbs
2. Double click on the downloaded file to enable registry editing.

We hope at least one of the above will help to fix the trouble.

Disabled command prompt

There are also cases where users reported that their computer restarts when they try to launch the command prompt, or the command prompt blinks for a second and nothing happens.
Let's see how you can enable your command prompt again when it has been disabled by a virus.
Fix:
There have been two most successful methods with which you can enable your disabled command prompt.

Method 1:
The simplest method to get your command prompt back is to add a registry entry, but registry editing must still be enabled on your system.
1. Open Start >> Run and type the following command (or just copy it): REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
2. Copy the above command into the Run box and press Enter.
This will solve your trouble and your command prompt will be enabled.
Note: Method 1 may not work when your system is severely infected by a virus and even registry editing is disabled, in which case you are not able to run the above command from the Run prompt.

Method 2:
It involves a tool called RRT - Remove Restrictions Tool by Sergiwa, which can re-enable a command prompt that has been disabled by a virus.

It also helps in removing other restrictions which are caused by virus infection, listed below:

Disable Folder Options
Disable Registry Tools
Disable Ctrl+Alt+Del
Disable Show hidden files & folders (files come with the hidden attribute set to true!)
Disable Run Command
Besides these, it also includes fixes for removing 38 restrictions that are caused by different types of viruses.

Note: Make sure you boot into Safe Mode to use the Remove Restrictions Tool (RRT). Just click on the buttons and it'll do its job.

The limited version of the RRT tool is free for personal use only. If you would like to use the application in a business environment you are required to license the application.

To Enable the Disabled Task Manager on your system

1. Press Windows key+R to show the Run prompt

2. Follow these steps:

Enter gpedit.msc in the Run prompt and click OK
In the Group Policy settings window
Select User Configuration
Select Administrative Templates
Select System
Select Ctrl+Alt+Delete Options
Select Remove Task Manager
Double-click the Remove Task Manager option.
Set this item to Disabled.

Those who use Windows XP Home Edition can use the registry to enable Task Manager:

1. Open Start >> Run and type regedit

2. Navigate to the following path:

Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
3. You will find a registry value named DisableTaskMgr of type REG_DWORD
4. Double-click the value and set it to 0

5. Exit the Registry Editor and restart to see the effect.

Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP) (HOW THE VIRUS LOADS)

There are several binaries in the wild which try to install this RootKit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D.

This Malware attempts to modify the MBR so that it can control what gets read from the disk into memory and execute very early in the boot process. After the modified MBR is executed, it reads additional malicious code into memory which modifies the NT kernel to force it to load a malicious driver that has been stored at the end of the physical disk (The driver will not be visible while the infected OS is running.). Once the driver is loaded into the kernel, it behaves just like a standard kernel mode RootKit, providing covert and stealth network backdoor functionality by hooking low level APIs to attempt to avoid detection. Here are some interesting things about this Malware:

First, the installer for this RootKit needs to modify the MBR in order to ensure that the RootKit can persist across reboots. It does this by using the CreateFile API, attempting to open "\Device\Harddisk0\DR0" for write access. Using the CreateFile API in this way (for direct / raw disk access) requires administrative privileges. So if you are logged into Windows as a standard user, or if you are using Windows Vista with UAC enabled, then even if you accidentally run the Malware installer or it runs via some exploit code, it will be running with insufficient privilege to modify the hard disk's MBR; thus it will not be able to persist across a system restart.

Next, the perceived strength of this new RootKit, its lack of a visible footprint in the registry and file system due to the use of the MBR as the ASEP, is also a big weakness! If you suspect that you have a system that is infected with this RootKit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the RootKit driver from being loaded on the next reboot! Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the ‘fixmbr’ command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type ‘fixmbr’ in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type ‘bootrec.exe /fixmbr’ at the console)

After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the Malware components or any other Malware that may have been installed on the system and hidden by the RootKit.
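
As an added example (not code from the original write-up), here is a Python script that parses a raw 512-byte MBR and compares its boot-code region against a known-good hash, the defender-side check behind the advice to restore a known-good MBR. The sample sector, its stand-in boot code and the 'tampered' copy are all constructed inline; in practice the hash comes from an image taken while the machine was known to be clean.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOTCODE_LEN = 446           # bytes 0..445: the boot code a bootkit overwrites
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def bootcode_hash(sector):
    """SHA-256 over the boot-code region only. The partition table is left out
    because legitimate repartitioning changes it without any bootkit involved."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(sector):
    """Decode the four classic MBR partition entries (non-empty ones only)."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(sector, known_good_bootcode_sha256):
    """Findings a responder wants before deciding whether fixmbr is needed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    digest = bootcode_hash(sector)
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "bootcode_sha256": digest,
        "bootcode_modified": digest != known_good_bootcode_sha256,
        "partitions": parse_partitions(sector),
    }


def build_sample_mbr(bootcode):
    """Constructed sample sector: caller-supplied boot code, one bootable NTFS
    partition (type 0x07) starting at LBA 63, and the 0x55AA signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + entry + b"\x00" * 48 + MBR_SIGNATURE


# Stand-in for the clean boot code captured from the machine when it was known good.
KNOWN_GOOD = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
KNOWN_GOOD_HASH = bootcode_hash(KNOWN_GOOD)

# A bootkit keeps the partition table and signature intact so the system still
# boots; only the code region differs. Constructed here by patching three bytes.
TAMPERED = bytes([0xEB, 0x1E, 0x90]) + KNOWN_GOOD[3:]

if __name__ == "__main__":
    # Usage: python mbr_check.py <512-byte sector image> <known-good boot-code sha256>
    with open(sys.argv[1], "rb") as f:
        print(check_mbr(f.read(SECTOR_SIZE), sys.argv[2]))
```

Since the rootkit hooks low-level APIs while the infected OS is running, take the sector image from recovery media rather than from inside Windows, and compare only the 446-byte code region because repartitioning legitimately changes the rest.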

The main driver makes outbound HTTP connections to a particular hard-coded IP address or domain. We presume this is so that it can receive instructions and/or register with its overseer. It may also be able to receive instructions which allow it to act as an HTTP proxy, or to download and execute further Malware. The Malware makes similar connections to a number of domains which appear to be pseudo-randomly generated.

Example:

VirTool:WinNT/Sinowal.A
---------------------------------------------------------------------------------------------------------------------------------------------
When the Malware is executed, it creates the following files:
VirTool:WinNT/Sinowal.A creates an executable temporary file with the prefix 'ldo',
e.g. "c:\Documents and Settings\User\Local Settings\Temp\ldo1.tmp". It then executes this file.
It launches itself, using another temporary file with the prefix 'cln' as the parameter,
e.g. --cp "c:\Documents and Settings\User\Local Settings\Temp\cln2.tmp".
This action creates a copy of the original file and "converts" the file to a DLL.
The newly created DLL is then loaded. It creates the following service:
ServiceName = "{7663B344-A474-4eff-A35D-F5BE7F6531B4}"
DisplayName = ""
StartType = SERVICE_DEMAND_START
BinaryPathName = "%SystemRoot%\System32\svchost.exe -k netsvcs"

It sets the following registry key so the DLL can run as a service:
Adds value: ServiceDll
With data: "c:\Documents and Settings\User\Local Settings\Temp\cln2.tmp"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7663B344-A474-4eff-A35D-F5BE7F6531B4}\Parameters
It starts the service; the service drops a driver to: "\{4C35FFDF-5669-4e96-8F6B-6CE0C16B4331}"
and installs it via the following registry modifications:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4C35FFDF-5669-4e96-8F6B-6CE0C16B4331}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4C35FFDF-5669-4e96-8F6B-6CE0C16B4331}\ImagePath=\??\C:\WINDOWS\System32\{4C35FFDF-5669-4e96-8F6B-6CE0C16B4331}
MBR Modification
The above-mentioned file 'ldo1.tmp' is responsible for modifying the hard disk's MBR (Master Boot Record) and writing the main driver and driver loader portions directly to disk.

It attempts to access the hard disk directly via a previously installed driver. If this fails, it then reverts to trying to access the hard disk directly via \\.\PhysicalDrive0.

The original MBR is then overwritten with malicious code. Additionally, the main driver is written to the end of the physical drive, from where it is loaded directly.

Once complete the Trojan sleeps for a random period of time between 15 - 30 minutes in length, after which it initiates a system shutdown. The dialog box displaying the countdown timer is hidden from the user.

Backdoor Functionality

The main driver makes outbound connections via HTTP to the following hard-coded IP address: 74.86.208.140. Presumably this is to receive instructions and/or register with a remote attacker. Static analysis suggests that the main component can receive instructions which allow it to act as an HTTP proxy, or to download and execute further Malware. Currently, the pseudo-randomly generated domains mentioned above resolve to the following IP address: 72.5.175.97.
____________________________________________________________________________________________________

Rootkit Installation 1 - Loads a driver via the ZwSetSystemInformation API. A very old, well-known and effective way to install a rootkit.

Rootkit Installation 2 - Loads driver by overwriting a standard driver (beep.sys) and starting it with service control manager (e.g. Trojan.Virantix.B).

DLL Injection 1 - Injects DLL into trusted process (svchost.exe) by injecting APC on LoadLibraryExA with "dll.dll" as a param. The string "dll.dll" is not written into process memory, it's from the ntdll.dll export table which has the same address in all processes. The APC is injected into second thread of the svchost.exe which is always in alertable state.

DLL Injection 2 - An old technique. The DLL is injected via remote thread creation in the trusted process, without using WriteProcessMemory.

BITS Hijack - Downloads a file from the internet using the "Background Intelligent Transfer Service", which acts from the trusted process (svchost.exe).
____________________________________________________________________________________________________

Auto-Start Entry Point (ASEP) Methods (HOW THE VIRUS LOADS)

AppInit_DLLs: All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session. The AppInit DLLs are loaded by using the LoadLibrary() function during the DLL_PROCESS_ATTACH processing of User32.dll. Therefore, executables that do not link with User32.dll do not load the AppInit DLLs. That is why, in this sample, one of the 16 libraries in the import table was user32.dll (Import table (libraries: 16)).

Because of their early loading, only API functions that are exported from Kernel32.dll are safe to use in the initialization of the AppInit DLLs. So murka.dat registers itself in "AppInit_DLLs" as a load point for beep.sys, so that every time the computer starts, the RootKit driver can load itself with the kernel...

Example:

Trojan.Virantix.B
---------------------------------------------------------------------------------------------------------------------------------------------
When the Trojan is executed, it creates the following files:

%System%\user32.dat
%Windir%\medichi.exe
%Windir%\medichi2.exe
%Windir%\murka.dat

It then overwrites the following files:

%System%\beep.sys |
%System%\dllcache\beep.sys | <---- Actual driver (both copies) that later on uses the RootKit feature to hide the process medichi.exe

Next, the Trojan creates the following registry entries so that it executes whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%Windir%\murka.dat"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Medichi" = "%Windir%\medichi.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Medichi2" = "%Windir%\medichi2"

It then hooks the following API and hides itself: <--- RootKit activity
ZwQuerySystemInformation <--- Hooks the Native subsystem's function call

The Trojan then connects to the following location, which displays a fake security alert:
hxxp://gomyhit.com/MTc3MTY=/2/6018/852/

It also opens the following URL, which may contain another program:
hxxp://81.13.38.39/aler

The Trojan monitors the browser on the compromised computer and steals search keywords that can be used on certain search engines and submits it to following remote location:
hxxp://werdagoniotu.com/searc

It attempts to download updates of itself from the following locations:
hxxp://globalmenu.net/1/sert
hxxp://softinfoway.info/1/sert
hxxp://getupdate.info/1/sert
____________________________________________________________________________________________________
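
As an added example serving both the fix sections above and this ASEP section (not code from the original article or from the RRT tool it mentions), the following Python script audits a Regedit export for the restriction policies those fixes delete and for the auto-start locations the Sinowal and Virantix write-ups describe. DisableRegistryTools and NoRun are real value names the article does not quote, and the sample .reg text is constructed from the entries quoted on the page.

```python
import re

# Policy values the fix sections above delete or zero; a non-zero DWORD means the
# restriction is active. DisableRegistryTools (behind "Registry editing has been
# disabled") and NoRun are real value names the article does not quote.
RESTRICTIONS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        ("DisableTaskMgr", "DisableRegistryTools"),
    r"hkey_current_user\software\policies\microsoft\windows\system": ("DisableCMD",),
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        ("NoFolderOptions", "NoRun"),
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer":
        ("NoFolderOptions",),
}
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
RUN_KEYS = ("run", "runonce", "runservices")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.+)$')


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key (lower-cased): {name: (kind, data)}}; dword: and quoted strings are
    decoded, other kinds (hex:, hex(2):, ...) are kept as raw text."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group("name"), m.group("data")
        name = "(Default)" if name == "@" else name[1:-1]
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg files escape backslashes and quotes inside strings
            keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
        else:
            keys[current][name] = ("RAW", data)
    return keys


def dropper_like(path):
    """Paths of the kind the write-ups above show: temp directories, .tmp/.dat 'DLLs'."""
    p = str(path).lower()
    return "\\temp\\" in p or p.endswith((".tmp", ".dat"))


def audit(keys):
    """Findings in a fixed order: active restrictions first, then ASEPs."""
    findings = []
    for key, names in RESTRICTIONS.items():
        for name in names:
            kind, data = keys.get(key, {}).get(name, (None, 0))
            if kind == "REG_DWORD" and data != 0:
                findings.append(f"restriction {name}={data} under {key}")
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs")
    if appinit and str(appinit[1]).strip():
        # Any non-empty AppInit_DLLs deserves a look: every user32-linked process loads it.
        findings.append(f"asep AppInit_DLLs={appinit[1]}")
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf in RUN_KEYS and "\\currentversion\\" in key:
            for name, (_, data) in values.items():
                flag = " [dropper-like path]" if dropper_like(data) else ""
                findings.append(f"asep {leaf} {name}={data}{flag}")
        if "\\services\\" in key and key.endswith("\\parameters"):
            svc = values.get("ServiceDll")   # svchost-hosted service DLL, as in Sinowal
            if svc and dropper_like(svc[1]):
                findings.append(f"asep ServiceDll={svc[1]} [dropper-like path]")
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


# Constructed sample export, assembled from the entries quoted in the write-ups above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\murka.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Medichi"="C:\\WINDOWS\\medichi.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7663B344-A474-4eff-A35D-F5BE7F6531B4}\Parameters]
"ServiceDll"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\cln2.tmp"
'''
```

Export the relevant hives with `reg export` from recovery media or Safe Mode, since a running rootkit can filter what Regedit itself shows.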

RootKit Activity: Rootkits work by changing API results so that a system view using APIs differs from the actual view in storage. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, Rootkits, user mode or kernel mode, manipulate the Windows API or native API to remove their presence from a directory listing. A kernel-mode RootKit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system, can be compromised.

A Little More Detail:

The early Rootkits were basically application Rootkits. They used to overwrite Windows user-mode application binaries with trojaned binaries. To hide a given piece of Malware effectively, the RootKit might need to overwrite many applications. This sledge-hammer technique was relatively crude and easily spotted by checksum-based PC security programs.

Instead of overwriting binaries, User Mode Rootkits can hide objects by intercepting (hooking) application calls to high-level Windows API functions. Most Windows applications rely on stock functions for a wide range of basic tasks, such as displaying dialog boxes or driving devices such as hard drives and printers. The stock Microsoft functions are grouped conceptually and stored in shared libraries, referred to as Dynamic Link Libraries (DLLs). Every developer can learn the locations of functions within DLLs -- and every attacker can exploit this same knowledge. For example, many applications use the kernel32.dll FindFirstFile function to explore files. A RootKit may change the application's Import Address Table, replacing pointers to the location of kernel32.dll with RootKit DLL pointers. When the FindFirstFile function is invoked, the RootKit uses kernel32.dll's FindFirstFile function, but filters the result to hide filenames that provide evidence of the Rootkit's presence. This Windows API hooking technique can also be used to hide processes, sockets, services, and registry keys.

More sophisticated User Mode Rootkits exploit the slightly lower-level Native API which invokes functions provided by the operating system's ntdll.dll library. For example, Task Manager (iexplore.exe) uses the ntdll.dll NtQuerySystemInformation function to get a list of active processes. A RootKit can hook Task Manager's call to ntdll.dll, and then strip Malware processes from the returned list.

Some User Mode Rootkits patch a few bytes of in-memory Windows API code to insert a jump to the Rootkit's DLL. As described above, the RootKit filters output objects before returning control to the compromised code, which then returns data to the application that invoked the Windows API or Native API. A malicious hacker can use in-memory patching to hide files, processes, services, drivers, registry keys and values, open ports, and disk space usage.

User Mode applications and DLLs access the kernel by using system calls to reach device drivers. Drivers have direct access to kernel data objects, including the Master File Table, the Registry Hive, and the kernel's active process table. Kernel Mode Rootkits hook these system calls, patch these device drivers, or modify kernel data objects to alter results at the lowest level. For example, system call hooking can modify the process list returned by the kernel to ntdll.dll, instead of changing the list returned by ntdll.dll to Task Manager. Due to complexity and tight-coupling, Kernel Mode Rootkits must take care to avoid crashing the compromised PC.

An increasingly popular technique used by Kernel Mode Rootkits is Direct Kernel Object Manipulation (DKM). Instead of intercepting query and enumeration API calls, DKM modifies the kernel's own data structures. For example, a DKM RootKit might remove a Malware process from the kernel's process table. It might use syntactically-invalid names to hide folders and files from the Windows NT file system (NTFS). Or it might manipulate the Registry Hive to prevent enumeration of hidden registry keys; for example, embedding a NULL character in a key's name or value, hiding what follows from Windows API RegEnumValue or Native API NtEnumerateKey queries.

These methods can be found in many Windows Rootkits, including AFX (kernel32.dll hooking and patching), Vanquish (kernel32.dll patching), Hacker Defender (ntdll.dll patching), and FU (DKM). For instance, FU loads the driver msdirectx.sys, which can then be used to hide Malware processes and device drivers. Unlike most Rootkits, FU does not attempt to hide itself, which may explain why FU is the most oft-removed RootKit encountered by Microsoft's Malicious Software Removal Tool.

Summary

They patch the Kernel level functions and load a driver in its place. The directory listing calls are thus intercepted by the RootKit driver and then forwarded to the actual NTDLL subsystems library function. When the control is again sent back to the RootKit driver from the actual Kernel function, it then filters the output thus hiding its presence.

In the above example, %System%\dllcache\beep.sys is the RootKit driver that patches the ZwQuerySystemInformation. It thus hides the presence of the below mentioned infected files:

%System%\user32.dat
%Windir%\medichi.exe
%Windir%\medichi2.exe
%Windir%\murka.dat

At times the RootKit driver patches the ZwQuerySystemInformation or the NtQuerySystemInformation Kernel function.

---------------------------------------------------------------------------------------------------------------------------------------------
The native API, referred to as the NTDLL subsystem, is a series of undocumented API function calls that handle most of the work performed by KERNEL. The NTDLL subsystem is located in ntdll.dll. This library contains many API function calls, and all follow a particular naming scheme. Each function has a prefix: Ldr, Ki, Nt, Zw, Csr, dbg, etc. All the functions that have a particular prefix follow particular rules.

The "official" native API is usually limited only to functions whose prefix is Nt or Zw. These calls are in fact the same and are used to provide function calls in both Kernel and User space. However, User applications are encouraged to use the Nt* calls, while Kernel callers are supposed to use the Zw* calls. Windows drivers are allowed to use the Kernel-mode functions in NTDLL because these drivers operate at Kernel Level.
____________________________________________________________________________________________________

OTHER THINGS THAT CAN BE DONE IN REGEDIT

Changing the Tips of the Day

You can edit the Tips of the day in the Registry by going to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Tips

Disabling Drives in My Computer

To turn off the display of local or networked drives when you click on My Computer:
1.Open RegEdit
2.Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
3.Add a New DWORD item and name it NoDrives
4.Give it a value of 3FFFFFF
5.Now when you click on My Computer, none of your drives will show.

Changing the caption on the Title Bar

Change the Caption on the Title Bar for OutLook Express or the Internet Explorer:
For Outlook Express:
1. Open RegEdit
2. Go to
HKEY_CURRENT_USER\Software\Microsoft\OutLook Express
For IE5 and up use:
HKEY_CURRENT_USER\IDENTITIES\{9DDDACCO-38F2-11D6-93CA-812B1F3493B}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0
3. Add a string value "WindowTitle" (no space)
4. Modify the value to what ever you like.

For no splash screen, add a dword value "NoSplash" set to 1
The Key {9DDDACCO-38F2-11D6-93CA-812B1F3493B} can be any key you find here. Each user has his own Key number.
The Key 5.0 is whatever version of IE you have

For Internet Explorer:
1. Open RegEdit
2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
3. Add a string value "Window Title" (use a space)
4. Modify the value to what ever you like.

Disabling the Right-Click on the Start Button

Normally, when you right-click on the Start button, it allows you to open your Programs folder, the Explorer and run Find.
There are situations where you don't want to allow users to be able to do this, in order to secure your computer. To disable it:
1.Open RegEdit
2.Search for Desktop
3.This should bring you to HKEY_CLASSES_ROOT\Directory
4.Expand this section
5.Under Shell is Find
6.Delete Find
7.Move down a little in the Registry to Folder
8.Expand this section and remove Explore and Open
Now when you right click on the Start button, nothing should happen.
You can delete only those items that you need to disable.
Note: On Microsoft keyboards, this also disables the Window-E (for Explorer) and Window-F (for Find) keys.
See the section on Installation in the RESKIT to see how to do this automatically during an install.

Disabling My Computer

In areas where you are trying to restrict what users can do on the computer, it might be beneficial to disable the ability to click on My Computer and have access to the drives, control panel etc.
To disable this:
1.Open RegEdit
2.Search for 20D04FE0-3AEA-1069-A2D8-08002B30309D
3.This should bring you to the HKEY_CLASSES_ROOT\CLSID section
4.Delete the entire section.
Now when you click on My Computer, nothing will happen.
You might want to export this section to a Registry file before deleting it just in case you want to enable it again. Or you can rename it to 20D0HideMyComputer4FE0-3AEA-1069-A2D8-08002B30309D. You can also hide all the Desktop Icons, see Change/Add restrictions.

Opening Explorer from My Computer

By default, when you click on the My Computer icon, you get a display of all your drives, the Control Panel etc. If you would like to have this open the Explorer:
1. Open RegEdit
2. Go to
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell
3. Add a new Key named "Open" if it does not exist, by right-clicking "Shell" and selecting New.
4. Add a new Key named "Command" by right-clicking "Open" and selecting New.
5. Set the (Default) value for the Command Key to "Explorer.exe" or "C:\Windows\Explorer.exe"

Recycle Bin Edits

Fooling with the recycle bin. Why not make the icon context menu act like other icon context menus.
Add rename to the menu:
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
"Attributes"=hex:50,01,00,20
Add delete to the menu:
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
"Attributes"=hex:60,01,00,20
Add rename and delete to the menu:
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
"Attributes"=hex:70,01,00,20
Restore the recycle bin to Windows defaults including un-deleting the icon after deletion:
Restore the icon.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
@="Recycle Bin"
Reset Windows defaults.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
"Attributes"=hex:40,01,00,20
Other edits to the recycle bin icon:
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
"Attributes"=hex:40,01,01,20 ... standard shortcut arrow
"Attributes"=hex:40,01,02,20 ... a different shortcut arrow
"Attributes"=hex:40,01,04,20 ... and still another shortcut arrow
"Attributes"=hex:40,01,08,20 ... make it look disabled (like it's been cut)

For Windows XP and 2000 also edit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
For Windows ME also edit HKEY_CURRENT_USER\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}


Setting the Minimum Password Length

1.Open RegEdit
2.Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network
3. Now choose the Edit/New/Binary Value command and call the new value MinPwdLen. Press Enter twice and assign it a value equal to your minimum password length.

Add\delete programs to run every time Windows starts

You can start or stop programs from executing at boot-up by adding or deleting them to/from the Run keys in the Registry. Windows loads programs to start in the following order: programs listed in the Local Machine hive, then the Current User hive, then the Win.ini Run= and Load= lines, then finally programs in your Start Up folder.

To add or remove programs in the Registry
1.Open RegEdit
2.Go to the desired Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
3. Add a new String Value and name it anything you like
4. For the value data, enter the path and executable for the program you want to run.

Adding the value to the HKEY_CURRENT_USER hive instead makes the program start only when that user is logged on.

If you add the value to the RunOnce key the program will run once and be removed from the key by Windows.

Removing the Shortcut Icon Arrows

1.Open RegEdit
2.Open the Key HKEY_CLASSES_ROOT
3.Open the Key LNKFILE
4.Delete the value IsShortcut
5.Open the next Key PIFFILE
6.Delete the value IsShortcut
7.Restart Windows

Turn Off Window Animation

You can shut off the animation displayed when you minimize and maximize Windows.
1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics
3. Create a new string value "MinAnimate".
4. Set the value data of 0 for Off or 1 for On

Changing your Modem's Initialization String

1.Open RegEdit
2.Go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\0000\Init
3.Change the settings to the new values

Increasing the Modem Timeout

If your modem is timing out during file transfers or loading Web pages, you might try increasing the timeout period. To change the timeout:
1.Open RegEdit
2.Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\XXXX\Settings, where XXXX is the number of your modem
3.In the right panel, double-click on Inactivity Timeout
4.The number of minutes for a timeout should be entered between the brackets.
5.For example, a setting could have S19=<10> to set it to 10 minutes.

Removing Programs from Control Panel's Add/Remove Programs Section

If you uninstalled a program by deleting the files, it may still show up in the Add/Remove programs list in the Control Panel.
In order to remove it from the list.
1.Open RegEdit
2.Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
3.Delete any programs here.
If you have a problem locating the desired program, open each key and view the DisplayName value.

The Fix for Grayed Out Boxes

The File Types tab in Explorer's View / Options menu lets you edit most of your file types, but certain settings cannot be changed. The default action for a batch file, for instance, runs the batch file instead of opening it via Notepad or Wordpad. Thus, when you double-click on AUTOEXEC.BAT, a DOS window opens, and the file executes. If you want to change this default action and edit a batch file when you double-click on it, however, the File Types tab does not let you do so; the Set Default button for the file type called MS-DOS Batch File is always grayed out.

The button is grayed out because HKEY_CLASSES_ROOT's batfile key contains an EditFlag value entry. Such entries are used throughout the Registry to prevent novice users from altering certain system settings. The binary data in batfile's EditFlag reads d0 04 00 00. If you change this value to 00 00 00 00, you can then change any of the batch file settings. Do not, however, indiscriminately zero out EditFlag; if you do so in a system ProgID such as Drive or AudioCD, it completely disappears from the File Types list. For ProgIDs that are linked to extensions, set all EditFlags to 00 00 00 00. For system ProgIDs, replace EditFlag data with 02 00 00 00.

If you wish to have access to some buttons while leaving others grayed out, you must know the function of each EditFlag bit. The last two bytes of data are always zero, but most bits within the first two bytes have a specific effect:

Byte 1, bit 1: Removes the file type from the master list in the File Types tab (select View / Options under Explorer) if it has an associated extension.
Byte 1, bit 2: Adds the file type to the File Types tab if it does not have an associated extension.
Byte 1, bit 3: Identifies a type with no associated extension.
Byte 1, bit 4: Grays out the Edit button in the File Types tab.
Byte 1, bit 5: Grays out the Remove button in the File Types tab.
Byte 1, bit 6: Grays out the New button in the Edit File Type dialog (select the Edit button in the File Types tab).
Byte 1, bit 7: Grays out the Edit button in the Edit File Type dialog.
Byte 1, bit 8: Grays out the Remove button in the Edit File Type dialog.
Byte 2, bit 1: Prevents you from editing a file type's description in the Edit File Type dialog.
Byte 2, bit 2: Grays out the Change Icon button in the Edit File Type dialog.
Byte 2, bit 3: Grays out the SetDefault button in the Edit File Type dialog.
Byte 2, bit 4: Prevents you from editing an action's description in the Edit Action dialog (select the Edit button in the Edit File Type dialog).
Byte 2, bit 5: Prevents you from editing the command line in the Edit Action dialog.
Byte 2, bit 6: Prevents you from setting DDE (Dynamic Data Exchange) fields in the Edit Action dialog.
The EditFlags value for Drive, for instance, is d2 01 00 00 in Hex (1101 0010 0000 0001 in binary). Bits 2, 5, 7, and 8 are on in byte 1, and bit 1 is on in byte 2. The EditFlag for batfile is d0 04 00 00 in Hex or 1101 0000 0000 0100 in binary. In this case, bits 5, 7, and 8 are on in byte 1, and bit 3 is on in byte 2.

Bits 4, 5, and 6 of byte 2 apply only to actions that are protected. EditFlags with action keys (such as HKEY_CLASSES_ROOT\batfile\shell\open) determine protection. If byte 1, bit 1 of such an EditFlag is 0 (or if there is no EditFlag), then the action is protected. If byte 1, bit 1 is 1, then the action is unprotected.
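To make the bit table above concrete, here is an added Python example (not code from the original page) that decodes an EditFlags value as RegEdit displays it, names the set bits using the page's table, applies the page's protection rule for action keys, and returns the replacement value the page recommends for extension-linked versus system ProgIDs. The short labels are my own wording of the table entries; the two values checked are the batfile and Drive examples quoted in the text.

```python
"""Decode an EditFlags value using the bit table above.

Added example, not code from the original page. The bit meanings and the
two rewrite rules are taken from the text; the short labels are my own.
"""

# (byte, bit) -> meaning, as given in the page's table. Bit 1 is the least
# significant bit of each byte, which is the numbering the page's examples use.
BIT_LABELS = {
    (1, 1): "hide type with an extension from the File Types list",
    (1, 2): "show type without an extension in the File Types list",
    (1, 3): "type has no associated extension",
    (1, 4): "gray out Edit (File Types tab)",
    (1, 5): "gray out Remove (File Types tab)",
    (1, 6): "gray out New (Edit File Type dialog)",
    (1, 7): "gray out Edit (Edit File Type dialog)",
    (1, 8): "gray out Remove (Edit File Type dialog)",
    (2, 1): "no editing of the file type description",
    (2, 2): "gray out Change Icon",
    (2, 3): "gray out Set Default",
    (2, 4): "no editing of an action's description (protected actions only)",
    (2, 5): "no editing of an action's command line (protected actions only)",
    (2, 6): "no editing of DDE fields (protected actions only)",
}


def parse_editflags(hex_text):
    """Turn 'd0 04 00 00' (RegEdit's REG_BINARY display) into 4 bytes."""
    data = bytes.fromhex(hex_text.replace(" ", ""))
    if len(data) != 4:
        raise ValueError("EditFlags is a 4-byte REG_BINARY value")
    return data


def set_bits(data):
    """List the (byte, bit) pairs that are on in the first two bytes.

    The page states the last two bytes are always zero, so they are not decoded.
    """
    found = []
    for byte_no in (1, 2):
        value = data[byte_no - 1]
        for bit_no in range(1, 9):
            if value & (1 << (bit_no - 1)):
                found.append((byte_no, bit_no))
    return found


def describe(hex_text):
    """Human-readable list of what a given EditFlags value locks."""
    return [BIT_LABELS.get(b, "byte %d bit %d (not in the table)" % b)
            for b in set_bits(parse_editflags(hex_text))]


def action_is_protected(hex_text):
    """Protection rule for action keys such as HKEY_CLASSES_ROOT\\batfile\\shell\\open:
    no EditFlags at all, or byte 1 bit 1 clear, means the action is protected."""
    if hex_text is None:
        return True
    return (1, 1) not in set_bits(parse_editflags(hex_text))


def unlocked_value(system_progid):
    """Replacement value the page recommends: 02 00 00 00 for a system ProgID
    such as Drive or AudioCD (keeps it in the File Types list), otherwise all zeros."""
    return "02 00 00 00" if system_progid else "00 00 00 00"


if __name__ == "__main__":
    for name, value in (("batfile", "d0 04 00 00"), ("Drive", "d2 01 00 00")):
        print(name, value, "->", set_bits(parse_editflags(value)))
        for line in describe(value):
            print("   ", line)
```

Running it prints the same bit lists the text gives for batfile and Drive; note that `unlocked_value(True)` keeps only byte 1 bit 2 set, which is exactly why the page says a system ProgID zeroed to 00 00 00 00 disappears from the File Types list.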

Protection on system files

To enable protection on system files such as the KnownDLLs list, add the following value:

1. Open RegEdit
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
3. Create a DWORD value and name it "ProtectionMode"
4. Set the value to 1

Removing Add/Remove Programs Entries From RegEdit

We normally use the Add/Remove Programs option in Control Panel to remove unwanted programs from the computer. Sometimes a program ships with a poorly designed uninstaller, so it is not removed properly and a reference to it remains in the registry. Such a stale reference can keep your computer from running smoothly. To delete it, edit the registry with the RegEdit editor.

First click the Start button and open the Run dialog box. Type RegEdit and press Enter.

In the editor, navigate to the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Locate the entry your program created (it carries the program's name), select that entry in the list on the left panel and delete its key.

Close the Registry Editor and restart your computer; the program will be removed from your computer permanently.

Changing Telnet Window

You can view more data if you increase the line count of Telnet. By default it has a window size of 25 lines. To increase this so you can scroll back and look at a larger number of lines:
1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Telnet
3. Modify the value data of "Rows"

Removing Items from NEW Context Menu

When you right-click on the desktop and select New, or choose New from the File menu in Explorer, a list of default templates you can open is shown.
To remove items from that list:
1. Open RegEdit
2. Search for the string ShellNew in the HKEY_CLASSES_ROOT hive
3. Delete the ShellNew key for the items you want to remove.

Remove Open, Explore & Find from Start Button

When you right-click on the Start button, you can select Open, Explore or Find.
Open shows your Programs folder. Explore starts Explorer and allows access to all drives.
Find allows you to search for and then run programs. In certain situations you might want to disable this feature.
To remove them:
1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\Directory\Shell\Find
3. Delete Find
4. Scroll down below Directory to Folder
5. Expand the shell section under it
6. Delete Explore and Open
Caution: when you remove Open, you cannot open any folders.

Adding Items to the Start Button

To add items to the menu that appears when you right-click on the Start button:
1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\Directory\Shell
3. Right-click on Shell and select New Key
4. Type in the name of the key and press Enter
5. In the (Default) value shown in the right-hand panel, you can add a title with an "&" character in front of the letter you want as the shortcut
6. Right-click on the key you just created and create another key under it called command
7. For the (Default) value of this command key, enter the full path of the program you want to execute
8. Now when you right-click on the Start button, your new program will be there.
9. For example, to add Word you would add Word as the first key; the (Default) value in the right panel would be &Word, so when you right-click on the Start button, W is the hot key on your keyboard. The value of the command key would be C:\Program Files\Office\Winword\Winword.exe

Changing the MaxMTU for faster Downloads

There are four Internet settings that can be configured; by modifying them you can get greater throughput (faster Internet downloads).
They are MaxMTU, MaxMSS, DefaultRcvWindow and DefaultTTL.

1. Open RegEdit
2. Go to
HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\Class\net\000x
(where x is your particular network adapter binding.)
3. Right-click on the right panel
4. Select New\String Value and create the value name IPMTU
5. Double-click on it and enter the number you want. The usual change is to 576
6. Similarly, you can add IPMSS and give it a value of 536

(Windows 9x) You can set DefaultRcvWindow and DefaultTTL by adding these string values to HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\VXD\MSTCP
Set DefaultRcvWindow to "5840" and DefaultTTL to "128"

Note: these settings will slow down your network access speed slightly, but you will probably not even see the difference if you are using a network card. If you are using Direct Cable you should see a slight difference.

Disable Password Caching

To disable password caching (which allows for a single network login and eliminates the secondary Windows logon screen), either use the same password for both, or:

1. Open RegEdit
2. Go to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network
3. Add a DWORD value "DisablePwdCaching" and set the value to 1

Automatic Screen Refresh

When you make changes to your file system and use Explorer, the changes are usually not displayed until you press the F5 key.
To refresh automatically:
1. Open RegEdit
2. Go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update
3. Set the value name "UpdateMode" to 1

Creating a Default File Opener

If you have an unregistered file type and want to view it instead of having to select Open With, use Explorer's right-click menu and add your program to the right-click options:
1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\Unknown\Shell
3. Right-click on "Shell", create a new key and name it "Open"
4. Create a new key under the "Open" key you just created and name it "Command"
5. Set the (Default) value to the path and filename of the program you want to use to open the file type
6. For example: C:\Windows\NOTEPAD.EXE %1
You must use the "%1" for this to work, with a space between the exe and the %1.

How to check and recover your pendrive from VIRUS

Many PCs and laptops pick up viruses from pen drives or USB devices (even PCs that are not connected to a network). Some viruses, such as the Ravmon virus and the Heap41a worm, are not detected by ordinary anti-virus software and spread mostly by pen drives. In such a case, what can you do to prevent your PC from getting infected with a virus that spreads through USB devices or pen drives?

You can protect your PC by just following the simple steps below. It won't take much time.
• Connect your pen drive or USB drive to your computer.
• A dialogue window will pop up asking you to choose among several options (the figure is not reproduced here).
• Don't choose any of them; just click Cancel.
• Go to Start --> Run and type cmd to open the Command Prompt window.
• Go to My Computer and check the drive letter of your USB drive or pen drive (e.g. if it is shown as Kingston (I:), then I: is the drive letter).
• In the command window (cmd), type the drive letter followed by a colon and hit Enter.
• Now type dir/w/o/a/p and hit Enter.
• You will get a list of files. In the list, check whether any of the following exist:
  1. Autorun.inf
  2. New Folder.exe
  3. Bha.vbs
  4. Iexplore..vbs
  5. Info.exe
  6. New_Folder.exe
  7. Ravmon.exe
  8. RVHost.exe, or any other file with a .exe extension.

• If you find any of the files above, run the command attrib -h -r -s -a *.* and hit Enter.
• Now delete each file using the command del filename (e.g. del autorun.inf).
• That's it. Now scan your USB drive with the anti-virus you have to ensure your pen drive is free of the virus.

The "C:\heap41a" virus is very common now. To find out whether your system is infected, type C:\heap41a in the address bar; if there is a folder named heap41a, your system is infected. (AVAST antivirus is the best solution for this worm; Symantec also works.)
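The manual check above (list the drive root, look for the named files, see what autorun.inf would launch) can be scripted. This is an added Python example, not part of the original post: it scans a directory as the drive root, flags the indicator names the post lists plus any other .exe in the root, reports the Hidden/System attributes the post clears with attrib (only available on Windows), and parses autorun.inf to show the program it would launch. It only reports; it does not change attributes or delete anything. The sample drive it builds, including the autorun.inf contents, is constructed for the demonstration.

```python
"""Check a drive root for the indicator files listed above.

Added example, not part of the original post. It only reports what it finds
(names, Hidden/System attributes, and what an autorun.inf would launch); it
does not change attributes or delete anything. The sample drive is built in a
temporary directory and its autorun.inf contents are constructed for the demo.
"""
import configparser
import os
import stat
import tempfile

# File names the post lists as signs of a pen-drive worm, matched case-insensitively.
INDICATOR_NAMES = {
    "autorun.inf", "new folder.exe", "bha.vbs", "iexplore..vbs",
    "info.exe", "new_folder.exe", "ravmon.exe", "rvhost.exe",
}


def is_hidden_or_system(path):
    """True on Windows when the file carries the Hidden or System attribute
    (the ones the post clears with attrib -h -s); always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def parse_autorun(path):
    """Return the keys of the [autorun] section, e.g. what 'open=' would launch."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        return {"error": "malformed autorun.inf"}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def scan_root(root):
    """Inspect the files directly in the drive root, like the post's dir listing."""
    findings = []
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if not os.path.isfile(full):
            continue
        low = name.lower()
        if low in INDICATOR_NAMES:
            reason = "listed indicator"
        elif low.endswith(".exe"):
            reason = "unexpected .exe in drive root"
        else:
            continue
        findings.append({
            "name": name,
            "reason": reason,
            "hidden_or_system": is_hidden_or_system(full),
            "autorun": parse_autorun(full) if low == "autorun.inf" else {},
        })
    return findings


def build_sample_drive():
    """Constructed sample drive root: a worm-style autorun.inf beside a few
    innocent files (demo data only)."""
    root = tempfile.mkdtemp(prefix="pendrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\n"
                "open=New Folder.exe\n"
                "shellexecute=New Folder.exe\n"
                "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    for fn in ("New Folder.exe", "holiday.jpg", "notes.txt"):
        open(os.path.join(root, fn), "wb").close()
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for f in scan_root(drive):
        print(f["name"], "-", f["reason"], f["autorun"] or "")
```

Point `scan_root` at a real drive root (for example `scan_root("I:\\")`) to get the same report for a pen drive; the autorun section is what tells you which file the drive would try to run if AutoPlay were allowed.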

Creating a Logon Banner

If you want to create a logon banner (a message box that appears before the logon screen):

1. Open RegEdit
2. Go to
For Windows 9x and ME:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon

For Windows 2000, XP, 2003 and Vista:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon

3. Create a new string value "LegalNoticeCaption"
4. Enter the title of the window (what is displayed in the title bar).
5. Create a new string value "LegalNoticeText"
6. Enter the text for your message box; it will appear even before the logon window.

Changing the Location of Windows' Installation Files

If you need to change the drive and/or path where Windows looks for its installation files:
1. Open RegEdit
2. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
3. Edit the value next to SourcePath

Adding Explore From Here to Every Folder

If you want to right-click on any folder and open an Explorer window rooted at that folder:

1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\Folder\shell
3. Add a new key "RootExplore" under the "shell" key
4. Set its (Default) value to "E&xplore From Here"
5. Right-click the "RootExplore" key and add a new key "Command" under it
6. Set the (Default) value of Command to Explorer.exe /e,/root,/idlist,%i

Adding an Application to the Right Click on Every Folder

Here is how to add any application to the context menu that appears when you right-click on any folder, so you do not always have to go to the Start Menu. You can then reach that application from any folder, much like using Send To.

1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\Folder\shell
3. Add a new Key to the "Shell" Key and name it anything you like.
4. Give it a default value that will appear when you right click a folder, i.e. NewKey (use an "&" without the quotes, in front of any character and it will allow you to use the keyboard)
5. Click on the Key HKEY_CLASSES_ROOT\Folder\shell\NewKey
6. Add a New Key named Command
7. Set the (Default) value of the application you want to run
8. For example: c:\program files\internet explorer\iexplore.exe (Include the full path and parameters if you need them)

Add/Remove Sound Events from Control Panel

You can add and delete sound events in the Control Panel. In order to do that:

1. Open RegEdit
2. Go to HKEY_CURRENT_USER\AppEvents\Schemes\Apps and HKEY_CURRENT_USER\AppEvents\Schemes\Eventlabels. If this key does not exist you can create it and add events.
3. You can add/delete any items you want to or delete the ones you no longer want.

To change the location of your mailbox for Outlook

1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Outlook (or Outlook Express if Outlook Express)
3. Go to the section "Store Root"
4. Make the change to file location

Changing Exchange/Outlook Mailbox Location

To change the location of your mailbox for Exchange:
1. Open RegEdit
2. Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles
3. Go to the profile you want to change
4. Go to the value name that has the file location for your mailbox (*.PST) file
5. Make the change to file location or name

Opening a DOS Window to either the Drive or Directory in Explorer

Add the following Registry Keys for a Directory:
HKEY_CLASSES_ROOT\Directory\shell\opennew
@="Dos Prompt in that Directory"

HKEY_CLASSES_ROOT\Directory\shell\opennew\command
@="command.com /k cd %1"

Add or Edit the following Registry Keys for a Drive:
HKEY_CLASSES_ROOT\Drive\shell\opennew
@="Dos Prompt in that Drive"

HKEY_CLASSES_ROOT\Drive\shell\opennew\command
@="command.com /k cd %1"

These allow you to right-click on either the drive or the directory and choose to start a DOS prompt there.

Change the Registered User Information

You can change the Registered Owner or Registered Organization to anything you want even after Windows is installed.

1) Open RegEdit
2) Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
3) Change the value of "RegisteredOrganization" or "RegisteredOwner" to whatever you want

Change Default Folder Locations

You can change or delete the Windows mandatory locations of folders such as My Documents:

1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
3. Change the desired folder location; My Documents is normally listed as "Personal"
4. Open the Explorer and rename or create the folder you wish.

To change the desired location of the Program Files folder
1. Go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
2. Change the value of "ProgramFiles", or "ProgramFilesDir"
Now when you install a new program it will default to the new location you have selected.

Changing Windows' Icons

You can change the Icons Windows uses for folders, the Start Menu, opened and closed folder in the Explorer, and many more.

1. Open RegEdit
2. Go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
3. Add a string value for each Icon you wish to change.
Example: "3" ="C:\Windows\Icons\MyIcon.ico,0" This will change the closed folders in the Explorer to "MyIcon.ico". Here is a complete list for each value.

0= Unknown file type
1= MSN file types
2= Applications Generic
3= Closed Folder
4= Open Folder
5= 5.25" Drive
6= 3.25" Drive
7= Removable Drive
8= Hard Drive
9= NetWork Drive
10= Network Drive Offline
11= CD-ROM Drive
12= RAM Drive
13= Entire Network
14= Network Hub
15= My Computer
16= Printer
17= Network Neighborhood
18= Network Workgroup
19= Start Menu's Program Folders
20= Start Menu's Documents
21= Start Menu's Setting
22= Start Menu's Find
23= Start Menu's Help
24= Start Menu's Run
25= Start Menu's Suspend
26= Start Menu's PC Undock
27= Start Menu's Shutdown
28= Shared
29= Shortcut Arrow
30= (Unknown Overlay)
31= Recycle Bin Empty
32= Recycle Bin Full
33= Dial-up Network
34= DeskTop
35= Control Panel
36= Start Menu's Programs
37= Printer Folder
38= Fonts Folder
39= Taskbar Icon
40= Audio CD

You need to reboot after making changes. You may need to delete the hidden file ShellIconCache if after rebooting the desired Icons are not displayed.

Multiple Columns For the Start Menu

To make Windows use multiple Start Menu columns instead of a single scrolling column, as Windows 9x did (this also applies when using Classic Mode in XP):

1. Open RegEdit
2. Go to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
3. Create a string value "StartMenuScrollPrograms"
4. Right click the new string value and select modify
5. Set the value to "FALSE"

Disable the Outlook Express Splash Screen

You can make Outlook Express load quicker by disabling the splash screen:

1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
3. Add a string value "NoSplash"
4. Set the value data to 1 as a Dword value

Customize the System Tray

You can add your name or anything you like that is 8 characters or less; it will replace the AM or PM next to the system time. Be aware that this can corrupt some trial licenses of software you may have downloaded.

1. Open RegEdit
2. Go to HKEY_CURRENT_USER\Control Panel\International
3. Add two new String values, "s1159" and "s2359"
4. Right click the new value name and modify. Enter anything you like up to 8 characters.

If you enter two different values when modifying, you can have the system tray display the two different values in the AM and PM.

Lock Out Unwanted Users

Want to keep people from accessing Windows, even as the default user? If you do not have a domain do not attempt this.

1. Open RegEdit
2. Go to HKEY_LOCAL_MACHINE\Network\Logon
3. Create a dword value "MustBeValidated"
4. Set the value to 1
This forced logon can be bypassed in Safe Mode on Windows 9x

Backup / Restore the Registry

To back up or restore the Windows 9x registry:

If you are in MSDOS, at the C:\Windows prompt type
Attrib -s -r -h C:\Windows\System.dat (press Enter)
Attrib -s -r -h C:\Windows\User.dat (press Enter)
To make the backup copies type:

copy C:\Windows\System.dat C:\Windows\System.000 (press Enter)
copy C:\Windows\User.dat C:\Windows\user.000 (press Enter)
To Restore the Registry

copy C:\Windows\System.000 C:\Windows\System.dat (press Enter)
copy C:\Windows\User.000 C:\Windows\user.dat (press Enter)

Add Open With to all files

You can add "Open With..." to the right-click context menu of all files. This is great for when you have several programs you want to open the same file types with. I use three different text editors, so I added it to the ".txt" key.

1. Open RegEdit
2. Go to HKEY_CLASSES_ROOT\*\Shell
3. Add a new Key named "OpenWith" by right clicking the "Shell" Key and selecting new
4. Set the (Default) to "Op&en With..."
5. Add a new Key named "Command" by right clicking the "OpenWith" Key and selecting new
6. Set the (Default) to "C:\Windows\rundll32.exe shell32.dll,OpenAs_RunDLL %1", C:\ being your Windows drive. You must enter the "OpenAs_RunDLL %1" exactly this way.

What are computer viruses?

1. What is a computer virus?

A computer virus is a program designed to spread itself by first infecting
executable files or the system areas of hard and floppy disks and then
making copies of itself. Viruses usually operate without the knowledge or
desire of the computer user.

2. What kind of files can spread viruses?

Viruses have the potential to infect any type of executable code, not just
the files that are commonly called 'program files'. For example, some
viruses infect executable code in the boot sector of floppy disks or in
system areas of hard drives. Another type of virus, known as a 'macro'
virus, can infect word processing and spreadsheet documents that use
macros. And it's possible for HTML documents containing JavaScript or other
types of executable code to spread viruses or other malicious code.

Since virus code must be executed to have any effect, files that the
computer treats as pure data are safe. This includes graphics and sound
files such as .gif, .jpg, .mp3, .wav, etc., as well as plain text in .txt
files. For example, just viewing picture files won't infect your computer
with a virus. The virus code has to be in a form, such as an .exe program
file or a Word .doc file, that the computer will actually try to execute.

3. How do viruses spread?

When you execute program code that's infected by a virus, the virus code
will also run and try to infect other programs, either on the same computer
or on other computers connected to it over a network. And the newly
infected programs will try to infect yet more programs.

When you share a copy of an infected file with other computer users,
running the file may also infect their computers; and files from those
computers may spread the infection to yet more computers.

If your computer is infected with a boot sector virus, the virus tries to
write copies of itself to the system areas of floppy disks and hard disks.
Then the infected floppy disks may infect other computers that boot from
them, and the virus copy on the hard disk will try to infect still more
floppies.

Some viruses, known as 'multipartite' viruses, can spread both by infecting
files and by infecting the boot areas of floppy disks.

4. What do viruses do to computers?

Viruses are software programs, and they can do the same things as any other
programs running on a computer. The actual effect of any particular virus
depends on how it was programmed by the person who wrote the virus.

Some viruses are deliberately designed to damage files or otherwise
interfere with your computer's operation, while others don't do anything but
try to spread themselves around. But even the ones that just spread
themselves are harmful, since they damage files and may cause other problems
in the process of spreading.

Note that viruses can't do any damage to hardware: they won't melt down your
CPU, burn out your hard drive, cause your monitor to explode, etc. Warnings
about viruses that will physically destroy your computer are usually hoaxes,
not legitimate virus warnings.

5. What is a Trojan horse program?

A type of program that is often confused with viruses is a 'Trojan horse'
program. This is not a virus, but simply a program (often harmful) that
pretends to be something else.

For example, you might download what you think is a new game; but when you
run it, it deletes files on your hard drive. Or the third time you start
the game, the program E-mails your saved passwords to another person.

Note: simply downloading a file to your computer won't activate a virus or
Trojan horse; you have to execute the code in the file to trigger it. This
could mean running a program file, or opening a Word/Excel document in a
program (such as Word or Excel) that can execute any macros in the document.

6. What's the story on viruses and E-mail?

You can't get a virus just by reading a plain-text E-mail message or Usenet
post. What you have to watch out for are encoded messages containing
embedded executable code (e.g., JavaScript in an HTML message) or messages
that include an executable file attachment (e.g., an encoded program file or
a Word document containing macros).

In order to activate a virus or Trojan horse program, your computer has to
execute some type of code. This could be a program attached to an E-mail, a
Word document you downloaded from the Internet, or something received on a
floppy disk. There's no special hazard in files attached to Usenet posts or
E-mail messages: they're no more dangerous than any other file.

7. What can I do to reduce the chance of getting viruses from E-mail?

Treat any file attachments that might contain executable code as carefully
as you would any other new files: save the attachment to disk and then check
it with an up-to-date virus scanner before opening the file.

If your E-mail or news software has the ability to automatically execute
JavaScript, Word macros, or other executable code contained in or attached
to a message, I strongly recommend that you disable this feature.

My personal feeling is that if an executable file shows up unexpectedly
attached to an E-mail, you should delete it unless you can positively
verify what it is, who it came from, and why it was sent to you.

The recent outbreak of the Melissa virus was a vivid demonstration of the
need to be extremely careful when you receive E-mail with attached files or
documents. Just because an E-mail appears to come from someone you trust,
this does NOT mean the file is safe or that the supposed sender had anything
to do with it.