louiee
02-20-2001, 08:23 AM
I have a virus that caused a registry change to the Application (.exe, or exefile) filetype. It seems to have affected all the registry info (system.dat and all user.dat files). This virus is so vicious that once I removed the executable, it won't let me run regedit (or any other application) from Win98. Therefore, I'm resorting to regedit from the DOS prompt, but having difficulty in getting the correct registry data files edited. Can anyone help me with the syntax of the MS-DOS regedit command? (I've checked TechNet, and the documentation is pretty sparse.)
The executable was nqokraed.exe, and I already deleted it from my computer. If anyone has any other suggestions other than manually editing the registry from DOS, I'd appreciate some help.
thanks
reghakr
02-20-2001, 02:35 PM
You can get it to work by running this exefix.reg file. You'll need access to another computer to make the file with Notepad, then transfer it to your computer by floppy.
To restore the EXE association, open Notepad and copy and paste the following between the lines and save the file as exefix.reg. Double-click on the file to merge the contents into the registry.
=========BEGIN CUT==================
REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
@="exefile"
[HKEY_CLASSES_ROOT\.exe\ShellEx]
[HKEY_CLASSES_ROOT\.exe\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{88C9E8DE-8D28-11D3-8F3C-00A0249EABF4}"
[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:d8,07,00,00
@="Application"
[HKEY_CLASSES_ROOT\exefile\shell]
@=""
[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
============END CUT=====================
Here's more info so you don't have to search further:
F-Secure Virus Descriptions
NAME: Kak
ALIAS: Wscript.KakWorm, KakWorm
Kak is a worm that - like BubbleBoy - embeds itself without any attachment to every e-mail sent from the infected system. For further information about BubbleBoy, see the description: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp (http://www.F-Secure.com/v-descs/bubb-boy.htm)
They also have a patch to fix this problem at: http://fileforum.efront.com/download.php3?fid=976920173 (http://www.microsoft.com/security/Bulletins/ms99-032.asp)
==============================================
OLEXP: Err Msg: Registry Editor: Cannot Import C:\Windows\Kak.reg: Error Opening the File
--------------------------------------------------------------------------------
The information in this article applies to:
Microsoft Outlook Express versions 5, 5.01, 5.5 for Windows 95
Microsoft Outlook Express versions 5, 5.01, 5.5 for Windows 98
Microsoft Outlook Express versions 5.01, 5.5 for Windows 98 Second Edition
--------------------------------------------------------------------------------
SYMPTOMS
When you start your computer, you may receive an error message similar to:
Registry Editor: Cannot import C:\Windows\Kak.reg: Error opening the file. There may be a disk or file system error.
In addition to or instead of the error message, you may see a blank box with the following title:
C:\Windows\Start Menu\Programs\Startup\Kak.hta
CAUSE
This behavior is caused by the Wscript/Kak.worm virus, which uses ActiveX and Windows Scripting Host to spread by using Microsoft Outlook Express 5.
RESOLUTION
There are two methods to remove this virus.
Method 1
Obtain and install an antivirus program that can detect and remove the virus.
Method 2
Manually remove the virus:
Quit Outlook Express.
Install the Microsoft scriptlet.typelib/Eyedog security update. Information about this update is available at the following Microsoft Web site:
http://www.datafellows.com/v-descs/kak.htm (http://www.microsoft.com/technet/security/bulletin/ms99-032.asp)
reghakr
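An added example, not part of the posts above: a Python check that parses a REGEDIT4 export and compares the `.exe` and `exefile` open-command defaults with the values in the exefix.reg posted above. The sample export is constructed; its directory is a placeholder and only the file name comes from the thread.

```python
import re

# Known-good defaults, taken from the exefix.reg posted in this thread.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
}

def unescape(s):
    # .reg string data escapes only the backslash and the double quote.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg4(text):
    """Parse REGEDIT4 text into {key: {value_name: string_data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit_exe_association(text):
    """Return (key, name, found, expected) for every value that differs from EXPECTED."""
    found = {k.lower(): v for k, v in parse_reg4(text).items()}  # key names are case-insensitive
    problems = []
    for (key, name), want in EXPECTED.items():
        got = found.get(key.lower(), {}).get(name)  # None if the key or value is missing
        if got != want:
            problems.append((key, name, got, want))
    return problems

# Constructed sample export: C:\EXAMPLE is a placeholder directory.
HIJACKED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\EXAMPLE\\nqokraed.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for problem in audit_exe_association(HIJACKED):
        print(problem)
```

An empty result means both defaults match the posted fix; a `None` in the third field means the key or its default value was absent from the export.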