Is this Spyware

Discussion in 'malware problems & news' started by highbids, Oct 18, 2006.

Thread Status:
Not open for further replies.
  1. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    I have tried to remove this twice from the registry & they still keep appearing.


    This was picked up by adware, I have also had Winpatrol warn
    about this of spyware.

    Name:Windows
    Category:Vulnerability
    Object Type:RegData
    Size:15 Bytes
    Location:scrfile\shell\open\command "" (notepad.exe %1)
    Last Activity:10/18/2006
    Relevance:Low
    TAC index:3
    Comment:
    Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

    How do I stop them from appearing & coming back.


    Gary,
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi highbids,

    Can you try something for me?

    Open a command prompt and type this command:

    assoc .scr


    Default system reply would be .scr=scrfile
    But I have a feeling yours will respond with .scr=txtfile

    Let us know.

    Regards,

    Pieter
     
  3. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    It says Windows cannot find "assoc", make sure you typed the path correctly.

    Gary,
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    What version of windows are you using?

    Regards,

    Pieter
     
  5. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    I'm using XP, this has appeared on two machines, one a dell & another
    an emachine.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Strange, that should work on XP o_O

    We'll have to take the long way.
    Click Start > Run > and copy this command into the window:
    regedit /e C:\scrfile.txt "HKEY_CLASSES_ROOT\scrfile"
    click OK to execute the command.

    If the key is not empty this will create the file C:\scrfile.txt
    Find that file and post the content.

    Regards,

    Pieter
     
  7. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    This is what appeared.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\scrfile]
    @="Screen Saver"

    [HKEY_CLASSES_ROOT\scrfile\shell]

    [HKEY_CLASSES_ROOT\scrfile\shell\config]
    @="C&onfigure"

    [HKEY_CLASSES_ROOT\scrfile\shell\config\command]
    @="\"%1\""

    [HKEY_CLASSES_ROOT\scrfile\shell\install]
    @="&Install"

    [HKEY_CLASSES_ROOT\scrfile\shell\install\command]
    @="rundll32.exe desk.cpl,InstallScreenSaver %l"

    [HKEY_CLASSES_ROOT\scrfile\shell\open]
    @="T&est"

    [HKEY_CLASSES_ROOT\scrfile\shell\open\command]
    @="NOTEPAD.EXE %1"

    [HKEY_CLASSES_ROOT\scrfile\shellex]

    [HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    Now Winpatrol is warning about these two files

    Company Name: Microsoft
    regedit.exe %1 Associated with .reg

    Company Name: Microsoft
    notepad.exe %1 Associated with .reg


    Company Name: None
    %1 /s Associated with .scr

    Company Name: Microsoft
    notepad.exe %1 Associated with .scr

    It looks like it is associated with one of the entries above.

    Gary
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Gary,

    Do you have a program like WormGuard or ScriptSentry installed?
    Programs that intercept calls to run files with "dubious" extensions.

    I'd like you to copy the part in the CODE box below into notepad and save it as ResetExecs.reg
    Set Save as type to "All Files"

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.bat]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.bat]
    @="batfile"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.bat\PersistentHandler]
    @="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\batfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile]
    @="MS-DOS Batch File"
    "EditFlags"=hex:30,04,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
      68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,31,35,33,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\edit]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\edit\command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      4f,54,45,50,41,44,2e,45,58,45,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\print]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\print\command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      4f,54,45,50,41,44,2e,45,58,45,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.cmd]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.cmd]
    @="cmdfile"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.cmd\PersistentHandler]
    @="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\cmdfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile]
    @="Windows NT Command Script"
    "EditFlags"=hex:30,04,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
      68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,31,35,33,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\edit]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\edit\command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      4f,54,45,50,41,44,2e,45,58,45,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\print]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\print\command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      4f,54,45,50,41,44,2e,45,58,45,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shellex\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.com]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.com]
    @="comfile"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.com\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\comfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile]
    @="MS-DOS Application"
    "EditFlags"=hex:30,00,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
      68,65,6c,6c,33,32,2e,64,6c,6c,2c,32,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shellex\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\comfile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.exe]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\exefile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "TileInfo"="prop:FileDescription;Company;FileVersion"
    "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\DefaultIcon]
    @="%1"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
    @=""
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.pif]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.pif]
    @="piffile"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\piffile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile]
    @="Shortcut to MS-DOS Program"
    "EditFlags"=hex:01,00,00,00
    "IsShortcut"=""
    "NeverShowExt"=""
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shell\open]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\ContextMenuHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\ContextMenuHandlers\Offline Files]
    @="{750fdf0e-2a26-11d1-a3ea-080036587f03}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\ContextMenuHandlers\TargetContext]
    @="{90A756E0-AFCF-11CE-927B-0800095AE340}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\IconHandler]
    @="{00021401-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\PropertySheetHandlers\PifProps]
    @="{86F19A00-42A0-1069-A2E9-08002B30309D}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\piffile\shellex\PropertySheetHandlers\ShimLayer Property Page]
    @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.scr]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.scr]
    @="scrfile"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\scrfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile]
    @="Screen Saver"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\config]
    @="C&onfigure"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\config\command]
    @="\"%1\""
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\install]
    @="&Install"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\install\command]
    @="rundll32.exe desk.cpl,InstallScreenSaver %l"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\open]
    @="T&est"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\open\command]
    @="\"%1\" /S"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shellex]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.js]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.js]
    @="JSFile"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.js\PersistentHandler]
    @="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\jsfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile]
    @="JScript Script File"
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,34,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,33,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ScriptEngine]
    @="JScript"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ScriptHostEncode]
    @="{85131630-480C-11D2-B1F9-00C04F86C324}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Edit]
    @="&Edit"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Edit\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Open]
    @=hex(2):4f,70,65,6e,20,26,77,69,74,68,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,\
      70,74,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Open2]
    @=hex(2):26,4f,70,65,6e,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Print]
    @="&Print"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Print\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsfile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.jse]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.jse]
    @="JSEFile"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\jsefile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile]
    @="JScript Script File"
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,35,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,33,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\ScriptEngine]
    @="JScript.Encode"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Edit]
    @="&Edit"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Edit\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Open]
    @=hex(2):4f,70,65,6e,20,26,77,69,74,68,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,\
      70,74,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Open2]
    @=hex(2):26,4f,70,65,6e,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Print]
    @="&Print"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\Shell\Print\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\jsefile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.vbe]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.vbe]
    @="VBEFile"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\vbefile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile]
    @="VBScript Script File"
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,33,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,32,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\ScriptEngine]
    @="VBScript.Encode"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Edit]
    @="&Edit"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Edit\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Open]
    @=hex(2):4f,70,65,6e,20,26,77,69,74,68,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,\
      70,74,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Open2]
    @=hex(2):26,4f,70,65,6e,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Print]
    @="&Print"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\Shell\Print\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbefile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.vbs]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.vbs]
    @="VBSFile"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.vbs\PersistentHandler]
    @="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\vbsfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile]
    @="VBScript Script File"
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,32,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,32,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ScriptEngine]
    @="VBScript"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ScriptHostEncode]
    @="{85131631-480C-11D2-B1F9-00C04F86C324}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Edit]
    @="&Edit"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Edit\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Open]
    @=hex(2):4f,70,65,6e,20,26,77,69,74,68,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,\
      70,74,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Open2]
    @=hex(2):26,4f,70,65,6e,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Print]
    @="&Print"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\Shell\Print\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\vbsfile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.wsf]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.wsf]
    @=hex(2):57,53,46,46,69,6c,65,00
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\wsffile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile]
    @=hex(2):57,69,6e,64,6f,77,73,20,53,63,72,69,70,74,20,48,6f,73,74,20,53,63,72,\
      69,70,74,00
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,32,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Edit]
    @="&Edit"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Edit\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Open]
    @=hex(2):4f,70,65,6e,20,26,77,69,74,68,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,\
      70,74,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Open2]
    @=hex(2):26,4f,70,65,6e,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Print]
    @="&Print"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\Shell\Print\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,4e,\
      6f,74,65,70,61,64,2e,65,78,65,20,2f,70,20,25,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wsffile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\.wsh]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.wsh]
    @="WSHFile"
    
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\wshfile]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile]
    @="Windows Script Host Settings File"
    "FriendlyTypeName"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
      74,65,6d,33,32,5c,77,73,68,65,78,74,2e,64,6c,6c,2c,2d,34,38,30,30,00
    "IsShortcut"="Yes"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\DefaultIcon]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,2c,31,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\Shell]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\Shell\Open]
    @="&Open"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\Shell\Open\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,57,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\Shell\Open2]
    @="Open &with Command Prompt"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\Shell\Open2\Command]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
      53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\ShellEx]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\ShellEx\DropHandler]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\ShellEx\PropertySheetHandlers]
    
    [HKEY_LOCAL_MACHINE\Software\Classes\wshfile\ShellEx\PropertySheetHandlers\WSHProps]
    @="{60254CA5-953B-11CF-8C96-00AA00B8708C}"

    Doubleclick the file and you will be prompted if you want to merge it with the registry. Confirm.

    That will reset these to default Windows settings.
    You will probably get some alerts from WinPatrol and the program that might have changed the settings.
    It is up to you to decide how you want these. There was nothing wrong with the way they were. It's just not standard, hence the warnings.

    Regards,

    Pieter
     
    Last edited: Oct 21, 2006
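The comparison made by eye in this thread (the exported `scrfile\shell\open\command` value against the Windows default) can be automated; the following is an added example, not code from the original posts. It parses `.reg` text and reports file classes whose open command differs from the defaults in the ResetExecs.reg above; the function names and the `DEFAULT_OPEN` table are this example's own, with the table transcribed from that reg file.

```python
import re

# Default "open" commands, transcribed from the ResetExecs.reg in post 8
# (the jsfile entry is the decoded form of its hex(2) value).
DEFAULT_OPEN = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "jsfile": r'%SystemRoot%\System32\CScript.exe "%1" %*',
}

NAMED_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_value(raw, unicode_export):
    """Turn the right-hand side of a .reg line into a Python string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: drop the outer quotes and undo the \" and \\ escapes.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        # REG_EXPAND_SZ: ANSI bytes under REGEDIT4, UTF-16LE under version 5.00.
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", raw[7:]))
        return data.decode("utf-16-le" if unicode_export else "latin-1").rstrip("\x00")
    return raw  # dword:, hex: and other types are returned undecoded


def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: decoded value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    unicode_export = bool(lines) and lines[0].startswith("Windows Registry Editor")
    keys, current = {}, None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            # "[-key]" deletes a key; it carries no values to audit.
            current = None if ln.startswith("[-") else keys.setdefault(ln[1:-1].lower(), {})
        elif current is not None and ln.startswith("@="):
            current["@"] = decode_value(ln[2:], unicode_export)
        elif current is not None:
            m = NAMED_VALUE.match(ln)
            if m:
                current[m.group(1)] = decode_value(m.group(2), unicode_export)
    return keys


def _norm(command):
    # Registry key names and Windows paths are case-insensitive.
    return " ".join(command.split()).lower()


def audit_open_commands(reg_text):
    """Return [(class, actual, expected)] for non-default shell\\open\\command values."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        parts = path.split("\\")
        if len(parts) < 4 or parts[-3:] != ["shell", "open", "command"]:
            continue
        expected, actual = DEFAULT_OPEN.get(parts[-4]), values.get("@")
        if expected is not None and actual is not None and _norm(actual) != _norm(expected):
            findings.append((parts[-4], actual, expected))
    return findings


# Excerpt of the export in post 7 (keys not relevant to the check omitted).
POST7_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="NOTEPAD.EXE %1"
'''

# Excerpt of ResetExecs.reg from post 8, to exercise hex(2) decoding.
RESET_EXCERPT = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Classes\scrfile]

[HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_LOCAL_MACHINE\Software\Classes\jsfile\Shell\Open\Command]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,43,\
  53,63,72,69,70,74,2e,65,78,65,20,22,25,31,22,20,25,2a,00
'''

if __name__ == "__main__":
    for cls, actual, expected in audit_open_commands(POST7_EXPORT):
        print(f"{cls}: open command is {actual!r}, default is {expected!r}")
```

A difference from the default is not proof of malware: as noted in the thread, a non-standard handler can be a deliberate setting.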
  9. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    Hi Pieter,

    I have a number of programs running here they are.

    Winpatrol
    Prevx1 HIPS
    AntiVir Antivirus
    Comodo Firewall

    It looks like Winpatrol is the only one that is protecting
    my registry, which one of these would you recommend
    WormGuard or ScriptSentry, I'm thinking of getting one.

    Do you want me to save it in a Windows folder, if so which one, give
    me the exact path to save ResetExecs.bat in like c:\windows

    Gary
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Gary,

    It doesn't matter where you save it, as long as you can find it. :)
    I usually save these "run-once" files to my desktop, so I don't forget to remove them when I'm done.

    Both Wormguard and ScriptSentry have advantages over the other. ScriptSentry is free, so you can try that before really deciding.

    Regards,

    Pieter
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Gary,

    Please note that I have changed my earlier post.
    The batfile I made contained an error, so I posted a regfile to correct that error instead.

    Sorry if you already ran the batfile. :oops:

    Regards,

    Pieter
     
  12. highbids

    highbids Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    44
    How do I run the batfile, in the registry please explain how to run it.

    Gary
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hey Gary,

    Copy the text in the CODE box into notepad. (Make sure you get all of it and that nothing is before the R of REGEDIT4 )
    Save the file as ResetExecs.reg to any convenient location.
    Doubleclick that file and Windows will ask you if you are sure you want to merge it with the registry.
    Confirm that and you are done.
    It may require a reboot for the changes to take effect, but I don't think so.

    Regards,

    Pieter
     