Re: Tool to search for changed reg keys
jones.79 wrote:

Sorry, my mistake, I should have told you.

Well, I am talking about settings like


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-100x\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideIcons

or the key that fixes the background image, usually to a jpg that
says "YOU ARE INFECTED" or stuff like that...

And these values are set by the trojan, and remain, even if
it is removed. So usually I have to enter the symptoms
in a search engine and find the right key, and reset
it manually, but that takes time...

So the question is, is there a tool that resets these
keys. Maybe with a GUI with buttons to mark the
symptom and then reset the values...
Or a regfile to overwrite the settings...

Normally if you remove trojans with the right tools, the registry entries
are fixed by those tools. For instance, the desktop image you talk about
that usually comes from a Smitfraud/Zlob-type of infection will be fixed
when you use SmitfraudFix. BTW, the solutions for that are below.

So no, as I said there is no "one size fits all". As a professional, one
tries to use the correct tool for the job and if all else fails, flatten
the system and reinstall Windows. It is different if you are a malware
researcher and/or it is your own machine and you can spend innumerable
hours working over a system. As I'm sure you know, those of us who do this
for a living can't spend 10 hours on a client's machine - particularly
because it is common for a rootkit to still be alive afterwards and even
then the machine will not be clean. I have one in the shop just like that
now. The only way to ensure the client has a clean machine in cases like
that - and an acceptable bill - is to wipe/reinstall. And that's how you
get a clean registry.

Hope that answered your question.

****
Here's how to get rid of the desktop warning being displayed by malware. Go
to the Display applet in Control Panel and look on the Desktop tab. Click
on Customize Desktop, and then click on the Web tab. You will see that
there are checkmarks next to "My Current Home Page" and probably "Lock
Desktop Items". Uncheck these. By highlighting the "My Current Home Page"
and clicking on the Properties button, you will be able to determine the
name of the file that is the message. It might be called something like
"security.html" or the like.

Click Apply and OK out when you've made your changes. Then you want to find
the *.html malware file and delete it.

If you can't enable desktop backgrounds after a virus, MVP Kelly Theriot has
a fix. Look under Wallpaper-Desktop-Disable Changing here:

http://www.kellys-korner-xp.com/xp_w.htm

If Display tabs are missing, run Kelly's registry edit on line 285,
right-hand side "Restore all display tabs".

Check to see if these Registry entries exist:

HKCU\Software\Microsoft\Windows\CurrentVersion\GroupPolicyobject\{21A7BE9D-5027-49C1-B6F7-757B707E1C94}User\Software\Policies\Microsoft\Windows\System
If "GroupPolicyRefreshTime" and/or "GroupPolicyRefreshTimeOffset" are there,
then delete them.

HKCU\Software\Policies\Microsoft\Windows\System. If "GroupPolicyRefreshTime"
and/or "GroupPolicyRefreshTimeOffset" are there, then delete them and then
run the reg fix from Kelly's page.

A default wallpaper called wp.bmp may be set in
HKCU\Software\Policies\Microsoft\Windows\System created by the smitfraud.c
virus. Remove that and you will be able to choose different wallpapers.

For inability to change wallpaper after malware, here is another key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Bogus values will be set to 0. Delete or set to 1.
*****

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
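As an added example that is not code from Malke's post or from the asker: a PowerShell script that audits the keys named above in the replying user's hive and, only when run with -Remove, deletes the values the post says to delete. Everything beyond the post is an assumption and is marked as such in the comments: the wp.bmp setting is assumed to sit in a value named "Wallpaper", and the local GPO cache key is assumed to be spelled "Group Policy Objects" (the post spells it differently). Values under Policies\Explorer and the HideIcons value are listed for review and never changed.

```powershell
<#
 Added example, not code from the thread. Audits (and optionally removes)
 registry values the post says Smitfraud/Zlob-type malware leaves behind.
 Run it in the affected user's own session so HKCU: is the right hive.
 Report-only by default; pass -Remove to delete the named values.
 Assumptions beyond the post:
   - the wp.bmp setting lives in a value named "Wallpaper"
   - the local GPO cache key is "Group Policy Objects"
 Policies\Explorer values and HideIcons are reported, not changed.
#>
param([switch]$Remove)

# Report the named values under one key; delete them only when -Remove is set.
function Test-LeftoverValues {
    param([string]$Path, [string[]]$Names, [switch]$Remove)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Names) {
        if ($props.PSObject.Properties.Name -notcontains $name) { continue }
        Write-Output ("FOUND   {0}\{1} = {2}" -f $Path, $name, $props.$name)
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $Path -Name $name
            Write-Output ("REMOVED {0}\{1}" -f $Path, $name)
        }
    }
}

# Dump every value under a key so the operator can decide which ones are bogus.
function Show-KeyValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
        Write-Output ("REVIEW  {0}\{1} = {2}" -f $Path, $p.Name, $p.Value)
    }
}

# Value names from the post; "Wallpaper" is the assumed name for the wp.bmp entry.
$policyValues = @('GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset', 'Wallpaper')

# 1. HKCU\Software\Policies\Microsoft\Windows\System
Test-LeftoverValues -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' `
                    -Names $policyValues -Remove:$Remove

# 2. The same values cached under each local GPO:
#    ...\Group Policy Objects\{GUID}User\Software\Policies\Microsoft\Windows\System
$gpoRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects'
if (Test-Path -LiteralPath $gpoRoot) {
    foreach ($gpo in Get-ChildItem -LiteralPath $gpoRoot) {
        $sys = Join-Path $gpo.PSPath 'Software\Policies\Microsoft\Windows\System'
        Test-LeftoverValues -Path $sys -Names $policyValues -Remove:$Remove
    }
}

# 3. Policies\Explorer restrictions and the HideIcons value: report only,
#    so the operator decides case by case what to delete or reset.
Show-KeyValues -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Test-LeftoverValues -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                    -Names @('HideIcons')
```

Run it once without arguments to see what is present, then again with -Remove. To check another profile as in the HKEY_USERS path the asker quoted, replace the HKCU: prefix with Registry::HKEY_USERS\<that SID> while that hive is loaded. The same deletions can be expressed as the regfile the asker asked about by listing the key header and a line such as "GroupPolicyRefreshTime"=- for each value to remove.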
