Tuesday, February 14, 2012

Regain Access to the Windows Registry Editor

Some malware will disable access to the Registry Editor. To block access to the Registry, malware generally does one of the following:
1) Makes changes to the Shell Open Command (the registry value that tells Windows how to launch .exe files);
2) Changes system policies (the same settings the Group Policy Editor manages);
3) Drops a bogus regedit.com file.

Depending on the method used, you may see one of the following symptoms:
- The Registry Editor appears to open but then closes again immediately, or
- You receive the error: "Registry editing has been disabled by your administrator"
To regain access to the Registry, try the following:
1) Make sure you have enabled "View hidden files and folders"
2) Download Symantec's free UnHookExec.inf
http://securityresponse.symantec.com/avcenter/UnHookExec.inf
3) Boot into Safe Mode and access regedit from there.
4) If you still cannot access it, right-click the UnHookExec.inf file and select Install.
This tool corrects unwanted modifications to the Shell Open Command and reverts the System Policy changes that may be preventing access to the Registry Editor. The tool runs silently; no messages will appear. After it has run, try to open the Registry Editor again.
5) If the Registry Editor appears to open but then closes immediately, the malware has most likely added a bogus regedit.com file to the system. Windows will try to load regedit.com first, instead of regedit.exe.
To resolve this, try each of the following steps in order until the problem is fixed:
1) Search for the bogus regedit.com file, rename it, and check whether the valid regedit.exe will now open.
2) Copy the legitimate regedit.exe to another folder and try to run it from the new location.
3) If none of these steps works, boot from a BartPE recovery CD and open the Registry from there.
http://antivirus.about.com/b/2007/11/12/bartpe-bootable-cd-for-windows.htm
4) Once you have regained control of the Registry, remove the malware from the system and check the startup points (see the previous post) so that it cannot reinfect your system.
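As an added example (not code from the original post or from Symantec's tool), the following read-only PowerShell audit checks the three tampering points listed above without changing anything. It assumes the standard default Shell Open Command of "%1" %* for .exe and .com files and that a planted regedit.com would sit in a directory on PATH.

```powershell
# Added example: read-only audit of the three ways malware blocks regedit.
# Run from an elevated PowerShell prompt; nothing on the system is modified.

$findings = @()

# 1) Shell Open Command: the default action for launching .exe and .com
#    files should be exactly "%1" %* (the file itself plus its arguments).
#    Malware replaces this so that its own binary runs instead.
$expected = '"%1" %*'
foreach ($cls in 'exefile', 'comfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne $expected) {
        $findings += "Shell Open Command for $cls is '$cmd' (expected $expected)"
    }
}

# 2) System policy: DisableRegistryTools under HKCU or HKLM
#    (1 = disabled, 2 = disabled even in silent mode) produces the
#    "Registry editing has been disabled by your administrator" error.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools `
            -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($val -gt 0) {
        $findings += "$hive DisableRegistryTools = $val"
    }
}

# 3) Bogus regedit.com: PATHEXT lists .COM before .EXE, so typing "regedit"
#    in the Run box launches regedit.com if one exists in a PATH directory.
foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
    $candidate = Join-Path $dir 'regedit.com'
    if (Test-Path $candidate) {
        $findings += "Unexpected file on PATH: $candidate"
    }
}

if ($findings.Count -eq 0) {
    'No Registry Editor tampering detected.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Any FINDING line points at the specific item that UnHookExec.inf, or the manual steps above, needs to correct.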
