scripting

Guest

hi! Quite a few of our PCs have been infected by a trojan and changes have been
made to the registry. Instead of going into the registry manually, can
anyone assist in automating this process by using a script file? The list
below is the regedit changes that I require. Thanks.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"FS6519" = "%Windir%\FS6519.dll.vbs"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "TAGA LIPA ARE!"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"EXPLORER" = "C:\Program Files\Common Files\System\wab32res.exe..."
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "4"
 
db

My suggestion is based on the following:

The registry can export keys to a text file as long as the extension is .reg. The same is true for importing.

To get a better feel for how you should do it, go into your corrupted registry and export those corrupt keys. Modify them inside the file(s), then import them back.

Although I am sure there is a script to do this, it might not be possible, since the method of creating scripts to automatically alter the registry is not a well accepted practice, although it was a similar method used by your trojan.

 
db

I should have added that if your import is successful via the .reg file having the corrected key, then you can use that same file for the other registries.

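As an added example (not db's file, and not anything posted in the thread), here is a .reg file of the kind db describes, written by hand from the list in the original post rather than exported and edited. The values it writes are choices made here, not something the thread states: the two Run values and the Internet Explorer "Window Title" value are deleted outright (a value name followed by `=-` deletes it, so the truncated wab32res.exe path does not need to be known), NoFolderOptions and HideFileExt are set to 0 and Hidden to 1 so that Folder Options comes back and a double extension such as FS6519.dll.vbs is visible, and SharedAccess (the Windows Firewall/ICS service) is set to Start=2, Automatic, which is assumed to be the value it had before the infection.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the thread. Undoes the registry changes listed in the
; original post. A value name followed by "=-" deletes that value.

; Remove the trojan's two autostart entries. Deleting by name means the elided
; path of the EXPLORER value does not have to be reproduced.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"FS6519"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EXPLORER"=-

; Deleting "Window Title" restores the default Internet Explorer title bar.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=-

; The policy is inactive when NoFolderOptions is 0 (or absent).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

; HideFileExt=0 shows extensions, Hidden=1 shows hidden files. Chosen here so a
; file like FS6519.dll.vbs is visible; the thread does not specify these values.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"Hidden"=dword:00000001

; Start=2 is Automatic. Assumed to be the pre-infection value (the default on
; Windows XP); the thread only says the trojan set it to 4 (Disabled).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
```

Save it as fix.reg and import it with `regedit /s fix.reg` from an administrator account, since the HKEY_LOCAL_MACHINE entries need that. The HKEY_CURRENT_USER entries only touch the hive of the account that runs the import, so on a shared PC it has to run once per user (for example as a logon script), not once per machine. The file also only undoes the registry side: %Windir%\FS6519.dll.vbs and the wab32res.exe file should be removed, and any running copy ended, before the import, or the trojan will write the values straight back.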
 
Pegasus

dkblee said:
hi! Quite a few of our PCs have been infected by a trojan and changes have been
made to the registry. Instead of going into the registry manually, can
anyone assist in automating this process by using a script file? The list
below is the regedit changes that I require. Thanks.

Do this on a single test machine:
1. Open some test key in regedit.exe.
2. Export that test key to c:\test.reg.
3. Modify some minor detail in c:\test.reg.
4. Run this command to re-import this key:
regedit c:\test.reg
or
regedit /s c:\test.reg
5. Check the registry to see that the change has happened.
6. Apply the knowledge you have gained to your own hacks.
Note in particular the structure of c:\test.reg.
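Step 5, checking that the change actually happened, as an added PowerShell example (not Pegasus's code or anything from the thread). It reads back the exact values from the original post on HKEY_LOCAL_MACHINE and on every user hive currently loaded under HKEY_USERS, and reports any that still carry the trojan's value, so the same script can be run on each PC after the .reg import. The function and variable names are assumptions made here; the hive selection assumes ordinary accounts have SIDs beginning S-1-5-21.

```powershell
# Added example, not code from the thread. Verifies that the registry values the
# original post lists no longer hold the trojan's settings. Run from an elevated
# prompt so HKLM and other users' loaded hives are readable.

# Each entry: root (HKLM or a per-user hive), key below the root, value name, and the
# value the trojan sets. String patterns use -like so the elided "...wab32res.exe..."
# path still matches; numbers compare as DWORDs.
$Indicators = @(
    @{ Root = 'HKLM'; Key = 'Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'FS6519';          Bad = '*FS6519.dll.vbs' }
    @{ Root = 'USER'; Key = 'Software\Microsoft\Internet Explorer\Main';                   Name = 'Window Title';    Bad = 'TAGA LIPA ARE!' }
    @{ Root = 'USER'; Key = 'Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'EXPLORER';        Bad = '*wab32res.exe*' }
    @{ Root = 'USER'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 }
    @{ Root = 'USER'; Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = 1 }
    @{ Root = 'USER'; Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = 2 }
    @{ Root = 'HKLM'; Key = 'SYSTEM\CurrentControlSet\Services\SharedAccess';              Name = 'Start';           Bad = 4 }
)

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value does not exist.
    try {
        return (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Get-LoadedUserHives {
    # Only profiles that are currently loaded (logged-on users) appear under
    # HKEY_USERS. Real accounts have SIDs starting S-1-5-21 (assumption); the
    # *_Classes hives are skipped.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
}

function Test-TrojanRegistryIndicators {
    $hives = @(Get-LoadedUserHives)
    foreach ($i in $Indicators) {
        # HKLM values are checked once; per-user values once per loaded hive.
        $paths = if ($i.Root -eq 'HKLM') {
            @("HKLM:\$($i.Key)")
        } else {
            @($hives | ForEach-Object { "Registry::HKEY_USERS\$_\$($i.Key)" })
        }
        foreach ($p in $paths) {
            $value = Get-RegValueOrNull -Path $p -Name $i.Name
            $infected = if ($null -eq $value)     { $false }
                        elseif ($i.Bad -is [string]) { "$value" -like $i.Bad }
                        else                         { [int]$value -eq $i.Bad }
            [pscustomobject]@{
                Path   = $p
                Name   = $i.Name
                Value  = $value
                Status = if ($infected) { 'STILL INFECTED' } else { 'clean' }
            }
        }
    }
}

Test-TrojanRegistryIndicators | Format-Table -AutoSize
```

A "clean" row means the value is absent or no longer the trojan's; "STILL INFECTED" after an import usually means the trojan's files are still running and re-created the value, or that the .reg was imported under a different account than the one being checked. Only loaded profiles appear under HKEY_USERS, so a user who has not logged on since the fix is not checked until they do (or until their NTUSER.DAT is attached with `reg load`).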
 
