From: Jun Tangunan (Cabanatuan, Philippines)
To: Samir H. (Yogyakarta, Indonesia)
Subject: RE: Several programs stopped working
Thread ID: 310985 Message ID: 311129 # Views: 31 # Ratings: 1
Version: Not Applicable Category: Operating Systems
Date: Wednesday, June 29, 2011 12:54:55 AM         
   


> >
> >
> > That is a problem with file association which is caused by viruses tampering with registry entries. You can try to restore those file associations via right-clicking on it, open with, then tick "Always use the selected program to open this kind of file" so the association with the proper app will be reestablished.
> >
> > If that does not fix the problem, try copy-pasting the code I will show below into Notepad, then save it with a .reg extension (e.g., fixexe.reg). After that, double-click it so it can attempt to infuse the proper entries inside the registry. As with registry manipulations though, if you are not sure of what will happen, back it up first (before double-clicking these registry entries) so you can go back to the old setting if and when something goes wrong.
> >
> >

> > Windows Registry Editor Version 5.00
> >
> > [HKEY_CLASSES_ROOT\.EXE]
> > @="exefile"
> > "Content Type"="application/x-msdownload"
> >
> > [HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
> > @="{098f2470-bae0-11cd-b579-08002b30bfeb}"
> >
> > [HKEY_CLASSES_ROOT\exefile]
> > @="Application"
> > "EditFlags"=hex:38,07,00,00
> > "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
> >   00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
> >   32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
> >   00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00
> >
> > [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
> > @="%1"
> >
> > [HKEY_CLASSES_ROOT\exefile\shell]
> >
> > [HKEY_CLASSES_ROOT\exefile\shell\open]
> > "EditFlags"=hex:00,00,00,00
> >
> > [HKEY_CLASSES_ROOT\exefile\shell\open\command]
> > @="\"%1\" %*"
> > "IsolatedCommand"="\"%1\" %*"
> >
> > [HKEY_CLASSES_ROOT\exefile\shell\runas]
> >
> > [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
> > @="\"%1\" %*"
> > "IsolatedCommand"="\"%1\" %*"
> >
> > [HKEY_CLASSES_ROOT\exefile\shellex]
> >
> > [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
> > @="{86C86720-42A0-1069-A2E8-08002B30309D}"
> >
> > [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
> >

> >
> >
> > That may fix your immediate problem. However, if the virus is still there, it may always replace the registry with faulty entries again on your next boot. I am hunting virus components manually for just an immediate cure, but there is no substitute for a proper antivirus or anti-spyware.
> >
> > The best you can do is to remove the harddrive from that unit and attach it on another "tested clean" unit with an antivirus installed for proper and effective cleaning.
> >
> >
> > http://sandstorm36.blogspot.com/
> > http://weblogs.foxite.com/sandstorm36/default.aspx
> > http://www.coderisland.com/forum/viewforum.php?f=10
>
>
> > The best you can do is to remove the harddrive from that unit and attach it on another "tested clean" unit with an antivirus installed for proper and effective cleaning.
> Hi Jun
> Yesterday, I had such a case with a harddrive that I suspect has a virus. Now, there was some data there I wanted to have back, but I didn't dare to attach the drive to my clean computer (which has antivirus). My worry is that if I attach it to the clean PC, then before the antivirus has completely loaded and is fully operational, it's already too late, and the malware has already moved from the infected HD to the clean one.
> Can you tell me something about that? Do you think it should be safe to attach an infected drive as a slave to a clean PC?
> PS: I'm using Avira Free AV.
>
> Regards
> Samir


If I base it on my experiences, then I can say it is safe. Whereas before some viruses were very lethal, tampering with boot sectors outright even before Windows is loaded, now I am not able to see those kinds. Normal viruses need to be loaded into the processes first before they can further infect. Since your other unit already has an antivirus like Avira (which is what I am also using these days), Avira is among the first processes to be loaded into memory, before detection of that newly installed slave drive will commence.

And like Stef says, what most viruses use these days to load themselves when you click on a drive is autorun.inf. And I made 2 preventive measures against that here on my end:

1. I have a dummy readwrite/hidden/system autorun.inf empty "folder" in all of my drives. This is to prevent the creation of a file having the same name by viruses.

2. I ensure that autorun is killed on all of the units here. This can be done either on group policy or via manually creating a registry entry.

a. On the group policy approach, click Run, gpedit.msc, choose Computer Configuration so it will be machine-wide, Administrative Templates, System, Turn Off Autoplay entry.

b. If you want a direct registry entry approach, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer and add NoDriveTypeAutoRun with a Hexadecimal value of ff.

Both need a good reboot of the machine.

Having autorun killed adds another extra protection on each machine.


If you have that fake autorun.inf folder and autorun is not turned off, Avira will prompt you that it blocks that file for safety measures. That is just okay, as you know that it is a fake autorun.inf to prevent the real autorun.inf.



Another added protection yet is to disable USB Mass Storage. Since here some staff are plugging in their own flash drives or mass storage devices to copy personal files and songs, it sometimes brings viruses with it. To counter that, I also killed said access to those USB Mass Storage devices for all of the staff excluding the managers. To disable it, go to HKLM\System\CurrentControlSet\Services\USBSTOR and change the value of Start to 4. After that, they can plug in those flash drives and USB Mass Storage devices and they will be ignored by the machine. To enable it back again, change its value to 3.

Actually, you can create your own TweakUI sort of app so you won't have to manually modify those things later. I created one before, which I named RegTweak.exe.




P.S. You want a very powerful set of tools for troubleshooting purposes? Check one of my favorites: http://www.hiren.info/pages/bootcd

http://sandstorm36.blogspot.com/
http://weblogs.foxite.com/sandstorm36/default.aspx
http://www.coderisland.com/forum/viewforum.php?f=10
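
Added example (not part of the post above and not the RegTweak.exe it mentions): a Python check that reads the text of a registry export and reports where it differs from the values given in this thread, namely the `"%1" %*` exefile commands, NoDriveTypeAutoRun = ff and USBSTOR Start = 4. It assumes the export has already been decoded to a string and that both policy values are DWORDs; the sample export and the path in it are constructed.

```python
import re

# Expected values come from the post above; DWORD types are an assumption.
EXPECTED = {
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
    (r"hkey_classes_root\exefile\shell\runas\command", "@"): '"%1" %*',
    (r"hkey_local_machine\software\microsoft\windows\currentversion"
     r"\policies\explorer", "nodrivetypeautorun"): 0xFF,
    (r"hkey_local_machine\system\currentcontrolset\services\usbstor", "start"): 4,
}
USERCHOICE = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\.exe\userchoice"
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: value}}, names lowercased."""
    keys, cur = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := VALUE.match(line)):
            name, val = m.group(1).strip('"').lower(), m.group(2)
            if val.startswith("dword:"):
                val = int(val[6:], 16)
            elif val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # undo \" and \\
            cur[name] = val  # hex blobs stay as text
    return keys

def audit(text):  # one finding per value that differs from EXPECTED
    keys, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = keys.get(key, {}).get(name)
        if got != want:
            findings.append(f"{key} [{name}] is {got!r}, expected {want!r}")
    if USERCHOICE in keys:  # the key the .reg file in this thread deletes
        findings.append(f"{USERCHOICE} exists (per-user .exe override)")
    return findings

# Constructed export: open command altered, USB mass storage still enabled (3).
SAMPLE = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\constructed\\placeholder.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003'''
print("\n".join(audit(SAMPLE)))
```

A missing value is reported the same way as a wrong one, with `None` as the value found.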
