Life of a Blogger

Bleuken.i.ph is my first ever blog and gives me the opportunity to post on different topics that can help other people make money online and get around cyberspace. It started in Roxas City, Capiz, Philippines. This blog is intended to post advice on programming, web design, search engine optimization (SEO Challenges, SEO Contests), information about viruses and how to remove them, making money online, and some of my experiences online.

If you wish to make a suggestion or send feedback, you can contact me at fbaguyo[at]hotmail[dot]com

Enabling or Disabling the Registry (regedit.exe)

December 18, 2007

A friend of mine gave me a script on enabling and disabling the registry tool. This VBS script can be very helpful if you’re infected with a certain virus that blocks the registry. You can unblock it using this VBS Script.

Open Notepad in Windows, paste the following script, and save it to your desktop or any other location as "REGISTRY.VBS" (include the double quotes so that the file is saved as a .VBS file). Double-click this file to toggle from ENABLE to DISABLE or vice versa.

Dim WSHShell, n, MyBox, p, t, mustboot, errnum, vers
Dim enab, disab, jobfunc, itemtype

Set WSHShell = WScript.CreateObject("WScript.Shell")
' Per-user policy value: 1 blocks regedit.exe, 0 allows it
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
p = p & "DisableRegistryTools"
itemtype = "REG_DWORD"
mustboot = "Log off and back on, or restart your pc to" & vbCR & "effect the changes"
enab = "ENABLED"
disab = "DISABLED"
jobfunc = "Registry Editing Tools are now "
t = "Confirmation"

' This section tries to read the registry value. If it is not present an
' error is generated. Normal error return should be 0 if the value is
' present
Err.Clear
On Error Resume Next
n = WSHShell.RegRead(p)
' Save the error number first: On Error Goto 0 resets the Err object
errnum = Err.Number
On Error Goto 0
If errnum <> 0 Then
    ' Create the registry value DisableRegistryTools with value 0
    WSHShell.RegWrite p, 0, itemtype
    n = 0
End If

' If the value is present, or was created, it is toggled
' Confirmations can be disabled by commenting out
' the two MyBox lines below
If n = 0 Then
    n = 1
    WSHShell.RegWrite p, n, itemtype
    MyBox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
ElseIf n = 1 Then
    n = 0
    WSHShell.RegWrite p, n, itemtype
    MyBox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
End If

Hope this script helps you!

Posted by bleuken at 3:53 pm | permalink | Comments Off

Capiz Forum now Open!

December 4, 2007

Today I set up a forum for Capiz, Philippines and Filipinos worldwide. It is hosted on a free PHP hosting site and its address is http://www.capizforum.hyperphp.com/. I used an open source PHP script called SMF or Simple Machines Forum. At first, I tried to use phpBB2 but later I decided to change it to SMF. As I explore the features of SMF, I like it compared to phpBB2.

Almost all of the categories and boards have been set up on the forum and it's up right now. Register on the forum now and share your ideas with Capiz and Filipinos worldwide!

Posted by bleuken at 4:38 pm | permalink | Comments Off

Paradise Philippines on Freeweb7 Offline!

I'm really unlucky: it's the first checkpoint of the BayanihanSEO Paradise Philippines Keyword Contest (waah) and my paradisephilippines.freeweb7.com site is currently offline due to technical problems on the freeweb7.com host. Until now, the service is still not up. Maybe it's not really for me. I do want to register a domain and host of my own, but money is really a problem. I don't have a credit card, not yet.

Maybe next year if God will allow it I'll try to have my own domain name and paid host registered. Well for now just "MANTINeR!" = a local dialect that means just 'STICK ON IT' because I can't do anything about it, not just yet.

Well that's life!

Posted by bleuken at 4:28 pm | permalink | Comments Off

OpenSuse10.3 KDE

November 20, 2007

Last week, I finished setting up the file server for our school. I tried other Unix-based systems / Linux OSes like Ubuntu for Server, PC-BSD1.4 and OpenSuse, but I still ended up using OpenSuse10.3 KDE. Maybe because it has a friendly interface that is already familiar to me (especially its YaST). But the problem I encountered was that the OS was not able to detect the SiS Ethernet device (built-in) of the new CPU we bought, so I decided to use the old Realtek Ethernet card (add-on card) I borrowed from one of the old Pentium IV computers. I tried searching for solutions on different Suse forums, but what I found was the same problem I encountered, and no solution has been given yet for this matter.

  

The 10.3 version of OpenSuse can now be installed from a single disk (unlike the previous version, where 3 disks are needed for the installation). Their download site allows you to choose installation with the KDE or GNOME environment and provides a build site page that allows you to download other components of the OS that are not included on the one disk. Samba, for example, is not included on the installation disk, so you need to download the RPM.

Posted by bleuken at 10:48 am | permalink | View this entry

Removing SCVHOST.exe or W32/YahLover.Worm.gen

November 5, 2007

There's a strain of computer virus/worm that hides itself using the name SCVHOST.EXE or SCVHOSTS.EXE (don't mistake it for SVCHOST.EXE, which is one of the vital programs of Windows; note the difference in spelling). It is detected as W32/YahLover.Worm.gen by McAfee Antivirus and as Win32/Autorun.R.worm by NOD32. This virus infects your computer by different means.

  • One is that it installs itself in autorun.inf, in the Open option of the AUTORUN. Once you double-click, it will run and start spreading itself to your system.
  • The other behaviour that I observed is that it copies itself through all the shared files of the computers on your network and installs itself in the registry entries remotely using a GUEST account (through System:Remote).

Characteristics of the Virus

  • This virus/worm blocks the Task Manager when you press Ctrl+Alt+Del to invoke it.
  • It blocks the registry (the worm changes the registry to prevent the Task Manager and the registry editor from running, for harder detection).
  • It also restarts the computer when you try to go to the command prompt. (This is based on my experience with this worm/virus when I tried to disinfect it manually.)
  • It copies itself to different folders of drives and uses the name of the folder where it resides. The copied virus/worm uses a FOLDER icon.
  • According to McAfee it changes the configuration of your Yahoo Messenger (see McAfee info).
  • It autostarts via the registry keys Windows->Run and adds itself to WinNT->WinLogon->Explorer.exe

To remove the virus manually (try this, it worked on my computer; if you can't, try using an ANTI-VIRUS like McAfee or NOD32):

  1. Boot your system in Safe Mode Command Prompt Only (press F8 when your computer restarts; a menu will be shown, then select the option)
  2. After you log in, the command prompt will open (LOG IN AS ADMINISTRATOR).
  3. Type CD C:\WINDOWS\SYSTEM32 (assuming that your Windows system files are located on drive C)
  4. Type DIR /AH, this will display all hidden files of this folder. You will see the following files, which are used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
  5. Type ATTRIB -H -R -S SCVHOST.EXE
  6. Type ATTRIB -H -R -S BLASTCLNNN.EXE
  7. Type ATTRIB -H -R -S AUTORUN.INI
  8. Type DEL SCVHOST.EXE
  9. Type DEL BLASTCLNNN.EXE
  10. Type DEL AUTORUN.INI
  11. Type CD\
  12. Type ATTRIB -H -R -S AUTORUN.INF
  13. Type DEL AUTORUN.INF

After removing the virus/worm files, its entries should also be removed from the registry of your system.

  1. From the command prompt, type REGEDIT.EXE; this will run the Registry Editor
  2. In the registry, look for the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it's spelled like this) with the value c:\windows\system32\scvhost.exe. Delete this entry.
  3. Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there's an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE. Don't delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains in this registry entry.

I've tried these steps and they work. You should try this only if you know how to edit registry entries (try it at your own risk). Hope this will help you.
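The registry locations from the two posts above (the DisableRegistryTools policy value that the VBS script toggles, the Run key, and the Winlogon Shell value) can be checked in one read-only pass. The PowerShell script below is an added example, not part of the original posts; the function names are hypothetical, and DisableTaskMgr is the standard policy value for blocking Task Manager, which the post describes but does not name.

```powershell
# Added example (not from the original posts): read-only check of the
# registry locations the posts describe. Nothing is modified.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-WormRegistryTrace {   # hypothetical helper name
    $policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $run      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Policy values that block regedit.exe / Task Manager when set to 1.
    # DisableTaskMgr is not named in the post; it is the standard value name.
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $value = Get-RegValue -Path $policy -Name $name
        if ($null -ne $value -and $value -ne 0) {
            [pscustomobject]@{ Key = $policy; Name = $name; Data = $value
                               Finding = 'tool blocked by policy' }
        }
    }

    # Run entries whose command line references the misspelled file name.
    $runKey = Get-Item -Path $run -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($name)
            if ($data -match 'scvhosts?\.exe') {     # -match ignores case
                [pscustomobject]@{ Key = $run; Name = $name; Data = $data
                                   Finding = 'autostart entry for SCVHOST' }
            }
        }
    }

    # Winlogon Shell should contain Explorer.exe and nothing else.
    $shell = Get-RegValue -Path $winlogon -Name 'Shell'
    if ($null -ne $shell -and ([string]$shell).Trim() -ne 'explorer.exe') {
        [pscustomobject]@{ Key = $winlogon; Name = 'Shell'; Data = $shell
                           Finding = 'Shell is not plain Explorer.exe' }
    }
}

Get-WormRegistryTrace | Format-List
```

An empty result means none of the traces described in the posts were found. HKCU is the hive of whoever runs the script, so run it as the affected user.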


Posted by bleuken at 8:28 pm | permalink | comments[21]
