Got a request last week to repair a PC running Windows XP; as expected, the damage was from virus and malware infections. The malware had already been cleaned up, but it left Windows XP in quite a bad state. Although the owner didn't mind reformatting the PC, it is better to try to fix it first.

Below is the damage I found when I first checked the PC:

  • Several pop-ups during start-up looking for a non-existent file (leftover from the virus?)
  • The Internet browser sends all Google and Yahoo searches to http://www.searchweb1.com/
  • Windows Explorer (My Documents) opens automatically during start-up
  • The regedit and msconfig commands open in Notepad
  • The defrag command also opens in Notepad when executed
  • "Folder Options" missing from Windows Explorer
  • Task Manager disabled


First, to fix most of the problems I really needed regedit, which at that moment was impossible: whenever I ran "regedit", Notepad opened with the regedit executable's binary contents inside it.

As always, Google is the best tool for finding a solution, but unfortunately every Google search was redirected to http://www.searchweb1.com/. I had seen this problem before; it is done through the Windows hosts file, which the resolver consults before DNS, so any hostname listed there resolves to whatever the attacker wrote. As suspected, the XP hosts file (c:\windows\system32\drivers\etc\hosts) had been modified. In this case the file was still accessible, unlike a previous case where its attributes had been set to "hidden" and "read-only" and I had to use the Windows XP Recovery Console to replace it. Since the hosts file was still in its normal state, all I needed to do was remove the unwanted entries and leave only the "127.0.0.1 localhost" line (on XP that is the only entry a clean hosts file should contain). Below is the infected hosts file:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
178.162.151.89 www.google.com.tr
178.162.151.89 www.google.co.uk
178.162.151.89 www.google.ca
178.162.151.89 www.google.com.br
178.162.151.89 www.google.co.il
178.162.151.89 www.google.com.ar
178.162.151.89 www.google.com.my
178.162.151.89 www.google.gr
178.162.151.89 www.google.com.ph
178.162.151.89 www.google.com.tw
178.162.151.89 www.google.co.id
178.162.151.89 www.google.co.in
178.162.151.89 www.google.com.au
178.162.151.89 www.google.ru
178.162.151.89 www.google.co.nz
178.162.151.89 www.google.com.pk
178.162.151.89 www.google.dk
178.162.151.89 www.google.pt
178.162.151.89 www.google.es
178.162.151.89 www.google.se
178.162.151.89 www.google.de
178.162.151.89 www.google.com.hk
178.162.151.89 www.google.fr
178.162.151.89 www.google.co.jp
178.162.151.89 www.google.com.mx
178.162.151.89 www.google.com.sa
178.162.151.89 www.google.com.sg
178.162.151.89 www.google.cn
178.162.151.89 www.google.com.eg
178.162.151.89 www.google.com.ba
178.162.151.89 www.google.com.at
178.162.151.89 www.google.be
178.162.151.89 www.google.ch
178.162.151.89 www.google.no
178.162.151.89 www.google.sk
178.162.151.89 www.google.fi
178.162.151.89 search.yahoo.com
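Here is an added example (not from the original post) of the hosts-file check above done as a script, which is handier when the file is long: it parses the file the way the Windows resolver does (comments, several names after one IP), flags every entry that is not the stock localhost line, separates names redirected to a remote IP (the search-engine hijack seen here) from names pinned to loopback (the related trick of cutting off antivirus update sites, which goes beyond what this machine showed), reports any remote IP that many names share, and regenerates a file that keeps only comments and the localhost line. The sample text is constructed, abbreviated from the infected file above; update.example-av.com is a placeholder.

```python
import ipaddress
from collections import Counter

# Constructed sample, abbreviated from the infected hosts file in the post.
# The loopback entry for update.example-av.com is a placeholder for the
# "block AV updates" variant, not something found on this machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
178.162.151.89 www.google.com.tr
178.162.151.89 www.google.co.uk   # a comment after an entry is legal
178.162.151.89 www.google.de www.google.fr
178.162.151.89 search.yahoo.com
127.0.0.1 update.example-av.com
"""

# The only mapping a clean XP hosts file carries (Vista and later add "::1 localhost").
LEGITIMATE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return [(ip, hostname)] the way the resolver reads the file: '#' starts
    a comment, fields are whitespace-separated, and one IP may be followed by
    several hostnames on the same line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        entries.extend((ip, n.lower()) for n in names)
    return entries


def find_hijacks(entries, min_shared=3):
    """Classify every non-stock entry.
    redirected: name sent to a remote IP (the search-engine hijack in the post)
    blocked:    name pinned to loopback, the usual way to cut off AV updates
    sinkholes:  remote IPs that at least min_shared names point to"""
    redirected, blocked = [], []
    for ip, name in entries:
        if (ip, name) in LEGITIMATE:
            continue
        bucket = blocked if ipaddress.ip_address(ip).is_loopback else redirected
        bucket.append((ip, name))
    shared = Counter(ip for ip, _ in redirected)
    sinkholes = {ip for ip, n in shared.items() if n >= min_shared}
    return {"redirected": redirected, "blocked": blocked, "sinkholes": sinkholes}


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and stock entries only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parsed = parse_hosts(raw)
        if parsed and all(e in LEGITIMATE for e in parsed):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = find_hijacks(parse_hosts(SAMPLE_HOSTS))
    for ip, name in report["redirected"]:
        print(f"REDIRECT {name} -> {ip}")
    for ip, name in report["blocked"]:
        print(f"BLOCKED  {name}")
    print("sinkhole IPs:", ", ".join(sorted(report["sinkholes"])))
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine, read c:\windows\system32\drivers\etc\hosts into `parse_hosts`, review the report, and only then overwrite the file with the output of `clean_hosts`; if the file's attributes have been set to hidden or read-only, clear them first or replace the file from the Recovery Console as described above.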

After the fix, Google was back in the browser. I googled for "regedit open in notepad" and surprisingly found a lot of responses, mostly from forums. From the forums I found a link to Vilma's Registry Explorer, a third-party registry editor for XP. Using this tool, I was able to re-enable "Folder Options" in Windows Explorer and the Task Manager (both are switched off through policy values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies: NoFolderOptions under Explorer and DisableTaskMgr under System).

With Task Manager back, I could check all running processes for anything suspicious in the background. So far so good. I still needed to bring the original regedit back. Not an easy thing to find; I went through many forums without much help. Then I found this PC Tools forum thread, http://www.pctools.com/forum/showthread.php?t=49374, where one user suggested a script. Since I prefer to do things manually, I took only the required lines and used Vilma's Registry Explorer to modify the registry. The trick behind "regedit opens in Notepad" is the Image File Execution Options key: when a subkey named after an executable carries a "Debugger" value, Windows launches that "debugger" (here Notepad) with the original program as its argument instead of running the program itself. Below are the lines that fix the problem:


rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe\"
rg.regdelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\"

I used the manual method instead of running it as a script: browse to each key in the registry editor and delete the unwanted subkey.

Now regedit is back on its own.

To be safe, I downloaded and ran the Microsoft Windows Malicious Software Removal Tool, which found and removed two more medium-risk malware items.

Lastly I googled for "my documents opens at startup", and the first result was from Microsoft itself: http://support.microsoft.com/kb/555294. All I needed to do was run regedit and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and check the Userinit value in the right pane. Winlogon runs whatever is listed there at every logon, which makes it a favourite persistence spot, and the value had indeed been modified, so I just put back the original value for Userinit:

C:\WINDOWS\system32\userinit.exe, (the comma at the end must also be there)

After everything was OK, I tried to run the Defrag tool on the boot disk, but to my surprise it opened in Notepad. Disk Defragmenter on XP is an MMC snap-in (dfrg.msc), so it is launched through mmc.exe. I opened regedit again and went to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

looked for "mmc.exe" and deleted that subkey. That solved the problem. As usual, after defragging the boot disk I ran "msconfig" to uncheck the unnecessary start-up entries and speed up XP's start-up time.
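Here is an added example, not the author's procedure or the forum script, that performs the registry checks from the last few sections over a regedit export instead of by hand, so they can be repeated on the next machine: it parses .reg text, flags every Image File Execution Options subkey carrying a Debugger value (the regedit, msconfig and mmc.exe cases above), compares Winlogon's Userinit and Shell with the XP defaults, reports the policy values that hide Folder Options and disable Task Manager, and writes a cleanup .reg that deletes the hijack subkeys and restores Userinit. The export is produced on the patient with `regedit /e`; the sample below is constructed (extra.exe and the iexplore.exe GlobalFlag entry are placeholders, not indicators from the post).

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # XP default, trailing comma included
EXPECTED_SHELL = "Explorer.exe"
# Policy values that switch off the tools the post had to win back (1 = restricted).
POLICIES = {
    (r"Policies\System", "DisableTaskMgr"): "Task Manager disabled",
    (r"Policies\Explorer", "NoFolderOptions"): "Folder Options hidden",
}

# Constructed sample export resembling the infected machine. extra.exe and the
# iexplore.exe GlobalFlag entry are placeholders, not indicators from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
"Debugger"="notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\extra.exe"
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''

_KEY = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg doubles backslashes and quotes


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _decode(v):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v  # hex:/hex(2): etc. left raw; not needed for these checks


def parse_reg(text):
    """Map each [key] to {value name: decoded value}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if m := _KEY.match(line):
            current = m.group(2)
            keys.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def _get(values, name):
    """Registry value names are case-insensitive; exports keep original case."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)


def audit(keys):
    """Return (findings, cleanup .reg text). Review findings before importing:
    a Debugger value pointing at a real debugger on a developer box is legitimate."""
    findings, out = [], ["Windows Registry Editor Version 5.00", ""]
    for key, values in keys.items():
        kl = key.lower()
        if kl.startswith(IFEO.lower() + "\\") and (dbg := _get(values, "Debugger")):
            exe = key.rsplit("\\", 1)[1]
            findings.append(f"IFEO hijack: {exe} launches {dbg}")
            out += [f"[-{key}]", ""]  # leading '-' deletes the whole subkey, as in the post
        if kl == WINLOGON.lower():
            fixes = []
            ui = _get(values, "Userinit") or ""
            if ui.lower() != EXPECTED_USERINIT.lower():
                findings.append(f"Winlogon Userinit tampered: {ui!r}")
                fixes.append(f'"Userinit"="{_escape(EXPECTED_USERINIT)}"')
            sh = _get(values, "Shell") or ""
            if sh.lower() != EXPECTED_SHELL.lower():
                findings.append(f"Winlogon Shell tampered: {sh!r}")
                fixes.append(f'"Shell"="{EXPECTED_SHELL}"')
            if fixes:
                out += [f"[{key}]", *fixes, ""]
        for (suffix, name), meaning in POLICIES.items():
            if kl.endswith("\\" + suffix.lower()) and _get(values, name) == 1:
                findings.append(f"{meaning} via {key}\\{name}")
                out += [f"[{key}]", f'"{name}"=-', ""]  # '=-' deletes that single value
    return findings, "\n".join(out)


def load_reg(path):
    """regedit /e writes UTF-16LE with a BOM; read it that way."""
    with open(path, encoding="utf-16") as f:
        return parse_reg(f.read())


if __name__ == "__main__":
    found, cleanup = audit(parse_reg(SAMPLE_REG))
    print("\n".join(found))
    print(cleanup)
```

Export the two hives on the patient (`regedit /e ifeo.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"` and the same for `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies`), run `audit(load_reg(path))` on each, read the findings, and import the generated cleanup file with a working registry editor such as the third-party one used above; note that regedit itself cannot import it while its own IFEO entry is still in place.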

So, after all the clean-up, Windows XP was back to normal.
