Fixing someone's computer: What's the virus scanner registry key?

CZroe

Jun 24, 2001
OK, I've seen this before. Namely, malware removing any reference to a virus scanner from the registry and causing all programs to no longer function. These people were not running a virus scanner but they managed to piss off some AIM punk who somehow modified this reg key and now Notepad.exe tries to run every application that is launched... Causing a hell of a lot of garbage and WordPad prompts at startup as you would imagine.

Of course, running REGEDIT was difficult because it would also launch Notepad instead and pass the intended EXE and a file to open with it. I replaced Notepad.exe with REGEDIT.EXE but that didn't help much... Basically, it considers whatever program I launched a corrupt REG file after asking if I would like to merge it with the registry (REG files normally open with REGEDIT, but REGEDIT would simply prompt for action and then exit as it does here). I contemplated finding the key elsewhere and renaming the REG file whatever.exe and executing it, but that wasn't necessary (well, I still need that reg key). I noticed that COMMAND.COM would launch just fine so I renamed REGEDIT.EXE to REGEDIT.COM and that worked fine. Only problem is, I still can't find the registry key. A search for Notepad.exe only returns a myriad of file associations and Explorer integrations (right-click context commands). I assume that he must have associated a different program that then passes it on to Notepad or whatever. Either that or it's in one of the areas of the registry that typically does not return search results ("Secure" areas I guess).

So what is the key? I have seen it before but I have no idea how I found it back then. Thanks!

EDIT: Oh yeah, and it's a Win98 machine. A quick search since I posted this turns up this result, where they used a similar approach to mine but the link inside is dead. :(
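An added example, not part of the original post: a Python check over a REGEDIT4 text export that flags executable file classes (`exefile`, `comfile`, `batfile`, `piffile`) whose default `shell\open\command` differs from the stock `"%1" %*`. It assumes the symptom above (EXE launches redirected while a .COM copy still runs) comes from a changed `exefile` handler; the sample export and its Notepad value are constructed for illustration.

```python
import re

# Stock open command for directly executable file classes on Windows:
# run the file itself ("%1") with its arguments (%*).
EXPECTED = '"%1" %*'
EXEC_CLASSES = ("exefile", "comfile", "batfile", "piffile")

KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's (Default) value

# Constructed sample export (assumption, not taken from the affected PC).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
"""

def audit_exec_handlers(reg_text):
    """Return {class: command} for executable classes whose default
    open command differs from EXPECTED in a REGEDIT4 export."""
    findings = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key: track it only if it is a <class>\shell\open\command key.
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current in EXEC_CLASSES:
            m = DEFAULT_RE.match(line)
            if m:
                # Undo .reg escaping (\\ -> \ and \" -> ") before comparing.
                value = re.sub(r"\\(.)", r"\1", m.group(1))
                if value != EXPECTED:
                    findings[current] = value
    return findings

if __name__ == "__main__":
    for cls, cmd in audit_exec_handlers(SAMPLE_EXPORT).items():
        print(f"{cls}: open command is {cmd!r}, expected {EXPECTED!r}")
```

Ordinary document associations such as `txtfile` legitimately point at Notepad, so the check ignores them and reports only the executable classes.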