Help to finish System repair tools

U.V.K

Ultra Virus Killer (UVK) Developer
Hi everyone,
Since it became usual on new viruses to damage the executable file extensions I decided to write a tool to solve this problem. It's called ExeFixer (See screenshot below).
ExeFixer.png

Writing this tool became very interesting. Initially it was meant to only fix some file extensions and run executable files even if the .exe extension was deleted. But in the meantime I remembered some other fixes I could add to it, and it became a nice set of tools to fix common issues caused by the latest virus.
It's already working fine, tested it on most OS (x64 and x86) but it's very rare that I have a pc with Windows 2000 to fix and at this moment I don't have anyone. This is where I could use some help.
I'm pretty sure that the extension registry values are the same in windows 2k than in xp, but I wanted to be sure before uploading the tool.
So if anyone of you is willing to export these registry keys from a Windows 2000 OS and upload the code I'd be very grateful. By the way, I need the code for these keys:
HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\.msi
HKEY_CLASSES_ROOT\Msi.Package
HKEY_CLASSES_ROOT\.reg
HKEY_CLASSES_ROOT\regfile
HKEY_CLASSES_ROOT\.bat
HKEY_CLASSES_ROOT\batfile
HKEY_CLASSES_ROOT\.cmd
HKEY_CLASSES_ROOT\cmdfile
HKEY_CLASSES_ROOT\.com
HKEY_CLASSES_ROOT\comfile
I'm also integrating ExeFixer features in the new version of my virus removal tool, UVK, so I need this code to finish both.
Thanks in advance.
 
a pc with Windows 2000 to fix and at this moment I don't have anyone. This is where I could use some help.
I'm pretty sure that the extension registry values are the same in windows 2k than in xp, but I wanted to be sure before uploading the tool.

I thought that they would be the same also, but I wanted to check anyway. I compared the keys on a 2K machine to some of the file association fixes online and I found there are differences. I checked the exe fixes and listed below in bold what the fixes add that is not in the 2K keys or that is slightly different.


[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"



[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
Windows 2K has
@=""%1" %*"


[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
Windows 2K has
@=""%1" %*"


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"




I also noticed that some other keys might be different like in:

[HKEY_CLASSES_ROOT\Msi.Package\DefaultIcon]

Windows XP has
@="C:\\WINDOWS\\System32\\msiexec.exe,0"

and Windows 2K has
@="C:\\WINNT\\System32\\msiexec.exe,0"

The fixes have a hex value like
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6d,00,73,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,34,\
00,00,00
@="Windows Installer Package"

Being a hex value does the fix point to the right file if it is in windows or the older winnt?
 
Thank you both for your replies.

Well the values @="\"%1\" %*" and @=""%1" %*" both do the same, \ is the escape character in regedit 5. Thus, both values will give "%1" %*. Fortunately!

Being a hex value does the fix point to the right file if it is in windows or the older winnt?

This hex value means @%SystemRoot%\System32\msi.dll,-34, the same as in xp. Thanks.

What intrigues me is this key:
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"


This key and value don't exist either in XP or in other higher OS. I'll add it only for 2k.

That was a hell of a hand, thank you very much. If you notice any other differences, please post :)
 
And I forgot to mention: The C:\Windows or C:\Winnt don't make any difference, because the tool automatically writes the right path to windows root folder.
 
This hex value means @%SystemRoot%\System32\msi.dll,-34, the same as in xp. Thanks.
So if I make a reg file for Windows 2K do I put:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package]

"EditFlags"=hex:00,00,10,00
"FriendlyTypeName"="@%SystemRoot%\System32\msi.dll,-34"


or do I put:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package]

"EditFlags"=hex:00,00,10,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6d,00,73,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,34,\
00,00,00
@="Windows Installer Package"


or how do I do that.

I need to learn about writing hex values like the one for FriendlyTypeName, any suggestion where I can get more information?


What intrigues me is this key:
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"


This key and value don't exist either in XP or in other higher OS. I'll add it only for 2k.
This key was not in 2K it was in XP fixes, I did not find it in Vista or 7 fixes either.
 
Sorry, I wrote the "@" by mistake. Please ignore it

It's a REG_EXPAND_SZ value, so you must put the hex data:
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6d,00,73,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,34,\
00,00,00

But if you edit or create this value in regedit, you must enter the string:
%SystemRoot%\System32\msi.dll,-34
Regedit will automatically convert it to hex data.

This is why it's called REG_EXPAND_SZ, because the string will be expanded to C:\Windows\System32\msi.dll,-34 (if Windows is installed on C:)

A normal string (REG_SZ) can't be expanded.
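The two .reg encodings discussed in this thread (backslash-escaped quoted strings and `hex(2)` REG_EXPAND_SZ data) can be decoded from an exported file and the `exefile` open command checked against the value the posters report. This is an added example, not part of the thread and not ExeFixer's code; `SAMPLE` is constructed from values quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample built from values quoted in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\Msi.Package]
"EditFlags"=hex:00,00,10,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,6d,00,73,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,34,\
  00,00,00
'''
EXPECTED_OPEN = '"%1" %*'  # open command the thread reports for both 2K and XP

def decode_value(raw):
    """Decode one .reg item: quoted string, dword, or hex / hex(N) data."""
    raw = raw.strip()
    if raw.startswith('"'):  # quoted: drop outer quotes, undo \" and \\
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if not m:
        raise ValueError('unsupported value: ' + raw)
    data = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(2)))
    kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE text plus NUL
        return data.decode('utf-16-le').rstrip('\x00')
    return data

def parse_reg(text):
    """Return {key: {name: value}}; the default value is stored under '@'."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            name = '@' if m.group(1) == '@' else decode_value(m.group(1))
            current[name] = decode_value(m.group(2))
    return keys

def exe_open_ok(keys):
    """True when exefile's open command is the expected default."""
    key = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
    return keys.get(key, {}).get('@') == EXPECTED_OPEN
```

Run against a real export, a `False` from `exe_open_ok` flags an association that no longer launches the clicked file directly and should be reviewed before any repair is applied.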
 
This key was not in 2K it was in XP fixes, I did not find it in Vista or 7 fixes either.

So it's not a native windows value, cause I've never seen it on xp. It's great! That means the registry values are the same in Win 2k than in XP!

I guess I'll compile the tool and upload it. I'll leave a link here afterwards.
 
Sorry to go slightly off topic but why the big deal about 2000? Ms don't support it, I don't, most of the anti virus companies aren't interested? Just interested to know.
 
Hi, Martyn

In fact, I'm writing this tool to work in all OS since 2000, and I just wanted to be sure that it will create the right registry values if anyone runs it on windows 2k.
 
why the big deal about 2000? Ms don't support it
Also hasn't Microsoft stopped supporting XP with SP1 and SP2? I think that they tried to stop supporting XP completely on 4/14/2009 but so many people complained so they extended support for XP Pro with SP3 till 4/8/2014. Also haven't they stopped supporting Vista with SP1?

Fred, I think it's good that you are writing tools to work with all OS's since 2000. I have always liked 2K, I know XP had a better GUI but isn't the core of the two OS's the same? But then again I like Vista also, so many people hate it but I think if you put it on a fast machine and keep it up to date it seems to work well.

I don't live where you guys live, people here don't have the latest OS running on cutting edge machines, most people around here have XP and the lucky ones have Vista. I have one customer that has windows 98 first edition, I also had someone bring in an ME a while back and I got a call just the other day with someone with a 95 machine.
 
I don't live where you guys live, people here don't have the latest OS running on cutting edge machines, most people around here have XP and the lucky ones have Vista. I have one customer that has windows 98 first edition, I also had someone bring in an ME a while back and I got a call just the other day with someone with a 95 machine.

Fair comment. In 8 months I've only seen one computer before xp.
 
I assume this is a false positive?

Of course it is! This software doesn't do anything unless you tell it to.

Well, the portable version performs a silent install and then runs UVK.

Maybe it's because of that?

Can you tell me if it does the same with the setup version?

Thanks. Fred

Note that I'm still working on the new version and it's not available yet.
 
I sent them this message:

I was told that Prevx is blocking my virus removal tool UVK, downloadable at http://www.carifred.com/uvk/ ironically saying it's a "High risk cloaked malware".

This isn't true and I think you should review your malware detection method.

Please whitelist it as soon as possible.

Thanks. Fred

We'll see what they say. These guys use heuristic methods that aren't worth a sh... They probably don't detect the new viruses but they detect the tools to delete them. Isn't it ironic?
 
Can you tell me if it does the same with the setup version?

Thanks. Fred

Yes the setup version is also blocked. I'm also running Eset and MBAM (on demand), neither detect any problems.

I had a similar issue with Prevx and Internet Download Manager recently but to their credit Prevx did address it reasonably quickly.

Good luck with the software - I'm looking forward to trying the new version.
 
Good luck with the software - I'm looking forward to trying the new version.

Thank you. I think you've made a good choice.

I'm inserting a lot of new features:

==> Add new items to context menu in the Process explorer and Startup items screens like File properties, Open File location, and all the options on the buttons in the lower pane.

==> Add a new list view with the scheduled tasks, active drivers and image hijacks on the Startup items screen.

==> Add more scanned areas and the option to hide Microsoft signed files on UVK scan screen. This will make it easier to analyze the log.

Add all ExeFixer features plus a button to flush dns and clear hosts file and Enable & repair windows update.

And this is not all. It's almost ready but I need to test it in several Windows versions and archs and update the site before I upload it.

I think it will make a good tool.
 
Virus total shows clean on all bar K7AntiVirus - which I've never heard of anyway. Prevx shows clean.

Thanks for the tool, will have a look at it when I get a quiet moment later on in the week.
 
ExeFixer is available

Well, ExeFixer is available.

To launch the tool if the .exe extension has been deleted, use the context menu Open With from another file (e.g. a text file) and choose to open it with ExeFixer.

It's possible that if user account control is enabled, this must be done in safe mode.

Anyway, all instructions and download can be found here: ExeFixer.

I hope some of you find it useful. And please post if you find any bugs. :)


I've integrated all ExeFixer tools and some others into the new UVK version.

The new version is ready, but I still have to update the site before uploading it.

It will also be available in a couple of days. I'll post when it is.
 