Viruses altering Registry Runxxx keys

[jnicks]

Various viruses and worms put themselves in the registry for starting on re-boot.

I thought about this for a bit and discovered it is pretty easy to use RegEdit to first save the keys, and then on boot:

1. Delete the vulnerable keys
2. Replace them from a small small.

Which can be done in about a second on a system that allows a Pre-Windows phase, like AUTOEXEC.BAT in 9x.

Not at all as good as an updated A-V and signature file, but it is so easy and fast it might be of some use.

I put up a HOW TO at

http://www.roninsg.com/regrepl.htm

 

[AVChap]

Problem with this solution is some legit programs are being initialized from the RUN key. Deleting this and replacing them with a blank key will only create more problems.

I don't have a better way so I'm not going to suggest one.

AVChap

 

[hnd]

There is a tool on a german site to enforce the "Run part" of the registry, and the Windows init files. It gives a Alarm if something changes there.

You may download Trojancheck from:

http://www.trojancheck.de/download.html

The program is shareware, but the private use is free.
hnd
hasso55@yahoo.com

 

[jnicks]

A misunderstanding, as it does not replace with blank keys. The Before you run it you use Regedit to store the original keys in a file.

Any programs that you had, that stored pre-load, service or run will still be there. Additions will be removed.

Not a problem.