; regfix.inf - Windows setup information (INF) file, applied with
; "rundll32.exe setupapi,InstallHinfSection <section> 128 regfix.inf"
; (see [informasi] and [AUTORUN]). Lines starting with ";" are comments.
; %10% and %11% below are the standard INF DIRIDs for the Windows directory
; and the system directory respectively (see [DestinationDirs]).
[Version]
; "$Chicago$" is the Windows 9x-era INF signature; setupapi on NT-based
; Windows generally accepts it as well - presumably chosen so the same file
; runs on any client version. Confirm on the oldest/newest targets in use.
Signature="$Chicago$"
Provider=DennyHalim.com
; "informasi" (Indonesian: information) - documentation-only section. None of
; these keys is a setupapi directive, so they are presumably ignored at install
; time and exist only for the reader.
[informasi]
license=http://creativecommons.org/licenses/by-nc-sa/3.0/
usage=http://wiki.dennyhalim.com/fixing-windows-registry
; Command line for the boot-persistent variant; it runs [InstallService].
installservice=rundll32.exe setupapi,InstallHinfSection InstallService 128 regfix.inf
; Entry point used by every handler in [AUTORUN]. Applies the machine-wide
; deletions/additions ([hapus]/[ganti]) and the current-user ones
; ([hapuscu]/[ganticu]), then copies the INF itself into %10% so the per-user
; stub in [PerUserInstall] can find it later.
[DefaultInstall]
; setupapi documents DelReg as processed before AddReg, so the stale values are
; removed before the replacements in [ganti]/[ganticu] are written.
DelReg=hapus,hapuscu
AddReg=ganti,ganticu
; "@file" copies the single named file to DefaultDestDir ([DestinationDirs]);
; CopyINF additionally copies it to the system INF directory.
CopyFiles=@regfix.inf
CopyINF=regfix.inf
; Registers the StubPath from [PerUserInstall] so each user who logs on gets the
; HKCU part ([UsersRun]) once - Active Setup style; verify on the target OS.
PerUserInstall=PerUserInstall
; Run at boot from the RunServices entry written by [RegfixService]:
; the machine-wide part only, plus re-registering the per-user stub.
[ServicesRun]
DelReg=hapus
AddReg=ganti
PerUserInstall=PerUserInstall
; Per-user stub: runs [UsersRun] against the copy of this INF in the Windows
; directory (%10%). Referenced by the PerUserInstall directives above.
[PerUserInstall]
StubPath=rundll32.exe setupapi,InstallHinfSection UsersRun 128 %10%\regfix.inf
; Current-user (HKCU) part only - what the StubPath in [PerUserInstall] runs.
[UsersRun]
DelReg=hapuscu
AddReg=ganticu
; Boot-persistent install (command line in [informasi] installservice): writes
; the RunServices entry from [RegfixService], registers the per-user stub and
; copies the INF into %10% so that entry can find it at each boot.
; Note the machine-wide [hapus]/[ganti] lists are not applied here directly;
; they run through [ServicesRun] on the next boot.
[InstallService]
AddReg=RegfixService
PerUserInstall=PerUserInstall
CopyFiles=@regfix.inf
CopyINF=regfix.inf
[RegfixService]
;add regfix to startup to fix stubborn malware
; NOTE(review): RunServices is the Windows 9x/ME boot-time run key; NT-based
; Windows does not process it, so on XP and later this entry is presumably
; inert - confirm which targets this file is meant for. Either way it is an
; auto-start entry of the kind endpoint protection reports, so expect alerts.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, regfix,,"rundll32.exe setupapi,InstallHinfSection ServicesRun 128 %10%\regfix.inf"
[DestinationDirs]
; DIRID 10 = Windows directory; this is where CopyFiles=@regfix.inf lands and
; where the %10%\regfix.inf paths in [PerUserInstall]/[RegfixService] point.
DefaultDestDir=10 ;windows
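; Machine-wide values written by [DefaultInstall] and [ServicesRun].
; ("ganti" = replace.) Field layout: root, subkey, value-name, flags, data.
; Flags 0x00010001 = FLG_ADDREG_TYPE_DWORD; an empty or 0 flags field writes a
; REG_SZ. Inside an INF string a doubled "" stands for one literal quote.
[ganti]
;shell
; NOTE(review): the stock Winlogon Shell data is Explorer.exe without quotes;
; ""Explorer.exe"" is ambiguous INF string syntax - confirm what actually lands
; in the registry before relying on these four lines.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,"Shell",,""Explorer.exe""
; Safe-mode command-prompt shell, for every control set.
HKLM, SYSTEM\ControlSet001\Control\SafeBoot,"AlternateShell",,""cmd.exe""
HKLM, SYSTEM\ControlSet002\Control\SafeBoot,"AlternateShell",,""cmd.exe""
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot,"AlternateShell",,""cmd.exe""
;files
; Point each executable extension back at its stock ProgID (these are common
; hijack targets, so that opening any program runs something else instead).
HKCR, .bat,,,"batfile"
HKCR, .cmd,,,"cmdfile"
HKCR, .js,,,"jsfile"
HKCR, .vbs,,,"VBSfile"
HKCR, .reg,,,"regfile"
HKCR, .exe,,,"exefile"
HKCR, .scr,,,"scrfile"
HKCR, .com,,,"comfile"
HKCR, .pif,,,"piffile"
; Create AlwaysShowExt on each ProgID so Explorer shows the extension even for
; these types (the opposing NeverShowExt values are deleted in [hapus]).
HKCR, batfile, AlwaysShowExt
HKCR, cmdfile, AlwaysShowExt
HKCR, comfile, AlwaysShowExt
HKCR, exefile, AlwaysShowExt
HKCR, jsfile, AlwaysShowExt
HKCR, piffile, AlwaysShowExt
HKCR, regfile, AlwaysShowExt
HKCR, scrfile, AlwaysShowExt
HKCR, vbsfile, AlwaysShowExt
; Stock open commands: run the file itself with its arguments ("%1" %*).
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
; FIX: inner quotes must be doubled inside an INF string, as on the
; Software\CLASSES\regfile line further down; the original "regedit.exe "%1""
; was malformed and would not have produced regedit.exe "%1".
HKCR, regfile\shell\open\command,,,"regedit.exe ""%1"""
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
; Same entries through the HKLM view of the classes hive.
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" /S"
HKLM, Software\CLASSES\scrfile\shell\config\command,,0,"%1"
; Folder Options checkbox definitions for "Hide extensions" and "Show hidden
; files" (defaults: extensions shown, super-hidden files shown).
; FIX: the flags field used U+00D7 (the multiplication sign "x") instead of the
; letter x, which setupapi does not parse as a hex flag; corrected to 0x00010001.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
; Userinit is another frequent hijack target (anything appended after the
; comma runs at every logon); reset to the stock value.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit,0,"%11%\Userinit.exe,"
;replace with your info
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "myPolaris.com"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner ,0, "DennyHalim.com"
;safer msie
;http://blogs.msdn.com/michael_Howard/archive/2005/01/31/363985.aspx
; Disabled by the author: a SAFER path rule that appears to run Internet
; Explorer at the Basic User level (131072 = 0x20000). Enable deliberately,
; and only after confirming the install path on the target machine.
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, Description,0,"Internet Explorer"
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, ItemData,0,"C:\\Program Files\\Internet Explorer"
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, SaferFlags,0x10000,0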
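; Current-user values written by [DefaultInstall] and by [UsersRun] (the latter
; runs under each user's own HKCU via the [PerUserInstall] stub).
[ganticu]
;current users
; NOTE(review): sn.im is a URL shortener, so the page this start page resolves
; to is outside this file's control and can change after the fact; prefer a
; direct URL, or about:blank as used for the search page.
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "http://sn.im/safebrowser"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
; 12-hour clock markers for the user's locale.
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
; Show hidden/system files and file extensions for this user (DWORD values).
; FIX: the flags field used U+00D7 (multiplication sign) instead of the letter x,
; which setupapi does not parse as a hex flag; corrected to 0x00010001.
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0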
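; Machine-wide deletions (DelReg) applied by [DefaultInstall] and [ServicesRun].
; ("hapus" = delete.) "root, subkey" alone deletes that key and everything
; under it; "root, subkey, value" deletes a single value.
[hapus]
;remove known malicious image file execution options
; Each line deletes one IFEO subkey named after an executable. A Debugger value
; in such a subkey makes Windows launch something else in place of that
; program, which is how the recovery tools listed here get blocked.
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-CLN.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-RTP.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe"
; (the original listed the following entry twice; the duplicate was dropped)
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe"
; FIX: the original quoted "Setup.exe,debugger" etc. with the comma inside the
; quotes, which names a subkey literally called "Setup.exe,debugger" rather than
; the Setup.exe subkey that holds the Debugger value. Deleting the per-executable
; subkey, as every other entry here does, removes that value too.
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe"
;remove all unknown malicious image file execution options
;http://www.avertlabs.com/research/blog/index.php/2008/12/09/image-file-execution-options/
; NOTE(review): this deletes the entire IFEO key, which makes the per-executable
; entries above redundant and also removes any legitimate entries (developer
; debugging/GlobalFlag settings, entries some security products keep there).
; On machines where IFEO is used intentionally, limit the fix to known names.
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
;remove disablilities
; NeverShowExt hides the extension even when Explorer is set to show them;
; [ganti] writes AlwaysShowExt on the same ProgIDs instead.
HKCR, exefile, NeverShowExt
HKCR, batfile, NeverShowExt
HKCR, cmdfile, NeverShowExt
HKCR, VBSFile, NeverShowExt
HKCR, JSFile, NeverShowExt
HKCR, comfile, NeverShowExt
; FIX: "pifile" was a typo for the piffile ProgID used in [ganti] (.pif -> piffile).
HKCR, piffile, NeverShowExt
HKCR, scrfile, NeverShowExt
HKLM, SOFTWARE\Classes\exefile, NeverShowExt
HKLM, SOFTWARE\Classes\scrfile, NeverShowExt
; Policy values that lock the user out of recovery tools (System Restore,
; Windows Installer, cmd, regedit, Task Manager, msconfig, Folder Options,
; Control Panel, Search, Run, ...). The same values are written by legitimate
; group policy, so on a managed machine this reverts them until the next
; policy refresh - presumably acceptable for a malware clean-up, but be aware.
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKLM, Software\Policies\Microsoft\Windows\System, DisableCMD
; NOTE(review): EnableLUA is the UAC switch on Vista and later; deleting it
; (rather than setting it to 1) leaves UAC at whatever the OS treats as the
; default for a missing value - confirm that is the intended end state.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoSetFolders
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoLogOff
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
;remove some known malicious apps on startup
; Run values by the names the author observed. The last two borrow the names of
; real system services, which do not start through the Run key.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, def
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SysRestore
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, spoolsv.exe
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, svchost.exe
;remove ALL startup
;warning: this could/might also remove your antivirus from startup
;http://www.bleepingcomputer.com/tutorials/tutorial44.html
;HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run
;misc
; Logon banner caption/text (removed presumably because an unwanted banner was
; observed; this also clears a legitimately configured one).
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeCaption
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeText
; Purpose of the Applets dl/ds values is not documented here.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
; Removing the explicit TCP connection cap restores the system default.
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections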
; Current-user deletions (DelReg) applied by [DefaultInstall] and [UsersRun];
; the HKCU counterpart of [hapus]. Registry paths are case-insensitive, so the
; lowercase spellings below address the same keys as the mixed-case ones.
[hapuscu]
; Per-user policy lock-outs (cmd, regedit, Task Manager, msconfig, Folder
; Options, Control Panel, Search, Run, ...). As with [hapus], legitimately
; applied user policy is reverted too until the next policy refresh.
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKCU, software\microsoft\windows\currentversion\policies\system, DisableRegistryTools
HKCU, software\microsoft\windows\currentversion\policies\system, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoSetFolders
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoLogOff
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
; Custom IE window title (trailing comma leaves the flags field empty).
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,
; Clears the user's screensaver setting - including one the user chose
; legitimately; they will need to pick it again.
HKCU, Control Panel\Desktop, SCRNSAVE.EXE
; Run values that borrow the names of real system services (which do not start
; through the Run key).
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, spoolsv.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, svchost.exe
;remove ALL startup
;warning: this could/might also remove your antivirus from startup
;http://www.bleepingcomputer.com/tutorials/tutorial44.html
;HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run
;misc
; Purpose of the Applets dl/ds values is not documented here.
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
;first, copy this file to cdrom/usb flashdisk as autorun.inf
; Autorun section: every action Explorer offers for the inserted medium (open,
; explore, copy, autoplay, eject, properties) plus the two custom context-menu
; items "Fix Registry" and "Install" run [DefaultInstall] from /regfix.inf,
; i.e. a copy of this same file at the root of the medium (so the file must be
; present twice: as autorun.inf and as regfix.inf).
; NOTE(review): since Windows 7, and on XP/Vista after the 2011 Autorun update,
; autorun.inf is ignored for USB and other non-optical removable media, so only
; the explicit context-menu entries or a CD/DVD will trigger this - verify on the
; target OS. autorun.inf chaining into rundll32 setupapi is also a well-known
; worm technique, so endpoint protection is likely to quarantine this file from
; removable media; plan for that when distributing the fix.
[AUTORUN]
shell\Open\Default=1
Open=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Open\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Explore\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Copy\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\AutoPlay\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Eject\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Properties\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
ShellExecute=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
ShellEx=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
; Context-menu entries shown for the drive in Explorer.
shell\regfix=Fix Registry
shell\regfix\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\install=Install
shell\install\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf