@dennyhalim
Created July 13, 2009 11:56
; regfix.inf - Windows setup INF, applied with
;   rundll32.exe setupapi,InstallHinfSection <section> 128 <path>\regfix.inf
; It restores registry settings that malware commonly alters (Winlogon shell
; and userinit, executable file-type handlers, Image File Execution Options
; "Debugger" hijacks, System/Explorer policy lock-outs) and removes a list of
; known-bad autostart entries. Most sections write HKLM, so it must run with
; administrative rights. Read the notes in [hapus] and [AUTORUN] before use.
[Version]
; $Chicago$ is accepted by setupapi on every Windows version ($Windows NT$ is the alternative)
Signature="$Chicago$"
Provider=DennyHalim.com
; "informasi" (Indonesian: information) - free-form metadata, not a setupapi
; directive section; nothing else in this file references it.
[informasi]
license=http://creativecommons.org/licenses/by-nc-sa/3.0/
usage=http://wiki.dennyhalim.com/fixing-windows-registry
; Command line that installs the re-apply-at-startup hook ([InstallService]).
; Flag 128 makes the INF's own directory the default source path; the bare
; "regfix.inf" is resolved relative to the current directory, so run this from
; the folder that holds the file.
installservice=rundll32.exe setupapi,InstallHinfSection InstallService 128 regfix.inf
; Entry point used by the [AUTORUN] commands and by right-click "Install":
; one-shot machine-wide clean-up plus the per-user stub.
[DefaultInstall]
; delete the lock-out / hijack values (machine section, then current-user section)
DelReg=hapus,hapuscu
; restore stock values (machine section, then current-user section)
AddReg=ganti,ganticu
; keep a copy of this INF in %10% (the Windows directory, see [DestinationDirs])
; because StubPath and the autostart command reference %10%\regfix.inf
CopyFiles=@regfix.inf
CopyINF=regfix.inf
; NOTE(review): PerUserInstall/StubPath is the advpack.dll (Active Setup)
; convention; setupapi's InstallHinfSection, which every launcher in this file
; uses, is not documented to process it - confirm on the target OS that the
; per-user stub is actually registered.
PerUserInstall=PerUserInstall
; Re-apply section run from the autostart entry written by [RegfixService]:
; machine-wide part only; the HKCU part is left to the per-user stub.
[ServicesRun]
DelReg=hapus
AddReg=ganti
; see the note on PerUserInstall in [DefaultInstall]
PerUserInstall=PerUserInstall
; Per-user stub: runs [UsersRun] against the logging-on user's HKCU, using the
; copy of this INF that CopyFiles placed in the Windows directory (%10%).
; NOTE(review): StubPath/PerUserInstall is the Active Setup convention handled
; by advpack.dll; setupapi's InstallHinfSection (used by every launcher in this
; file) is not documented to honour it - verify that an Active Setup
; "Installed Components" entry is really created before relying on this.
[PerUserInstall]
StubPath=rundll32.exe setupapi,InstallHinfSection UsersRun 128 %10%\regfix.inf
; Current-user half of the clean-up (HKCU only), invoked by the StubPath
; command; it needs no administrative rights.
[UsersRun]
DelReg=hapuscu
AddReg=ganticu
; "Service" install: registers the autostart entry ([RegfixService]) and the
; per-user stub, and copies this INF to the Windows directory so the stored
; command lines (%10%\regfix.inf) keep working after the source drive is gone.
; NOTE: a rundll32/setupapi autostart is the same persistence pattern malware
; uses; AV/EDR may flag it. Remove it once the machine is clean.
[InstallService]
AddReg=RegfixService
; see the note on PerUserInstall in [DefaultInstall]
PerUserInstall=PerUserInstall
CopyFiles=@regfix.inf
CopyINF=regfix.inf
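; Autostart entry that re-runs [ServicesRun] at every logon, so the fixes are
; re-applied if resident malware undoes them ("stubborn malware").
; Written to the Run key: the RunServices key used by the original version is
; processed by Windows 9x/Me only and is ignored by Windows NT/2000/XP and
; later, so the hook never fired there. A Run entry executes in the
; logging-on user's context; the HKLM writes in [ServicesRun] therefore only
; succeed for administrative users.
; NOTE: this is the same rundll32/setupapi persistence pattern malware uses;
; AV/EDR may flag it. Delete the value once the machine is clean.
; AddReg format: root, subkey, value-name, flags (empty = REG_SZ), data.
[RegfixService]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, regfix,,"rundll32.exe setupapi,InstallHinfSection ServicesRun 128 %10%\regfix.inf"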
; Destination for CopyFiles=@regfix.inf: dirid 10 = the Windows directory
; (%10%), which is where StubPath and the autostart command expect the INF.
[DestinationDirs]
DefaultDestDir=10
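; "ganti" (Indonesian: replace) - machine-wide values restored to stock
; Windows settings. AddReg format: root, subkey, value-name, flags, data
; (empty flags = REG_SZ, 0 = REG_SZ, 0x00010001 = REG_DWORD). Inside a quoted
; INF string a literal " is written as "", so """%1"" %*" is the registry
; value "%1" %*.
[ganti]
; Winlogon shell and the Safe Mode command-prompt shell: frequent hijack
; points. The stock values are the bare program names without surrounding
; quotes; the original ""Explorer.exe"" / ""cmd.exe"" form is mis-quoted INF
; syntax (an empty string followed by stray text).
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,"Shell",,"Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot,"AlternateShell",,"cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot,"AlternateShell",,"cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot,"AlternateShell",,"cmd.exe"
; Executable file types: map each extension back to its stock ProgID so a
; malware-registered handler no longer sits in front of the file.
HKCR, .bat,,,"batfile"
HKCR, .cmd,,,"cmdfile"
HKCR, .js,,,"jsfile"
HKCR, .vbs,,,"VBSfile"
HKCR, .reg,,,"regfile"
HKCR, .exe,,,"exefile"
HKCR, .scr,,,"scrfile"
HKCR, .com,,,"comfile"
HKCR, .pif,,,"piffile"
; AlwaysShowExt: the shell shows the extension of these types even when
; "hide extensions for known file types" is on (its presence is what counts);
; the opposite NeverShowExt value is removed in [hapus].
HKCR, batfile, AlwaysShowExt
HKCR, cmdfile, AlwaysShowExt
HKCR, comfile, AlwaysShowExt
HKCR, exefile, AlwaysShowExt
HKCR, jsfile, AlwaysShowExt
HKCR, piffile, AlwaysShowExt
HKCR, regfile, AlwaysShowExt
HKCR, scrfile, AlwaysShowExt
HKCR, vbsfile, AlwaysShowExt
; Open commands: run the file itself ("%1") with its arguments (%*) instead
; of a malware-chosen interpreter. cmdfile/jsfile/vbsfile commands are not
; restored here.
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
; regedit.exe "%1" - quoting made consistent with the HKLM\Software\Classes
; copy below (the original "regedit.exe "%1"" was not valid INF escaping)
HKCR, regfile\shell\open\command,,,"regedit.exe ""%1"""
; NOTE(review): a stock installation resolves .lnk files through the shell's
; link handler rather than a shell\open\command - verify this line against a
; clean machine of the target Windows version before relying on it.
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
; stock scrfile open command is "%1" /S (same as the HKLM copy below, which
; is written last and therefore wins anyway)
HKCR, scrfile\shell\open\command,,,"""%1"" /S"
; The same handlers written through HKLM\Software\Classes, the machine half
; of the HKCR merged view.
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" /S"
HKLM, Software\CLASSES\scrfile\shell\config\command,,0,"%1"
; Folder Options check-box definitions. Malware rewrites these so that the
; "hide extensions" / "hide protected operating system files" boxes no longer
; do anything; the values below are the stock ones. Flags 0x00010001 =
; REG_DWORD - the original used a non-ASCII multiplication sign (0×...),
; which is not a valid hexadecimal flags field.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
; Userinit: another classic hijack point. %11% is the system32 dirid; the
; trailing comma is part of the stock value.
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, userinit,0,"%11%\Userinit.exe,"
; Registered owner/organisation: placeholders from the original author
; ("replace with your info"). Left disabled - a clean-up tool should not
; rebrand the machine. Uncomment and insert your own strings if wanted.
;HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "myPolaris.com"
;HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner ,0, "DennyHalim.com"
; Optional Software Restriction Policy rule that runs Internet Explorer at the
; SAFER "Basic User" level (131072 = 0x20000); see
; http://blogs.msdn.com/michael_Howard/archive/2005/01/31/363985.aspx
; Disabled by default: the path is hard-coded to C:\Program Files and must be
; checked on the target machine. INF strings have no backslash escaping, so
; the doubled "\\" of the original would have been written literally - the
; path below uses single backslashes. 0x10000 = REG_DWORD flags.
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, Description,0,"Internet Explorer"
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, ItemData,0,"C:\Program Files\Internet Explorer"
;HKLM, SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}, SaferFlags,0x10000,0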
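; "ganticu" (Indonesian: replace, current user) - HKCU values. Applied by
; [DefaultInstall] for the running user and by [UsersRun] for each user that
; logs on through the per-user stub.
[ganticu]
; Internet Explorer start and search pages, both common hijack targets.
; The original set the start page to http://sn.im/safebrowser, a third-party
; URL shortener whose destination can be changed at any time by whoever
; controls the short link - a clean-up tool must not leave an externally
; controlled redirect as every user's home page. Reset to about:blank, the
; same value used for the search page.
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
; AM/PM designators (Control Panel > Regional settings). Not a security
; setting; kept as in the original.
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
; Explorer view: show hidden and protected-OS files, show file extensions.
; Flags 0x00010001 = REG_DWORD (the original had a non-ASCII "×" in the
; flags field, which is not a valid hexadecimal value).
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0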
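; "hapus" (Indonesian: delete) - machine-wide values and keys removed.
; DelReg format: root, subkey[, value-name]; with no value-name the whole
; subkey, including everything beneath it, is deleted.
[hapus]
; Image File Execution Options "Debugger" hijacks: an IFEO\<exe>\Debugger
; value makes Windows start the named "debugger" instead of <exe>, which
; malware uses to replace Task Manager, regedit, AV tools etc. with itself.
; Each line deletes one known subkey - legitimate tools the malware targets
; as well as the malware's own image names. (The original listed
; "Britney Spears" twice.)
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-CLN.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-RTP.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe"
; The original wrote "...\Setup.exe,debugger" inside one quoted subkey field,
; which names a subkey literally called "Setup.exe,debugger"; the Debugger
; value is a separate field and is deleted as such here.
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe", Debugger
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe", Debugger
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe", Debugger
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe"
; Delete the ENTIRE Image File Execution Options key (this makes the specific
; entries above redundant, but they are harmless).
; WARNING: this also removes legitimate entries - debugger and "replace Task
; Manager" settings of developer tools and AV/EDR products, and anything
; Windows itself or installed software placed under the key. Comment out the
; next line if only the known-bad entries should go.
; http://www.avertlabs.com/research/blog/index.php/2008/12/09/image-file-execution-options/
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
; NeverShowExt hides the extension of these executable types even when
; extensions are shown - the classic "document.txt.exe" trick. (The original
; listed exefile twice and misspelled piffile as "pifile", so the .pif entry
; was never removed.)
HKCR, exefile, NeverShowExt
HKCR, batfile, NeverShowExt
HKCR, cmdfile, NeverShowExt
HKCR, VBSFile, NeverShowExt
HKCR, JSFile, NeverShowExt
HKCR, comfile, NeverShowExt
HKCR, piffile, NeverShowExt
HKCR, scrfile, NeverShowExt
HKLM, SOFTWARE\Classes\exefile, NeverShowExt
HKLM, SOFTWARE\Classes\scrfile, NeverShowExt
; Machine policies that disable System Restore, Windows Installer, cmd.exe,
; regedit, Task Manager, msconfig and assorted Explorer functions. Deleting
; the value returns each policy to "not configured".
; NOTE(review): these are the same values a legitimate Group Policy or
; corporate lock-down sets; if they come from GP they will be re-applied at
; the next refresh. EnableLUA (UAC, Vista and later) is deleted rather than
; set to 1 - confirm the effective default on the target OS if UAC state
; matters.
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKLM, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoSetFolders
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoLogOff
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
; Known-bad autostart value names under the machine Run key. The last two
; are value NAMES that mimic system processes, not the real spooler/svchost
; services.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, def
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SysRestore
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, spoolsv.exe
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, svchost.exe
; Delete ALL machine Run entries - disabled, because it would also remove
; antivirus and other legitimate autostarts.
; http://www.bleepingcomputer.com/tutorials/tutorial44.html
;HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run
; Misc. The logon banner is a favourite of malware, but deleting it also
; removes a legitimately configured corporate logon notice. The purpose of the
; Applets dl/ds values is not documented here; TcpNumConnections goes back
; to the OS default once the override is removed.
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeCaption
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeText
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections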
; "hapuscu" (Indonesian: delete, current user) - HKCU counterpart of [hapus].
; Applied by [DefaultInstall] for the running user and by [UsersRun] through
; the per-user stub. DelReg format: root, subkey, value-name.
[hapuscu]
; Per-user policies that disable cmd.exe, regedit, Task Manager, msconfig and
; assorted Explorer functions; deleting them returns each policy to "not
; configured". NOTE(review): if they come from Group Policy they will be
; re-applied at the next refresh.
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKCU, software\microsoft\windows\currentversion\policies\system, DisableRegistryTools
HKCU, software\microsoft\windows\currentversion\policies\system, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoSetFolders
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoLogOff
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
; Internet Explorer title-bar text (commonly altered; the trailing comma is an
; empty flags field)
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,
; Screen saver program. Deleting it drops a legitimately configured screen
; saver as well as a malicious one.
HKCU, Control Panel\Desktop, SCRNSAVE.EXE
; autostart value NAMES that mimic system processes (not the real services)
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, spoolsv.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, svchost.exe
; Delete ALL per-user Run entries - disabled, because it would also remove
; legitimate autostarts such as antivirus tray programs.
; http://www.bleepingcomputer.com/tutorials/tutorial44.html
;HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run
; misc: the purpose of the Applets dl/ds values is not documented here
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
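; Optional Autorun.inf: copy this file to the root of a CD/DVD or USB stick as
; autorun.inf so the fix can be started from the drive. "/regfix.inf" is a
; root-relative path, i.e. regfix.inf (this same file) must sit in the drive
; root next to autorun.inf. setupapi ignores this section; the shell ignores
; all the others.
; Caveats:
;  - AutoRun (the Open= line) only fires where the OS still honours
;    autorun.inf: once the AutoRun update (KB971029) or Windows 7 and later is
;    in place, autorun.inf on USB/removable media is ignored and only optical
;    media auto-runs. The context-menu verbs below keep working.
;  - The original version also overrode the Explore, Copy, Eject, Properties
;    and AutoPlay verbs and the non-standard ShellExecute/ShellEx keys, so
;    every interaction with the drive - even ejecting it or opening its
;    Properties - silently ran the INF. That is exactly the trick USB worms
;    use and prevents anyone from inspecting the drive before running the
;    tool; only the default Open action and explicitly labelled verbs remain.
;  - The INF needs administrative rights for its HKLM writes; rundll32 /
;    setupapi do not prompt for them.
[AUTORUN]
; default (double-click) action and AutoRun command
shell\Open\Default=1
Open=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\Open\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
; explicit, labelled context-menu entries
shell\regfix=Fix Registry
shell\regfix\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf
shell\install=Install
shell\install\command=rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 /regfix.inf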