Virus Threats and Removal Tools

Tools to reset shell\open\command\registry keys

Provided by Symantec Security Response

As part of their routine, many viruses, worms, spyware and Trojans make changes to the registry. Some of them change one or more of the shell\open \command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

For example, if the \exefile\shell\open

\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.

They may also change a registry value so that you cannot run the Registry Editor at all.

Symantec Security Response has created a tool to reset these registry values to their default settings.

WARNING: Do not use this tool unless:

• A technician or document in this site directs you to do so.
• After reading the removal instructions in the writeup, you are sure that the tool is required.

FOLLOW THESE STEPS:

1. Download the file UnHookExec.inf and save it to your Windows desktop.

(If you cannot connect to the Internet from the infected computer, download to an uninfected computer then save it to a floppy disk. Then take the floppy disk and insert it in the floppy disk drive of the infected computer.)

Note: The tool has a .inf file extension.

2. Locate the download file, either on the Windows desktop or the floppy disk.

3. Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

4. Follow any other instructions for the threat that you are trying to remove.