How to treat viruses, the universal instruction

On the page:




How to treat viruses, the universal instruction

1. disconnect the computer from the network ( sometimes the software does not extinguish the network - pull out the Ethernet cords )

2. Using Autoruns & Process Explorer to remove unnecessary processes from memory + any rubbish from autorun
(Just remove the jackdaws from anything other than userinit, exploer, ctfmon )
Http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

3. Do not reboot! Turn on the recovery system (if it was disabled) only on the system partition . Manually create a rollback point - it is important for us to keep the registry

4. Run AVZ -> File -> System Restore -> select items 1-4, 6, 8-13, 16-17. We perform. Do not reboot.

5. Download, burn to a blank WinPEmini, boot from the compact
(If the SATA screw - either disable AHCI or use Alkid liveCD)

6. on all disks clean up all the rollback points ( System Volume Information ) except 2-3 last ones

7. manually clean the tempo (temporary files folder)
% Temp%
C: \ Documents and Setting \ account_name \ Local Settings \ Temp and Temporarly Internet Files

8. from under WinPEmini run a full scan of CureIt's http://www.freedrweb.com/cureit/?lng=en
(!) Cunning = ekzeshnik launch.exe you need to unpack to a separate folder and run _start.exe

9. it is important !!! At the end of the scan, do not rush to reboot!
You need to write to the list of deleted eksteshnikov and dlok from the folder Windows & Windows \ system32
(In case they were corrupted / infected system files and cureit demolished them - Windows will not boot)

10. compare the list of deleted with dllcache. If necessary - just from the liveSD from the cache in system32

11. After stripping we try to load in "Safe Mode"

    - if booted, run TrojanRemover ttp: //www.simplysup.com/tremover/download.html
    To neutralize the residual effect of Trojans
    (!) If it swears on userinit - exclude (add to the exception)

    - If you do not boot, remember about such a thing as ERDCommander (raising Windows is already a separate topic, if I find the time - I'll sign it)

12. We are loaded in the normal mode and we demolish the pierced defense, we look the euventologist, we put patches
(See below the 2nd post in this thread)



Clean the registry


If after the treatment the axis is loaded, but the taskbar is not loaded and only the background of the desktop is visible ...

Ctrl + Alt + Del (Ctrl + Shift + Esc) -> new task (Run) -> regedit ->
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ Image File Execution Options \

In this section we search for the explorer.exe hive, select it, in the right part of the window there will be an option
Debugger (C: \ Program Files \ Microsoft \ Common \ wuauclt.exe)
Remove this parameter, close regedit, restart the task manager and start explorer

In addition, after stripping or in the process (if the scan from the live SD for the same reasons is not possible)
I advise you to pay attention to the following registry hives:

From under alkid live cd check the registry hives that are responsible for shell and startup

HKEY_LOCAL_MASHINE \ Software \ Microsoft \ Windows NT \ Currentversion \ Image File Execution Options
- search for "daddy" with the name explorer.exe , select it, in the right part of the window there will be a key "Debugging options" or "Debug" -> select it or press Del

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
* Shell should be just Explorer.exe without prefixes and add -ins like csrsc, etc.

In addition, in the process of mopping up the next company, a mutant version of the author was found, which prescribed instead of a nonsense in another registry key
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogo2
If such a partition (I mean "Win2") exists - find there the shell parameter and make sure it is equal to explorer.exe

Also check entries in the bushes
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Pokolduy with the registry:

1. copy the current registry into a separate folder
( C: \ Windows \ system32 \ config
Files without extension
Default
Sam
Security
Software
System )

2. replace the current registry so that it is in the folder
C: \ Windows \ Repair
- boot naked Windows (!), This is the registry at the time of installation
Do It Sfc / scannow
To restore system files, then from under live CD
Again return the work registry and try to load


After cleansing it is recommended



- Start -> Run -> sfc / scannow
- CCleaner http://www.ccleaner.com/download/builds/downloading-slim
- data backup
- Opera / FireFox rather than IE
- disconnection of the author (actual for flashes)
- common sense, i.e. Use the latest version of the antivirus and update it


(!) In a timely manner, do not climb on sites from the risk group



Part two :) The final


1. one by one to disconnect the car from the network ( physically pulling out the ezernetovsky lace )
2. Autoruns & Process Explorer - remove unnecessary from the RAM and autoload ( so that later did not swear )
3. AVZ -> File -> System Restore -> select items 1-4, 6, 8-13, 16-17
4. Loaded from under the LiveCD ( Mini XP / WinPE mini ) And wagging the pace + kickbacks, after a full scan CureIt `Ohm
(!) There is one small feature - to run Cureit you need its ekzeshnik ( launch.exe )
Unzip to a separate folder and start from this folder _start.exe
5. Then in SafeMode run KidoKiller , after him TrojanRemover
6. will boot into the normal, casper demolish nafig, put patches from Kido ( links see below )
7. if necessary - additionally profiling the system Hijack This
8. check if the Windows services are functioning properly ( Services.msc) And whether there are errors in the euventologist ( Eventvwr.msc )
9. put a normal antivirus. If the internet does not go through the server / gateway - also put the firewall
( EAV v 4.0.417 + Outpost 2009 or ESS )
10. (!) Only after the execution of the leading items the computer can be put into the network / inet
11. If there are problems with the TCP / IP stack - WinsockXPFix
12. (!) Repulse the hands of those who use IE and disable autorun from flash and network drives
13 . Kill the admin who allowed the rampant virai

REG files just in case


"Press once to show the spoiler - click again to hide ..."
Disable autorun
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Explorer]
"NoDriveTypeAutoRun" = dword: 000000ff

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Cdrom]
"AutoRun" = dword: 00000000


Restore_safe_mod.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot]
"AlternateShell" = "cmd.exe"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal]

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ AppMgmt]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Base]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Boot Bus Extender]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Boot file system]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ CryptSvc]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ DcomLaunch]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ dmadmin]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ dmboot.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ dmio.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ dmload.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ dmserver]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ EventLog]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ File system]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Filter]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ HelpSvc]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Netlogon]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ PCI Configuration]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ PlugPlay]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ PNP Filter]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ Primary disk]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ RpcSs]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ SCSI Class]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ sermouse.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ sr.sys]
@ = "FSFilter System Recovery"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ SRService]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ System Bus Extender]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ vga.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ vgasave.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ WinMgmt]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {36FC9E60-C465-11CF-8056-444553540000}]
@ = "Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E965-E325-11CE-BFC1-08002BE10318}]
@ = "CD-ROM Drive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E967-E325-11CE-BFC1-08002BE10318}]
@ = "DiskDrive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E969-E325-11CE-BFC1-08002BE10318}]
@ = "Standard floppy disk controller"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E96A-E325-11CE-BFC1-08002BE10318}]
@ = "Hdc"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E96B-E325-11CE-BFC1-08002BE10318}]
@ = "Keyboard"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E96F-E325-11CE-BFC1-08002BE10318}]
@ = "Mouse"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E977-E325-11CE-BFC1-08002BE10318}]
@ = "PCMCIA Adapters"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E97B-E325-11CE-BFC1-08002BE10318}]
@ = "SCSIAdapter"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E97D-E325-11CE-BFC1-08002BE10318}]
@ = "System"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E980-E325-11CE-BFC1-08002BE10318}]
@ = "Floppy disk drive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@ = "Volume"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@ = "Human Interface Devices"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network]

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ AFD]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ AppMgMt]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlset \ Control \ SafeBoot \ Network \ Base]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Boot Bus Extender]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Boot file system]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Browser]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ CryptSvc]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ DcomLaunch]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Dhcp]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ dmadmin]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ dmboot.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ dmio.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ dmload.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ dmserver]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ DnsCache]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ EventLog]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ File system]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Filter]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ HelpSvc]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ ip6fw.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ ipnat.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ LanmanServer]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ LanmanWorkstation]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ LmHosts]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Messenger]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NDIS]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NDIS Wrapper]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Ndisuio]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetBIOS]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetBIOSGroup]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetBT]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetDDEGroup]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Netlogon]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetMan]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Network]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NetworkProvider]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ nm]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ nm.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ NtLmSsp]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ PCI Configuration]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ PlugPlay]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ PNP Filter]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ PNP_TDI]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Primary disk]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ rdpcdd.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ rdpdd.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ rdpwd.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ rdsessmgr]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ RpcSs]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ SCSI Class]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ sermouse.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ SharedAccess]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ sr.sys]
@ = "FSFilter System Recovery"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ SRService]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Streams Drivers]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ System Bus Extender]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ Tcpip]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ TDI]
@ = "Driver Group"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ tdpipe.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ tdtcp.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ termervice]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ vga.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ vgasave.sys]
@ = "Driver"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ WinMgmt]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ WZCSVC]
@ = "Service"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {36FC9E60-C465-11CF-8056-444553540000}]
@ = "Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E965-E325-11CE-BFC1-08002BE10318}]
@ = "CD-ROM Drive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E967-E325-11CE-BFC1-08002BE10318}]
@ = "DiskDrive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E969-E325-11CE-BFC1-08002BE10318}]
@ = "Standard floppy disk controller"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E96A-E325-11CE-BFC1-08002BE10318}]
@ = "Hdc"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E96B-E325-11CE-BFC1-08002BE10318}]
@ = "Keyboard"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E96F-E325-11CE-BFC1-08002BE10318}]
@ = "Mouse"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E972-E325-11CE-BFC1-08002BE10318}]
@ = "Net"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E973-E325-11CE-BFC1-08002BE10318}]
@ = "NetClient"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E974-E325-11CE-BFC1-08002BE10318}]
@ = "NetService"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E975-E325-11CE-BFC1-08002BE10318}]
@ = "NetTrans"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E977-E325-11CE-BFC1-08002BE10318}]
@ = "PCMCIA Adapters"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E97B-E325-11CE-BFC1-08002BE10318}]
@ = "SCSIAdapter"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E97D-E325-11CE-BFC1-08002BE10318}]
@ = "System"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E980-E325-11CE-BFC1-08002BE10318}]
@ = "Floppy disk drive"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@ = "Volume"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@ = "Human Interface Devices"

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa]
"Authentication Packages" = hex (7): 6d, 00,73,00,76,00,31,00,5f, 00,30,00,00,00,00, \
00


Restore_hidden.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden]
"Text" = "@ shell32.dll, -30499"
"Type" = "group"
"Bitmap" = hex (2): 25.00.53,00.79,00.73,00.74,00.65,00.6d, 00.52.00.6f, 00.6f, 00.74 , \
00.25.00.5c, 00.73.00.79.00.73,00.74,00.65.00.6d, 00.33,00.32,00.5c, 00.53.00, \
48.00.45.00.4c, 00.4c, 00.33.00, 32.00.2e, 00.64.00.6c, 00.6c, 00.2c, 00.34.00,00, \
00
"HelpID" = "shell.hlp # 51131"

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ NOHIDDEN]
"RegPath" = "Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Explorer \\ Advanced"
"Text" = "@ shell32.dll, -30501"
"Type" = "radio"
"CheckedValue" = dword: 00000002
"ValueName" = "Hidden"
"DefaultValue" = dword: 00000002
"HKeyRoot" = dword: 80000001
"HelpID" = "shell.hlp # 51104"

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL]
"RegPath" = "Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Explorer \\ Advanced"
"Text" = "@ shell32.dll, -30500"
"Type" = "radio"
"CheckedValue" = dword: 00000001
"ValueName" = "Hidden"
"DefaultValue" = dword: 00000002
"HKeyRoot" = dword: 80000001
"HelpID" = "shell.hlp # 51105"


Restore_regedit.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System]
"DisableRegistryTools" = dword: 0


Restore_taskmgr.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System]
"DisableTaskMgr" = dword: 0