Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

exe = "%1" %*

865 views
Skip to first unread message

tomd

unread,
Apr 12, 2000, 3:00:00 AM4/12/00
to
"Win95 4.00.950 B

One of the 18 machines I deal with lost its Norton definition files
and got nailed with PrettyPark last weekend.

From Symantec:
"
PrettyPark.Worm is a worm that performs similarly to Happy99.Worm.
This worm was originally spread through mass emailings that originated
from France. The program file attached to these emails is named
PrettyPark.exe. When PrettyPark.exe is executed, it may display the
Windows 3D Pipes screen saver. It also does the following:

Creates a file named Files32.vxd in the \Windows\System folder.
Modifies the (Default) value from "%1" %* to FILES32.VXD "%1" %* in
the following registy key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
"

The fix is to replace the key value with the original value, delete
the exe and vxd files and live happily ever after. There are also many
*.reg fixes out there like this one:

>CleanPPark.reg:
>REGEDIT4
>[HKEY_CLASSES_ROOT\exefile\shell\open\command]
>@="\"%1\" %*"
>[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
>@="\"%1\" %*”

In all cases, it doesn't solve the following:

When I open Explorer on any other machine, all exe files are listed as

Name whatever.exe
Type Application

When I open this Explorer (which will only open through a right-click
on Start) all exe files are listed as
Name whatever.exe
Type "%1" %*

When I open View > Options > File Types on any other machine, there is
a registered file type
Application
Extension: EXE
Content Type(MIME): application/x-msdowmload
Opens with: [EXECUTABLE]

When I open View > Options > File Types on this machine, there is a
registered file type
"%1" %*
Extension: EXE
Content Type(MIME): application/x-msdowmload
Opens with:
is blank instead of [EXECUTABLE]

"%1" %* being the value that gets corrected in any of the 'fix'
methods

I've done all the above fix methods several times each,done each
manually, compared the entries on other machines, and it all looks
like it should be fine. Other than that nothing works. Among the wierd
things is that programs won't run from desktop icons, won't run by
double-clicking the program in Explorer, but will run from a
double-click on an output file (ie: a Word document will open the
program, and Excel spreadsheet will open the program, but the program
will not open on its own.)

It's as if it's picking up the file registration info from the wrong
step in the HKEY: losing
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
(Default) "Application"

and picking up the value
command
(Default) ""%1" %*"
instead.

I've got a string going on alt.comp.virus called
in which I've been advised to check the [boot] section of system.ini
for
shell=Explorer.exe
which is there ok.I've also searched for any reference to pretty* or
files32.vxd in win.ini, system.ini, autoexec.*, config.*, the Registry
on the assumption that maybe something was buried somewhere, but found
nothing. I tried replacing the explorer.exe program file with one
copied from another machine thinking that maybe the file had been
damaged somehow, but that didn't have any effect either.

I'm now wondering if the problem is that because explorer.exe itself
is now associated with the "%1" %* filetype, Windows can't 'find' it
and that's the cause of the problem ???

tomd

unread,
Apr 13, 2000, 3:00:00 AM4/13/00
to

tomd

unread,
Apr 13, 2000, 3:00:00 AM4/13/00
to
Axel Pettinger
Graham Sargent
Norman L. DeForest
Zvi Netiv
Tom Moore
Mike Donnelly
Steve Sellers
and all the kind folks at
<http://www.allexperts.com/Board.asp?Category=1061>

I'm writing to thank you all for your help with this challenge- every
little bit of help counted, and I can guarantee you that I now know a
_lot_ more about the Registry now than when I started :-)

The trick that fixed it all came from Alan Edwards, who responded to
my plea on comp.os.ms-windows.win95.misc as follows:

<begin>
Try the whole exe association from this:
(check manually as well to ensure there is nothing else of any
consequence)

Make up a file from the lines below. Copy into a file called fix.reg
which should be created in Notepad. Do not retype, copy in case of
errors. The 1st line in the file is the line REGEDIT4
The last line must be blank.
Make sure your mail or news reader does not add any spaces to the end
of a line.
Doubleclick to restore the association.

-----copy below this line fix.reg------------
REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

---- end file above here
<end>

and that fixed it all. Again, thanks to all- and Alan- I'm going to
print it and frame it for my office wall and a second copy for my
General Manager, since it was his machine . . .
<G>

Tom

and The Geek shall inherit the earth . . .
Axel Pettinger
Graham Sargent
Norman L. DeForest
Zvi Netiv
Tom Moore
Mike Donnelly
Steve Sellers
and all the kind folks at
<http://www.allexperts.com/Board.asp?Category=1061>

I'm writing to thank you all for your help with this challenge- every
little bit of help counted, and I can guarantee you that I now know a
_lot_ more about the Registry now than when I started "-)

The trick that fixed it all came from Alan Edwards, who responded to
my plea on comp.os.ms-windows.win95.misc as follows:

<begin>
Try the whole exe association from this:
(check manually as well to ensure there is nothing else of any
consequence)

Make up a file from the lines below. Copy into a file called fix.reg
which should be created in Notepad. Do not retype, copy in case of
errors. The 1st line in the file is the line REGEDIT4
The last line must be blank.
Make sure your mail or news reader does not add any spaces to the end
of a line.
Doubleclick to restore the association.

-----copy below this line fix.reg------------
REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell]
@=""

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}]
@=""

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

---- end file above here
<end>

and that fixed it all. Again, thanks to all- and Alan- I'm going to
print it and frame it for my office wall and a second copy for my
General Manager, since it was his machine . . .
<G>

Tom

and The Geek shall inherit the earth . . .


0 new messages