Changes to Shell Open Command

By Mary Landesman, About.com

Malware can load from a variety of different places on your PC. In addition to the more common modifications to Windows auto-start entry points, malware may leverage the shell open command. This allows it to register itself as the handler for certain file types, so that the virus, worm or Trojan loads whenever a file of one of these types is opened. (The 2001 Sircam worm was one of the earliest examples of widespread malware using this technique.)

The following keys are typically targeted:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command
  • HKEY_CLASSES_ROOT\htfile\shell\open\command

The default value for each of these should be "%1" %*. If malware has registered itself as the handler, the value would appear similar to the following:

    <malware> %1

where <malware> represents the filename of the malicious program.

When manually attempting removal of a virus, worm, Trojan or other malware that has registered itself as the handler in this manner, you must correct the registry value before you attempt to delete the copy of the malware. Otherwise the key still points at the deleted file, so when you reboot your system you will not have a valid handler for these file types and the system will not load Windows.

To correct the handler value, replace the contents with:

    "%1" %*

Symantec also provides a free tool to reset shell\open\command registry keys.
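The check described above, as an added example that is not part of the original article: it parses saved output of `reg query <key> /ve` for the six keys and flags any default value that differs from the one the article gives. The sample output and the file name in it are constructed, the function names are hypothetical, and the optional `baseline` argument lets you compare against values taken from a known-good machine instead.

```python
import re

# ProgIDs under HKEY_CLASSES_ROOT that the article lists as typical targets.
WATCHED = ("exefile", "comfile", "batfile", "piffile", "htafile", "htfile")
PAGE_DEFAULT = '"%1" %*'  # default value as stated in the article

KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$", re.I)
# Assumes English-language reg.exe output, where the unnamed value prints as (Default).
VAL_RE = re.compile(r"^\s+\(Default\)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$")

def parse_reg_query(text):
    """Return {progid: default command} from `reg query ... /ve` output."""
    found, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            continue
        m = VAL_RE.match(line)
        if m and current:
            found[current] = m.group(1).strip()
    return found

def audit(text, baseline=None):
    """Return (progid, status, value) for every watched key."""
    baseline = baseline or {}
    seen = parse_reg_query(text)
    report = []
    for progid in WATCHED:
        value = seen.get(progid)
        expected = baseline.get(progid, PAGE_DEFAULT)
        status = "missing" if value is None else ("ok" if value == expected else "modified")
        report.append((progid, status, value))
    return report

# Constructed sample: exefile holds a "<malware> %1" style value, htfile was not captured.
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\Temp\example.exe %1

HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*
'''

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A key reported as "modified" is one to correct before deleting the file it points to, for the reason given above.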

    ©2009 About.com, a part of The New York Times Company.

    All rights reserved.