BACKGROUND
Back in October last year I installed an anti-ransomware application called CryptoPrevent on the recommendation of a security blog called KrebsOnSecurity.com. At the time a malicious file called CryptoLocker was doing the rounds, and Krebs recommended CryptoPrevent to prevent the ransomware from doing its dirty work.
At the time I was also using the free version of Malwarebytes, which didn’t include anti-exploit protection against ransomware, and therefore CryptoPrevent seemed to be the ideal solution.
Some time after that, CryptoPrevent was revised to include antivirus as well for the premium version, which I decided to purchase. A few weeks later Malwarebytes introduced its latest version to include AV and anti-exploit/anti-ransomware, together with a lifetime license for about $25 if my memory serves me correctly. Considering the Malwarebytes deal was better than the CryptoPrevent package, which had to be renewed annually, I uninstalled the latter.
CURRENT PROBLEM
I frequent Martin Brinkman’s ghacks.net site a lot, and this morning he published an article concerning HP installing telemetry on users’ systems. In the article Martin advised running appwiz.cpl to open Programs and Features to check whether the HP application had been installed. It’s at this particular juncture that all my troubles started. The OS displays an error message that appwiz.cpl can’t be found, even though it’s present in c:\windows\system32. Trying to run any .cpl file in the System32 directory results in the OS asking which program the user wants to use to open it. Here’s an image of the choices, and the clue is the one at the top, needless to say: https://imgbox.com/IQde3dHY
I’ve been through the registry already and I think the culprit is this one: https://imgbox.com/9aWBchx7 But deleting the CryptoPrevent registry key shown at the top of the image only serves to cause the OS to display a message that it can’t find a file or a program to perform the task of running appwiz.cpl (I ran System Restore after that). I thought about using the value shown at the bottom of the image, but I’m not sure whether that would be the correct value or not.
Although I regularly create system images, I unfortunately no longer have one dating from 2016, i.e. from before installing CryptoPrevent.
Neither sfc /scannow nor DISM.exe /Online /Cleanup-image /Scanhealth results in a fix, and both commands return a “no corruption found” result.
The registry hives shown in the image came from these two locations: HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
HKEY_CLASSES_ROOT\cplfile\shell\open\command
I ran “wmic product get > C:\InstalledPrograms.txt” hoping to get a CLSID GUID, but to no avail, since the culprit isn’t present anymore: it’s just its d**n registry keys which have been left behind that are screwing with my system.
So any suggestions on how to rectify this anomaly, guys?
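The following PowerShell script is an added example, not part of the original post and not CryptoPrevent’s or Microsoft’s code. It dumps the .cpl file-association chain the post is looking at (the cplfile handler commands, the .cpl extension’s ProgId, and the per-user UserChoice override that HKEY_CLASSES_ROOT merges in from HKCU) and, for each handler command, checks whether the executable it names still exists on disk. A leftover handler that points at an uninstalled program is exactly what produces the “which program do you want to use” prompt. The “expected default” strings are an assumption about a stock Windows installation; compare them against a known-good machine before copying anything. Run it from an elevated PowerShell prompt, and export the key with reg export before making any change.

```powershell
# Added example (not from the original post). Inspects the registry chain that
# decides what runs when a .cpl file is opened, and flags handler commands that
# point at an executable that no longer exists.
#
# Back up first (run in an elevated prompt):
#   reg export HKCR\cplfile "$env:USERPROFILE\Desktop\cplfile-backup.reg"

# ASSUMPTION: what these values look like on a stock Windows install.
# Verify against a known-good machine before using them to repair anything.
$expectedDefaults = @{
    'Registry::HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command' = '%SystemRoot%\System32\control.exe "%1",%*'
    'Registry::HKEY_CLASSES_ROOT\cplfile\shell\open\command'    = '%SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*'
}

function Get-HandlerExecutable {
    # Pulls the program path out of a shell "command" value, honouring quotes
    # and expanding %SystemRoot%-style variables.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-DefaultValue {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

Write-Output "== Extension and per-user override =="
# HKCR is a merged view: HKCU\Software\Classes shadows HKLM\Software\Classes,
# and Explorer's UserChoice key overrides both for the current user.
[pscustomobject]@{
    Item  = 'HKCR\.cpl (default ProgId)'
    Value = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.cpl'
}
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cpl\UserChoice'
[pscustomobject]@{
    Item  = 'HKCU ... FileExts\.cpl\UserChoice ProgId'
    Value = if (Test-Path -LiteralPath $userChoice) { (Get-ItemProperty -LiteralPath $userChoice).ProgId } else { '(not set)' }
}
[pscustomobject]@{
    Item  = 'HKCU\Software\Classes\cplfile present?'
    Value = Test-Path -LiteralPath 'HKCU:\Software\Classes\cplfile'
}

Write-Output "== cplfile handler commands =="
foreach ($key in $expectedDefaults.Keys) {
    $cmd = Get-DefaultValue $key
    $exe = Get-HandlerExecutable $cmd
    [pscustomobject]@{
        Key             = $key -replace '^Registry::', ''
        Command         = if ($null -eq $cmd) { '(key missing)' } else { $cmd }
        Executable      = $exe
        ExeExists       = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        MatchesExpected = ($cmd -eq $expectedDefaults[$key])
    }
}
```

Anything in the output with ExeExists = False is a dangling handler; that is the value to repair, rather than deleting the whole key, because removing the command key leaves Windows with no handler at all (the “can’t find a file or a program” error described above). If the UserChoice ProgId or an HKCU\Software\Classes\cplfile key points at the uninstalled program, those per-user entries need the same attention, since they take precedence over the machine-wide cplfile keys.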