Tutorial: Most important areas in the registry to check for viruses?

Ali80

Level 5
Thread author
Nov 13, 2014
218
Regedit is a file that runs the Registry Editor on computers that run the Microsoft Windows operating system. The Registry Editor stores settings and values for the computer's operating system, hardware, software and users. The file regedit.exe is located in the Windows directory on the hard disk when viewing the contents of My Computer. Regedit allows a user to view registry entries as well as edit and make changes to various registry values. Viruses in the registry, as well as the memory and file system structure of a computer, can eventually spread, and catastrophically and adversely affect the performance of software, files and devices connected to the computer. Detecting viruses as soon as possible decreases the risk of irreversible damage to the system registry and prevents viruses from replicating to other areas of the computer and causing the same potentially irreversible damage.

The most important areas in the registry to check if you think that malware is on your system are:

1) StartUp

C:\windows\start menu\programs\startup

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
Anything in here executes when you start up your computer.

2) Windows Scheduler

Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat

It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) Autoexec.bat

Autoexec.bat is a system file that was originally on DOS-type operating systems. It is a plain-text batch file in the root directory of the boot device. The name of the file is an abbreviation of "automatic execution", which describes its function in automatically executing commands on system startup; the filename was coined in response to the 8.3 filename limitations of the FAT file system family.


6) These registry keys are what launch your programs; as you can see this is very dangerous, because these keys are heavily used by malware.

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have the value "%1" %*; if this is changed to "server.exe %1 %*", server.exe will be executed EVERY TIME an exe/pif/com/bat/hta file is executed.

7) Explorer start-up

The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one you see all the time but don't realize is there; if you go to your Task Manager you can see it, and you can even kill it and you will see that everything on your computer that belongs to Microsoft disappears, except for the extra windows you have opened such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so that is a clue that a small difference can have an effect on your computer. Here is the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

If a Trojan changes that to the path of another "infected explorer.exe file", your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8) Active-X Component

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe

This key is great because it starts the program in its path BEFORE explorer.exe and any other program starts on your computer, so if you wonder why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.

Have you scanned your PC with your current AV?

I recommend you to download and install Malwarebytes Anti-Malware:
http://www.malwarebytes.org/mwb-download/
(after you run the program you must UPDATE its database... then scan your PC)

I recommend you to download, unzip, and run Emsisoft Emergency Kit:
http://www.emsisoft.com/en/software/eek/

If it finds something, good; if not... I recommend you to download and run Kaspersky TDSS Killer Utility:
http://support.kaspersky.com/viruses/disinfection/5350#block1

If it finds something, good; if not... you can download and run Norton Power Eraser:
https://security.symantec.com/nbrt/npe.aspx

If it finds something, good; if not... I recommend you to download, create and run Kaspersky Rescue Disk:

1. Download Kaspersky Rescue Disk from here:
http://support.kaspersky.com/viruses/rescuedisk#downloads

2. On the same page you can find the User Guide - How to create Kaspersky Rescue Disk;

3. When the CD/DVD is created, put your CD in and restart your PC - it will automatically boot from CD, just read and follow the instructions (I assume that this will run automatically, as most laptops have boot priority set to CD/DVD first);

4. If your rescue CD won't start, then you must change the boot priority in the BIOS:

- Restart your PC, and when the first screen image appears press DEL.
- Find something like Boot priority and change it by setting CD or DVD in the first place.
- Save settings and restart your PC again.
- The CD should run now - then just read and follow the instructions.

These tools are highly recommended for such cases.
 
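As an added example (not part of the original post), here is a PowerShell audit script that walks the locations from sections 4, 6, 7 and 8 above and reports anything that differs from the Windows default. The expected values (`"%1" %*` for the file handlers, mshta.exe for htafile, `explorer.exe` for the Winlogon Shell) are assumptions based on a default installation.

```powershell
# Added example, not code from the original post: audits the autostart locations the
# post lists and reports anything that differs from the assumed Windows default. Run elevated.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Name, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Note = $Note })
}
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Section 4: Run/RunOnce style keys. Every value here is a persistence candidate, so list all.
$runKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $providerProps) { Add-Finding $key $p.Name $p.Value 'autostart entry, verify the path and signer' }
    }
}

# Section 6: file-type handlers. Assumed default is "%1" %* (htafile routes through mshta.exe).
foreach ($ext in 'exefile', 'comfile', 'batfile', 'piffile', 'htafile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$ext\shell\open\command"
    if (-not (Test-Path $key)) { continue }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    $expected = if ($ext -eq 'htafile') { 'mshta\.exe' } else { '^"%1" %\*$' }
    if ($cmd -notmatch $expected) { Add-Finding $key '(default)' $cmd 'handler changed: another program runs on every launch' }
}

# Section 7: Winlogon Shell is assumed to be exactly explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon).Shell
if ($shell -ne 'explorer.exe') { Add-Finding $winlogon 'Shell' $shell 'shell replaced, expected explorer.exe' }

# Section 8: Active Setup StubPath values run before the shell; list each one for review.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if ($stub) { Add-Finding $_.PSPath $_.PSChildName $stub 'runs at next logon of each user, verify signer' }
    }

$findings | Format-Table -AutoSize -Wrap
```

Compare each reported path against a known-good machine or the file's digital signature before deleting anything; Run entries from installed software are normal, so the list is a starting point for review, not a verdict.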

Cats-4_Owners-2

Level 39
Verified
Helper
Top poster
Well-known
Dec 4, 2013
2,799
Thank you for a thorough tutorial, Ali.:) I was all set to download Emsisoft Emergency Kit, but then I realized I was on Firefox on Linux!:confused: ;):p
This shall be placed on my To Do list!:D

Ali80

Level 5
Thread author
Nov 13, 2014
218
Thank you @Cats-4_Owners-2 and @ahmad123 for your comments :)
I cannot find my old textbook in which I described in detail the management and handling of registry entries (it was written for XP); however, the basics are the same for almost all Microsoft operating systems. This section was written by Norton - Symantec and it can help in finding potential hazards. When I find my old tutorial I will amend this article.