Most important areas in registry to check for viruses?
Ali80 said (post 313053):

Regedit is a file that runs the Registry Editor on computers that run the Microsoft Windows operating system. The Registry Editor stores settings and values for the computer's operating system, hardware, software and users. The file regedit.exe is located in the Windows directory on the hard disk when viewing the contents of My Computer. Regedit allows a user to view registry entries as well as edit and make changes to various registry values. Viruses in the registry, as well as the memory and file system structure of a computer, can eventually spread, and catastrophically and adversely affect the performance of software, files and devices connected to the computer. Detecting viruses as soon as possible decreases the risk of irreversible damage to the system registry and prevents viruses from replicating to other areas of the computer and causing the same potentially irreversible damage.

Most important areas in registry to check if you think that malware is in your system are:

1) StartUp

C:\windows\start menu\programs\startup

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
"Anything over here executes when you start up your computer"

2) Windows Scheduler

Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat

It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) Autoexec.bat

Autoexec.bat is a system file that was originally on DOS-type operating systems. It is a plain-text batch file in the root directory of the boot device. The name of the file is an abbreviation of "automatic execution", which describes its function in automatically executing commands on system startup; the filename was coined in response to the 8.3 filename limitations of the FAT file system family.

6) These reg keys will basically spawn your programs; as you can see this is very dangerous because these keys are heavily used by malware.

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.

7) Explorer start-up

The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one that you see all the time but don't realize is there; if you go to your Task Manager you can see it. You can even kill it and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so there is a clue of how a small difference can have an effect on your computer. Here is the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

If a Trojan changes that to the path of another "infected explorer.exe file", your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8) Active-X Component

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe

This key is great because it starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer, so if you are wondering why your antivirus can't detect the virus when you boot up, it is maybe because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.

Have you scanned your PC with your current AV?

I recommend you download and install Malwarebytes Anti-Malware:
http://www.malwarebytes.org/mwb-download/
(after you run the program you must UPDATE its database... then scan your PC)

I recommend you download, unzip, and run Emsisoft Emergency Kit:
http://www.emsisoft.com/en/software/eek/

If it finds something, good; if not... I recommend you download and run Kaspersky TDSS Killer Utility:
http://support.kaspersky.com/viruses/disinfection/5350#block1

If it finds something, good; if not... you can download and run Norton Power Eraser:
https://security.symantec.com/nbrt/npe.aspx

If it finds something, good; if not... I recommend you download, create and run Kaspersky Rescue Disk:

1. Download Kaspersky Rescue Disk from here:
http://support.kaspersky.com/viruses/rescuedisk#downloads

2. On the same page you can find the User Guide - How to create Kaspersky Rescue Disk;

3. When the CD/DVD is created, put your CD in and restart your PC - it will automatically boot from CD; just read and follow the instructions (I assume that this will run automatically as most laptops' boot priority is set to CD/DVD first);

4. If your rescue CD won't start, then you must change the boot priority in BIOS:

- Restart your PC, and when the first screen image appears press DEL.
- Find something like Boot priority and change it by setting CD or DVD in first place.
- Save settings and restart your PC again.
- The CD should run now - then just read and follow the instructions.

These tools are highly recommended for such cases.
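As an added example (not part of Ali80's post and not code from any of the tools it recommends), the script below turns the checks in sections 1, 4, 6, 7 and 8 of the post into an offline audit of a .reg export, the kind of file you get from regedit's File > Export or `reg export` on a machine you are triaging. It parses the export, lists every entry under the Run / RunOnce / RunServices / RunServicesOnce keys (generalised to any such key whose parent is `...\Windows\CurrentVersion`, so Wow6432Node copies are covered too), lists every Active Setup `StubPath`, and flags a `<class>\shell\open\command` default that is not the pass-through `"%1" %*` or a Winlogon `Shell` that is not `explorer.exe` (note that `Shell` is a value under the Winlogon key, not a subkey as the post's notation suggests). The sample export, the value names, `{PLACEHOLDER-GUID}` and the "user-writable directory" heuristic used to grade autorun paths are constructed assumptions, not data from the post; real exports are UTF-16 encoded, so read them with `encoding="utf-16"`.

```python
r"""Offline audit of the autostart locations listed in the post above (added example).
Parses a 'Windows Registry Editor Version 5.00' (.reg) export and reports Run-style
entries, Active Setup StubPath values, a Winlogon Shell other than explorer.exe and
<class>\shell\open\command defaults that are not the pass-through "%1" %*."""
from __future__ import annotations
import re
from typing import NamedTuple

EXPECTED_OPEN_COMMAND = {'"%1" %*', "%1 %*"}   # baseline values quoted in the post
EXPECTED_SHELL = "explorer.exe"
AUTORUN_LEAVES = ("run", "runonce", "runservices", "runservicesonce")
# Directories an installer rarely uses for an autostart binary (assumption).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


class Finding(NamedTuple):
    severity: str   # "suspicious" or "review"
    key: str        # registry key path, lower-cased
    value: str      # value name ("@" is the default value)
    data: str
    reason: str


def _unescape(s: str) -> str:
    # In .reg strings a backslash escapes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue                                   # hex continuation lines etc.
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':   # dword:/hex: are skipped
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _user_writable(path: str) -> bool:
    return any(part in path.lower() for part in USER_WRITABLE)


def audit(keys: dict[str, dict[str, str]]) -> list[Finding]:
    findings: list[Finding] = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        byname = {n.lower(): (n, d) for n, d in values.items()}
        # 1) and 4): Run-style keys under ...\Windows\CurrentVersion
        if leaf in AUTORUN_LEAVES and parent.endswith("\\windows\\currentversion"):
            for name, data in values.items():
                sev = "suspicious" if _user_writable(data) else "review"
                findings.append(Finding(sev, key, name, data, "autorun entry"))
        # 6): the file-class handler must stay the pass-through "%1" %*
        elif key.endswith("\\shell\\open\\command") and "@" in values:
            if values["@"] not in EXPECTED_OPEN_COMMAND:
                findings.append(Finding("suspicious", key, "@", values["@"],
                                        "file association handler hijacked"))
        # 7): Shell is a value of the Winlogon key and should be explorer.exe
        elif leaf == "winlogon" and "shell" in byname:
            name, data = byname["shell"]
            if data.strip().lower() != EXPECTED_SHELL:
                findings.append(Finding("suspicious", key, name, data,
                                        "Winlogon Shell is not explorer.exe"))
        # 8): Active Setup StubPath runs before explorer.exe
        elif "\\active setup\\installed components\\" in key and "stubpath" in byname:
            name, data = byname["stubpath"]
            sev = "suspicious" if _user_writable(data) else "review"
            findings.append(Finding(sev, key, name, data, "Active Setup StubPath"))
    return findings


# Constructed sample export; {PLACEHOLDER-GUID} stands in for a component id.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="C:\\Users\\Public\\updater.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID}]
"StubPath"="C:\\Users\\Public\\loader.exe"
"IsInstalled"=dword:00000001
'''

if __name__ == "__main__":      # real exports are UTF-16: open(path, encoding="utf-16")
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{f.severity}] {f.key}  {f.value}={f.data!r}  ({f.reason})")
```

Run against the constructed sample it reports four findings: the vendor tray entry for review, and the Run entry under C:\Users\Public, the batfile handler rewritten to `server.exe "%1" %*`, and the Active Setup StubPath under C:\Users\Public as suspicious; the exefile handler and the Winlogon Shell are untouched and produce nothing. Treat "review" entries as an inventory to compare against a known-good machine rather than as verdicts.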