Regedit stored on hard drive or memory

Holly

New Member
Thread author
Dec 10, 2014
11
Hi everyone, I have a registry virus. Half my registry is locked by "owner creator" and it will take me forever to unlock all of the registry, along with system32/drivers also being locked. I was just wondering where the registry (aka regedit) is located, memory or hard drive, because I want to get a new hard drive but I don't want my computer to get infected again if it is located in the memory.
 

Ali80

Level 5
Verified
Nov 13, 2014
218
Hello Holly :)

Regedit is a file that runs the Registry Editor on computers that run the Microsoft Windows operating system. The Registry Editor stores settings and values for the computer's operating system, hardware, software and users. The file regedit.exe is located in the Windows directory on the hard disk when viewing the contents of My Computer. Regedit allows a user to view registry entries as well as edit and make changes to various registry values. Viruses in the registry, as well as the memory and file system structure of a computer, can eventually spread, and catastrophically and adversely affect the performance of software, files and devices connected to the computer. Detecting viruses as soon as possible decreases the risk of irreversible damage to the system registry and prevents viruses from replicating to other areas of the computer and causing the same potentially irreversible damage.

The most important areas in the registry to check if you think that malware is in your system are:

1) StartUp
C:\windows\start menu\programs\startup
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
"Anything over here executes when you start up your computer"

2) Windows Scheduler
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) Autoexec.bat

6) These reg keys will basically spawn your programs. As you can see this is very dangerous, because these keys are very commonly used by malware.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", then
server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.

7) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one that you see all the time but don't realize is there; if you go to your Task Manager you can see it. You can even kill it and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so there is a clue of how a small difference can have an effect on your computer.
here is the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
if a Trojan changes that to a path of another "infected explorer.exe file" your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8) Active-X Component
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe
This key is great because it starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer, so if you can't understand why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.

Have you scanned your PC with your current AV?

I recommend you to download and install Malwarebytes Anti-Malware:
http://www.malwarebytes.org/mwb-download/
(after you run the program you must UPDATE its database... then scan your PC)

I recommend you to download, unzip, and run Emsisoft Emergency Kit:
http://www.emsisoft.com/en/software/eek/

If it finds something, good; if not... I recommend you to download and run Kaspersky TDSS Killer Utility:
http://support.kaspersky.com/viruses/disinfection/5350#block1

If it finds something, good; if not... you can download and run Norton Power Eraser:
https://security.symantec.com/nbrt/npe.aspx

If it finds something, good; if not... I recommend you to download, create and run Kaspersky Rescue Disk:

1. Download Kaspersky Rescue Disk from here:
http://support.kaspersky.com/viruses/rescuedisk#downloads

2. On the same page you can find User Guide - How to create Kaspersky Rescue Disk;

3. When CD-DVD is created, put your CD in and restart your PC - it will automatically boot from CD, just read and follow instructions (I assume that this will run automatically as most laptops boot priority is set to CD/DVD first);

4. If your rescue CD won't start, then you must change boot priority in BIOS.

- Restart your PC, and when the first screen image appears press DEL.
- Find something like Boot priority and change it by setting CD or DVD at the first place.
- Save settings and restart your PC again.
- CD should Run now - then just read and follow instructions.

These tools are highly recommended for such cases.
I'm sorry if you do not understand something, I wrote this very quickly :D
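A defender-side way to check the locations Ali80 lists (the shell\open\command handlers in item 6, the Winlogon Shell value in item 7 and the Run* keys in item 4), as an added example that is not from the post or from any MalwareTips tool: it reads a regedit export (.reg file, made with File > Export) instead of the live registry, so it runs on any machine and can be pointed at an export taken from the infected box. The sample export in it is constructed, and the C:\Temp\server.exe path is a made-up placeholder.

```python
import re
EXPECTED_OPEN_CMD = '"%1" %*'  # correct default data for the handler keys in item 6
RUN_SUFFIXES = (r"\run", r"\runonce", r"\runservices", r"\runservicesonce")  # item 4
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg exports write \" for a quote and \\ for a backslash

def parse_reg(text):
    """Return {key: {value_name: data}} for the string (REG_SZ) values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            if (data := m.group(2))[:1] == '"' == data[-1:]:  # skip hex:/dword: data
                keys[current][name] = _unescape(data[1:-1])
    return keys

def audit(keys):
    """Flag hijacked handlers (item 6), a replaced Winlogon shell (item 7) and autoruns (item 4)."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(r"\shell\open\command") and values.get("@") != EXPECTED_OPEN_CMD:
            findings.append(("handler-modified", key, values.get("@", "")))
        elif low.endswith(r"\winlogon") and values.get("Shell", "explorer.exe").lower() != "explorer.exe":
            findings.append(("shell-modified", key, values["Shell"]))
        elif low.endswith(RUN_SUFFIXES):
            findings.extend(("autorun", key, f"{n} -> {d}") for n, d in values.items())
    return findings

# Constructed sample export: a clean exefile handler, a hijacked comfile handler and one Run entry.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\Temp\\server.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\\runfolder\\program.exe"
'''
```

Every "autorun" finding is simply an entry that runs at logon, so compare it against what you installed on purpose; only the "handler-modified" and "shell-modified" findings are wrong by themselves.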

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
@Holly I'm not completely sure about your reason to get a new HDD/SSD.. Would it be to gain storage capacity / increased performance? To remove the Windows OS infection? Or both?

donetao

Level 20
Verified
Sep 7, 2014
968
Love the cross your fingers part. It is a bit like that for sure. It can turn out to be :eek:.
Yupers it can be @frogboy :eek:. I have the CD and I have booted with it (I think). Wasn't impressed all that much. It did have some good features. I'm going to boot with it again and see if I missed something. May have to edit this reply!;) I'm thinking it had Malwarebytes, which is good!o_O I try very hard to make a good hand here on MT.

Tweaking.com - Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Tweaking.com - Windows Repair you can restore Windows original settings.

donetao

Level 20
Verified
Sep 7, 2014
968
I'm not completely sure about your reason to get a new HDD/SSD.. Would it be to gain storage capacity / increased performance? To remove the Windows OS infection? Or both?
Hi, I also am confused about this. I think more information would help Huracan to assist you.
Also make and model would be helpful. Do you have a recovery CD?? Do you have an OEM disk? Do you have a hidden back-to-factory partition?
Sorry, but all these things would help Huracan with your issue!;) W7, W8, XP, Vista?? Sorry if this information is already posted!

donetao

Level 20
Verified
Sep 7, 2014
968
Hi!:oops: Sorry, I had a severe brain fart! Windows Repair All in One does not require you to burn an ISO file (also sometimes called a live bootable CD).
I have so many live CDs that my brain gets confused. I will bow out and let @Huracan and others help you!:oops::oops: Here's what you can expect to see with that software!
Good luck with your issue. Sorry if I have confused you!


frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Hi!:oops: Sorry, I had a severe brain fart! Windows Repair All in One does not require you to burn an ISO file (also sometimes called a live bootable CD).
I have so many live CDs that my brain gets confused. I will bow out and let @Huracan and others help you!:oops::oops:
No, just software, but you were right about it coming with Malwarebytes, which is a good thing. ;)
 

donetao

Level 20
Verified
Sep 7, 2014
968
No, just software, but you were right about it coming with Malwarebytes, which is a good thing. ;)
I'm going to blame this all on senility, my friend. I would like to thank you for all the likes you have clicked on my replies.
I will try my best to return the favor. Yuppers, it's just software.:oops::oops: I hope the OP gets all this sorted out.
I wish MT had more members with these kinds of issues (software and backups is where I'm better able to assist). We might be able to help or get lucky, my friend @frogboy!
Back up your OS! NOW, and you will not have to worry about these problems later!;)
When will they ever learn, my friend??
http://windows.microsoft.com/en-us/windows/back-up-programs-system-settings-files#1TC=windows-7

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Off-Topic posts removed, please use the PM for general chit-chat.

RE: "Regedit stored on hard drive or memory"
 

Holly

New Member
Thread author
Dec 10, 2014
11
You can try Windows Repair (All In One). There is an option --> Reset Registry Permissions. That little portable tool saved my ass a few times.:)
Here is the link: http://www.bleepingcomputer.com/download/windows-repair-all-in-one/
Awesome I will try that

I have a Windows 7 disk and a drivers disk; they came with the computer.
Hi, I also am confused about this. I think more information would help Huracan to assist you.
Also make and model would be helpful. Do you have a recovery CD?? Do you have an OEM disk? Do you have a hidden back-to-factory partition?
Sorry, but all these things would help Huracan with your issue!;) W7, W8, XP, Vista?? Sorry if this information is already posted!

It would be to remove viruses
@Holly I'm not completely sure about your reason to get a new HDD/SSD.. Would it be to gain storage capacity / increased performance? To remove the Windows OS infection? Or both?

I will try this, thank you
She could try the options shown in the picture. (01.02,03,04)

Yupers it can be @frogboy :eek:. I have the CD and I have booted with it (I think). Wasn't impressed all that much. It did have some good features. I'm going to boot with it again and see if I missed something. May have to edit this reply!;) I'm thinking it had Malwarebytes, which is good!o_O I try very hard to make a good hand here on MT.

Tweaking.com - Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Tweaking.com - Windows Repair you can restore Windows original settings.
Is it free?

Dell Inspiron n5050
I have a Windows 7 disk and a drivers disk; they came with the computer.

donetao

Level 20
Verified
Sep 7, 2014
968
Hi, you could give it a try. Personally, if my registry was messed up, I would save my data and restore back to factory.
I have done that before. A lot of work, but you have a brand new clean OS; it's like the day you took it out of the box!;)
You never know about computers until you try. Personally I hate computers.:cool:
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Hi, you could give it a try. Personally, if my registry was messed up, I would save my data and restore back to factory.
I have done that before. A lot of work, but you have a brand new clean OS; it's like the day you took it out of the box!;)
You never know about computers until you try. Personally I hate computers.:cool:
Yes, I have done it in the last week. A brand new PC, and yes, computers are a love-hate relationship for sure. :D:D

Holly

New Member
Thread author
Dec 10, 2014
11
Yes, I have done it in the last week. A brand new PC, and yes, computers are a love-hate relationship for sure. :D:D
I've tried factory restore; it doesn't fix my issue. I think I have a BIOS virus.
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,228
Use an Ubuntu live CD, UBCD or HBCD to wipe your whole drive, though you will lose your OEM's recovery partition and its utilities.
 
