Monday, June 25, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 4 - Removing virus entries

One of the most common ploys of modern Trojan infections is to hijack the way the PC launches executable programs. In such cases, all attempts at launching programs either produce no results or start a series of popup windows urging the user to buy a phony anti-virus program. Even attempts at anti-virus scans are in vain. The reason for this problem is that the Trojan has written a few simple values into the Windows Registry to redirect program behavior. Fortunately, there is a relatively simple way to restore the proper values and return the PC to proper functionality.

Launching the Windows Registry in Safe Mode

To get around the problem of the Trojan blocking programs, the computer can be started in "Safe Mode," a minimal startup mode of Windows that loads only essential drivers and services, so that conflicting programs do not start up. To do this, reboot the PC and tap the "F8" key repeatedly until the "Windows Advanced Options Menu" (a black text screen) appears. Use the arrow keys to highlight "Safe Mode," then hit Enter. Wait for the minimal set of drivers to load and select your own user account; the Windows "Safe Mode" desktop will then appear.

Now, launch the Windows Registry Editor by going to Start (click "Run" in Windows XP), typing "regedit" in the search box, and hitting Enter. If the Registry Editor starts, you may proceed to the next step. If it does NOT start, reboot the machine, use "F8" to get into the "Windows Advanced Options Menu" again, only this time choose "Safe Mode with Command Prompt." At the DOS-like prompt, type "regedit.exe" and hit "Enter." The Registry Editor should appear on the screen.

Searching for and changing hijacked ".exe" values

You will want to navigate (in the left side panel of the Registry Editor) to this location:
HKEY_CLASSES_ROOT\.exe
It should look something like the picture below:

[Image: the HKEY_CLASSES_ROOT\.exe key in the Registry Editor, with its (Default) data shown in the right-side panel]

In this example of an infected Registry, notice that the Data value in the (Default) entry reads "secfile." (NOTE: Your infected computer may have a different Data value.) This value in the Registry should always read "exefile," and nothing else. If it does NOT read "exefile," then a malicious program has changed it so that executable programs cannot operate normally. So, the objective is to change this Data value back to the proper entry.

Double-clicking the "(Default)" entry (highlighted in blue with a single mouse click) will bring up an editing window where you can type in the proper value...

from this: [Image: the edit window with Value data reading "secfile"]

to this: [Image: the edit window with Value data reading "exefile"]

Simply click "OK" to save your changes, and proceed to the next step.

Searching for and changing hijacked "exefile" values

The search for hijacked entries is not complete. For the next step, navigate further down in the Registry Editor to the following two adjoining keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\runas\command
Values in these keys will also determine how - and if - programs run normally in Windows. For each of these keys, make sure that the only Data value (in the right-side panel) is listed as: "%1" %* (the quotation marks around %1 are part of the value).

In the example below, the Data value has been changed by a Trojan whose filename is "pqx.exe," located in the hidden "C:\Users\<YourUsername>\AppData\Local" folder. What this insertion in the Registry accomplishes is that, for every program the user attempts to launch on this machine, the Trojan is launched instead.

[Image: the exefile\shell\open\command key with the Trojan's path inserted before "%1" %* in the (Default) data]

At this point, the Data value must be edited to delete the information inserted by the Trojan. Once again, double-click the "(Default)" entry and simply delete all of the data except for the portion that reads "%1" %* (including the quotation marks around %1). When finished editing, click "OK," and the data for both the "(Default)" entry and the "IsolatedCommand" entry should read the same. Before leaving this area of the Registry, also check the adjacent "runas" key for a hijacked value and change that value in the same manner if it has been altered.
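A read-only PowerShell check of the three values this section edits by hand, added here as an example (it is not part of the original post). It reports which of the values no longer hold the stock data and pulls out the program path that was inserted, so you know what filename to search for next. It assumes PowerShell 3.0 or later at an elevated prompt; the key paths and stock values are the ones given in the text.

```powershell
# Added example: verify the .exe / exefile launch chain against the stock values.
# Nothing is modified; the script only reads and reports.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                        = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'  = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command' = '"%1" %*'
}

$suspects = @()
foreach ($path in $expected.Keys) {
    # The (Default) value is exposed by Get-ItemProperty under the name '(default)'.
    # A missing key is itself a finding, so let the error stop the script.
    $actual = (Get-ItemProperty -LiteralPath $path -ErrorAction Stop).'(default)'
    if ($actual -eq $expected[$path]) {
        Write-Host "OK        $path = $actual"
        continue
    }
    Write-Warning "MODIFIED  $path = $actual   (expected $($expected[$path]))"

    # A hijacked command typically reads  "C:\...\pqx.exe" -a "%1" %*  so the
    # first quoted (or unquoted) .exe before the stock "%1" %* is the inserted program.
    if ($actual -match '^"?(?<exe>[^"]+\.exe)"?') {
        $suspects += $Matches['exe']
    }
}

# Both command keys also carry an IsolatedCommand value that should match (Default).
foreach ($path in ($expected.Keys | Where-Object { $_ -like '*\command' })) {
    $props = Get-ItemProperty -LiteralPath $path
    if ($props.IsolatedCommand -and $props.IsolatedCommand -ne $props.'(default)') {
        Write-Warning "IsolatedCommand differs from (Default) under $path"
    }
}

if ($suspects) {
    Write-Host "`nProgram(s) inserted into the launch chain:"
    $suspects | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }
    Write-Host "Search the Registry for that filename (Ctrl-F / F3) before removing it from disk."
} else {
    Write-Host "`nNo hijacked .exe/exefile values found."
}
```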

Searching for additional Trojan entries

Unfortunately, if a Trojan has written one value into the Registry, it has likely written several more. Based on the information found in the "exefile" data, above, a search should be done to clean out all other matching entries. In this example, a search for "pqx.exe" will locate all places in the Registry where references to the Trojan program file need to be deleted.

Please note that the Trojan could be named anything other than "pqx.exe" (which is only my example), since Trojans usually generate random file names that may vary from PC to PC. The important point here is to identify the file listed in the "exefile" Data, and then search (using "Ctrl-F" to start the search string and "F3" to continue the search) for all other instances of that file reference and remove them, one by one.

Finishing up the Trojan removal

Removing infected Data values from the Windows Registry is just the first step in removing a Trojan or virus. The following steps should be taken in order to get the best chance of recovering from an infection:
  1. Search for all instances of the actual Trojan file on the hard drive and delete them. Instances of the file may also be in the C:\Windows\Prefetch folder.
  2. Scan the entire computer with a good cleanser, such as Malwarebytes. This program can be downloaded (in "Safe mode with networking"), installed, updated and run, ALL in "Safe Mode."
  3. Scan the entire computer with a full-featured anti-virus program (if installed). The question to ask is why the Trojan made it past an installed anti-virus program in the first place. Do you have an anti-virus program installed? Is it a good one, or just one of the "free" (meaning, mostly ineffective) programs? Time to get good protection!
When finished editing the Registry and scanning for Trojan removal, always reboot your computer to make sure it is functioning properly.

For more assistance contact Technical Support here.

Wednesday, June 20, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 3 - A fix for CD/DVD drives

One problem sometimes encountered by Windows PC users is the sudden failure of the DVD and/or CD (or "optical") drive. Optical drives do fail in time (as the lasers fail), but sudden failures are often the result of an easily fixed problem in the Windows registry. One symptom of the failure is the disappearance of the optical drive (and its drive letter) altogether from the list of drives under "Computer" (Windows Vista and Windows 7) or "My Computer" (for Windows XP).

Another symptom of the failure is evident in the Windows "Device Manager" (right-click "Computer"/"My Computer," > "Manage" > "Device Manager"). The drive(s) may appear, but are listed with a failed or missing driver. The problem of missing drives typically occurs after the installation of an application such as disk burning or photo editing software, or an MP3 manager. The key, here, is that the drive disappears suddenly. If this is your problem, a simple fix using the Registry Editor may be the solution.

Locating the DVD Key in the Registry

Here are the steps for fixing the problem in the Registry. They essentially involve deleting the "LowerFilters" and "UpperFilters" values:

  1. Start the Windows registry editor by typing "regedit" in the search or Run window, and hit "Enter." (It would be beneficial to expand the window to full screen if it is not already expanded in order to see as much of the information as possible.)

  2. In the left panel, navigate down the list (by double-clicking) to this location:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
     You should see a screen that looks very similar to the picture above. Make sure that you see "DVD/CD-ROM drives" under the Data column in the upper right corner.

  3. Now, to protect yourself against failure with this method, right-click the folder in the left column that reads "{4D36E965-E325-11CE-BFC1-08002BE10318}." Click "Export" in the drop-down menu, give this file a name, and then save it in some location that you will remember (the desktop is a good place). Once you've backed up this key, you may safely delete entries without fear of corrupting any Windows functionality.

  4. Now, look for the entries in the right column that read "LowerFilters" and "UpperFilters." Single-click (to highlight in blue) each one of these values and then delete them (either by using the "Delete" key or by right-clicking the mouse and choosing "Delete" in the drop-down menu).

  5. Once the values have been deleted, close the Registry Editor and reboot your computer. Look to see if your optical drives have re-appeared in the list of drives, and test them by reading a disk. If they work, the fix was successful.

  6. If this fix did not work, then the problem lies elsewhere and cannot be fixed by editing Registry keys. It is probably wise to restore the Registry to its prior condition, which can be simply done by double-clicking the saved Registry backup file from step #3. Other diagnostics will have to be performed to determine how to fix your optical drive problem.
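The same procedure scripted in PowerShell, added as an example (not from the original post): it exports the DVD/CD-ROM class key to a .reg file on the desktop exactly as the backup step does, refuses to continue if the backup did not land on disk, then removes the two filter values, and prints the reg.exe command that restores the export if the drives do not come back. Assumes an elevated PowerShell 3.0 or later prompt; the GUID and value names are the ones given above.

```powershell
# Added example: back up, then delete UpperFilters / LowerFilters for the CD/DVD class.
$regKey     = 'HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$psPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$backupFile = Join-Path ([Environment]::GetFolderPath('Desktop')) ("cdrom-class-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Sanity check before touching anything: this GUID must really be the CDROM class
# (its (Default) text is the "DVD/CD-ROM drives" the post tells you to look for).
$cls = Get-ItemProperty -LiteralPath $psPath -ErrorAction Stop
if ($cls.Class -ne 'CDROM') {
    throw "Unexpected class '$($cls.Class)' at $regKey; aborting."
}

# Backup step: export the whole key first. /y overwrites an existing file without prompting.
& reg.exe export $regKey $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
    throw "Backup failed; nothing was deleted."
}
Write-Host "Backup written to $backupFile"

# Delete step: remove the filter values if present (a value that is already absent is fine).
foreach ($name in 'UpperFilters', 'LowerFilters') {
    if ($null -ne $cls.$name) {
        # REG_MULTI_SZ comes back as a string array; show what is being removed.
        Write-Host ("Removing {0} = {1}" -f $name, ($cls.$name -join ', '))
        Remove-ItemProperty -LiteralPath $psPath -Name $name
    } else {
        Write-Host "$name not present"
    }
}

# Restore step, if the drives do not reappear after the reboot:
Write-Host "Reboot now. To undo the change later, run:  reg.exe import `"$backupFile`""
```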


Wednesday, June 13, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 2 - Cleaning up old programs

As noted in the first edition of "Using the Windows Registry Editor," making changes to the Registry is not for the faint of heart. But, it is not as risky a proposition as some make it out to be. If careful backup procedures are followed, editing the Registry harbors little risk of losing Windows function. Please refer to the first of this series for instructions to back up portions of the Registry before changes are made.

Removing that which "uninstall" does not remove

It is a common fact in computing that when a program is uninstalled, not all of the program is truly removed. Nearly every uninstall program leaves "residue" behind - folders and files in the Windows "Program Files" folder, drivers and ".dll" files in Windows folders, and - of particular concern here - entries in the Windows Registry. At best, these items are merely clutter on the computer hard drive. But at worst, they can cause conflicts when installing other programs.

The first step in program or application removal is the "orthodox" method. Either find the uninstall program in the Windows "Startup" folder for that program, or go to "Add or Remove Programs" (Windows XP) or "Remove or Change a Program" (Windows Vista or Windows 7) and remove it there. A reboot of the computer is usually advised.

At this point, I never trust the program to be fully removed. If a special removal tool is available for any particular piece of software, I recommend that you use that utility tool as a second step. Nowhere is the use of such a tool more important than in the case of anti-virus programs. These programs cause serious conflicts with each other when installed together on one machine. But just as important is the clean uninstall of an anti-virus program before updating it to a new version. An exhaustive list of the various uninstallers is available at the site of an exceptionally good anti-virus vendor, named ESET. You may find that list currently at:

http://kb.eset.com/esetkb/index?page=content&id=SOLN146&searchid=1331938080830

There are removal tools for other programs as well, including Microsoft Office and various Adobe products. Those removal tools can be found at their respective vendors' web sites.

The third step in the careful and complete removal of a program is to utilize the Windows Registry Editor. After the regular uninstall, and even after the use of a targeted removal tool, there is usually some "residue" of that program in the Registry. Now, this "residue" (entries that make references to the program and its files, even after the program has been mostly removed) may or may not cause problems. But, too many leftover entries may clog up the Registry and may even contribute to a slowdown of a PC in general.

Searching for leftover fragments of programs

In order to utilize the power of the Registry Editor, the search function must be used. The steps listed below may be followed to find and delete any unneeded Registry entry:
  1. Start the Registry Editor in the usual way (again, refer to the first article in this series if you are unfamiliar with this step).

  2. Highlight the very top level category in the left column (named either "Computer" or "My Computer") and use the keystroke combination "Ctrl-F" to bring up a search window that will look like this:

    [Image: the Registry Editor "Find" window]

  3. Now, type in a search string (a word, part of a word, or word combination) for the items you want to remove. For example, let's say you needed to remove remnants of an old version of ESET NOD32 anti-virus that was corrupted by the accidental installation of a McAfee VirusScan program, rendering the usual uninstall routine for ESET useless. To manually remove ESET from the Registry, simply enter the string, ESET, in the "Find what" window, and hit "Enter."

  4. When a search result is found, that item will also be highlighted in blue (whether in the left or the right column), as in the illustration below. If the item truly belongs to the program which you want to remove, simply right-click that item and delete it. (If in doubt, you may always do a backup of that portion of the Registry before altering it, again as detailed in part one of this series).

    [Image: a search result highlighted in blue in the Registry Editor]

  5. Using the "F3" key will cause the Editor to jump to the next instance of your designated search string, and you may continue searching all the way through the entire Registry using the "F3" key. But use caution - search results may lead to items that are NOT a part of the program you wish to remove, as in the following item found in the right column of the Registry:

    [Image: a search hit in the right column of the Registry Editor]

    In this case, a search for the string "ESET" also located the string in an entry for "RESET." This program entry has nothing to do with the ESET NOD32 anti-virus program which you are seeking to remove. Care must be taken not to delete just any item that is found through the search method. Remember: once you delete an item, it is permanent...unless you've done a prior backup.

  6. One key to successful searching is to use search terms that are narrow and unique to the program for which you are searching. For example, if you need to remove Adobe Photoshop entries, searches for "Adobe" will give results for Adobe Acrobat, Adobe Air, Adobe Flash, and any other Adobe program. It would be better to search just for "Photoshop" in this case.

  7. A second key to successful searching is to use the "Match whole string only" search parameter, a check-box that appears in the original "Find" box, as seen below:

    [Image: the "Find" window with the "Match whole string only" check-box]

    By limiting searches to strings that stand alone exactly as typed, a search for "ESET" will eliminate results that include "RESET," or "servicesetting," or "valueset," and the like.

  8. A third key to successful searching is to try compound words both with and without a space between them. For example, if you are trying to remove the pesky marketing intruder named "My Web Search," it is useful to search for it as "My Web Search" (with spaces) as well as "MyWebSearch" (without spaces). Remember, a space is considered a character in the computer.
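The Ctrl-F / F3 search described in steps 2 through 8, done from PowerShell so that every hit (key name, value name, or value data) is listed at once before you decide what to delete. This is an added example, not code from the original post; the function name Find-RegistryString is my own. Its -WholeString switch reproduces the "Match whole string only" behaviour, so a search for ESET no longer surfaces RESET or servicesetting, and the same function serves the Part 4 search for the filename found in the exefile data. Assumes PowerShell 3.0 or later; the search is read-only.

```powershell
# Added example: list every Registry key name, value name, or value data matching a string.
function Find-RegistryString {
    param(
        [Parameter(Mandatory=$true)] [string] $Needle,
        # Hives to walk; HKEY_CLASSES_ROOT is large, so the search takes a while.
        [string[]] $Roots = @('HKCU:\', 'HKLM:\SOFTWARE', 'Registry::HKEY_CLASSES_ROOT'),
        [switch] $WholeString   # regedit's "Match whole string only"
    )
    # -match is case-insensitive, like regedit's Find box; escape so "." in a filename is literal.
    $rx = [regex]::Escape($Needle)
    if ($WholeString) { $rx = '^' + $rx + '$' }

    foreach ($root in $Roots) {
        # Keys the current account cannot read are skipped rather than aborting the walk.
        foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
            if ($key.PSChildName -match $rx) {
                [pscustomobject]@{ Where = 'Key'; Path = $key.Name; Name = $key.PSChildName; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                # REG_MULTI_SZ is a string array; whole-string matching is applied per element.
                $parts = @($key.GetValue($valueName) | ForEach-Object { [string]$_ })
                if ($valueName -match $rx) {
                    [pscustomobject]@{ Where = 'ValueName'; Path = $key.Name; Name = $valueName; Data = ($parts -join ' ') }
                } elseif (@($parts | Where-Object { $_ -match $rx }).Count -gt 0) {
                    [pscustomobject]@{ Where = 'Data'; Path = $key.Name; Name = $valueName; Data = ($parts -join ' ') }
                }
            }
        }
    }
}

# Whole-string search: hits that are exactly "ESET", so "RESET" and "valueset" are excluded.
Find-RegistryString -Needle 'ESET' -WholeString | Format-Table -AutoSize

# Substring search for a filename, as in the Trojan clean-up (replace pqx.exe with the name you found).
Find-RegistryString -Needle 'pqx.exe' | Format-Table -AutoSize
```

Review each hit against the program you are actually removing before deleting anything; the function lists, it does not delete.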

Registry cleaning software utilities

Let's finish with an addendum about "Registry Cleaner" software. A lot of this type of program is offered on the internet, many of them free of charge. What most users don't realize is that the free programs actually come with a hidden cost, namely, advertising for other programs with endless popup windows. Now, some of these programs can do some good (CCleaner from Piriform.com is one of the few good offerings). But be forewarned: they often have the opposite of their intended effect. Instead of speeding up your computer, they invariably slow it down. Whether it's a cleaner, booster, fixer or cure, the program most likely needs to start up in order to prevent other start-up programs - a real paradox. They also take very generalist approaches to cleaning the Registry, rather than the targeted, "surgical" approach which has been outlined above.


Friday, June 8, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 1 - Backing up before editing

What is the registry?

Many computer users have heard about the Windows Registry but are afraid to make changes for fear of making a critical mistake. It is true that the Registry Editor must be handled with care, for changes that are made are permanent as soon as the changes are keyed in. A "spoiled" Registry entry that is critical to Windows operation may make the computer unusable, and force the user to re-install Windows altogether. However, it is a simple matter to back up the Registry, in part or in whole, so that the risk of making errors is almost completely eliminated.

The importance of the Windows Registry cannot be overstated. First, it is a repository - some 200 million bytes long, on average - of all the data Windows uses to orient itself both at bootup and when programs are launched. It is really a database of configurations, settings, locations and history of every piece of hardware and software installed in that particular machine. When the computer boots up, Windows reads through the entire list of commands and environment settings written in the Registry. Windows will not work without its Registry, and will not work with conflicts created by the Registry.

Clutter (from old, poorly uninstalled programs, for example) in the Registry can slow down a computer. Extraneous values in the Registry will cause annoying popup error messages. Conflicting commands in the Registry can cause Windows to lock up. And, viruses (which must also play by the rules of the Windows environment) write commands for their automatic startup in the Registry. In fact, one of the first tasks of a virus is to write changes to the Registry in order to preserve itself. For all these reasons, editing the Registry may be a valuable troubleshooting and corrective tool for the serious computer user. Fortunately, the Registry Editor offers a way to "get under the hood" of the system.

Exploring the Registry

You will not find an icon for the Registry Editor ("regedit.exe") in the list of startup programs of Windows...but it's there. Microsoft was wise to "hide" this utility, as there are many users who might use it carelessly with the result of corrupting their operating systems. This small program is located in the Windows root folder. Starting the program is simple:

1) In Windows XP, click on "Start," then click on "Run," type "regedit" in the box, and then hit "Enter."
2) In both Windows Vista and Windows 7, click "Start," type "regedit" in the search box and hit "Enter."

This is what you will see:

[Image: the Registry Editor window showing the five top-level folders]

It may not look like much at this point - just five folders in the navigation pane. But, click on the first "+" and you will see just how extensive the Registry is! Now, don't worry...if you don't intentionally delete or add any values or strings, nothing will change before you exit the program.

Most of the work that users will do in Registry editing is in the first three of the five folders. HKEY_CLASSES_ROOT largely tells Windows how to handle the differing file types (by extension), and with what program it associates various files. HKEY_CURRENT_USER contains configurations for programs for the presently logged in user (assuming there is more than one user account on the machine). HKEY_LOCAL_MACHINE contains configurations for programs that pertain to every user account on the machine.

Before editing, back it up!

The most important element in safe Registry editing is to have a failsafe plan. Not only can the Registry be searched (using Ctrl-F) and edited (using a mouse to highlight and delete keys), it also can be easily backed up - in whole or in part. Registry backup is done through an "export" feature, accessed with a single mouse click via a drop-down menu:

[Image: the "Export" command in the right-click drop-down menu]

Here are the actual steps to take in backing up and restoring Registry keys:
  1. Start the Registry Editor (As noted above for the different Windows operating systems)
  2. Locate the branch or key that contains the value that you want to edit (NOTE: start the search function by using the key combination Ctrl-F)
  3. Right-click on the folder or key and choose "Export"
  4. In the "Save in" box, select a location where you want to save the backup file (NOTE: It will save as a ".reg" file).
  5. Type a file name for your backup, and then click "Save" (NOTE: Save the .reg file in a location easily remembered in case you want to undo the changes you're planning to make.)
In the event that mistakes are made while editing the registry, or if the desired results are lacking, all a user has to do is double-click the exported Registry file and that portion of the Registry will be restored to its prior condition. Thus, careful backup measures take the risk out of Registry editing.


Friday, June 1, 2012

Tech Tip of the Day: Don't pick a printer by Duty Cycle ratings

Duty Cycle vs. Recommended Monthly Volume

Selecting a new printer? Great!

Setting your expectations about how many pages you can print based on the "Duty Cycle" spec? Not so great...

Calculating "Duty Cycle" is a process printer manufacturers go through to stress the printer to the point of failure. It's not meant to be the "run it all the time at this rate" number - sort of like being able to drive your car at 7,000 RPMs for a SHORT period of time.

If you're looking to keep your printer for an extended period of time (I have a friend who has printed 1.5 million pages since 1990 on his laser printer), the "Recommended Monthly Volume" figure is the spec you should use, but be prepared for reverse sticker shock.

For example:

The specs on a name brand laser printer say 21 pages per minute (ppm), 40,000 pages Monthly Duty Cycle, and a recommended monthly volume of 1,000 to 2,500 pages. But wait... do the math: 21 ppm x 60 minutes x 24 hours x 30 days is 907,200 pages.

Let's first account for the difference between 40,000 pages and 907,200 pages, which brings us back to "Duty Cycle." Duty Cycle is the percentage of time a device is "on" or "doing" compared to "off" or "not doing." An easy example is to think of a water pump rated at 30% duty cycle: for every 10 minutes, it's running for 3 minutes. In this printer's case, 40,000 pages per month is the "failure point," just as running the water pump over 30% will cause premature failure.

But back to the spec you care about - the Recommended Monthly Volume. We've all seen ads for cars that show owners with over 1,000,000 miles on their car, meant to convince us to buy a certain make or use a certain motor oil. How many of those owners do you think were driving with the tach in the red zone?

"Recommended Monthly Volume" may not be the number you want to hear, but it's the number your printer can live with for an extended period of time.
