Monday, June 25, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 4 - Removing virus entries

One of the most common ploys of modern Trojan infections is to hijack the way the PC launches program executables. In such cases, every attempt to launch a program either produces no result or starts a series of popup windows urging the user to buy a phony anti-virus program. Even attempts to run an anti-virus scan are in vain. The cause is that the Trojan has written a few simple values into the Windows Registry to redirect program behavior. Fortunately, there is a relatively simple way to restore the proper values and return the PC to normal operation.

Launching the Windows Registry in Safe Mode

To get around the problem of the Trojan blocking programs, the computer can be started in "Safe Mode," a minimal mode of Windows that runs without the usual startup programs, so the Trojan does not get a chance to load. To do this, reboot the PC and tap the "F8" key repeatedly until the "Windows Advanced Options Menu" (a black text screen) appears. Use the arrow keys to highlight "Safe Mode," then hit Enter. Wait for the minimal set of drivers to load, select your own user account, and the Windows "Safe Mode" desktop will appear.

Now, launch the Windows Registry Editor by going to Start (click "Run" in Windows XP), typing "regedit" in the search box, and hitting Enter. If the Registry Editor starts, you may proceed to the next step. If it does NOT start, reboot the machine, use "F8" to get into the "Windows Advanced Options Menu" again, and this time choose "Safe Mode with Command Prompt." At the DOS-like prompt, type "regedit.exe" and hit "Enter." The Registry Editor should appear on the screen.

Searching for and changing hijacked ".exe" values

You will want to navigate (in the left side panel of the Registry Editor) to this location:
HKEY_CLASSES_ROOT\.exe
It should look something like the picture, below:

[Picture: Registry Editor showing the HKEY_CLASSES_ROOT\.exe key]

In this example of an infected Registry, notice that the Data value in the (Default) entry reads "secfile." (NOTE: Your infected computer may have a different Data value.) This value should always read "exefile," and nothing else. If it does NOT read "exefile," then a malicious program has changed it so that executable programs cannot run normally. So, the objective is to change this Data value back to the proper entry.

Double-clicking the "(Default)" entry (highlighted in blue with a single mouse click) will bring up an editing window where you can type in the proper value...

from this:
[Picture: the (Default) value reading "secfile"]

to this:
[Picture: the (Default) value reading "exefile"]

Simply click “OK” to save your changes, and proceed to the next step.

Searching for and changing hijacked "exefile" values

The search for hijacked entries is not complete. For the next step, navigate further down in the Registry Editor to the following two adjoining keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\runas\command
The values in these keys also determine how, and whether, programs run normally in Windows. For each of these keys, make sure that the (Default) Data value (in the right-side panel) reads exactly "%1" %* (the quotation marks around %1 are part of the value), and nothing more.

In the example below, the Data value has been changed by a Trojan whose filename is "pqx.exe," located in the hidden "C:\Users\<YourUsername>\AppData\Local" folder. What this insertion in the registry accomplishes is that, for every program that is attempted to be launched on this machine, the Trojan is launched instead.

[Picture: the open\command (Default) value pointing at pqx.exe in C:\Users\<YourUsername>\AppData\Local]

At this point, the Data value must be edited to delete the information inserted by the Trojan. Once again, double-click the "(Default)" entry and delete all of the data except for the portion that reads "%1" %*. When finished editing, click "OK" to save; the data for both the "(Default)" entry and the "IsolatedCommand" entry should then read the same. Before leaving this area of the Registry, also check the adjacent "runas" key for a hijacked value and change that value in the same manner if it has been altered.

Searching for additional Trojan entries

Unfortunately, if a Trojan has written one value into the Registry, it has likely written several more. Based on the information found in the "exefile" data, above, a search should be done to clean out all other matching entries. In this example, a search for "pqx.exe" will locate all places in the registry where references to the Trojan program file need to be deleted.

Please note that the Trojan could be named anything other than "pqx.exe" (which is only my example) as they usually randomly generate their own file names and those file names may vary from PC to PC. The important point, here, is to identify the file listed in the "exefile" Data, and then search (using "Ctrl-F" to start the search string, and "F3" to continue the search) for all other instances of that file reference and remove them, one by one.
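The same three checks, as an added example that is not part of the original post: a PowerShell script (assumed to run from an elevated PowerShell prompt in Safe Mode on Windows Vista or later, where PowerShell is present) that compares the (Default) data of each key against the stock value, flags anything else as hijacked, optionally writes the stock value back with -Restore, and pulls the injected file name out of a hijacked command so it can be used as the Ctrl-F search string described above.

```powershell
# Added example (not from the original post): audit the three keys the post
# walks through and report any (Default) data that differs from the stock values.
# Run from an elevated PowerShell; pass -Restore to write the expected data back.
param([switch]$Restore)

# Key -> expected (Default) data, exactly as the post describes them.
$expected = [ordered]@{
    'Registry::HKEY_CLASSES_ROOT\.exe'                        = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'  = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command' = '"%1" %*'
}

$hijacked = @()
foreach ($path in $expected.Keys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { Write-Warning "Missing key: $path"; continue }
    # GetValue('') reads the (Default) value; $null means it is not set at all.
    $actual = $key.GetValue('')
    if ($actual -eq $expected[$path]) {
        Write-Host "OK       $path  ->  $actual"
    } else {
        Write-Host "HIJACKED $path  ->  $actual  (expected $($expected[$path]))" -ForegroundColor Red
        $hijacked += [pscustomobject]@{ Path = $path; Actual = $actual }
        if ($Restore) {
            Set-ItemProperty -Path $path -Name '(default)' -Value $expected[$path]
            Write-Host "         restored to $($expected[$path])"
        }
    }
    # The command keys also carry IsolatedCommand, which should match (Default).
    $iso = $key.GetValue('IsolatedCommand')
    if ($null -ne $iso -and $iso -ne $expected[$path]) {
        Write-Host "CHECK    $path IsolatedCommand -> $iso" -ForegroundColor Yellow
    }
}

# Pull the injected program name (e.g. pqx.exe in the post's example) out of any
# hijacked command value, so it can be used as the Ctrl-F / F3 search string.
foreach ($h in $hijacked) {
    if ($h.Actual -match '(?i)([^"\\\s]+\.exe)') {
        Write-Host "Search the Registry (Ctrl-F, then F3) and the disk for: $($Matches[1])"
    }
}
```

Run it once without -Restore to see what is hijacked, clean out the other references the search turns up, then run it again with -Restore and reboot.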

Finishing up the Trojan removal

Removing infected Data values from the Windows Registry is just the first step in removing a Trojan or virus. The following steps should be taken in order to get the best chance of recovering from an infection:
  1. Search for all instances of the actual Trojan file on the hard drive and delete them. Instances of the file may also be in the C:\Windows\Prefetch folder.
  2. Scan the entire computer with a good cleanser, such as Malwarebytes. This program can be downloaded (in "Safe mode with networking"), installed, updated and run, ALL in "Safe Mode."
  3. Scan the entire computer with a full-featured anti-virus program (if installed). The question to ask is why the Trojan made it past an installed anti-virus program in the first place. Do you have an anti-virus program installed? Is it a good one, or just one of the "free" (meaning, mostly ineffective) programs? Time to get good protection!
When finished editing the Registry and scanning for Trojan removal, always reboot your computer to make sure it is functioning properly.
