Launching the Windows Registry in Safe Mode
Now, launch the Windows Registry Editor by going to Start, (click "Run" in Windows XP), typing in "regedit" in the search box, and hit Enter. If the Registry Editor starts, you may proceed to the next step. If it does NOT start, reboot the machine, use "F8" to get into the "Windows Advanced Options Menu" again, only this time choose "Safe Mode with Command Prompt." At the DOS-like prompt, type "regedit.exe" and hit "Enter." The Registry Editor should appear on the screen.
Searching for and changing hijacked ".exe" values
HKEY_CLASSES_ROOT\.exeIt should look something like the picture, below:
In this example of an infected Registry, notice that the Data value in the (Default) entry reads, “secfile.” (NOTE: Your infected computer may have a different Data value.) This value in the Registry should always read, "exefile," and nothing else. If it does NOT read "exefile," then a malicious program has changed it so that executable programs cannot operate normally. So, the objective is to change this Data value back to the proper entry.
Double-clicking the "(Default)" entry (highlighted in blue with a single mouse click) will bring up an editing window where you can type in the proper value...
Simply click “OK” to save your changes, and proceed to the next step.
Searching for and changing hijacked "exefile" values
further down in the Registry Editor to the following two adjoining keys:
HKEY_CLASSES_ROOT\exefile\shell\open\commandValues in these keys will also determine how - and if - programs run normally in Windows. For each of these values, make sure that the only Data value (in the right-side panel) is listed as: "%1" %*"
In the example below, the Data value has been changed by a Trojan whose filename is "pqx.exe," located in the hidden "C:\Users\<YourUsername>\AppData\Local" folder. What this insertion in the registry accomplishes is that, for every program that is attempted to be launched on this machine, the Trojan is launched instead.
At this point, the Data value must be edited to delete the information inserted by the Trojan. Once again, double-click the "(Default)" entry and simply delete all of the data except for the portion that reads: "%1" %*" When finished editing, click the "save" button, and the data for both the "(Default)" entry and the "IsolatedCommand" entry should read the same. Before leaving this area of the Registry, also check the adjacent "run as" folder for a hijacked value and change that value in the same manner if it has been altered.
Searching for additional Trojan entries
where references to the Trojan program file need to be deleted.
Please note that the Trojan could be named anything other than "pqx.exe" (which is only my example) as they usually randomly generate their own file names and those file names may vary from PC to PC. The important point, here, is to identify the file listed in the "exefile" Data, and then search (using "Ctrl-F" to start the search string, and "F3" to continue the search) for all other instances of that file reference and remove them, one by one.
Finishing up the Trojan removal
- Search for all instances of the actual Trojan file on the hard drive and delete them. Instances of the file may also be in the C:\Windows\Prefetch folder.
- Scan the entire computer with a good cleanser, such as Malwarebytes. This program can be downloaded (in "Safe mode with networking"), installed, updated and run, ALL in "Safe Mode."
- Scan the entire computer with a full-featured anti-virus program (if installed). The question to ask is why the Trojan made it past an installed anti-virus program in the first place. Do you have an anti-virus program installed? Is it a good one, or just one of the "free" (meaning, mostly ineffective) programs? Time to get good protection!
For more assistance contact Technical Support here.