Welcome to the Micro Center Tech Support Blog!

Monday, June 25, 2012

Tech Tip of the Day: Using the Windows Registry Editor: Part 4 - Removing virus entries

One of the most common ploys of modern Trojan infections is to hijack the program executable function of the PC. In such cases, all attempts at launching programs either produce no results or start a series of popup windows urging the user to buy a phony anti-virus program. Even attempts at anti-virus scans are in vain. The reason for this problem is that the Trojan has written a few simple values into the Windows Registry to redirect program behavior. Fortunately, there is a relatively simple way to restore the proper values and return the PC to proper functionality.

Launching the Windows Registry in Safe Mode

To get around the problem of the Trojan blocking programs, the computer can be started in "Safe Mode," which is a low level of Windows designed to run without conflicting programs starting up. To do this, reboot the PC and tap the "F8" key repeatedly, until the "Windows Advanced Options Menu" (a black text screen) appears. Use the arrow keys to highlight "Safe Mode," then hit Enter. Wait for the minimal set of drivers to load, select your own user account, and then the Windows "Safe Mode" screen will appear.

Now, launch the Windows Registry Editor by going to Start (click "Run" in Windows XP), typing "regedit" in the search box, and hitting Enter. If the Registry Editor starts, you may proceed to the next step. If it does NOT start, reboot the machine, use "F8" to get into the "Windows Advanced Options Menu" again, only this time choose "Safe Mode with Command Prompt." At the DOS-like prompt, type "regedit.exe" and hit "Enter." The Registry Editor should appear on the screen.

Searching for and changing hijacked ".exe" values

You will want to navigate (in the left side panel of the Registry Editor) to this location:
HKEY_CLASSES_ROOT\.exe
It should look something like the picture, below:

[Picture: the HKEY_CLASSES_ROOT\.exe key in the Registry Editor]

In this example of an infected Registry, notice that the Data value in the (Default) entry reads, “secfile.” (NOTE: Your infected computer may have a different Data value.) This value in the Registry should always read, "exefile," and nothing else. If it does NOT read "exefile," then a malicious program has changed it so that executable programs cannot operate normally. So, the objective is to change this Data value back to the proper entry.

Double-clicking the "(Default)" entry (highlighted in blue with a single mouse click) will bring up an editing window where you can type in the proper value...

from this: [picture]

to this: [picture]

Simply click “OK” to save your changes, and proceed to the next step.

Searching for and changing hijacked "exefile" values

The search for hijacked entries is not complete. For the next step, navigate further down in the Registry Editor to the following two adjoining keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\runas\command
Values in these keys will also determine how - and if - programs run normally in Windows. For each of these values, make sure that the only Data value (in the right-side panel) is listed as: "%1" %* (including the quotation marks around %1).

In the example below, the Data value has been changed by a Trojan whose filename is "pqx.exe," located in the hidden "C:\Users\<YourUsername>\AppData\Local" folder. What this insertion in the registry accomplishes is that, for every program that is attempted to be launched on this machine, the Trojan is launched instead.

[Picture: the hijacked Data value referencing "pqx.exe"]


At this point, the Data value must be edited to delete the information inserted by the Trojan. Once again, double-click the "(Default)" entry and simply delete all of the data except for the portion that reads: "%1" %* (including the quotation marks around %1). When finished editing, click the "save" button, and the data for both the "(Default)" entry and the "IsolatedCommand" entry should read the same. Before leaving this area of the Registry, also check the adjacent "runas" key for a hijacked value and change that value in the same manner if it has been altered.

Searching for additional Trojan entries

Unfortunately, if a Trojan has written one value into the Registry, it has likely written several more. Based on the information found in the "exefile" data, above, a search should be done to clean out all other matching entries. In this example, a search for "pqx.exe" will locate all places in the registry where references to the Trojan program file need to be deleted.

Please note that the Trojan could be named anything other than "pqx.exe" (which is only my example) as they usually randomly generate their own file names and those file names may vary from PC to PC. The important point, here, is to identify the file listed in the "exefile" Data, and then search (using "Ctrl-F" to start the search string, and "F3" to continue the search) for all other instances of that file reference and remove them, one by one.
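The checks from the sections above can also be run over a text export of the registry. The following is an added example, not part of the original post: it audits the three keys named above, pulls the inserted file path out of a hijacked value, and lists every other value that references that file. It assumes .reg-format text (as produced by the Registry Editor's export function) already decoded to a string; the sample export, the "sample" user name and the function names are constructed for illustration.

```python
import re

# Values the post says these keys must hold.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command": '"%1" %*',
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "@" is the (Default) entry. Only quoted string data is handled;
# hex(...) and dword values are skipped (assumption of this example).
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")="(?P<data>(?:[^"\\]|\\.)*)"$')
# A drive-letter path ending in .exe, used to extract the inserted file.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]*?\.exe', re.IGNORECASE)

# Constructed sample export modelled on the infection described in the post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\sample\\AppData\\Local\\pqx.exe\" \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\Users\\sample\\AppData\\Local\\pqx.exe\" \"%1\" %*"
'''


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else unescape(name[1:-1])
            current[name] = unescape(m.group("data"))
    return keys


def audit(text):
    """Return (findings, suspect_paths).

    Each finding is (key, value_name, actual, expected); actual is None
    when the key or its (Default) entry is absent from the export.
    """
    # Registry key names are case-insensitive, so compare in lower case.
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings, suspects = [], set()
    for key, expected in EXPECTED.items():
        values = keys.get(key.lower(), {})
        names = ["(Default)"]
        # The post says IsolatedCommand should read the same as (Default).
        if "IsolatedCommand" in values:
            names.append("IsolatedCommand")
        for name in names:
            actual = values.get(name)
            if actual != expected:
                findings.append((key, name, actual, expected))
                suspects.update(EXE_RE.findall(actual or ""))
    return findings, sorted(suspects)


def find_references(text, exe_path):
    """List (key, value_name) pairs whose data mentions the suspect file name."""
    filename = exe_path.rsplit("\\", 1)[-1].lower()
    return [(key, name)
            for key, values in parse_reg(text).items()
            for name, data in values.items()
            if filename in data.lower()]


if __name__ == "__main__":
    findings, suspects = audit(SAMPLE_EXPORT)
    for key, name, actual, expected in findings:
        print(f"{key} [{name}]: found {actual!r}, expected {expected!r}")
    for path in suspects:
        print(f"references to {path}:")
        for key, name in find_references(SAMPLE_EXPORT, path):
            print(f"  {key} [{name}]")
```

The script only reports; the values are still corrected and the references deleted in the Registry Editor as described above.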

Finishing up the Trojan removal

Removing infected Data values from the Windows Registry is just the first step in removing a Trojan or virus. The following steps should be taken in order to get the best chance of recovering from an infection:
  1. Search for all instances of the actual Trojan file on the hard drive and delete them. Instances of the file may also be in the C:\Windows\Prefetch folder.
  2. Scan the entire computer with a good cleanser, such as Malwarebytes. This program can be downloaded (in "Safe mode with networking"), installed, updated and run, ALL in "Safe Mode."
  3. Scan the entire computer with a full-featured anti-virus program (if installed). The question to ask is why the Trojan made it past an installed anti-virus program in the first place. Do you have an anti-virus program installed? Is it a good one, or just one of the "free" (meaning, mostly ineffective) programs? Time to get good protection!
When finished editing the Registry and scanning for Trojan removal, always reboot your computer to make sure it is functioning properly.

For more assistance contact Technical Support here.

Wednesday, December 21, 2011

Computer Viruses and How to Avoid Them

What is the difference between "malware" and a virus?


Malware is shorthand for "malicious software" and is used to describe an entire group of programs that includes advertising, tracking, key-logging, ID or credit theft or that cause other bad or undesirable activity. Simply explained, a "virus" is a computer program that invades or infects a user's computer by replication from another source (a disk, a USB flash drive, a network or the Internet), and then performs malicious functions on the new host computer. It's the malicious functionality that poses the problem, and for that reason viruses could be also called "malware."

 

A virus is just one type of Malware.


There are many different undesirable things that computer malware does. Earlier viruses simply performed mischievous tasks, such as deleting data or program files. But the authors of newer malware are driven by the desire to steal enough sensitive data in order to eventually steal money. Some are thus designed to scan and send information from a victim’s computer back to the author of the malware. Still others keep track of actual keystrokes typed by an unsuspecting user. Some plant annoying "popup" advertisements on a computer. There are a few types of malware that will perform any of the above, but also attach themselves to email addresses so that they get automatically sent to the user’s address list to replicate on an ever growing number of systems. Sophisticated malware might even install itself on the hidden "boot sector" of a computer hard drive, or try to make a network server vulnerable to a hacker (a person who gains unauthorized access to a computer network). But, the most common type of malware, by far, is the malicious program that deceitfully disguises itself as a good or useful program, seeking to get results which the user did not intend.

The fact is that malware has caused billions of dollars in losses to computer users. People have lost valuable data and have had personal and financial identities stolen. Whole companies have been compromised or crippled by malware infections. At the very least, the average user suffers from the slowdown or complete hijacking of their system through a malware infection. It is therefore imperative for computer users to know some basics about viruses, or "malware," in order to protect themselves.

Types of malware

  1. Virus - The original malware. Malicious code attaches itself to other program files so that the execution of the host file also executes the malicious code. The malicious code also causes the virus to replicate itself by copying its code onto removable media or other computers in a network. Back in the 1980s, the first "in the wild" viruses spread themselves mostly through shared floppy disks, and performed everything from pranks to data destruction. By the 1990s, Internet "bulletin boards" were unwitting spreaders of viruses. Today, very little malware is of the virus type.
  2. Trojan - These comprise 75% or more of all malware, according to security experts. As the name from classical Greek mythology suggests, Trojans operate by deceit, tricking a computer user to trust a fraudulent program. Most Trojans are actually a complex of files - pop-ups that steer the unsuspecting user to a harmful website, or just install more malware, even when clicked to shut down; downloaders that bring in supporting malware programs; hijackers that shut down operating system functions and security; bots that may use the host computer as a slave to the malware author’s intentions; backdoors that make an infected computer open to free scanning by the malware author. Trojans operate independently of other programs, and thus do not need to attach themselves to other executable files as a classic virus does. The most popular Trojans, these days, masquerade ironically as anti-virus programs. The user experiences sudden low computer performance, and then sees a pop-up offer with a phony virus scan report, urging the user to purchase the program offered as a solution to the computer problems they are experiencing. Naive and unsuspecting users then type personal information into the form provided (including name, address and credit card info). This information is never used to purchase the phony software. Rather, the Trojan authors use the stolen info to open new credit card accounts in the user’s name, and then sell those accounts on the underground market within minutes of receiving it.
  3. Worm - A Trojan that has the capacity to infect computers from other infected systems by scanning for IP addresses on vulnerable computers on the Internet or within a network, then replicating itself. Many phony anti-virus programs start out as a worm infection. Worms are also notorious for attaching themselves to email address lists. Users falsely believe that Trojan infections come mostly from certain "dangerous" or risky websites. In truth, worms may employ any website that users visit as stepping stones to their computers.
  4. Spyware - Software programs that "spy" on users, observing data, keystrokes, screens and/or web sites visited. This is a broad category of malware and includes everything from adware to keyloggers (see below). Unlike viruses, Trojans and worms, spyware typically does not self-replicate by infecting other computers or removable media, but is downloaded through Internet connections.
  5. Keylogger - A particular type of spyware that is designed to steal "live" information. It secretly keeps track of such things as the user’s keyboard keystrokes, video screens, or streaming network data, and transmits that information back to the malware author. This malware attack is more rare, but it poses the serious risk of loss of private identity information, including credit cards, bank account info, Social Security numbers, and computer passwords.
  6. Rootkit - A stealth program that allows continual unauthorized access to a computer by a person unknown to the user. This malware replicates itself on a victim’s computer usually as a worm or a Trojan. It quickly shuts down user account controls and security designed to prevent unauthorized access. It can then steal and transmit info or simply provide a "back door" for a hacker. Rootkits are usually quite sophisticated, and often include the ability to deflect detection from weaker and more modest anti-virus programs.
  7. Phishing - Typically an email message that is "fishing" for personal information. The victim receives a randomly sent message that appears to be an official request from an Internet service provider, a bank or some other service or organization. The graphics in the message typically look professional and authentic, though the grammar in the message is sometimes suspiciously bad. An appeal is made to the user to provide "lost" information. However, NO organization or bank will ever seek information this way. Such fraud should always be reported to the organization or service that is being used as a cover.
  8. Adware - The most benign of all types of malware, it can still annoy users with commercially-charged pop-ups and reduced system performance. Adware often gets installed without user’s consent, and often when downloading program updates, trial software and games or other services. Some adware functions as spyware by tracking the user’s favorite web sites and targeting the user with advertising that is likely to be the most appealing. Adware can hijack web-search functions. The most common form of adware is the browser "toolbar," which ostensibly provides services such as search windows and quick-access icons. These toolbars slow computer and Internet performance, take screen space from web pages, and can even be a conduit for more serious malware.
    Prevent and cure  

How to Prevent Malware Infections

The best way to be free of malware infections is to take preventative measures rather than relying upon removal after infection. Once infected, a computer is often very difficult to clean. Some malware will destroy a computer’s operating system, or make it so difficult to recover that wiping the hard drive and reinstalling the operating system, programs and data is the only solution. This is usually quite a chore, may be expensive if the user does not have the technical know-how and may be personally costly if the user’s own data has not been previously backed up. There are several preventive measures that every computer user can take:
  1. Utilize a good anti-virus program. There is no substitute for this measure. Avoid the seduction of free anti-virus programs and the ones that come with Internet service providers, as they only do a mediocre job of prevention. A $40 to $50 investment in a good anti-virus program with an annual license to update itself regularly is pretty inexpensive insurance.
  2. Manually scan your computer with an anti-virus program. All good anti-virus programs come with manual scanning features. Most will let you set a schedule for automatic scanning. This is good to do once a week, or every month, and especially if you see any suspicious activity on the computer screen.
  3. Update key programs every time. The Ziff-Davis network cited a study done in Denmark earlier in 2011 utilizing results from half a million computers. The conclusion of the study was that some 99% of common malware infections could be avoided simply by updating Windows security patches, Internet Explorer, Java, Adobe Flash and Adobe Reader. The reason? Malware authors attempt to gain access to computers through weaknesses which the updates are written to prevent.
    (See: ZDNet - The Ed Bott Report, Oct 7, 2011. Summary: Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection against drive-by attacks and outside intruders.
    www.zdnet.com/blog/bott/if-your-pc-picks-up-a-virus-whose-fault-is-it/4039)
  4. Use a hardware firewall. The SPI (Stateful Packet Inspection) firewalls that come with most newer routers are a great way to close unused ports and prevent hackers from intrusion. Even single computer homes and offices can benefit greatly from the use of a router. While utilizing a router’s hardware firewall, you may also use your operating system’s software firewall. Beware of using third-party software firewalls (such as those included with anti-virus software) which serve to slow down a computer. If you’re using a wireless router, make sure to encrypt your network with WPA or WPA2 level encryption, never the older and simpler WEP encryption.
  5. Uninstall browser toolbars. Toolbars are the quarter-inch wide strips that layer near the top of a web browser. While some toolbars may be useful on a limited basis, they all steal screen space and clog up your Internet bandwidth only to provide revenue for the author. By definition, toolbars communicate with their authors, thus opening a vulnerability "hole" while the PC user is online. Utilizing the add/remove function in Windows machines is the best way to rid a computer of these browser plugins. Some of the most common toolbars include: AIM, AOL, Ask, Bing, Crawler, Dogpile, eBay, Google, My Way, My Search, My Web Search, Yahoo, etc.
  6. Regularly delete browser cookies and "Temporary Internet Files." This is performed from within the browsers, themselves. Malware can hide amongst these files.
  7. Do not click on pop-ups - shut them down alternatively. If you DO get a suspicious pop-up window, try using the "Alt-F4" combination to get rid of it rather than clicking on it and risking an unintended installation of a virus. If that combination does not work to close a window, use the Microsoft Windows "Task Manager" ("Ctrl-Shift-Esc") and the "Applications" tab. Simply click once on the listed application and then click the "End Task" button. After a forced-close, some browsers will attempt to recover the last page you were on the next time you restart. Select "No" or have it go to your Home Page instead.
  8. Use an Anti-Malware application and keep it updated. While Anti-Virus applications will detect and block viruses, worms, and other programs that spread by design, they do not always detect or block programs that you allow to install on the computer. Clicking on pop-up advertising windows, opening email or instant messaging attachments, or downloading and installing games or other programs can trigger the installation of an undesirable application. Using a program to scan your computer periodically for programs your antivirus may miss is recommended. Programs like Malwarebytes, Spy Sweeper, or SuperAntiSpyware may catch and remove malware.

Security and Urban Legends

While it is important to be informed about the facts regarding malware, methods of infection, and methods of prevention, it is also just as important to know that there are some common public beliefs that are just not true. Here are some common "urban legends" that are patently false:
  1. Anti-virus software companies conspire to write viruses so they can stay in business. Many computer users are tempted to believe this falsehood, but only because they do not understand how lucrative the criminal activity of malware authoring has become. If legitimate software companies were the actual criminals, someone would have blown the whistle years ago. The actual malware criminals enjoy both anonymity (they attack unseen from anywhere in the world) and impunity (there are limited resources and jurisdiction for prosecuting them, even when observed).
  2. Viruses come mostly from questionable web sites. Computer users also typically believe that infections are the result of using social, illegal downloading or pornographic web sites. However, the fact is that malware infections such as worms and Trojans can attack from anywhere, and may use any legitimate and otherwise well-guarded web site as a stepping stone from one infected PC to another.
  3. Free anti-virus programs are just as good as the paid-for programs. This is demonstrably not true. Observe the results of serious testing labs. If ever there were a good application of the "you-get-what-you-pay-for" principle, it would apply with anti-virus programs. Simply put, you pay for regular and effective program and virus definition updates. Licensed programs are anxious to push out good updates - often daily - to their customers. They want our business year after year, and therefore work hard to distribute good products, and largely succeed at it.
    (See: AV Comparatives - Independent Tests of Anti-Virus Software. www.av-comparatives.org)

Summary

Don’t let the threat of malware infections stop you from using the rich resources of computing. Just use your computer wisely. Utilize the measures outlined above. And exercise a healthy dose of suspicion about what you see on your computer screen, short of being paranoid. There is no reason why the careful computer user cannot buy things with a credit card, do banking and investments, and send critical business data over the Internet. If possible, encrypt the data you are sending or utilize a VPN (Virtual Private Network). Certainly, you should never carry out financial transactions over a public wireless network. In spite of the risks - which are present primarily in the midst of carelessness - computers provide a powerful tool for use both on and off the Internet.

For more assistance contact Technical Support here.

Wednesday, January 19, 2011

Virus ALERT: Palladium Pro and System Tool

"Palladium Pro" and "System Tool" are the latest fake anti-virus programs, similar to "Security Tool". Both programs pretend to operate as a virus scan but, in effect, install a computer virus which takes over your system’s processes.

Palladium Pro Program


The Palladium Pro virus works by launching a bogus Microsoft Security Essentials alert stating that the system requires a virus scan. Once the virus scan is initiated, Palladium Pro installs the malware onto your system. To remove the Palladium virus, you will need to terminate the application’s process and install Malwarebytes to remove the program.

To Remove Palladium Pro:

  1. Start the Windows Task Manager by pressing Ctrl, Alt, Delete together.
  2. Click on the Processes tab.
  3. Locate the Palladium program named “palladium.exe”.
  4. Select the palladium.exe process and click End Process. This will suspend the Palladium Pro software.
  5. In the Windows Task Manager, go to File » New Task.
  6. Type in “explorer.exe” in the Open field, then click OK. This will open your Windows desktop.
  7. Download a copy of Malwarebytes software here » http://www.malwarebytes.org
  8. Follow the instructions to run a system scan and file removal.


System Tools Program

The System Tools program is associated with the same family of fake anti-virus programs as Security Tool. This software floods the system with false virus alerts and instructs the user to run the virus scan.

To Remove System Tools:
  1. Start the Windows Task Manager by pressing Ctrl, Alt, Delete together.
  2. Click on the Processes tab.
  3. Locate the program file. It is usually represented by a set of random characters followed by the ".exe" extension.
  4. Download a copy of Malwarebytes software here » http://www.malwarebytes.org
    If your computer prevents you from downloading the file, you can download Malwarebytes from another system and copy the file to your infected system to install. Or, you will need to update the Internet Options in Internet Explorer by modifying the default LAN settings to NOT use a proxy server for your LAN settings.
  5. Follow the instructions given by Malwarebytes to run a system scan and file removal.
IMPORTANT: Never install any program or run a virus scan without verifying the source. If you suspect that your system is infected, use industry-approved programs such as ESET, McAfee, Symantec or Webroot. If you need further assistance, contact Micro Center Tech Support at www.mctsol.com.



Monday, January 17, 2011

How to Run the ESET Online Anti-Virus Scanner

If a working Anti Virus program is not available on a computer, the ESET Online Scanner can be used to detect and remove virus infections. To use the ESET Online Scanner, take the following steps:

  1. Go to the page: http://www.eset.com/online-scanner.
  2. Click on the ESET Online Scanner button.


  3. Check the box by "Yes, I accept the Terms of Use" and Click the Start Button.
  4. Allow the program to run if prompted by Windows User Account Control.
  5. The default setting is to remove found threats. The following Advanced settings are available:

    • Select the type of applications scanned
    • Select the target drive(s) to be scanned
    • Use Customer Proxy Settings
    • Show a list of other Anti Virus software installed on the system


  6. Once the desired settings have been made, Click on the Start Button.
  7. During the scan, threats that are found will be displayed.


  8. Once the scan is complete, there is the option to "Uninstall application on close" by placing a check in the box. This will require the files to be downloaded again the next time ESET Online Scanner is run.
  9. Click Finish.

Reference:
ESET. Online Anti-Virus Scan.
http://www.eset.com/online-scanner

Wednesday, January 12, 2011

UPDATE: ESET Renewal Setup

This guide will walk through the first step in renewing the ESET NOD32 or ESET Smart Security program: first determining whether you have ESET NOD32 or ESET Smart Security, and then proceeding to purchase the renewal.

Determine the ESET Program Version:

  1. Close all open windows and programs on your computer. Be sure to save any work in open documents or files.
  2. Click on the Start button in the bottom left corner of your screen.


  3. Open All Programs, located just above the start button.
  4. Select the ESET folder and open up the ESET Antivirus program. Write down whether it says ‘ESET NOD32’ or ‘ESET Smart Security’; you will need this later.


Locate ESET Username or Serial Number:
Note that only one of the two is necessary. If you already have your “EAV” username or your ESET Serial Number, proceed to Step 3.

  1. The ESET Serial Number is located inside the ESET CD case, opposite the CD. If this information is not available, proceed to the next sub-step to find the username.
  2. On the new ESET window, click Protection Status in the top left. A message will display detailing the expiration date and the ESET Username. Write down the case-sensitive ESET Username and include the dash when writing; this will be used later on.


  3. The ESET Username begins with “EAV-”, followed by eight numbers.
  4. If the “Your license will run out shortly” message does not appear and the Protection Status is green and on Maximum Protection, you do not need to renew your ESET program yet. The program will notify you when you are within 10 to 14 days of renewal.
  5. Click on the link that says Click Here to Open the Purchase Page.
Choose Renewal Option:

  1. On the new web page that appears, enter the ESET username into the ‘Username’ field and click Submit.

  2. If the username is not available, enter the Serial number. Do not enter both the username and the serial number.


    Note that the username and serial number in these examples are fictitious and will not work for renewal.
  3. The next page contains renewal options for ESET NOD32 and ESET Smart Security, separated by program. Whether it is ESET NOD32 or ESET Smart Security depends on what you wrote down earlier.



  4. Choose the license based on how many computers (listed as “Users”) the program will be used on and how many years the renewal will be good for. Example: If you want a one year license for three computers, get a 3 User, 1 Year item.
  5. Once you pick the package, click Add to Cart for that item.
Buy Your Renewal:
  1. On the Shopping Cart screen, click on Checkout on the right side.
  2. Enter the information as with any online purchase.
  3. Note that while it appears an item will be physically shipped, the digital download only copy of the ESET software does not ship a physical item.
  4. Click the Accept button to finalize the order.
Once you’re finished here and you see the “Order Confirmation” page, keep that window open and go to the next part of the tutorial – ESET Renewal, Step 2.

Friday, January 7, 2011

ESET NOD32/Smart Security Protection Status

This article contains an explanation of the different colors of the protection status icons of the ESET NOD32/Smart Security antivirus software. If you have questions about what the icon color means for the protection of your system, use this article as a quick reference for interpreting the protection status icon.

1. Green (NOD32) Blue (Smart Security)
A green status icon (or blue for Smart Security) indicates that your computer is currently under the maximum amount of protection offered by the software. The product is updating correctly and the program is functioning optimally. In the main program window, reached by double-clicking the protection status icon, you will see checkmarks next to the critical protection modules. They are:
  • Antivirus protection
  • Antispyware protection
  • (Smart Security only, in addition to the two listed above) Personal firewall
  • Antispam protection



2. Yellow
A yellow status icon with a white exclamation point (both NOD32 and Smart Security) indicates the program needs user attention and that the computer may not be ensured maximum protection. The computer is still being protected, but one or more of the critical protection modules may be disabled, which puts the computer at risk. Some of the reasons for a yellow status are:
  • Virus signature database is unable to update.
  • The latest Windows updates are unable to update. (Note: Version 4 only.)
  • The ESET license is within 15 days of expiring and will need to be renewed before protection can update.
  • Document protection, Email client protection, and/or Web access protection is disabled.
  • "Block all network traffic" on the ESET Personal firewall has been selected. The computer will not be at risk, but services, such as updates, will not be able to run.
Typically, these issues can be corrected by following the actions that the software recommends.



3. Red
A red status icon with a white exclamation point indicates that the computer is not ensured maximum protection and is vulnerable to threats. Usually, an alert message will explain why this status is active. One or more of the critical protection modules may have red exclamation points next to them. Reasons for a red status are:
  • If the protection status icon turns red immediately after install, recheck the username and password associated with the product. A typo in those fields will keep the product from updating.
  • One of the critical protection modules (antivirus protection, antispyware protection) is disabled.
  • Real-time file system protection is disabled. This can be remedied by clicking Setup » Antivirus and antispyware protection » Real-time file system protection » Enable.
  • The protection icon will turn red after the product license has expired.
  • The personal firewall is disabled. This can be remedied by clicking Setup » Personal firewall » Network traffic filtering » Switch to filtering mode.

