
Finding Malware in RegEdit


6 replies to this topic

#1 Fire4Effect
  • Members
  • 3 posts

Posted 02 August 2017 - 01:26 PM

Hello all,

 

I know there are a ton of tools to scan and clean the reg in Windows. I was wondering if there was a compiled list of all the spots that various malware and viruses like to hang out in the reg. I have not been able to find a recent list and checking out a few key areas would be cool before running some of the more invasive tools. Thanks in advance for any additional information! 


Edited by hamluis, 07 August 2017 - 05:11 PM.
Moved from Win 7 to Gen Security to AII - Hamluis.



#2 Win7wiz
  • Members
  • 58 posts
  • Gender:Female

Posted 04 August 2017 - 03:23 AM

It can't be done that way, there is no such list, and don't use any tool that supposedly cleans the registry.  Even if reg cleaners did work, they're not looking for malware, but for inconsistencies and outdated entries. 

 

The tools most of us use are not invasive.

 

First, run a complete scan with your anti-virus.

Then run MalwareBytes Anti-Malware.

Adwcleaner, also from MalwareBytes.

 

I run them periodically if something doesn't look right. MB also makes a paid AntiMalware that runs in the background rather than on demand. When you run those programs, they'll eliminate both the malware files and any entries added to the registry.

 

If you have anything those programs can't handle, then go to the Security Forum.

https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/


Edited by Win7wiz, 04 August 2017 - 03:31 AM.


#3 Crazy Cat
  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 06 August 2017 - 09:13 PM

(1) RegScanner. http://www.nirsoft.net/utils/regscanner.html can be used to scan the registry for malware registry key entries.

(2) Create a batch script that scans for malware registry key entries, after saving the full registry with this command-line: regedit /E allregistry.reg

You'll have to compile the malware registry key entries list.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

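As an added example that is not part of the original thread (it is neither Crazy Cat's nor NirSoft's code), here is the "export the registry, then scan it against a compiled list" approach from the post above written in PowerShell. It parses a regedit /E export, keeps only the values that live under the well-known autostart (ASEP) keys, and flags the ones whose launch command looks wrong. The key list is standard Windows; the "suspicious" heuristics, the key and file names in the embedded sample export, and the sample itself are assumptions made for illustration only.

```powershell
# Added example for this thread, not code from any poster: parse a "regedit /E" export,
# keep only values under a compiled list of autostart (ASEP) keys, and flag launch
# commands that look wrong. The key list is standard Windows; the heuristics and the
# sample export (key names, file names) are assumptions for illustration only.
# Real use:  regedit /E C:\triage\all.reg   then
#            Find-SuspiciousAsep (Get-Content C:\triage\all.reg -Encoding Unicode)   # export is UTF-16LE

# [KEY] headers in the export that start code at boot or logon (-match is case-insensitive).
$AsepPatterns = @(
    '^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|Policies\\Explorer\\Run)$',
    '^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\(Winlogon|Windows)$',  # Shell/Userinit, AppInit_DLLs/Load
    '^HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+$',
    '^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+(\\Parameters)?$',  # ImagePath, ServiceDll
    '^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(User )?Shell Folders$'  # Startup folder redirect
)

function ConvertFrom-RegData {
    # Turn the textual data of one .reg value back into a string.
    param([string]$Raw)
    if ($Raw -match '^"(.*)"$') { return [regex]::Replace($Matches[1], '\\(.)', '$1') }   # REG_SZ: undo \\ and \"
    if ($Raw -match '^hex\((2|7)\):(.*)$') {                                            # REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE bytes
        $bytes = [byte[]]@($Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
        return ([Text.Encoding]::Unicode.GetString($bytes) -replace "`0+$", '') -replace "`0", ' | '
    }
    return $Raw                                                                          # dword:, hex: (binary) left as written
}

function Get-AsepEntries {
    # Walk the export and emit Key/Name/Data objects for every value under an ASEP key.
    param([string[]]$Lines)
    $key = $null; $inAsep = $false; $pending = $null
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($pending) {                                     # continuation line of a multi-line hex value
            $pending.Raw += $line.Trim().TrimEnd('\')
            if (-not $line.EndsWith('\')) { $pending.Data = ConvertFrom-RegData $pending.Raw; $pending; $pending = $null }
            continue
        }
        if ($line -match '^\[(.+)\]$') {
            $key = $Matches[1]
            $inAsep = [bool]($AsepPatterns | Where-Object { $key -match $_ })
            continue
        }
        if (-not $inAsep) { continue }
        $m = [regex]::Match($line, '^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data (default value)
        if (-not $m.Success) { continue }
        $name = if ($m.Groups[1].Success) { [regex]::Replace($m.Groups[1].Value, '\\(.)', '$1') } else { '(Default)' }
        $pending = [pscustomobject]@{ Key = $key; Name = $name; Raw = $m.Groups[2].Value.TrimEnd('\'); Data = $null }
        if (-not $m.Groups[2].Value.EndsWith('\')) { $pending.Data = ConvertFrom-RegData $pending.Raw; $pending; $pending = $null }
    }
}

function Test-AsepEntry {
    # Heuristics (assumptions, not a verdict) that make an autostart value worth a closer look.
    param($E)
    $why = @()
    if ($E.Data -match '\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%') { $why += 'runs from a user-writable location' }
    if ($E.Data -match '\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b') { $why += 'script/DLL host used as launcher' }
    if ($E.Data -match 'powershell.*(\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|downloadstring)') { $why += 'hidden or encoded PowerShell' }
    if ($E.Key -match '\\Winlogon$' -and $E.Name -eq 'Shell' -and $E.Data -ne 'explorer.exe') { $why += 'Winlogon Shell is not explorer.exe' }
    if ($E.Key -match '\\Winlogon$' -and $E.Name -eq 'Userinit' -and $E.Data -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') { $why += 'Winlogon Userinit replaced' }
    if ($E.Key -match 'Image File Execution Options\\' -and $E.Name -eq 'Debugger') { $why += 'IFEO Debugger hijack' }
    if ($E.Name -eq 'AppInit_DLLs' -and $E.Data.Trim()) { $why += 'AppInit_DLLs set' }
    return $why
}

function Find-SuspiciousAsep {
    param([string[]]$Lines)
    foreach ($e in Get-AsepEntries $Lines) {
        $why = Test-AsepEntry $e
        if ($why) { [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Data = $e.Data; Why = ($why -join '; ') } }
    }
}

# Constructed sample export (not from a real system) so the script runs offline.
$SampleExport = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"OneDrive Update"="\"C:\\Users\\bob\\AppData\\Roaming\\OneDriveUpd\\svchost.exe\" -background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdSvc]
"ImagePath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  61,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App]
"Path"="C:\\Users\\bob\\AppData\\Local\\App\\app.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="rundll32.exe C:\\ProgramData\\cache\\helper.dll,Start"
'@

Find-SuspiciousAsep ($SampleExport -split "`r?`n") | Format-Table -AutoSize -Wrap
```

On the sample, the four entries that get reported are the Run value pointing into a user's AppData, the IFEO Debugger on sethc.exe (the classic sticky-keys backdoor), the service whose ImagePath expands into %TEMP%, and the RunOnce value that loads a DLL from ProgramData through rundll32; the Vendor\App key is never looked at because it is not an autostart location. Two caveats a practitioner would want: the Services pattern deliberately matches every service, so a clean system produces no hits there only because the heuristics stay quiet, and a hit here is a lead to check (signature, hash, file on disk), not proof of infection. Anything that is already running with rootkit-level access can also hide keys from regedit, so an export taken from a suspected machine is only as trustworthy as the kernel that produced it.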


#4 dc3
    Bleeping Treehugger
  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 07 August 2017 - 09:50 AM

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Why you should not use Registry Cleaners and Optimization Tools

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product.

Credit for this goes to Quietman7, one of our Global Moderators.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#5 dc3
    Bleeping Treehugger
  • Members
  • 30,714 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 07 August 2017 - 09:59 AM

If you believe that your computer is infected, I would suggest running the suggested scans below.  After you have run these scans, post their logs in your topic.  These tools should only be used in the Am I Infected? What Do I Do? forum.  After you have posted these logs a moderator will move this topic to this forum.
 
 
Please download Malwarebytes Anti-Malware 2.2.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, and follow the prompts through the installation.

2)  Malwarebytes will automatically open, click on Update Now to update to the newest definitions.

3)  Click on Settings, when Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits.

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All.

6)  Please post the Malwarebytes log.

To find the Malwarebytes log do the following.  Copy and paste the log in your topic.

*Open Malwarebytes Anti-Malware.
*Click the Scan Tab at the top.
*Click the View detailed log link on the right.
*Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
*Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
*Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system. 
 
 
Please download Malwarebytes Antirootkit, follow the prompts to install it.

In the introduction page you will be asked to agree on the license agreement, by clicking Next you will be agreeing to the terms of the license.

You will be prompted to update the database, click on Update, then Next.

To start the scan click on Scan.

When the scan has completed it will display either Scan Finished: No malware found, or Malware Found.  Click on Next to continue.  

Be sure that each check box has a check in it, and make sure there is a check mark in the Create Restore point box.  Click on Cleanup.  Please click on Yes to restart the computer.
 
 
Please run AdwCleaner

Please download AdwCleaner and install it.

When AdwCleaner opens click on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive a message informing you of this.  
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • If threats are found click on Save to text file in Documents.
  • Open Documents, find the report, copy and paste it in your topic.

Edited by dc3, 07 August 2017 - 10:10 AM.


#6 Didier Stevens
  • BC Advisor
  • 2,717 posts
  • Gender:Male

Posted 09 August 2017 - 03:38 PM

Take a look at Microsoft Sysinternals' autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
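As an added example (not Sysinternals' code and not part of the post above): Autoruns has a console version, autorunsc, that dumps every autostart entry to CSV together with the Authenticode verification result and file hashes, which is the quickest way to turn the "where does malware hide" question into a short list to look at. The switches in the comment are the documented autorunsc options; the column names, the "File not found:" and "(Verified)" conventions and the sample rows are assumptions made for illustration, so check them against your own autorunsc output.

```powershell
# Added example, not Sysinternals code and not from the thread: triage an autorunsc CSV.
# Collect on the suspect machine from an elevated prompt (documented autorunsc switches):
#   autorunsc64.exe -accepteula -nobanner -a * -c -h -s > C:\triage\autoruns.csv
#   (-a * every location, -c CSV output, -h file hashes, -s verify Authenticode signatures)
# Assumptions: the column names and the "File not found:" / "(Verified)" conventions match
# current autorunsc output; the sample rows below are constructed, not from a real machine.

function Test-AutorunRow {
    # Reasons (heuristics, not a verdict) an enabled autorun entry deserves a closer look.
    param($Row)
    $why = @()
    if ($Row.'Image Path' -match '^File not found') { $why += 'image missing on disk (dead entry, or file hidden from the scanner)' }
    elseif ($Row.Signer -notmatch '^\(Verified\)') { $why += 'not Authenticode-verified' }
    if ($Row.'Image Path' -match '\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\') { $why += 'runs from a user-writable path' }
    if ($Row.'Launch String' -match '\b(rundll32|regsvr32|mshta|wscript|cscript)\b|powershell.*(-enc|-w\s*hidden|downloadstring)') { $why += 'LOLBin or hidden PowerShell launcher' }
    if ($Row.'Entry Location' -match 'Winlogon|Image File Execution Options|AppInit_DLLs') { $why += 'high-value hijack location' }
    if (-not $Row.Description -and -not $Row.Company) { $why += 'no description or company' }
    return $why
}

function Get-AutorunTriage {
    # Rank enabled entries by how many heuristics fire; the SHA-256 goes along for hash lookups.
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        if ($r.Enabled -ne 'enabled') { continue }            # a disabled entry cannot run
        $why = @(Test-AutorunRow $r)
        if ($why.Count -eq 0) { continue }
        [pscustomobject]@{ Score = $why.Count; Entry = $r.Entry; Location = $r.'Entry Location'
                           Image = $r.'Image Path'; SHA256 = $r.'SHA-256'; Why = ($why -join '; ') }
    }
}

# Constructed sample rows (subset of the autorunsc columns this script reads).
$SampleCsv = @'
Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive Update,enabled,Logon,,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\bob\appdata\roaming\onedriveupd\svchost.exe,C:\Users\bob\AppData\Roaming\OneDriveUpd\svchost.exe -background,2222
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe,Debugger,enabled,Image Hijacks,Windows Command Processor,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\cmd.exe,cmd.exe,3333
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,,(Not verified) Acme,Acme,c:\program files\acme\tool.exe,C:\Program Files\Acme\tool.exe,4444
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,Cleanup,enabled,Logon,,,,File not found: C:\ProgramData\cache\helper.dll,"rundll32.exe C:\ProgramData\cache\helper.dll,Start",5555
'@

# Real data (assumption: redirected autorunsc output is UTF-16; drop -Encoding if the import looks wrong):
#   $rows = Import-Csv C:\triage\autoruns.csv -Encoding Unicode
$rows = $SampleCsv | ConvertFrom-Csv
Get-AutorunTriage $rows | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

On the sample, the RunOnce entry that loads a missing DLL from ProgramData via rundll32 scores highest, the unsigned "OneDrive Update" binary in AppData comes next, and the verified cmd.exe still shows up once because it sits in an Image File Execution Options Debugger value, where even a perfectly legitimate Microsoft binary is a hijack. That is the point of combining a signature check with location checks: a valid signature tells you what the file is, not whether it belongs where it is registered. Disabled entries are skipped, and the SecurityHealth row drops out entirely, which is the normal result for the bulk of a clean system's entries.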


#7 Fire4Effect
  • Topic Starter
  • Members
  • 3 posts

Posted 09 August 2017 - 06:22 PM

Thank you everyone for the responses.



