#1
Registered User
Devshed Newbie (0 - 499 posts)
Join Date: Sep 2010
Posts: 3
Rep Power: 0

Basic Registry editing advice needed


    I'm removing the Antivirlock Security Suite mess and going by the guides of various sites listing which registry entries are troublesome. I don't want to download and use these sites' removal tools either.

    So my question is, do we have to delete every listed entry or do some of them just need editing? I ask because:

    1) Were these entries already present, but only modified by the malware? If so, would removing them cause issue?

    2) A registry entry listed on a guide might not be exactly the same value as that in my registry. For instance, a guide may tell you to delete this:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"

    But what if your registry's entry is a 0 instead of a 1?

    The blatantly obvious entries that were clearly specific to Antivirlock I deleted without hesitancy, but there are some ambiguous ones I'm concerned about (like above) so I came here.

    Here's a list of targeted registries that we're told to delete (at least, these are the ones I'm unsure about):

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "%UserProfile%\Desktop\flash_player_installer\flash_player_installer.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"


    Any help would be appreciated, thanks!
#2
Grumpier old Moderator
Devshed Supreme Being (6500+ posts)
Join Date: Jun 2003
Posts: 14,428
Rep Power: 4539
    I don't have a definitive answer for you, sorry, but what you posted is a good example of why I recommend wiping a disk, reformatting and reinstalling after a virus infection. I am not convinced antivirus/antimalware programs really identify all possible alterations to a registry or filesystem, and if one bad guy is missed and left behind after cleanup it may be enough to open your machine back up to new infections. And if you have gotten a rootkit there is no guarantee at all that your a/v cleanup is working right.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
#3
Registered User
Devshed Newbie (0 - 499 posts)
Join Date: Sep 2010
Posts: 3
Rep Power: 0
    Originally Posted by Doug G
    I don't have a definitive answer for you, sorry, but what you posted is a good example of why I recommend wiping a disk, reformatting and reinstalling after a virus infection. I am not convinced antivirus/antimalware programs really identify all possible alterations to a registry or filesystem, and if one bad guy is missed and left behind after cleanup it may be enough to open your machine back up to new infections. And if you have gotten a rootkit there is no guarantee at all that your a/v cleanup is working right.
    Thanks for the reply, Doug. None of the registry listings I pasted were results pulled from antivirus programs, but from various sites that have posted guides for manually removing the virus.

    I've tried other sites asking if these entries should be outright deleted or do the values just need altering, but no dice.

    Again I don't want to remove registry listings that were previously there before the virus. I suppose I could check another computer which never had this virus (or any of its variants) to see if the listings I pasted are present there as well (and therefore maybe legit/necessary), or if not present and I find out that the ones on the infected machine are just creations of the malware.

    I also doubt that this warrants the tedious task of wiping everything and rebuilding from start, since the system can be recovered. Actually I managed to stop it before it fully unloaded anyhow, so I never even suffered its symptoms. Of course I'd like to be clean of the remnant registry pieces.
#4
Did you steal it?
Devshed Supreme Being (6500+ posts)
Join Date: Mar 2007
Location: Washington, USA
Posts: 13,997
Rep Power: 9397
    Google is your friend.
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
    Leave it. Configure the phishing filter in IE directly
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    Remove it
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "%UserProfile%\Desktop\flash_player_installer\flash_player_installer.exe"
    Doesn't matter
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
    Leave it. Configure proxy settings in IE directly
    
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    Change to "0"
    
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
    Leave it
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    Leave it. Configure proxy settings in IE directly
    
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
    Leave it
    Standard disclaimers of "muck with the registry at your own risk" and "not my fault if something gets screwed up".
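The advice above answers the original question value by value (some entries are edited, one is removed, the rest are left alone). Here is an added PowerShell audit script, not code from the thread, that reads each of the HKCU values listed in the first post, reports whether the current data matches the value the removal guides associate with the infection, and, only when run with a `-Fix` switch (an assumption of this script, not something the thread specifies), applies exactly the two changes recommended above: remove `LowRiskFileTypes` and set `RunInvalidSignatures` to 0. Everything marked "leave it" is only reported, so a value that was already present before the infection is never deleted by the script.

```powershell
# Added example (not from the thread): audit the HKCU values discussed above and
# optionally apply the thread's advice. Run in the affected user's session.
# -Fix is a switch assumed by this script; without it nothing is changed.
param([switch]$Fix)

# Bad  = the data the removal guides associate with the infection
# Action = what the answer above recommends for that value
$checks = @(
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter';                 Name='Enabled';              Bad='0';    Action='leave' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';    Name='LowRiskFileTypes';     Bad='.exe'; Action='remove' },
    @{ Path='HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache';                     Name="$env:USERPROFILE\Desktop\flash_player_installer\flash_player_installer.exe"; Bad=$null; Action='ignore' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';        Name='ProxyEnable';          Bad='1';    Action='leave' },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download';                       Name='RunInvalidSignatures'; Bad='1';    Action='set'; Good=0 },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download';                       Name='CheckExeSignatures';   Bad='no';   Action='leave' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';        Name='ProxyOverride';        Bad='';     Action='leave' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';     Name='SaveZoneInformation';  Bad='1';    Action='leave' }
)

foreach ($c in $checks) {
    # SilentlyContinue: an absent key or value is a normal, reportable outcome here
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host ("ABSENT  {0}\{1}" -f $c.Path, $c.Name)
        continue
    }

    # DWORD values read back as integers; compare everything as strings
    $current = [string]$item.($c.Name)
    $matches = ($null -ne $c.Bad) -and ($current -eq $c.Bad)
    $verdict = if ($matches) { 'MATCHES guide value' } else { 'differs from guide value' }
    Write-Host ("PRESENT {0}\{1} = '{2}'  [{3}; advice: {4}]" -f $c.Path, $c.Name, $current, $verdict, $c.Action)

    # Only touch a value when asked to, and only when it carries the flagged data
    if (-not $Fix -or -not $matches) { continue }
    switch ($c.Action) {
        'remove' {
            Remove-ItemProperty -Path $c.Path -Name $c.Name
            Write-Host "        removed"
        }
        'set' {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good
            Write-Host ("        set to {0}" -f $c.Good)
        }
        default {
            Write-Host "        left in place; change it through Internet Options instead"
        }
    }
}
```

Run it once without `-Fix` to see the report, export the hive first (`reg export HKCU hkcu-backup.reg`) so any change can be reverted, and then run with `-Fix`. The report also answers the "what if my value is 0 instead of 1" question from the first post: a value whose data differs from the guide's is marked as such and is never modified, because the match test, not the mere presence of the value name, is what drives the action.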
#5
Registered User
Devshed Newbie (0 - 499 posts)
Join Date: Sep 2010
Posts: 3
Rep Power: 0


    Nicely done, thanks, Requinix!
