
How-To Geek Forums / Windows 7

Malware Problem

(14 posts)
  • Started 1 year ago by VerSalieri
  • Latest reply from VerSalieri
  • Topic Viewed 512 times

VerSalieri
Posts: 6

Hello, I'm having a problem and hoping to find some advice here.

A couple of days ago, the Microsoft Security Scanner caught a virus infection (Trojan:Win32/Sefnit.A, according to Microsoft Security Essentials*). It was partially removed (I don't know what that means, whether a restart is required, or whether the infection is gone but its traces and consequences on my laptop still exist...). After a little search I came across a cleanup utility for this virus, so I decided to try it out.
There were 3 tools involved:
The first was a registry file, supposedly to disable the virus: I opened it with Notepad and, to my experience-lacking eye, I cleared it as harmless (the entries involved corresponded to Firefox and IE, which the virus actually infects).
The second was an optimizer program; thankfully I noticed the name, looked it up on WOT and didn't install it.
So my questions are:

1) How can I delete the registry entries that I added?
2) How can I remove the infection completely?
Any help would be greatly appreciated.

*It's worth noting that Microsoft Security Essentials didn't catch it in a full scan two days before I tried Microsoft Security Scanner (even though it states it's been in the database since 2011).

Posted 1 year ago
 
Lighthouse
Posts: 13598

VerSalieri hi.
I would suggest a clean install of W7. Would this be a big problem ?

Posted 1 year ago
 
Xhi
Posts: 6298

I think you are a little confused. Just because the item has been in the database since 2011 does not mean it has been on your computer since 2011. It could have gotten on your computer in the two days between the scans. Microsoft Security Scanner should both find it and remove it. What evidence do you have that it is still there?

Posted 1 year ago
 
Ruja
Posts: 230

If you still have the registry file, please post it here (with a "DO NOT RUN THIS" banner or similar) so we can check what you did exactly with that.

If you want to be more sure about removing the infection you could try other free scanners. I would recommend using ESET Online Scanner (http://www.eset.com/home/products/online-scanner/) or ESET Rogue Applications Remover (http://kb.eset.com/esetkb/index?page=content&id=SOLN2372). But MSE should have done a good job already.

Posted 1 year ago
 
VerSalieri
Posts: 6

@lighthouse: I might eventually do so, but I would like to try something else first, that would save me a lot of time backing up and restoring my data.

@Xhi: A couple of days ago, an Internet Explorer window popped up with emoticons displayed on it (which was strange because there was no browser open, none). So I decided to run a full scan using MSE and Nod's Online Scanner (I keep it installed on my system). Nothing was caught, then I tried the Microsoft Security Scanner, which yielded positive results for an infection. Then today, I ran Microsoft Security Scanner and MSE again (it was running during my first post) and again MSE didn't catch anything while MSS did (and again it said the infection was partially removed). By the way, there's no evidence that the infection still exists other than the tool reporting "Partially removed"... my system is a bit sluggish, but that might be due to other reasons. But then again, if it wasn't for that pop-up I wouldn't have performed a manual scan at all.

@Ruja: "http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" Don't Download Or Execute This!!
This is where i got the original registry file.

Thank you guys for the quick response.

Edit: your link was a direct download link which is not allowed. Particularly in this case! -- GMod

Posted 1 year ago
 
VerSalieri
Posts: 6

I apologize for that, I should have known better.
Can I copy the text from the registry file and paste it here?

Posted 1 year ago
 
Xhi
Posts: 6298

Yes

Posted 1 year ago
 
VerSalieri
Posts: 6

This is it:
_______________________________________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe\shell]

[-HKEY_CLASSES_ROOT\.exe\DefaultIcon]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile]
"Content Type"=-

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
"IsolatedCommand"=-

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_CURRENT_USER\SOFTWARE\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\exefile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\pezfile]

[-HKEY_CURRENT_USER\Software\Classes\pezfile]

[-HKEY_CLASSES_ROOT\sezfile]

[-HKEY_CURRENT_USER\Software\Classes\sezfile]

[-HKEY_CLASSES_ROOT\ah]

[-HKEY_CURRENT_USER\Software\Classes\ah]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="iexplore.exe"
_______________________________________________________________________________________

Posted 1 year ago
 
Ruja
Posts: 230

Ok, I've checked all the keys with respect to my Windows 7 32-bit installation. Almost everything looks ok, except for the following:
___________________________
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
___________________________

The first two, I don't know what they are exactly, they have to do with running EXEs in a specific way. The last three, about the web browsers, they list the path to the browsers that can be selected as the browser for the "Internet" button on top of Windows Vista Start Menu, but I believe that they have no effect on Windows 7. Also, these may be different in a 64-bit version of Windows, probably with "Program Files (x86)" instead of "Program Files".

My recommendation: If everything is working ok then leave it as it is now. If you have trouble with running EXE programs, or running your web browsers, try to restore these entries by saving this text to a REG file and running it. If you have further questions just ask and we will try to help you.

Posted 1 year ago
 
ispalten
ispalten
Posts: 6259

The first 2 control the OPEN on the CONTEXT menu. You need them. Some malware will insert themselves into there, hence the need to clean, not remove them. See THIS. These are on my W7 x64 system.

That script will both remove (the ones with a '-' as the first character) and add (those without the '-'), so what has been added is OK; the real question is what was lost with, say, "[-HKEY_CLASSES_ROOT\.exe\shell]", as I have keys other than the ones put back. Same for any it deleted. The user might need some that the script was unaware of.

Irv S.

Posted 1 year ago
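An added example, not code posted by anyone in this thread, of doing mechanically what Ruja and ispalten did by hand before a cleanup .reg file is imported: it parses the REGEDIT5 format, separates the keys the file deletes ([-KEY]) and the values it deletes (name=-) from what it sets, checks the exefile/batfile launcher commands against the expected "%1" %* value, flags StartMenuInternet browser commands that are a bare file name rather than a quoted full path, and prints a reg export command for every key the file would wipe so they can be backed up first. The two embedded .reg texts are constructed samples (the loader path under C:\Users\victim is made up to show the hijack pattern); the helper names are the example's own.

```python
"""Audit a Windows .reg file before importing it with regedit.

Added example, not code posted in this thread. Assumes the REGEDIT5 text
format ("Windows Registry Editor Version 5.00") with string values;
dword:/hex: values are kept as raw text.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the parts of the posted cleanup script that matter
# most, i.e. a whole-key deletion, the .exe launcher reset, a value
# deletion and a browser command that is just a bare file name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe\shell]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="iexplore.exe"
'''

# Constructed sample of a hijacked launcher: a loader prepended to the
# .exe launch command. The path is invented for illustration.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Roaming\\loader.exe\" \"%1\" %*"
'''

# Default commands that every .exe / .bat launch goes through. Anything
# other than "%1" %* here means something has been inserted in front.
LAUNCH_KEYS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}
BROWSER_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet"


@dataclass
class RegAudit:
    deleted_keys: list = field(default_factory=list)    # [key]
    deleted_values: list = field(default_factory=list)  # [(key, name)]
    set_values: dict = field(default_factory=dict)      # (key, name) -> value


def unescape(s):
    """Undo REGEDIT5 escaping of backslash and double quote in one pass."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    audit = RegAudit()
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):        # [-KEY] deletes the whole subtree
                audit.deleted_keys.append(body[1:])
                key = None
            else:
                key = body
            continue
        if key is None:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else unescape(name.strip('"'))
        if value == "-":                    # name=- deletes that single value
            audit.deleted_values.append((key, name))
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            audit.set_values[(key, name)] = unescape(value[1:-1])
        else:
            audit.set_values[(key, name)] = value
    return audit


def findings(audit):
    """Human-readable list of what importing the file would do, worst first."""
    notes = []
    for (k, n), v in audit.set_values.items():
        if n != "@":
            continue
        expected = LAUNCH_KEYS.get(k)
        if expected is not None and v != expected:
            notes.append(f"SUSPICIOUS launcher command at {k}: {v!r} (expected {expected!r})")
        elif k.startswith(BROWSER_PREFIX) and "\\" not in v:
            notes.append(f"UNQUALIFIED browser command at {k}: {v!r} (use a quoted full path)")
    for k in audit.deleted_keys:
        notes.append(f'DELETES key {k}; back it up first: reg export "{k}" backup.reg')
    for k, n in audit.deleted_values:
        notes.append(f"DELETES value {n!r} under {k}")
    return notes


if __name__ == "__main__":
    for label, text in (("posted script", SAMPLE_REG), ("hijacked sample", HIJACKED_REG)):
        print(f"== {label} ==")
        for note in findings(parse_reg(text)):
            print("  " + note)
```

Run it against the real file with `findings(parse_reg(open("cleanup.reg").read()))`; the DELETES lines are the ones to act on before importing, since a [-KEY] removes every subkey an installed application may have put there, which is exactly the loss ispalten describes.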
 
Ruja
Posts: 230

I don't have in my system any of the keys that were deleted by the script that was posted by VerSalieri, so I assume they can be deleted safely as far as Windows 7 is concerned. If other software needed those keys, I don't know, but there is no way of knowing that at this time.

The two keys regarding the "Open" item in the Context Menu were changed to a dash (-), which does not seem a problem, except that maybe you can't open EXE files from the context menu. Anyway, restoring the "%1" %* value as I show would help with that.

Similarly for the other three keys, I believe they have little bearing on system usage, although I've been thinking, it's probably unsafe to have values with just the EXE name and not the whole path (i.e. it's better to have "C:\Program Files\Internet Explorer\iexplore.exe", with quotes, rather than iexplore.exe).

So I think I'm going to change my recommendation, and suggest that you run my script as a REG file.

Posted 1 year ago
 
VerSalieri
Posts: 6

First, after re-using the ESET online scanner once more and rechecking with MSE and MSS, my system is at last clean. I'm starting to like the color green.

Now, I checked the link that ispalten supplied: [HKEY_CLASSES_ROOT\htafile\shell\open\command] had the value [C:\Windows\SysWOW64\mshta.exe "%1" %*]; should I change it to ("%1" %*) only? There's no entry for [HKEY_CLASSES_ROOT\htfile..]; the "htfile" folder doesn't exist. The other three all have the default value ("%1" %*).
As to what was lost, could it be those keys were only added by some installed software? I mean, in a fresh installation of windows 7 would these keys exist?

@Ruja: I altered the Firefox entries to include the target instead of just the name (manually, since I have a 64-bit system). As to the IE entry, I have it disabled (I removed access to it via Default Programs in Control Panel right after activating Windows and downloading FF).

Really, thank you all for your patience with me on this matter.

On another note: I found an Opera folder in the registry [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\]; I assume it's safe to delete it now that Opera is uninstalled?
(I was looking for a simple mail client, somewhat similar to Outlook Express in its simplicity)

Posted 1 year ago
 
ispalten
Posts: 6259

"(I was looking for a simple mail client, somewhat similar to Outlook Express in its simplicity)"

Have you looked at Thunderbird? I like it a lot better than any Outlook version and it works fine in W8 (https://www.mozilla.org/en-US/thunderbird/).

As for 'missing' entries, it isn't only Windows-installed entries that can be lost but application-created ones too when a HIVE is deleted. Just like you found leftovers from an Opera install, other installs could put entries anywhere. Generic 'cleaners' that remove HIVES will delete these, as they 'think' no other apps could create entries there, and that is the root problem.

As for deleting programs, I'd use something a little better than Windows Add/Remove, like REVO UNINSTALLER; there is a free older version and a newer Pro. If you are running x64 you do need the PRO version. It really does find a lot of leftovers to clean out of the disks and registry, but like anything else, before you do delete something make sure something else doesn't need it. If in doubt, LEAVE it. Some games use overlays or installers to run, and if you have more than one, like GameHouse does, if you delete those, other games from them will not run.

Irv S.

Posted 1 year ago
 
VerSalieri
Posts: 6

I recently moved from XP to Windows 7 (completely avoided that Vista fiasco, so I'm constantly being told) and the transition has been smoother than I imagined. I'm currently using Thunderbird; I like it, but the last version I tried on XP, which was almost two years ago, lacked a certain protocol that I used (I think it was called MAPI 2.0 or something like that).
I'm not using REVO now, but did use the free version on XP. I made a mistake once using REVO Uninstaller on a software called Fritz developed by a company called ChessBase. Unfortunately, there was another product called ChessBase (obviously produced by ChessBase) which used shared files and registry keys with Fritz... so you can imagine the mess I made... the program didn't work, I tried reinstalling but file associations weren't working, icons weren't displayed correctly; after that I decided to just stick with CCleaner. It's a lot less aggressive.

Anyway, thanks a lot for your time guys. I really appreciate the help.

Posted 1 year ago
 
Topic Closed

This topic has been closed to new replies.