How-To Geek

Hello, I'm having a problem and hoping to find some advice here.

A couple of days ago, the Microsoft security scanner caught a virus infection (Trojan:Win32/Sefnit.A, according to Microsoft Security Essentials*). It was partially removed (I don't know what that means, whether a restart is required or the infection is gone but its traces and consequences on my laptop still exist..), after a little search I came across a cleanup utility for this virus so I decided to try it out.
There were 3 tools involved:
the first was a registry file, supposedly to disable the virus: I opened it with notepad and to my experience-lacking eye I cleared it as harmless (the entries involved corresponded to Firefox and IE which the virus actually infects).
the 2nd was an optimizer program which thankfully I noticed the name and looked it on WOT and didn't install.
So my questions are:

1) How can I delete the registry entries that I added?
2) How can I remove the infection completely?
Any help would be greatly appreciated.

*It's worth noting that Microsoft Security Essentials didn't catch it in a full scan a two days before I tried Microsoft Security Scanner (even though it states it's been in the database since 2011).

I think you are a little confused. Just because the item has been in the database since 2011 does not mean it has been on your computer since 2011. It could have gotten on your computer in the two days between the scans. What evidence do you have that it is still on your computer. Microsoft Security Scanner should both find it and remove it. What evidence do you have that it is still there?

@lighthouse: I might eventually do so, but I would like to try something else first, that would save me a lot of time backing up and restoring my data.

@Xhi: A couple of days ago, an internet explorer window poped up with emoticons displayed on it (which was strange because there was no browser open, none). So I decided to run a full scan using MSE and Nod's Online scanner (I keep it installed on my system). Nothing was caught, then I tried the Microsoft security scanner which yielded positive results for an infection. Then today, I ran Microsoft Security Scanner and MSE again (it was running during my first post) and again MSE didn't catch anything while MSS did (and again it said the infection was partially removed). By the way, there's no evidence that the infection still exists other than the tool reported "Partially removed"..my system is a bit sluggish, but that might be due to other reasons. But then again, if it wasn't for that pop up I wouldn't have performed a manual scan at all.

@Ruja: "http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" Don't Download Or Execute This!!
This is where i got the original registry file.

Thank you guys for the quick response.

Edit: your link was a direct download link which is not allowed. Particularly in this case! -- GMod

Yes

Ok, I've checked all the keys with respect to my Windows 7 32-bit installation. Almost everything looks ok, except for the following:
___________________________
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
___________________________

The first two, I don't know what they are exactly, they have to do with running EXEs in a specific way. The last three, about the web browsers, they list the path to the browsers that can be selected as the browser for the "Internet" button on top of Windows Vista Start Menu, but I believe that they have no effect on Windows 7. Also, these may be different in a 64-bit version of Windows, probably with "Program Files (x86)" instead of "Program Files".

My recommendation: If everything is working ok then leave it as it is now. If you have trouble with running EXE programs, or running your web browsers, try to restore these entries by saving this text to a REG file and running it. If you have further questions just ask and we will try to help you.

I don't have in my system any of the keys that were deleted by the script that was posted by VerSalieri, so I assume they can be deleted safely as far as Windows 7 is concerned. If other software needed those keys, I don't know, but there is no way of knowing that at this time.

The two keys regarding the "Open" item in the Context Menu were changed to a dash (-), which does not seem a problem, except that maybe you can't open EXE files from context menu. Anyways restoring the "%1" %* value as I show would help with that.

Similarly for the other three keys, I believe they have little incidence on system usage, although I've been thinking, it's probably unsafe to have values just with the EXE name and not the whole path (i.e. it's better to have "C:\Program Files\Internet Explorer\iexplore.exe", with quotes, rather than iexplore.exe).

So I think I'm going to change my recommendation, and suggest that you run my script as a REG file.

"(I was looking for a simple mail client, somewhat similar to Outlook Express in its simplicity)"

Have you looked at Thunderbird? I like it a lot better than any Outlook version and it works fine in W8 (https://www.mozilla.org/en-US/thunderbird/).

As for 'missing' entries, it isn't only Windows installed entries that can be lost but application created ones too when a HIVE is deleted. Just like you found left overs from an Opera install, other installs could put entries anywhere. Generic 'cleaners' that remove HIVES will delete these are they 'think' no other apps could create entries there, and that is the root problem.

As for deleting programs, I'd uses something a little better than Windows Add/Remove, like REVO UNINSTALLER, there is a free older version and a newer Pro. If you are running x64 you do need the PRO version. It really does find a lot of left-overs to clean out of the disks and registry, but like anything else, before you do delete something make sure something else doesn't need it. If in doubt, LEAVE it. Some games uses overlays or installers to run, and if you have more than one, like GameHouse does, if you delete those other games from them will not run.

Irv S.