Repairing Windows Registry After Malware Infection

After a malware attack, damage to the Windows registry can leave your system unstable or even unusable. Many applications automate most of these repairs, but this article focuses on doing them manually with Regedit and MSConfig, because sometimes you won’t have the necessary tools or applications at hand.

To save time, you can use a registry cleaner or attempt a System Restore to roll your computer back to a point before the damage to the registry was done.

This article also assumes three things:
1) You know how to use Regedit.
2) You know how to use MSConfig.
3) You know how to back up the Windows registry and any other Windows tools mentioned here.

Keep in mind that these solutions are intended for more experienced users, and as usual, you’ll want to keep a backup of the Windows registry in case things go from bad to worse.

The five registry keys listed below deserve special attention, as they are among the most common places malware “hides” itself in order to start running again, even after you have shut down its process. If you find references to the offending piece of malware in any of the entries below, delete them after killing its processes and deleting the offending files.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

An even more insidious area where malware can disguise itself is the Winlogon area of the registry. The two keys this concerns are listed below. The first is obvious and easy enough to clean up: when the “Notify” key is expanded, each of the components that start after the user logs on is shown, along with the file used to implement it. After the offending piece of malware is deleted, simply delete the associated registry key.

The second key concerns the “Shell” value under Winlogon, which should read “Explorer.exe”. Unless you run Windows from a customized shell, this value should never change. Malware often exploits this value so that it loads before Windows Explorer does, which helps it disguise itself further. If the malware file is deleted but the Shell value is not restored, Windows will usually throw an error, since the offending piece of malware that was supposed to launch Explorer.exe afterwards no longer exists.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon – Shell – “Explorer.exe”

Sometimes a malware infection will also cause Windows to behave strangely after removal. Below is a registry key that may help in getting your system functioning normally again. The two subkeys to look for under Image File Execution Options are “iexplore.exe” and “explorer.exe”. Normally, neither of those should ever be listed under the “Image File Execution Options” key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

The next registry key involves Internet Explorer and Browser Helper Objects. These entries control the toolbars and other bells and whistles of Internet Explorer. Malware also likes to hide here quite a bit, disguising itself as a browser control. Simply delete the offending key after the file has been deleted.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Malware will sometimes attempt to hijack internet requests. Although extremely uncommon, it does happen. The list below shows what the values should be; if they differ, trouble is most likely brewing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

ActiveX controls are also occasionally used to run or distribute malware. Once you navigate to this registry key, look at the “StubPath” value under each ActiveX CLSID; an unfamiliar StubPath is usually a giveaway for a malware entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
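As an added example (not part of the original article), the read-only PowerShell audit below walks the locations discussed above: the five Run keys, the Winlogon Shell and Notify entries, the two Image File Execution Options subkeys, the URL Prefixes values, and every Active Setup component with a StubPath. It prints what it finds so each entry can be reviewed by hand before anything is deleted; it assumes an elevated PowerShell prompt and changes nothing.

```powershell
# Added audit example (not from the original article): enumerate the autostart
# locations the article describes. Run elevated; nothing here modifies the registry.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName metadata
        "[Run] $key : $($p.Name) = $($p.Value)"
    }
}

# Winlogon: Shell should be exactly explorer.exe unless a custom shell is deliberately in use.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { "[Winlogon] unexpected Shell value: $shell" }
if (Test-Path "$winlogon\Notify") {   # Notify only exists on older Windows versions
    Get-ChildItem "$winlogon\Notify" | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        "[Winlogon\Notify] $($_.PSChildName) -> $dll"
    }
}

# Image File Execution Options: explorer.exe and iexplore.exe should have no subkey here.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($name in 'explorer.exe', 'iexplore.exe') {
    if (Test-Path "$ifeo\$name") { "[IFEO] suspicious subkey present: $name" }
}

# URL prefixes: compare each value against the expected values the article lists.
$expected = @{ ftp = 'ftp://'; gopher = 'gopher://'; home = 'http://'; mosaic = 'http://'; www = 'http://' }
$prefixes = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes' -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = $prefixes.$name
    if ($actual -ne $expected[$name]) { "[URL\Prefixes] $name = '$actual' (expected '$($expected[$name])')" }
}

# Active Setup: list every component that carries a StubPath so each can be checked by hand.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' | ForEach-Object {
    $stub = (Get-ItemProperty $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub) { "[ActiveSetup] $($_.PSChildName) : $stub" }
}
```

Compare the output against what you know is installed; only the entries you have confirmed belong to the malware should be removed, as the article describes, and only after backing up the registry.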

MSConfig is easy to use. You can run it from the Start menu, or from Task Manager under “File” > “New Task (Run…)” by typing msconfig. This built-in Windows tool not only handles registry entries, but also a few system files where malware can disguise itself, which are described below:

Under the “SYSTEM.INI” and “WIN.INI” tabs, there is a list of commands dealing with startup entries and other system settings. Although these two files aren’t used by default on Windows XP and later, they can still be an entry point for malware to restart, and can sometimes be a pain. The two lines to look for in WIN.INI are “load=” and “run=”. SYSTEM.INI’s weakness lies in the “shell=” line.

The Services tab lists the services that run while Windows is running. Some of them are optional, some are required. Generally speaking, malware doesn’t usually register itself as a system service, but sometimes it does, so this is another good place to look for and disable malware. The last, and most common, place to look is the “Startup” tab. Anything you don’t recognize as part of a legitimate application is generally safe to disable.

The methods above for clearing specific registry entries after a malware attack may not work in every case, but in most cases they will.

We strongly recommend that novice users simply use a registry cleaning program like PC Health Advisor or Registry Booster. You should also run a full virus scan using an antivirus client like Spyware Doctor with Antivirus, or something like Malwarebytes.
