Finding the registry

C

Charlie

I have a friend whose PC was infected by a variety of malware. They
prevented him doing anything such as running an antivirus program.
I was able to clean his hard drive by using it as an external drive on my
system and then running a virus checker and was able to detect and delete
more than a dozen infections. But now there is apparently a rogue registry
entry that keeps the HD searching and searching and doesn't allow anything
else to work because the cpu is at 100% almost continuously.

What I would try to do next is go back to running the drive externally and
edit the particular registry key manually.

Things that have not been successful so far include regedit, msconfig,
add/remove or system restore or running any utilities from a flash drive.

When the drive is out of the box and connected as an external drive I plan
to delete the folder that has the offending application.
But then I want to access the registry and search for and delete the
unwanted key.

A Google search showed lots of cures that required getting rid of the
offending key.

How do I locate the registry from outside of a Windows environment?

Charlie
 
K

Ken Blake, MVP

I have a friend whose PC was infected by a variety of malware. They
prevented him doing anything such as running an antivirus program.
I was able to clean his hard drive by using it as an external drive on my
system and then running a virus checker and was able to detect and delete
more than a dozen infections. But now there is apparently a rogue registry
entry that keeps the HD searching and searching and doesn't allow anything
else to work because the cpu is at 100% almost continuously.


You say a "variety." I assume that means multiple infections. You
removed more than a dozen, but everything is not yet correct.

In my view, for anyone who has multiple infections, the only real
solution is a clean reinstallation of Windows. It's highly unlikely
that you can be successful in removing multiple infections and getting
rid of the damage they've already done.
 
P

PA Bear [MS MVP]

While I admire your efforts, I think you're going to need expert assistance
on this one.

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**
 
P

Pegasus [MVP]

Charlie said:
I have a friend whose PC was infected by a variety of malware. They
prevented him doing anything such as running an antivirus program.
I was able to clean his hard drive by using it as an external drive on my
system and then running a virus checker and was able to detect and delete
more than a dozen infections. But now there is apparently a rogue registry
entry that keeps the HD searching and searching and doesn't allow anything
else to work because the cpu is at 100% almost continuously.

What I would try to do next is go back to running the drive externally and
edit the particular registry key manually.

Things that have not been successful so far include regedit, msconfig,
add/remove or system restore or running any utilities from a flash drive.

When the drive is out of the box and connected as an external drive I plan
to delete the folder that has the offending application.
But then I want to access the registry and search for and delete the
unwanted key.

A Google search showed lots of cures that required getting rid of the
offending key.

How do I locate the registry from outside of a Windows environment?

Charlie

Have a look at this link: http://support.microsoft.com/kb/307545. It tells
you where the current registry files are and where you will find the System
Restore registry files. Note that the machine you're trying to fix is in my
opinion badly compromised and should be reloaded after formatting the disk.
While virus scanners can and do disable virus infections, they cannot
possibly undo all of the damage that the viruses inflicted. This machine
probably has numerous corrupted files and many registry entries that prevent
it from performing properly. You could spend many hours looking for needles
in a haystack and probably never quite get there or else you could spend two
hours and get a clean, robust installation that is guaranteed to work.
 
D

Dan H

Agree with post suggesting reformat/reinstall. In shop we usually give it
one earnest try at removal and if that doesn't work will likely backup files
and reinstall. As said a 2 hour reinstall beats mutliple scans and reboots
as far as the timing issue. Not that in theory it couldn't be fixed but at
$90 an hour customers tend to get upset if repair time takes too long when a
reformat reinstall is a (pretty much) guaranteed fix at a (pretty much)
guarantee labor time.

thinking of that $1200 invoice :)
 
R

RobF

|
| | ~~~~~~~snip

| Have a look at this link: http://support.microsoft.com/kb/307545. It tells
| you where the current registry files are and where you will find the
System
| Restore registry files. |
~~~~~~~~snip

Thanks for the link. Very useful (in future, hopefully not soon). OEM is
mentioned in the text of that web site - Original Equipment Manufacture ?
Does that mean only the computer, or could it mean also the OS that was
purchased alone and installed? TIA for your information,
 
D

db

perhaps, you should
open task manager
and see which process
is riding the cpu heavily.

you can add more columns
to the process window by
going to view.

in addition you can use
freeware like process
explorer to pin down the
location of the files the
rogue process is linked
to.

most assuredly if you
remove the covert files,
the processes will end.

further, if you utilize a
simple reg cleaner like
"eusing",

it will find the rogue keys
you believe to have and
because they have no
files linking them,

you will be able to delete
those ophaned keys.

---------------

incidentally, usually when
after the infections are
cleaned up/out,

there may be system files
that became contaminated,
corrupted and maybe the
anti virus zapped them as
well.

so it would not be unreasonable
to initiate a "repair installation"
with a genuine windows cd.

a repair installation will also
wipe away the restore points
and create a new one,

keeping in mind that the
old points will have the ability
to restore the infections.
--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen
 
G

Gerry

Charlie

What "virus checker" did you run? Something like Malwarebytes might be
worth a try.

Malwarebytes' Anti-Malware
1.37 -freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser -a Registry Optimiser is not a
helpful utility.

Does the excessive CPU usage run in Safe Mode? Does it stop if you
remove the connection from the router / modem to the computer, so that
there is no internet connection?

Your plans for dealing with the problem seem misconceived. Forget about
the registry. You do not know what the problem is and messing in the
Registry can easily make the problem worse. You may be able to identify
the rogue process if malwarebytes does not stop it, by using a
combination of Process Explorer and Autoruns. Task Manager, is similar
but not nearly as effective as Process Explorer. However, one of the
first tools malware often targets is Task Manager, so it is quite
possible that it is not working.

As others have pointed the system may be too severely damaged to easily
restore. You should backup any important data files first to removable
media. Then assess the situation regarding programmes and drivers, which
would need to be installed if you decide to do a clean install of
Windows XP. See if you have all the disks you will need to reinstall.
Write down a plan for reinstalling and try to guess how long it will
take and how difficult doing a clean install of Windows XP might be?
Have you done a clean install before? It is not easy and you need to
know the sequence for carrying the tasks. It is a demanding task if you
have not done it before.

The other side to the equation is how long will it take to repair the
system. A Repair Install, which is non-destructive might not take too
long but it would be pointless if you have active malware on the
computer.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
P

Pegasus [MVP]

RobF said:
|
| | ~~~~~~~snip

| Have a look at this link: http://support.microsoft.com/kb/307545. It
tells
| you where the current registry files are and where you will find the
System
| Restore registry files. |
~~~~~~~~snip

Thanks for the link. Very useful (in future, hopefully not soon). OEM is
mentioned in the text of that web site - Original Equipment Manufacture ?
Does that mean only the computer, or could it mean also the OS that was
purchased alone and installed? TIA for your information,

AFAIK, it works for all flavours of WinXP. I have yet to find out why
Microsoft put the OEM remark there.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top