common virus attack places in registry

Sunday, September 27, 2009
If your PC gets infected by a virus, the virus will modify your registry so that it keeps coming back. A number of registry locations are modified, and they are described as follows.

Location 1
  • Open registry editor
  • First navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • In the right pane, see if there is a suspicious entry (look especially for an entry that runs from locations such as C:\WINDOWS\ or C:\WINDOWS\system32)
  • Delete the suspicious entry
Location 2
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Here too, look for suspicious entries as described above, and delete them
Location 3
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • In the right pane, find the "Shell" value and verify that its value data is set to Explorer.exe. If it has been changed, erase the existing value data and change it back to Explorer.exe
  • Also find the "Uihost" value and verify that its value data is set to logonui.exe
  • Last, find the "Userinit" value and verify that its value data is set to C:\WINDOWS\system32\userinit.exe, with nothing after the comma. If there is anything after it, erase the value data and change it back to C:\WINDOWS\system32\userinit.exe,
Note - if you have successfully removed the virus from your system but haven't corrected the registry, you might see error messages during the login process. For example, if the Userinit value is different from what is described above, you will get an error message before the desktop appears, and the login process can also take more time.
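The three checks above can also be run over an exported copy of the registry instead of clicking through the editor. The following is an added example, not part of the original post: it assumes the keys were exported to a .reg file (for instance with regedit's export function) and that the file's text has already been read into a string; the function name `audit` and the sample data are constructed for illustration.

```python
import re

# Keys and expected Winlogon data as listed in the post (compared case-insensitively).
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_EXPECTED = {
    "shell": "explorer.exe",
    "uihost": "logonui.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}
WINDOWS_DIR = "c:\\windows\\"  # prefix also covers C:\WINDOWS\system32
# "name"="data" string values; .reg files escape \ and " with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def audit(reg_text):
    """Return (key, value name, data, reason) for every entry worth reviewing."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # section header: current key path
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue  # file header, blank line, or non-string value
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if key in RUN_KEYS and data.lower().lstrip('"').startswith(WINDOWS_DIR):
            findings.append((key, name, data, "autorun from C:\\WINDOWS, review"))
        elif key == WINLOGON_KEY:
            expected = WINLOGON_EXPECTED.get(name.lower())
            if expected is not None and data.lower() != expected:
                findings.append((key, name, data, "expected " + expected))
    return findings

# Constructed sample export (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"example"="C:\\WINDOWS\\system32\\example.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example.exe"
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A Run entry flagged here is only a candidate for review, since legitimate Windows components also start from C:\WINDOWS\system32; the Winlogon findings are direct mismatches against the values given above.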


Jimmy said...

I was never able to know about the features of registry software without landing on this page. After reading this page I can say that registry cleaners are necessary for each PC.

