I recently had to fix my computer’s registry after installing a rogue program. However, I could not remove that program from the startup list in msconfig. I had already uninstalled the program, manually searched and deleted all remaining files related to the program and searched through the Windows 7 registry using the regedit command and cleared most signs of it. But reference to the program in the startup list of the msconfig application continued to exist. Believing that I might have missed something out, I downloaded CCleaner and ran it seeking to find exactly what I had missed out while attempting to manually fix the registry. What I observed was very intriguing and this is what I hope to find an answer for.
CCleaner showed that there was one registry item that was not fixed. I, however, was certain I had fixed it. Using CCleaner, I issued a command to open the registry so I could look at it. Being certain I had not seen that or many of the listed items, I issued a regedit command from the Start menu and searched the same location. I discovered that I was now looking at two versions of the Windows 7 registry. I have a screenshot of them side by side for comparison:
You may observe that the registry keys are exactly the same, but the contents are not. What I would really like to know is what CCleaner had opened. It certainly seems to have access to a registry I could not edit with regedit!
I will be grateful if someone could enlighten me.
BTW, I have already removed the unwanted value and the program reference no longer shows up in the msconfig’s startup list.
Remove any extra/leftover browser add-ons, extensions, plugins, search engine providers, and toolbars that got installed by the malicious application. (However, JRT and Adwcleaner should’ve taken care of most of these).
Run CCleaner
CCleaner by itself will not clear out a malicious application. It basically just cleans out temporary, orphaned, and incorrect files and registry entries. It will not get rid of a malicious program, but it can clean up some of the leftover remnants after removing it with anti-malware tools.
Is there any reason you cannot back up your important files to an external drive, then reformat your hard drive and reinstall your OS and programs? Fact of the matter is that antivirus programs are not entirely effective.
That’s not usually necessary if only a couple of things snuck in. However, this may be the better approach if the computer is completely loaded with malware.
Note that there is a difference between antivirus software and anti-malware software. You need both.
Thank you all for responding. The issue here, for me, is not how to get rid of the malware or virus. I am pretty good at that and can clear most of it without much help from anti-virus or anti-malware software. So I don’t waste money on expensive software, and the basic protection afforded by Microsoft’s anti-virus software is more than sufficient.
My question is why there are two different versions of registry and which particular registry did CCleaner open that I could not have accessed via regedit?
Everything I listed is free. I’m an IT guy by day, and those are the cleaning tools I use these days to clean out a malware infection as a professional in the field.
Additionally, there are several free antivirus software packages available–not just Microsoft Security Essentials. Avast, AVG, ClamAV, plus a few others are all free.
Finally, to help block malware from actually getting in through your browser, I recommend using spybot’s immunize feature. Again, another free tool.
My question is why there are two different versions of registry and which particular registry did CCleaner open that I could not have accessed via regedit?
There is only one registry. I suspect that the malware is writing entries to the registry as soon as it notices that they are missing.
I get all that. I should make it clear that there are no virus/spyware/malware on my system now. It is fairly evident from the screenshot there could be more than one registry. Both registries are opened side-by-side. They are different. They are not the same. One was opened with regedit command from the start menu. The other was opened using CCleaner by selecting a registry entry and clicking on “Open in RegEdit”. What I have is evidently two different registries. Compare the entries. They are significantly different.
Did you do a comparison after you ran the cleaner (rather than just analyze)? Are you looking at a backup of the registry?
Or, it could be a difference between permissions levels between what CCleaner is using and opening regedit directly–although you should be prompted for elevated privileges to access regedit either way.
Are there any values listed for those registry entries?
First, a disclaimer… I don’t know what I’m talking about :weyes:
I seem to remember reading once-upon-a-time that certain elements of the registry were protected from being altered or deleted; and that if Windows detected any alteration, it would promptly replace the altered items with its stored values.
If that’s accurate, it seems reasonable that the malware could have written into the protected area of the registry (on disk) and Windows is busily writing it to the active registry in RAM.
Is that possible, FF, or did I watch too much Twilight Zone?
Yes, there are some special registry keys that are protected, though I don’t know which ones off the top of my head.
However, the registry paths in the screenshots are not protected areas–they are one of a few places that define what programs load at startup.
I’m guessing that either malware keeps re-adding them, or SutharsanJIsles is trying to compare a running version of the registry against a cached version of the registry.
Perhaps it’s a permissions issue. Registry keys have permissions just like files, and if you opened a command prompt without “run as administrator”, you or CCleaner may not be able to view all the same keys. You can review the security settings for the keys in question and see if there is something you can see that would explain your problem.
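A way to check the two things the replies above raise (the startup Run keys and their permissions) from one elevated PowerShell session. This is an added example, not code from anyone in the thread; it goes one step beyond the thread by also reading the separate 32-bit view of HKLM that a 32-bit program on 64-bit Windows sees at the same path (regedit shows that view under Wow6432Node), which is one known reason two tools can show the same key path with different contents. The path is assumed to be the standard Run key; the function name is mine.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Lists the startup Run entries from the 64-bit and 32-bit HKLM views and from
# HKCU, diffs the two HKLM views, and shows who may write the 64-bit HKLM key.
$runPath = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntries {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey with an explicit view bypasses WOW64 redirection,
    # so a 64-bit process can read what a 32-bit process would see.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    $key  = $base.OpenSubKey($runPath)
    if ($null -eq $key) { $base.Close(); return @() }
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Hive  = $Hive
            View  = $View
            Name  = $name
            Value = $key.GetValue($name)
        }
    }
    $key.Close(); $base.Close()
}

$entries = @(
    Get-RunEntries -Hive LocalMachine -View Registry64   # what 64-bit regedit shows at the path
    Get-RunEntries -Hive LocalMachine -View Registry32   # what a 32-bit tool sees at the same path
    Get-RunEntries -Hive CurrentUser  -View Registry64
)
$entries | Sort-Object Hive, View, Name | Format-Table Hive, View, Name, Value -AutoSize

# Entries present in only one HKLM view: "same path, different contents"
$x64 = $entries | Where-Object { $_.Hive -eq 'LocalMachine' -and $_.View -eq 'Registry64' }
$x86 = $entries | Where-Object { $_.Hive -eq 'LocalMachine' -and $_.View -eq 'Registry32' }
Compare-Object $x64 $x86 -Property Name, Value | Format-Table -AutoSize

# Permissions on the 64-bit HKLM Run key: which principals can add or change values
(Get-Acl -Path "HKLM:\$runPath").Access |
    Where-Object { $_.RegistryRights -match 'SetValue|FullControl|WriteKey' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Any value that appears in the Compare-Object output only for the 32-bit view lives under HKLM\Software\Wow6432Node\...\Run in regedit, so look for it there rather than at the unredirected path.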