
Malware Removal

NOTE: content on this page is not consistent with the new v7+ version of D7.  I'll update this page soon - stay tuned!

D7 Auto Mode

You’ll see this on several tabs, but this is the most frequently used.  It merely runs every function and program that is checked, in that order.  

D7 Auto (on the Malware tab ONLY) also has the feature that if D7 crashes or the system restarts, D7 will automatically pick up where it left off (as best as it can) the next time the system (or D7) restarts.  

Beside the D7 Auto Mode Start button, in the current theme's highlighted text (usually light blue) you'll see several options that also utilize the check box configuration you have on this tab.  Like Select All and Select None, the Save Config and Load Defaults options apply only to the check box configuration on this tab.  

Pre-Removal and Post-Removal Items

Some of these may require a little explanation.  When inside the D7 interface, rest the mouse cursor over the label (e.g. Reset Hidden Volume) to see the tooltip text popup, further explaining what a function does.  

Each of these items (with one exception) will be unchecked after it is run in D7 Auto Mode.
  • Custom App x - These are configurable with your own apps, via D7 > D7 Config > Custom Stuff or by clicking on the label.  
  • Kill Explorer.exe - Simple, this is the only item that will remain checked throughout the entire D7 Auto process.  This is because in the event Explorer is restarted somehow, it will be terminated again before D7 Auto proceeds.  
  • Reset Hidden Volume - This option unhides all files (hidden by malware) on the target partition, in the case of the Malware tab that is the operating system partition.  
  • Kill Rename Ops - This deletes the PendingFileRenameOperations value in the registry that renames/deletes files on reboot.  
  • Fix Shell/Run - Import default values for the shell to launch EXE, COM, BAT, CMD, SCR, and REG files.  These locations in the registry are HKCR\xxx\Shell\Open\Command where xxx = exefile, comfile, etc.  
  • Remove Policies - This deletes all registry values relating to Windows group policy settings - often used by malware.  In a domain environment, this is safe to use, but on a subsequent login you may want to do a gpupdate /force to refresh all policies on the computer that are *supposed* to be there.  
  • Clear Proxy Settings - Now works with Firefox!  
  • Delete Temp Files - This deletes temp files, temporary internet files, cookies, and history on all user accounts, and in %windir%\temp.  
  • Purge System Restore - Deletes all but the last 3 restore points on Windows XP.  I leave the last three to give you something to work with in case you need to restore a registry backup for some reason.  
  • Install Support App - This installs the support application of your choice on the PC.  This is configurable in D7 > D7 Config > Install Support App.  This option is also currently available on the Maintenance tab.  
  • Repair Permissions - Set default permissions on Windows directories and registry keys by running these commands:  
    • secedit /analyze /db %windir%\sectest.db /cfg %windir%\inf\defltwk.inf /log %windir%\security\logs\secanalyze.log
    • secedit /configure /db %windir%\sectest.db /cfg %windir%\inf\defltwk.inf /log %windir%\security\logs\secrepair.log
    • secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
  • Reset Networking - Performs these commands:
    • Deletes Winsock registry keys on Windows XP.
    • netsh winsock reset
    • netsh winsock reset catalog
    • netsh interface ip reset c:\int-resetlog.txt
    • netsh interface reset all
    • netsh interface ip delete arpcache
    • ipconfig /flushdns
    • ipconfig /registerdns
    • Reinstalls TCP/IP on Windows XP
    • ipconfig /release all
    • ipconfig /renew all
  • Repair Lots of Stuff - Performs these repairs (also individually available on the Repair tab):
    • WMI/WBEM (This also fixes issues with Windows Security Center thinking anti-virus is installed that isn't - usually a fraudulent one that you just removed...)
    • Windows Update Services (which repairs the Automatic Updates and BITS services)
    • System Restore
    • Windows Firewall.
  • Restart Explorer.exe - Restarts explorer if it was terminated previously by D7 Auto.  This option never needs to be checked.  

D7 Pre-Malware Scan and Malware Scan Behavior

Here’s a quick breakdown of what is done.  
  • The registry hives of all user profiles on the system are loaded.  
  • The OPTIONAL Pre-Malware Scan deletes blacklisted file and registry objects, by name.  Nothing fancy, just crude name/location checking.  Nothing here for random or evolving names, unfortunately, but works great for frequently removed adware or junk programs.  
  • FindQs is run.  This is a concept you can examine in the Batch file section of this website.  Note that if you continually get notepad popups from FindQs with non-malicious entries, you must terminate the minimized FindQs command window before closing the results (in notepad).  
  • The Malware Scan window runs a check every time you click a node to the left.  These are all registry entries and file system locations that I used to check by hand.  Ugh.  
  • The Malware Scan window only reports items that do not appear in the whitelists.  The theory behind this is that once you know something is good, why be bothered with it cluttering up your lists.  If you really want to see everything, you have the option of deleting the whitelists in the \Defs folder.  
  • Whitelists and Blacklists are kept in plain text format, however there is a crude definition editor for the lists.  
  • Whitelists and Blacklists are created and maintained by whoever uses D7 (that’s you.)  In the Malware Scan window you have the option to whitelist and blacklist certain items.  
  • Functionality is provided to “Update” or MERGE the definition files.  It is designed around a centralized location, like a network share, where you store and sync with a master copy of the definition files.  Using this method, you can easily keep your definitions in sync from your flash drive or other locations, or with other technicians and their definitions.  
  • D7 whitelist/blacklist definitions ARE NOT DESIGNED TO BE UPDATED OR MAINTAINED BY ME, ONLY BY YOU!  I do not release updates to the definition files; that’s up to you.  You may use the sample definition files provided in the D7 download for your reference, or delete them if you don’t trust them, and you will create your own over time as you use D7.
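As an added illustration of the whitelist/blacklist workflow described above (example code written for this manual page, not D7's own code), the Python below takes a few constructed Run-key entries, merges a local and a master whitelist the way the Update/MERGE step does, and splits the entries into blacklisted, whitelisted and unknown by crude file-name matching.  The entry names, paths and definition file contents are all made up for the example.

```python
import re

# Autostart entries as a scan of the Run keys might report them:
# (hive, registry key, value name, command line). Constructed sample data
# for this example, not real scan output.
SCAN_RESULTS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\tech\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKU\S-1-5-21-EXAMPLE-1001", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "sysupd", r"C:\Users\guest\AppData\Roaming\sysupd.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "1", r"C:\ProgramData\AdwareToolbar\toolbar.exe"),
]
# Plain-text definition files: one file name per line, '#' starts a comment.
LOCAL_WHITELIST = "# flash drive copy\nsecurityhealthsystray.exe\n"
MASTER_WHITELIST = "# network share copy\nSecurityHealthSystray.exe\nOneDrive.exe\n"
BLACKLIST = "# names the pre-malware scan deletes on sight\ntoolbar.exe\n"

def load_defs(text):
    """Parse a definition file into a set of lower-cased file names."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def merge_defs(*texts):
    """The 'Update'/MERGE step: the union of every copy, returned as file text
    so the local and master files can be written back identical."""
    merged = set().union(*(load_defs(t) for t in texts))
    return "\n".join(sorted(merged)) + "\n"

def exe_name(command):
    """Reduce a command line to the file name of its first executable token.
    Crude name-only matching, exactly as the page describes."""
    m = re.match(r'\s*"?([^"]+?\.(?:exe|dll|bat|cmd|scr|com))"?(?:\s|$)', command, re.I)
    token = m.group(1) if m else (command.split() or [""])[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(results, whitelist, blacklist):
    """Bucket scan results the way the Malware Scan window presents them:
    blacklisted (pre-scan deletes), whitelisted (hidden), unknown (shown)."""
    wl, bl = load_defs(whitelist), load_defs(blacklist)
    out = {"blacklisted": [], "whitelisted": [], "unknown": []}
    for hive, key, name, cmd in results:
        exe = exe_name(cmd)
        bucket = ("blacklisted" if exe in bl else
                  "whitelisted" if exe in wl else "unknown")
        out[bucket].append(f"{hive}\\{key}\\{name} -> {exe}")
    return out
```

Run triage() once with LOCAL_WHITELIST and once with the merged text to see how syncing with the master copy removes OneDrive from the unknown list while sysupd.exe, which no definition file mentions, stays visible for review.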

D7 Malware Scan Registry Search Locations

Due to the nature of Malware Scan’s whitelisting, most of these nodes on the left will be empty, (that’s a good thing.)

Not every registry location where malware can hide is searched, but I’m off to a decent start.  Here is a quick explanation of the search locations Malware Scan can find in each section:

  • Misc - These entries give you the option to manually change the value, and a backup is also created of the existing value.  Note that you must hit the Apply Changes button to save any changes made.  
    • Gina DLL value  (usually blank)
    • AppInit_DLLs value  (usually blank)
    • UIHost value  (usually logonui.exe)
    • System value  (usually blank)
    • Userinit value  (usually userinit.exe)
    • HKLM and HKCU Shell values (ya know, explorer.exe should be the only thing here, and normally there is no defined HKCU Shell value.)
  • Misc2 - More entries where you can manually change the value.  Note that you must hit the Apply button to save any changes made.  
    • Taskman value (usually blank) this value, if present, launches an alternate program when you CTRL-ALT-DELETE
    • Magnifier value (usually magnify.exe)
    • Narrator value (usually narrator.exe)
    • On Screen Keyboard value (usually osk.exe)
  • Run Keys - This screen contains all entries populated from SOFTWARE\Microsoft\Windows\CurrentVersion under HKLM, HKCU, and all user profile registry hives.  Registry keys queried are Run, RunOnce, and Policies\Explorer\Run.  
  • Services - This screen obviously contains all entries found in the Services subkey of HKLM\System\CurrentControlSet and the ControlSet00x keys.  
  • Enum\Root - This screen pulls its data from the Enum\Root subkey of HKLM\System\CurrentControlSet and the ControlSet00x keys.  (I apologize for not including a more comprehensive whitelist for this section, as I only recently added detection of this area.)
  • BHOs - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  • BootExecute - The HKLM\System\CurrentControlSet (and ControlSet00x) \Control\Session Manager BootExecute value.  
  • IFEO - Image File Execution Options.  This entry is located in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and contains debugger values for legitimate applications.  This is a bit of a clone of my other function, the IFEO Modifier, which has its own launcher in D7 (and is its own project; please visit the project page on www.foolishit.com for more information on this registry location and its potential uses for malware, AND for US.)  
  • KnownDLLs - This key is located in HKLM\System\CurrentControlSet (and ControlSet00x) \Control\Session Manager\KnownDlls
  • LoadRun - These are the legacy values Load and Run located in HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • LogonNotify - Subkeys of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
  • Safe Mode Svcs - These are services that load in safe mode.  The subkeys here are located in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (\Minimal and \Network) which are really pointers for the standard services.
  • Scheduled Tasks - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • ShellExecuteHooks - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  • Shell Value - Same as on Misc node, however this one scans all Shell values for all user profiles on the system.  
  • SSODL - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • StartMenuInternet - This displays the values that control launching your default web browser from the Start Menu.  Malware often places itself in these keys before the legitimate entry.  There is no delete or repair function in D7 here, just open the registry path and fix the value manually if it contains a rogue entry.  

D7 Malware Scan File System Search Locations

Items here that appear in RED aren’t necessarily bad, they are just hidden in the file system.  Any file that wants to hide itself in my opinion is worth a better look than a file that stands out in the open.  
  • Hosts File - This one is a no brainer, right?
  • Task Scheduler - Not to be confused with the registry location Scheduled Tasks, these are the file system objects (*.job) that represent items in the Windows Task Scheduler.  
  • Startup Folders - The Startup folder (ya know, in the start menu) of each user, and the All Users profile is scanned here.  
  • Out of Place Files - Here is where it actually gets a little interesting.  This concept feature searches for files that just don’t seem like they should belong where they are.  Most of these locations can contain legitimate objects in subdirectories, but they rarely contain legitimate objects in the directories themselves; usually it’s malware in my experience.  So I have D7 just check for anything “out of place”.  Specifically, it finds *.EXE, *.DLL, *.SYS, and *.DAT in these locations (but NOT in their subdirs):
    • %userprofile%\Application Data  
    • %userprofile%\Local Settings\Application Data
    • %userprofile%\AppData
    • %userprofile%\AppData\Local
    • %userprofile%\AppData\LocalLow
    • %userprofile%\AppData\Roaming
    • %userprofile%\AppData\Local\Microsoft
    • %userprofile%\AppData\LocalLow\Microsoft
    • %userprofile%\AppData\Roaming\Microsoft
    • It hits up the above locations in each user profile, also in the %allusersprofile% (and \program data\ of course)
    • %program files%
    • %program files(x86)%
  • Temp Dir - This checks for *.EXE and *.DLL in the temp directories and their subs of each user profile and \Windows\Temp.  There might be a lot of legitimate stuff in there, UNLESS you used the delete temp files function PRIOR to checking this area.  If you did, then what’s left is running / in-use and maybe you should take a closer look.  
  • Find New Files... - This function searches for all new files (by default within the past 30 days) in the \Windows, \Windows\System32, and all user profile app data and temp folders.  
  • Windows Dir, System32 and System32\Drivers - This is more of an experiment, but has proven helpful.  By applying whitelisting to every file found in these directories, you are left with hopefully few results.  (I wish I could say this for the System32 scan) but hopefully in those results you’ll see some malware if present.  This is my answer to Find New Files... not finding malware that has modified its date/time stamp.  
  • ADS (Quick) - Scans for alternate data streams in the following locations: 
    • \Windows directory (no subdirs)
    • \Windows\System32 directory (with subdirs)
    • \ProgramData (if exist, with subdirs)
    • %userprofile%\Application Data (for each user profile)
    • %userprofile%\Application Data\Local Settings\Application Data (for each user profile)
    • %userprofile%\Appdata (for each user profile)
  • ADS (Full) - Scans for alternate data streams on the entire volume.
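To make the Out of Place Files and Find New Files... checks above concrete, here is an added Python example (written for this page, not D7's code) that builds a constructed profile tree in a temporary directory, flags *.exe/*.dll/*.sys/*.dat sitting directly in the listed AppData directories without recursing, and separately lists files modified within the last 30 days.  It assumes the file modification time is the "new file" timestamp and uses only the Vista+ AppData directory names.

```python
import os, tempfile, time
from pathlib import Path

# Extensions the "Out of Place Files" check looks for, directly in the listed
# directories only (never in their subdirectories).
OUT_OF_PLACE_EXT = {".exe", ".dll", ".sys", ".dat"}
# Profile-relative directories from the list above (Vista+ names only here).
OUT_OF_PLACE_DIRS = [
    "AppData", "AppData/Local", "AppData/LocalLow", "AppData/Roaming",
    "AppData/Local/Microsoft", "AppData/LocalLow/Microsoft",
    "AppData/Roaming/Microsoft",
]

def out_of_place_files(profile):
    """Flagged-extension files sitting directly in a listed directory."""
    profile = Path(profile)
    return sorted(p.relative_to(profile).as_posix()
                  for rel in OUT_OF_PLACE_DIRS if (profile / rel).is_dir()
                  for p in (profile / rel).iterdir()  # iterdir(): no recursion
                  if p.is_file() and p.suffix.lower() in OUT_OF_PLACE_EXT)

def new_files(roots, days=30, now=None):
    """'Find New Files...': files modified within `days`, recursing into subdirs.
    Assumption: mtime is the timestamp compared; the page does not say which."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(p.name for root in roots for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mtime >= cutoff)

def build_sample_profile(root, now):
    """Constructed sample profile tree (not real data); values are age in days."""
    profile = Path(root) / "Users" / "tech"
    files = {
        "AppData/Roaming/updater.exe": 2,                  # out of place, and new
        "AppData/Roaming/Microsoft/Word/normal.dat": 200,  # in a subdir: not flagged
        "AppData/Local/settings.ini": 1,                   # new, but not a flagged extension
        "AppData/Local/Microsoft/helper.dll": 400,         # out of place; old or backdated stamp
    }
    for rel, age in files.items():
        p = profile / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
        os.utime(p, (now - age * 86400, now - age * 86400))
    return profile

def demo():
    """Run both checks over the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        profile = build_sample_profile(tmp, now)
        return {"out_of_place": out_of_place_files(profile),
                "new_files": new_files([profile / "AppData"], 30, now)}
```

The helper.dll case shows the point made under Windows Dir above: a backdated timestamp hides a file from the 30-day window, but the location check still reports it.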