Good afternoon everyone,
I wanted to quickly ask anyone here who does any manual cleaning of malware: what registry keys do you check right off the bat? Since even the smallest of viruses edit various parts of the registry, usually for persistence or to protect themselves, what must you check in order to confirm/deny a virus infection?
And to add to this, I was wondering if anyone had heard of the AppInit_DLLs key. This key is a very dangerous one because it lists all DLLs that are loaded by default whenever a GUI application is loaded. The key is located under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and is a REG_SZ value by the name of AppInit_DLLs. Normally, this key should be empty on most machines (though I'm not certain whether any specific software uses this key, so make sure to double-check anything before deleting stuff and blaming me), and even Microsoft recommends that no one use this key for any reason and warns that future versions of Windows may not support it. On modern versions of Win (Vista, 7, 8?) there is also the LoadAppInit_DLLs key in the same location, which should normally be set to 0x0 to indicate that no DLLs from AppInit_DLLs should be loaded, but when set to 0x1, it does load them. (I'm not 100% certain on that last part; I never really got a chance to test it.)
It's funny because, according to a study of computer security experts told to inspect a random machine for the presence of a virus, the first thing they always do is jump for some kind of GUI program.
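As an added example (not from the original post), here is a PowerShell check for the AppInit_DLLs location described above. It reads both the native key and the Wow6432Node view used by 32-bit processes on 64-bit Windows, and also reports RequireSignedAppInit_DLLs, a Windows 7+ value the post does not mention; the Get-AppInitState function name is my own.

```powershell
# Added example: inspect the AppInit_DLLs persistence location on the local host.
# Assumes Windows Vista or later; reading HKLM needs no elevation.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit registry view on 64-bit Windows; 32-bit GUI processes read this one
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitState {
    param([string[]]$KeyPaths = $AppInitKeys)

    foreach ($Key in $KeyPaths) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key

        # REG_SZ list of DLLs; empty or absent is the expected state
        $Dlls = [string]$Props.AppInit_DLLs
        # DWORD switch: 0 = entries are not loaded, 1 = entries are loaded
        $Load = $Props.LoadAppInit_DLLs
        # Windows 7+: 1 = only Authenticode-signed DLLs are loaded
        $RequireSigned = $Props.RequireSignedAppInit_DLLs

        # Several DLLs may be listed, separated by spaces or commas
        $Entries = @($Dlls -split '[ ,]+' | Where-Object { $_ })

        # For entries that resolve to a file, record the signature status
        $Signatures = foreach ($Entry in $Entries) {
            if (Test-Path $Entry) {
                '{0} -> {1}' -f $Entry, (Get-AuthenticodeSignature $Entry).Status
            } else {
                '{0} -> (not found by that path; may be resolved via PATH)' -f $Entry
            }
        }

        [pscustomobject]@{
            Key           = $Key
            AppInit_DLLs  = $Dlls
            LoadAppInit   = $Load
            RequireSigned = $RequireSigned
            Entries       = $Entries
            Signatures    = $Signatures
            # Worth a closer look whenever anything is listed and loading is on
            Suspicious    = ($Entries.Count -gt 0) -and ($Load -eq 1)
        }
    }
}

Get-AppInitState | Format-List
```

A non-empty AppInit_DLLs with LoadAppInit_DLLs set to 1 is the combination to investigate; compare the listed files against a known-good baseline before removing anything.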