Silicon Shecky

Infosec Practitioner

Malware Cleaning tricks

Posted on November 6, 2009 (updated May 17, 2011) by Michael Kavka

So, it's been one of those weeks for me. I have had three machines so far infected with various malware. I would love to find some of these people who get off on writing malware and just stick a nuclear warhead in their pants and detonate it, but that isn't happening. So, being the IT person I am, I run into the infamous clean-or-rebuild scenario.

Of course, rebuilding the machine is the best answer overall, mostly because you know you have a clean machine when you are done. The problem is that a good portion of the time your clients have too much on the machine, software they no longer have the install media for, and of course nothing backed up.

So we, as IT people, let out a big sigh and try to see what we can do. We get out our tool kit which in my case includes:

SuperAntiSpyware

Malwarebytes

Combofix

The problem is that all of a sudden you can't seem to get the last few bits and pieces out of the system. There are files that just won't delete and registry entries that keep coming back. Of course, this is by the malware's design: it loads one or two files at startup, even in Safe Mode, and once that file is running the system holds it locked. That same file keeps putting the registry entries back. So what is a poor technician to do?

Well, if you are lucky enough to have a copy of ERD Commander 2003 or something similar (after Microsoft bought Winternals, ERD Commander lived on inside the Diagnostics and Recovery Toolset, DaRT), there is hope. ERD (which I have had for years) boots from its own media, so none of the installed Windows files are loaded and nothing from the installed registry gets started; that means nothing the malware planted is running and nothing is locked. Plus it has a registry editor that opens the offline hives. Now deleting the malicious files is as simple as knowing where they are hiding, and removing the registry entries is pretty easy too.

Yet there is one last trick. We all know about cleaning HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and its HKCU twin), but make sure you do two more things. First, use the registry editor's Find feature to search for the filenames of the malware listed in the Run key, because the same file is usually referenced again somewhere else. Second, go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and look at the AppInit_DLLs value. On a clean machine it should be blank. If it lists anything, check what each DLL is, and clear the value of anything you don't recognise; on an infected machine it is almost always the malware, though the occasional legitimate product does put a DLL there. This one little spot is how the crap gets loaded into the Windows shell: every DLL listed in AppInit_DLLs is loaded by user32.dll into each GUI process, explorer.exe included, which is why the infection comes back even after its Run entry is gone.

Now boot back into Windows and re-run the programs listed above. Odds are you will get rid of just about any infection this way. You can also do the ERD trick first, especially if you can't seem to run any anti-malware software on the machine at all. It works wonders.
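As an added example (my own script, not part of the original post), here is the same three-step registry check done in PowerShell: walk the Run keys and see whether each command points at a real, signed file; dump the AppInit_DLLs value; then sweep the whole SOFTWARE hive for any other value that mentions a suspect filename, which is what the Find step does by hand. It runs on the booted machine by default, and from a WinPE or DaRT-style recovery boot it can be pointed at the offline SOFTWARE hive after `reg load`. The `-HiveRoot` and `-SuspectNames` parameters and the `HKLM\Offline` mount name are this example's own conventions.

```powershell
<#
  Added example, not from the original post. Run from an elevated PowerShell.
  -HiveRoot defaults to the live SOFTWARE hive. For the ERD-style offline check
  from WinPE, first mount the victim's hive:
      reg load HKLM\Offline D:\Windows\System32\config\SOFTWARE
  then run this with -HiveRoot 'HKLM:\Offline' (and `reg unload HKLM\Offline` after).
  The parameter names and the Offline mount point are assumptions of this example.
#>
param(
    [string]   $HiveRoot     = 'HKLM:\SOFTWARE',
    [string[]] $SuspectNames = @()        # extra filenames to hunt, e.g. 'svchosts.exe'
)

$live = ($HiveRoot -eq 'HKLM:\SOFTWARE')

# Per-machine Run keys (plus the 32-bit view on 64-bit Windows).
$runKeys = @(
    "$HiveRoot\Microsoft\Windows\CurrentVersion\Run",
    "$HiveRoot\Microsoft\Windows\CurrentVersion\RunOnce",
    "$HiveRoot\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
)
# The current user's hive is only mounted on the booted system.
if ($live) { $runKeys += 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }

# AppInit_DLLs is a value under ...\Windows NT\CurrentVersion\Windows.
$appInitKeys = @(
    "$HiveRoot\Microsoft\Windows NT\CurrentVersion\Windows",
    "$HiveRoot\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
)

function Get-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /quiet   or   C:\temp\bad.exe -s
    param([string] $Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

'== Run keys =='
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string] $item.GetValue($name)
        $path   = Get-CommandPath $cmd
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        # The signature check needs the real file: live boot, or the offline disk
        # mounted under the drive letter the Run value uses.
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'FileMissing' }
        '{0}  [{1}] = {2}' -f $key, $name, $cmd
        '    file: {0}  signature: {1}' -f $path, $status
        # Anything unsigned, tampered or pointing at a missing file goes on the hunt list.
        if ($path -and $status -ne 'Valid') { $SuspectNames += (Split-Path -Path $path -Leaf) }
    }
}

'== AppInit_DLLs =='
foreach ($key in $appInitKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($val)) {
        '{0}: empty (expected on a clean machine)' -f $key
        continue
    }
    # Every DLL here is loaded by user32.dll into each GUI process, explorer.exe
    # included, which is why the Run entry alone never stays gone.
    '{0}: AppInit_DLLs = "{1}"  <-- investigate' -f $key, $val
    foreach ($dll in ($val -split '[ ,;]+' | Where-Object { $_ })) {
        $SuspectNames += (Split-Path -Path $dll -Leaf)
    }
}

# The "Find feature" step: sweep the hive for any value that mentions a suspect
# filename so the other places it is referenced show up too.
'== Registry values referencing suspect filenames =='
$SuspectNames = @($SuspectNames | Where-Object { $_ } | Sort-Object -Unique)
if (-not $SuspectNames) { 'nothing to hunt'; return }
'hunting: {0}' -f ($SuspectNames -join ', ')
Get-ChildItem -LiteralPath $HiveRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $k = $_
    foreach ($vn in $k.GetValueNames()) {
        $v = [string] $k.GetValue($vn)
        foreach ($s in $SuspectNames) {
            if ($v -like "*$s*") { '{0}  [{1}] = {2}' -f $k.Name, $vn, $v }
        }
    }
}
```

Two caveats when reading the output. A 'NotSigned' status is not proof of malware (plenty of small vendors never signed their XP-era tools), so treat the list as leads to check, not a delete list; and on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by the OS, so an entry there only matters on older machines or ones with Secure Boot off. The recursive sweep over a full SOFTWARE hive takes a minute or two; that is the price of the same search regedit's Find does.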

Computers, General, Security

Copyright © 2026 Silicon Shecky.