And great video podcast!! enjoy your site very much!

Also, a great trick to remove files loaded by winlogon.exe (from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) is to terminate winlogon.exe because sometimes you can’t remove the file handles in place to the malware. Unfortunately terminating winlogon.exe will crash your system with a blue screen. So first, terminate smss.exe, THEN terminate winlogon.exe, and problem solved. Better terminate explorer.exe too for it’s handles to other potential malware, and might as well use a 3rd party file manager.

You can get around all file/directory/registry permissions by using a WinPE based boot CD, but if you don’t want to go that route, you can try my own completely free no-ad/no-nags app GetSystem.exe from FoolishIT.com which launches an application under system rights. It can also launch explorer.exe as a shell. System rights are essentially better than administrator rights, ignoring permissions for one thing… Note my website is probably down right now I just revamped it, moved it, etc. etc. but try back later.

As for the person commenting on using safe mode, in my experience that’s only good for stopping network activity. Some malware will implant itself as a service of course, but sometimes it will also start in safe mode (yes services can start in safe mode, for a list of which ones do, check HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network for Safe mode with networking. These are pointers to the service names back in HKLM\SYSTEM\CurrentControlSet\Services.

That’s about all I have time for at the moment. Just some things to think about. Keep up the great work!

Wow, I’ve not known anyone but myself to check the file modified dates in \windows and system32. But two things: 1. Also check system32\drivers, you can flush out some malware that installs itself as a driver here a lot easier than peering into the registry or via a 3rd party util. 2. Some malware, while having a file with the most recent date, will create copies of itself with random date/time stamps or those matching other windows core files. It can be time consuming but you can cross reference each malware file you find via the time/date stamp method by then sorting by size and checking file size down to the byte.

Also, many times malware can modify a core windows file (e.g. userinit.exe) or replace it entirely with it’s own code. SFC may be of some help, other times you’ll find yourself comparing file versions (I’ve never seen malware spoof company info in the file though I would expect to anyday.

Of course the previously mentioned program files is a given.

But then there’s the registry. Even autoruns.exe won’t find the Windows value in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems which can sometimes contain some malware spoof like basesrv64.dll or some other such nonsense, many times putting a 32 or 64 on the end of an otherwise legitimate file name as seen in other areas.

Additionally there is one easy way to constantly reinfect. The default value of HKCR\exefile\shell\open\command is “%1″ %* normally, (%1 runs the file, %* passes any parameters you pass to the exe) can be replace by say “%1″ “C:\windows\system32\killer.exe” %* or anything like that. This way, each time you (or windows) starts a new EXE, the killer app is launched. This can also happen with .COM, .CMD, .BAT, and .REG files for importing which normally contain regedit.exe %1 as a value… among other keys. You can prepare a registry file to merge containing default entries for these keys, but again if either the exefile or regfile key is infected you are SOL unless you load the registry from another machine, a linux boot cd, or winpe based boot cd (which is how I prefer to work if time allows, so that I don’t have anything hidden from normal tools via rootkit.) Also worthy of note is that reglite from resplendence has an amazing ability to see things rootkits and other restricted keys unlike any other 3rd party registry editor. Regdelnull is a good util to use in a batch file and……

Well there’s just so much to cover with the registry….

Very nice video. I tend to follow about the exact same steps. I just wanted to leave a comment for anyone fighting any of the various Scareware apps such as Antivirus 2009, Spyguard 2008, MS Antispyware 2009, or Antivirus 360. All of the programs stem from the trojan Virtumonde which is a rootkit.

My wifes laptop was recently (friday) infected with MS Antispyware 2009. After doing just about exactly what Bryce did, I still some funny activity such as Malwarebytes not running and firefox randomly closing. I ran ComboFix which detected the dll files from the rootkit. ComboFix at this point wants to reboot in order to delete the malicious DLL’s.

After a reboot and ComboFix trashing the DLL’s I was able to run Malwarebytes and finishing cleaning the laptop.

I hope this helps someone in the future.

Bryce, I have just found this site and I have to say, it is refreshing to find someone on the same knowledge level. I would enjoy chatting with you further if you could e-mail me sometime. caleyDOTw AT gmail DOT COM

Anyway this video really helps me put together and take anti-malware to a higher level.

Thanks again!

Thanks Bryce!!!