Tuesday, June 26, 2012

Windows cannot find regedit or taskmgr

Today I ran my standard gamut of tricks for cleaning up an infected Win7 laptop.  HDD out of the patient, into the cradle, and scanned/cleaned with a clean and well-updated machine.  Easy enough; HDD back into the patient, then back on the bench to make sure that all the i's were dotted and t's were crossed.


Not so easy.  IE ran just fine; I downloaded and installed Microsoft Security Essentials and rebooted, per expectation.  But on reboot, I found that MSE just would not load...  So I downloaded Malwarebytes.  Malwarebytes just would not load either.  OK, let's look at regedit.  Win+R, "regedit".


"Windows cannot find c:\windows\regedit.exe..."


Long story short:  I took the HDD out of the patient and put it back into the cradle to look at the registry with my clean machine (the "Load Hive" trick, if you're wondering: regedit's File > Load Hive on the patient's SOFTWARE hive).  While fumbling around, I found a feature of Windows called "Image File Execution Options".


The VXer had added a subkey for every conceivable anti-malware tool under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, each with a Debugger value pointing at the malware.  Windows honours that value at process creation: instead of starting the requested executable it starts the named "debugger" with the original command line appended, so every launch of regedit.exe, taskmgr.exe, MSE or Malwarebytes was shunted to the malware file.  The "Windows cannot find c:\windows\regedit.exe" message is the tell-tale of this hijack after the fact: the earlier scan had most likely already removed the file the Debugger value pointed to, so the launches failed instead of being redirected.  So I just deleted every subkey under that key and put the laptop back together.  Note that this wholesale delete also removes any legitimate IFEO entries; on a machine you care about, inspect each subkey and remove only the Debugger value.
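The check described above, as an added example that is not code from the original post: a PowerShell script that lists every Image File Execution Options subkey carrying a Debugger value, reports whether the "debugger" still exists on disk (a missing one is what produces the "Windows cannot find ..." error), and with -Remove deletes only that value. It defaults to the live machine; the hive name PATIENT, the D: drive letter and the script filename are assumptions for working on a cradled drive with the hive loaded offline.

```powershell
<#
 Added example, not code from the original post. Lists every Image File Execution
 Options subkey that carries a Debugger value (the hijack described above) and,
 with -Remove, deletes just that value so any legitimate IFEO settings survive.
 Run from an elevated PowerShell. By default it inspects the live machine; for a
 patient drive in a cradle, load its SOFTWARE hive first and point -HiveRoot at it
 (drive letter D:, hive name PATIENT and the script name are assumptions):
   reg load HKLM\PATIENT D:\Windows\System32\config\SOFTWARE
   .\Find-IfeoDebugger.ps1 -HiveRoot 'HKLM:\PATIENT' -Remove
   reg unload HKLM\PATIENT
#>
param(
    [string]$HiveRoot = 'HKLM:\SOFTWARE',
    [switch]$Remove
)

$ifeo = Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (-not (Test-Path -LiteralPath $ifeo)) {
    throw "IFEO key not found: $ifeo"
}

$findings = foreach ($sub in Get-ChildItem -LiteralPath $ifeo) {
    $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $dbg = $dbg.Trim()

    # Debugger holds a command line; the process Windows actually starts is its first token.
    $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }

    [pscustomobject]@{
        Target   = $sub.PSChildName             # e.g. regedit.exe, taskmgr.exe, mbam.exe
        Debugger = $dbg
        # A redirect whose target is gone is exactly what yields "Windows cannot find <Target>":
        # the hijacker was cleaned off the disk but the IFEO entry was left behind.
        OnDisk   = Test-Path -LiteralPath $exe  # false for bare names such as ntsd
        Key      = $sub.PSPath
    }
}

if (-not $findings) {
    Write-Host "No Debugger values under $ifeo"
    return
}

$findings | Format-Table Target, Debugger, OnDisk -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Remove only the Debugger value; other settings in the subkey stay intact.
        Remove-ItemProperty -LiteralPath $f.Key -Name Debugger
        Write-Host "Removed Debugger from $($f.Target)"
    }
}
```

Run it without -Remove first and read the table: a subkey named after an anti-malware tool whose Debugger points at an odd location (or at a file that no longer exists) is the infection; an entry such as a real debugger deliberately set by a developer is not, and is the kind of thing a blanket delete of the whole IFEO key would wipe out. Unload the patient's hive with reg unload before pulling the drive.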


Voilà!  Problem solved.
