
I have a computer with a virus. I've finally located one of the registries that is creating problems. If I change or delete the registry and then delete a particular process, it will recreate the registry key and subsequently the process.

Is there a way I can use this information to my advantage to determine what is recreating the registry? (And then banish it forever)

Thanks.

Meowbits
  • [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) can do that with proper [filtering](http://blogs.technet.com/b/appv/archive/2008/01/24/process-monitor-hands-on-labs-and-examples.aspx). Anyway, check [How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?](http://superuser.com/questions/100360/how-do-i-get-rid-of-malicious-spyware-malware-viruses-or-rootkits-from-my-pc) if you haven't already. – and31415 Mar 20 '14 at 11:13
  • Your main problem is that you are trying to disinfect an infected running system. If you really want to remove a virus from a system, boot a clean system (e.g. from a boot CD) and use it for virus scanning and removal. Otherwise you will not succeed, as a typical virus consists of multiple executables checking each other and restarting/restoring them. – Robert Mar 20 '14 at 12:51

1 Answer


You can use: 1) procmon, which is available for download from Microsoft at:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

and then add a filter, select to filter by operation and set the filter value to be one of the registry operations that you suspect... I would suggest filtering by (RegSetValue) or could look for everything that has "Reg" in it. It is pretty straightforward, but it would be much more efficient if you knew when the suspicious process is accessing the registry.

2) regshot, available at:

http://sourceforge.net/projects/regshot/

RegShot can take a snapshot of your registry. Then once you suspect that something has taken place, you can take another snapshot and compare (diff) the two snapshots to see what changed.

I wish you good luck.

Ghassan
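The snapshot-and-compare workflow from step 2, as an added example that is not part of the original answer and not Regshot's own code: a small Python script that parses two `reg export` dumps of the suspect key and reports what was added, removed or modified between them. The two dumps here are constructed sample data with hypothetical key and value names, the "after" one standing in for the state once the key has been recreated.

```python
import re
from typing import Dict, List

# Constructed `reg export`-format samples (hypothetical names): a Regshot-style before/after pair.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updater"="C:\\Users\\me\\AppData\\Roaming\\sample_persist.exe"

[HKEY_CURRENT_USER\Software\SampleVendor]
@="recreated"
"""

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: raw data}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text: str) -> Snapshot:
    """Parse `reg export` text into a snapshot (hex continuation lines are not joined)."""
    snap: Snapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...] starts a key
            current = line[1:-1]
            snap.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            snap[current][name] = m.group(2)
    return snap

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[str]:
    """Regshot-style compare: one entry per key or value added, removed or modified."""
    changes: List[str] = []
    for key in sorted(set(before) | set(after)):
        if key not in before or key not in after:
            changes.append(f"key {'added' if key in after else 'removed'}: {key}")
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b or name not in a:
                changes.append(f"value {'added' if name in a else 'removed'}: {key}\\{name}")
            elif b[name] != a[name]:
                changes.append(f"value modified: {key}\\{name}")
    return changes
```

On a real machine, export the suspect key with `reg export` before and after the recreation, then feed both files to `parse_reg` and `diff_snapshots`; the reported values are what to filter on in Process Monitor to catch the writer.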