
Long story short, a program that shouldn't have been run on this machine has been, and it's created a naughty .sys file that is being loaded right after pci.sys (as determined by NBTLog.txt)

I've had a look at BCDEdit, EasyBCD and a number of Registry keys, but I can't seem to determine where winstart.exe actually gets the list of sys files to load from!

The sys file itself is running in high elevation and appears to be defeating all attempts to remove it; I could (probably should) make a Linux USB boot disc and use it to delete the sys file, but I'd really appreciate understanding the mechanics here.

((FWIW: the problem stemmed from a sibling running a Trainer for some game; he has been suitably chastised))

Russ Clarke

  • Also, I've found the critter in the Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KOCTISRST and its associated service; but the virus actually stops me from editing those keys. – Russ Clarke Nov 14 '10 at 21:21
  • Well, I appear to have removed the sys file by deleting it from a live CD; but I'd still love to know the answer to this problem! – Russ Clarke Nov 14 '10 at 22:36
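Added example, not part of the original question or either answer. The loader reads the boot-start driver list from HKLM\SYSTEM\CurrentControlSet\Services: every service key with Start = 0 is loaded by winload.exe, Start = 1 by the kernel during initialisation, in the sequence given by Control\ServiceGroupOrder (group order) and the Tag values within a group. The Enum\Root\LEGACY_* key mentioned in the comments is only the device node Plug and Play creates for such a driver; the service key is what puts it on the list. This PowerShell script reconstructs that load order and flags boot-start drivers a defender would examine first. It assumes an elevated session on the affected Windows 7 machine and that CurrentControlSet points at the control set the machine actually boots from.

```powershell
# Added example (not from the original post): enumerate boot/system-start kernel
# drivers in registry load order and triage the boot-start ones.
# Assumes: run as Administrator on Windows 7 or later; CurrentControlSet is the
# control set in use.

$cs = 'HKLM:\SYSTEM\CurrentControlSet'

# Groups load in the order listed in ServiceGroupOrder\List; drivers whose group
# is not listed load after all listed groups.
$groupOrder = @((Get-ItemProperty -Path "$cs\Control\ServiceGroupOrder").List)

function Resolve-DriverImage {
    param([string]$Name, $ImagePath)
    # Boot drivers frequently omit ImagePath; the loader then defaults to
    # %SystemRoot%\System32\drivers\<ServiceName>.sys
    if (-not $ImagePath) { return "$env:SystemRoot\System32\drivers\$Name.sys" }
    $p = [string]$ImagePath
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\foo.sys      -> C:\foo.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\sys...  -> C:\Windows\sys...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$drivers = foreach ($key in Get-ChildItem -Path "$cs\Services") {
    $svc = Get-ItemProperty -Path $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver (Win32 services are 16/32).
    # Start 0 = boot (loaded by winload.exe), 1 = system (loaded by the kernel at init).
    if (-not ($svc.Type -band 3)) { continue }
    if ($svc.Start -gt 1) { continue }
    $image = Resolve-DriverImage -Name $key.PSChildName -ImagePath $svc.ImagePath
    $rank  = [array]::IndexOf($groupOrder, [string]$svc.Group)
    $sig   = if (Test-Path -LiteralPath $image) {
                 (Get-AuthenticodeSignature -FilePath $image).Status
             } else { 'missing' }
    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $svc.Start
        Group     = $svc.Group
        GroupRank = if ($rank -lt 0) { 999 } else { $rank }
        Tag       = $svc.Tag
        ImagePath = $image
        Signature = $sig
    }
}

# Full load order, boot-start drivers first: this is the sequence ntbtlog.txt reports.
$drivers | Sort-Object Start, GroupRank, Tag |
    Format-Table Name, Start, Group, Tag, Signature, ImagePath -AutoSize

# Triage: boot-start drivers that are unsigned, missing on disk, or living
# outside System32\drivers. Compare this list against a known-clean machine.
$drivers | Where-Object {
    $_.Start -eq 0 -and (
        $_.Signature -ne 'Valid' -or
        $_.ImagePath -notlike "$env:SystemRoot\System32\drivers\*"
    )
} | Format-Table Name, Group, Signature, ImagePath -AutoSize
```

Two caveats when reading the triage output. On Windows 7, Get-AuthenticodeSignature does not consult catalog files, so many legitimate inbox drivers report NotSigned; the useful signal is a driver that appears on a boot-start list but not on a clean machine's, or one with an odd group or path. Secondly, a driver that filters file-system activity (as the one in the question did) can also interfere with registry edits from within the running system, which is why removing the service key and the file from offline boot media, as the asker eventually did, is the reliable route.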

2 Answers


I think COMMAND.COM is what you are looking for.

Check out: http://www.computorcompanion.com/LPMArticle.asp?ID=73 and http://en.wikipedia.org/wiki/COMMAND.COM for some good starter information.

unhappyCrackers1

  • Erm, nope, the virus had installed itself as a system driver and was prohibiting me from doing anything with the file, as it was scanning FS activity and failing if you tried to do anything with the .sys file. Running the MS-DOS command interpreter on an NTFS partition probably wasn't going to work! – Russ Clarke Dec 10 '10 at 12:35

The most dependable way to deal with malware on Windows is to reinstall everything. In large-scale IT deployments in which the operating system and applications are configured and installed using a disk image, it is a waste of time trying to manually "clean up" the system, especially because you will probably miss a place where the malware is hiding.

You might want to consider making a known clean disk image (as well as regular backups of data) to quickly recover from if despite all precautions, something happens in the future (not just because of malware but also because of hardware problems such as hard drive failures). Windows 7 includes a built-in backup tool capable of imaging to NTFS-formatted hard drives.

Set a password on your account, have your children use limited-privilege ("Standard") accounts, and ensure that any software installed is trustworthy and secure. For malware that does not use a local exploit to escalate privileges (recently, some have become publicly known), the infection should (in theory) be contained to that user account.

Even better, if possible, is to limit the running software to that on a whitelist. Windows 7 Enterprise and Ultimate editions include AppLocker, the successor to the Software Restriction Policy feature included in Windows XP Professional and Windows Vista Business.

PleaseStand
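Added example, not part of the answer above or of any Microsoft documentation. It puts two of the answer's recommendations into practice: checking who actually holds local administrator rights, and building an AppLocker allow-list from the software already installed in admin-writable locations, deployed in audit mode first so that nothing is blocked until the event log confirms the rules are right. It assumes Windows 7 Enterprise or Ultimate (where the AppLocker PowerShell module ships), an elevated session, and that the Application Identity service (AppIDSvc) is running so rules are evaluated. The Trainer.exe path is a constructed placeholder, not a real file on the asker's machine.

```powershell
# Added example (not from the answer). Assumes Windows 7 Enterprise/Ultimate with
# the AppLocker module, an elevated session, and AppIDSvc started.
Import-Module AppLocker

# 1. Sanity check for the "Standard accounts" advice: who is a local admin right now?
net localgroup Administrators

# 2. Inventory executables already installed in locations only administrators can write to.
$trusted = foreach ($dir in $env:ProgramFiles, $env:SystemRoot) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 3. Build allow rules: Publisher rules for signed files, Hash rules for unsigned ones.
#    -Optimize collapses per-file publisher rules into one rule per publisher.
$policyXml = New-AppLockerPolicy -FileInformation $trusted `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 4. Set every rule collection to AuditOnly so the first rollout only logs what
#    would have been blocked; a mistake here cannot lock anyone out.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = "$env:TEMP\applocker-baseline-audit.xml"
$policy.Save($policyPath)

# 5. Dry-run a download against the policy before applying it.
#    Constructed placeholder path; substitute any file you want to evaluate.
$candidate = "$env:USERPROFILE\Downloads\Trainer.exe"
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone
}

# 6. Apply locally. Event ID 8003 in the 'Microsoft-Windows-AppLocker/EXE and DLL'
#    log records executables that ran but would have been blocked; review those
#    for a while before changing EnforcementMode to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Publisher rules are preferable to hash rules because they survive software updates; hash rules must be regenerated whenever an unsigned program changes. Because the policy is derived from what is already installed, anything a Standard user later drops into a writable location (a Downloads folder, a temp directory) has no matching rule and is logged in audit mode or refused once enforcement is enabled, which is exactly the scenario the question describes.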