More along the lines of malware disinfection

I thought I would ask this considering the level of response I had on 
the last thread I started, in the hope that someone might suggest a 
technique for this problem.

When removing malware of one sort or another, I have had the situation 
quite a few times where a dodgy dll/exe couldn't be removed/renamed in 
normal or any safe mode, and attempts to remove its links from the 
registry to stop it from starting result in the malware recreating those 
links instantly (for example, a bit of malware inserts itself into the 
winlogon notify list).  Normally I will boot off the XP CD to the 
recovery console and rename the offending file(s) there, however, the 
Windows XP recovery console does not allow you into the "Documents and 
Settings" folder (access denied), and I have had it once or twice where 
a bit of malware is stored inside that directory structure and has full 
privs on the system.

On one occasion I tried inserting an extra command into the session 
manager's BootExecute key, just telling it to delete the file in 
question.  Admittedly I was hastily trying multiple strategies, so I 
don't know whether this particular strategy worked, but I doubt it did 
since the delete command is stored in cmd.exe.  Perhaps a batch file 
could have done it but I doubt that the BootExecute system would allow 
commands to spawn other processes.

Anyway, any ideas, as I probably will come up against this scenario again :)


--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/