
I have a computer with a virus. I've finally located one of the registries that is creating problems. If I change or delete the registry and then delete a particular process, it will recreate the registry key and subsequently the process.

Is there a way I can use this information to my advantage to determine what is recreating the registry? (And then banish it forever)

Thanks.

Meowbits

1 Answer

You can use: 1) Procmon, which is available for download from Microsoft at:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

and then add a filter, select to filter by operation and set the filter value to be one of the registry operations that you suspect... I would suggest filtering by (RegSetValue) or you could look for everything that has "Reg" in it. It is pretty straightforward, but it would be much more efficient if you knew when the suspicious process is accessing the registry.

2) Regshot, available at:

http://sourceforge.net/projects/regshot/

RegShot can take a snapshot of your registry. Then once you suspect that something has taken place, you can take another snapshot and compare (diff) the two snapshots to see what changed.

I wish you good luck.

Ghassan
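Both halves of the answer above (Procmon filtered on registry write operations, and a Regshot-style before/after snapshot diff) can be reduced to two small functions. The following is an added Python example, not code from the original post or from the Procmon/Regshot projects. It assumes Procmon's default CSV export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the event rows themselves are constructed, and the process names, PIDs and paths in them are invented for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# The column names match Procmon's default export; every event is invented.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","SUCCESS","Type: REG_SZ, Length: 20, Data: C:\\Users\\me\\OneDrive.exe"
"10:01:05.200","svchost.exe","800","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip","SUCCESS","Desired Access: Read"
"10:01:07.300","updater.exe","4321","RegCreateKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Write"
"10:01:07.310","updater.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Suspect","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\\Users\\me\\AppData\\Roaming\\x.exe"
"10:01:09.400","regedit.exe","5555","RegDeleteValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Suspect","SUCCESS",""
"10:01:09.900","updater.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Suspect","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\\Users\\me\\AppData\\Roaming\\x.exe"
"""

# Procmon operation names that modify the registry (reads are ignored so
# that ordinary lookups of the key do not drown out the writer).
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey",
             "RegDeleteValue", "RegRenameKey"}


def registry_writers(csv_text, key_substring, ops=WRITE_OPS):
    """Count (process name, PID) pairs that successfully performed a
    write-type registry operation on a path containing key_substring.
    This is the same question the Procmon filter in the answer asks,
    but evaluated offline over an exported trace."""
    needle = key_substring.lower()
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in ops:
            continue
        if needle not in row["Path"].lower():
            continue
        if row["Result"] != "SUCCESS":  # failed attempts did not recreate anything
            continue
        hits[(row["Process Name"], int(row["PID"]))] += 1
    return hits


def diff_snapshots(before, after):
    """Regshot-style comparison of two {value_path: data} snapshots.
    Returns (added, removed, changed); changed maps path -> (old, new)."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def snapshot_run_values():
    """Capture the HKCU Run values as a {name: data} dict (Windows only;
    winreg is imported lazily so the rest of the module runs anywhere).
    Take one snapshot, delete the suspect value, wait, take another, and
    feed both to diff_snapshots() to confirm it came back."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    hits = registry_writers(SAMPLE_PROCMON_CSV, "\\Run\\Suspect")
    for (proc, pid), n in hits.most_common():
        print(f"{proc} (PID {pid}) wrote the suspect key {n} time(s)")
```

In the constructed trace the top writer is `updater.exe` (PID 4321), which sets the value both before and immediately after `regedit.exe` deletes it, which is exactly the recreate-on-delete behaviour the question describes. The PID matters as much as the name: once you have it, the Procmon event's stack and image path tell you which binary to remove, and the snapshot diff confirms the key stays gone afterwards.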