'Virus Protector' Removal

I came across an infection going by the name of "Virus Protector" today. It had taken over the Windows XP shell via:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

...replacing the value 'Explorer.exe' with its own executable (randomly generated filename) located under C:\Windows\system32\. It had also disabled the task manager via the registry at:


This combination left no entry point for online repair since even Safe Mode boots whatever shell the Winlogon refers it to.

I removed the hard drive and hooked it up to a diagnostic machine. I cleaned the temp files and ran a virus scan as a matter of course, but a certain methodology I used makes this article worth writing -- if only to me.

Guessing, at that time, that the Winlogon\shell value was the culprit I used LoadHive.exe to mount the software portion of the infected machine's registry located under C:\Windows\system32\config\.

Upon inspecting the Winlogon\shell value I found it redirected, (of course) but as I was accessing the registry offline now, correcting the corrupted key by editing the value at the registry wasn't the easiest solution. Instead, I made a copy of C:\Windows\explorer.exe, renamed it to match the name of the infection, and pasted it in place of the virus. This allowed me to boot the computer normally and continue the repair by unlocking the registry, which had also been disabled "by my Administrator." Thereafter I edited the Winlogon\shell's value back to its correct value of simply "Explorer.exe," thus defeating Virus Protector.

The End

P.S.: Pretty neat how you can close off a machine entirely just by hijacking the Winlogon\shell and disabling task manager, ain't it?

[ Update: Why didn't I just edit the Winlogon\shell value via Loadhive.exe, you ask? I have no good answer. I just got it in my head that Loadhive was a read-only tool. It's not. Changes made after a hive is loaded are written to the hive as they usually would be. So nevermind any of this, I guess. Just change the shell value when you're in regedit and be done with it. ]


Post a Comment