My tricks for cleaning infections on XP
It's a good time to mention that one of my plans for this blog is to shoot for a middle ground. I'm not planning on describing computer topics for the basic user or the guru, but for folks who are fairly adept. Similarly, the flight topics assume that the reader either is a pilot, studying to be one, or maybe plays a lot of flight simulators.
The first thing that isn't immediately obvious about Windows, even if you work with it a lot, is that "System" is an authority level which is above "Administrator". "Administrator" is a little confusing since it is a default username as well as an authority level for users along with "Limited". The important bit is that a program or service running as "System" can override orders from Administrator.
Malware running as admin can promote itself to system, but scanning programs just run as the user that invoked them. As a security measure, the whole system authority isn't real hot.
PsExec by Mark Russinovich is described as a remote execution tool, and it does have many nifty features, but the cool part for us is that it lets you elevate your malware scanner to run as "System".
Personally, I have had the best luck with Spybot Search & Destroy. The batch file command I use to elevate and run Spybot S&D is simply:
C:\tekmoose\systernals\psexec\psexec -s -i "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
The first part is the full path to the psexec executable. Your path will probably differ.
[I have a whole suite of utilities I just copy into "C:\tekmoose" on every PC I work on -- it saves time if I find later I need this or that tool.]
-s runs command as "System"
-i runs interactively -- otherwise you can't see it or tell it what to do
And then finish with the full path to your malware scanner - quoted because of the spaces.
If you want to make it easier on the scanner, after you get it started, start the Task Manager and start killing extraneous processes. You can even kill Windows Explorer and the scanner will keep on chugging without being distracted by malware that wraps itself around Explorer.
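Added example (not part of the original post): a batch file that launches the scanner with the same psexec switches and then checks that it really is running as "System". It assumes the paths used in this post, an English-language XP Professional install (tasklist is not included in XP Home), and PsExec's -d switch, which returns without waiting for the program to exit.

```bat
@echo off
rem Added example, not the author's own batch file.
rem Paths are the ones used in this post; adjust them for your machine.
setlocal
set "PSEXEC=C:\tekmoose\systernals\psexec\psexec.exe"
set "SCANNER=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
set "IMAGE=SpybotSD.exe"

if not exist "%PSEXEC%" goto nopsexec
if not exist "%SCANNER%" goto noscanner

rem -s = run as System, -i = interactive, -d = do not wait for exit
"%PSEXEC%" -s -i -d "%SCANNER%"

rem Give the process a few seconds to appear (XP has no timeout command)
ping -n 4 127.0.0.1 >nul

rem tasklist /v lists the account each process runs under
tasklist /v /fi "IMAGENAME eq %IMAGE%" | find /i "NT AUTHORITY\SYSTEM" >nul
if errorlevel 1 goto notsystem

echo %IMAGE% is running as NT AUTHORITY\SYSTEM
exit /b 0

:nopsexec
echo PsExec not found at "%PSEXEC%"
exit /b 1

:noscanner
echo Scanner not found at "%SCANNER%"
exit /b 1

:notsystem
echo %IMAGE% is not running as System, or did not start
exit /b 1
```

If a copy of the scanner was already open under your own account, close it first so the check looks at the elevated copy.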
Other problems I've used psexec to overcome include:
A] Service Pack failing to install because of locked files
C:\tekmoose\systernals\psexec\psexec -s -i c:\tekmoose\xpsp2.exe
B] Locked out of task manager
c:\tekmoose\systernals\PsExec\psexec -s -i taskmgr.exe
C] Cannot save the needed change in regedit
c:\tekmoose\systernals\PsExec\psexec -s -i regedit.exe
The newest version of PsExec claims to work on Vista, but I haven't tried it. The older versions did not.