Here is a new malware trick: booting the machine only to a command prompt. Because malicious software changes daily to stay ahead of antivirus programs, it has a one-day window in which to cause havoc, and the black hats are always two steps ahead. They probably know Windows better than the programmers at Microsoft do. This new trick is to boot into a command prompt and never load explorer.exe. Most programs that start at boot are loaded only when explorer.exe loads, and many antivirus real-time scanners and update routines are among them. By preventing that file from loading, the malware keeps the antivirus from updating, and an antivirus that does not update does not know about the new malware on the computer.

The fix is simple enough. First you need to remove the file that starts the malware. Try safe mode first. A newer trick of some malware, though, is to make the computer reboot immediately when it starts in safe mode, so you may need to boot from the Windows Vista/7/8 DVD and manually remove the file from the places malware likes to hide.

Once the malware is removed, open the registry editor, regedit.exe, and navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Look for the values Shell and ParseAutoexec. ParseAutoexec is probably set to 1, which is the default; you might want to change it to 0 so that autoexec.bat is not run by default. If you see a Shell value here, either delete it or change its data to explorer.exe; a per-user Shell value overrides the machine-wide one, and it is not present by default. If the Shell value is absent, Windows falls back to the machine-wide entry. Next, check that entry by navigating to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and make sure the Shell value's data is explorer.exe.

After that, run explorer.exe from the command prompt, and then do a full malware scan to clean out any remaining files.
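The registry checks above can be scripted so they are repeatable and so the same audit can be run across several machines before anything is changed. The following PowerShell script is an added example, not code from the original post: it reads the Winlogon Shell and ParseAutoexec values in both HKCU and HKLM, reports anything that departs from the defaults described above, and, only when the hypothetical -Fix switch is given, deletes the per-user Shell override, restores the machine-wide Shell to explorer.exe and sets the per-user ParseAutoexec to 0. It assumes it is run from an elevated PowerShell prompt on the cleaned machine.

```powershell
# Added example (not from the original post): audit, and optionally repair,
# the Winlogon Shell hijack the post describes.
# Usage:  .\Check-WinlogonShell.ps1          (report only)
#         .\Check-WinlogonShell.ps1 -Fix     (report and restore defaults)
# Assumption: run from an elevated prompt; -Fix is a switch defined here.
param([switch]$Fix)

# The two locations the post tells you to inspect. HKCU is checked first
# because a per-user Shell value, when present, overrides the HKLM one.
$winlogonPaths = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([string]$Path, [switch]$Fix)

    $hive  = $Path.Split(':')[0]
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Output "[WARN] ${hive}: Winlogon key not readable or missing"
        return
    }
    $shell = $props.Shell

    if ($hive -eq 'HKCU') {
        # No per-user Shell value exists by default; anything here is suspect.
        if ($null -eq $shell) {
            Write-Output "[OK]   ${hive}: no per-user Shell override"
        } else {
            Write-Output "[WARN] ${hive}: per-user Shell override present: '$shell'"
            if ($Fix) {
                Remove-ItemProperty -Path $Path -Name Shell
                Write-Output "       removed per-user Shell value"
            }
        }
    } else {
        # Machine-wide default is exactly 'explorer.exe'. A comma-separated
        # list such as 'explorer.exe,other.exe' also fails this comparison,
        # which is intended: Winlogon would launch every entry in the list.
        if ($shell -eq 'explorer.exe') {
            Write-Output "[OK]   ${hive}: Shell = explorer.exe"
        } else {
            Write-Output "[WARN] ${hive}: Shell = '$shell' (expected explorer.exe)"
            if ($Fix) {
                Set-ItemProperty -Path $Path -Name Shell -Value 'explorer.exe'
                Write-Output "       restored Shell to explorer.exe"
            }
        }
    }

    # ParseAutoexec: 1 is the default. The post recommends 0 in HKCU so that
    # autoexec.bat is not parsed at logon.
    if ($null -ne $props.ParseAutoexec) {
        Write-Output "[INFO] ${hive}: ParseAutoexec = $($props.ParseAutoexec)"
        if ($Fix -and $hive -eq 'HKCU' -and $props.ParseAutoexec -ne '0') {
            Set-ItemProperty -Path $Path -Name ParseAutoexec -Value '0'
            Write-Output "       set per-user ParseAutoexec to 0"
        }
    }
}

foreach ($p in $winlogonPaths) {
    Test-WinlogonShell -Path $p -Fix:$Fix
}
```

Run it once without -Fix and keep the output as a record of what was changed on the machine; the [WARN] lines are also the conditions worth alerting on if you monitor these two keys centrally, since a legitimate change to the Winlogon Shell value is rare on a workstation.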
