As for me there is simple practical test if it’s worth cleaning up – does computer survive initial antivirus scan.

If it does – there isn’t likely to be issues that registry cleanup and such won’t fix.

If it doesn’t – likely system was harmed beyond simple fix (but there are typical exceptions that are easy to recognize and fix like blank desktop).

I hate to say this, because I love a technical challenge, but there’s a practical limit when dealing with malware-infected systems!

I mean, if this is a home system (maybe yours!), you might be comfortable spending several days in a heroic rescue attempt.

In a business environment (where time equals money), anything over a couple of hours would merit a complete format and rebuild. To lessen the impact, one would use a bootable rescue CD/DVD and backup the C:\User (or Document and Settings) folders first.

I am out of any more ideas without encountering such for myself and having hands on experience with the case.

Personally and in general I’d try to find anti-malware scanner that handles it or wrote something in AutoIt to loop through registry branch and nuke hijacks.

The last time I experienced this was yesterday on a system with XP. I really do see this problem every other day.

I need to find a quicker way of deleting 100′s of registry entries. Since I’m the one setting up my customers Anti-virus, I can go find the appropriate .exe and find them under the image file execution registry entry. I delete it and everything is good to go . The only problem is, if they change anti-viruses in the future, odds are there will be an .exe entry that will still exist for the new antivirus they choose. I just can’t sit there and delete 100′s of entried 1 by 1. The only thing I can do is attack the appropriate entries that will let the anti-virus I want to use work. (Most the time I’m putting MSE on machines. As I said before there are only 2 .exe I usually have to clear from this list to get MSE to work.)

Sorry, I had never encountered such situation (and I used Autoruns on countless computers).

I’d check if there is correct profile set in Autoruns and if it runs with admin permissions. Other than that my only guess is that registry might have corrupted security settings (nastiest malware does that) which prevent access.

I disagree. 100′s of anti-virus and other executables are hijacked and pointing to Svchost.exe

What I have been doing to get around this is just deleting the entries that were necessary for me to install MSE. (MsMpEng.exe and msseces.exe) There are too many entries for me to delete them all. I can’t select more than one at a time. So I scan down the list and get the obvious executables that stand out.

That tool you recommend above does not list ANY of these hijacked .exe I was hoping that tool would allow me to delete multiple registry entries quickly and in larger multiples than just 1 at a time.

A large percentage of the virus ridden computers I repair have this exact problem I mentioned.

Not all entries in that registry branch are image hijacks. Actually in practice very few (if any at all) of those hundreds of entries have anything to do with it.

Autoruns only shows those entries that matter – the ones with debugger parameter set, which is only case when executable or library is actually hijacked.

I have 100′s of items that I just can’t delete one by one. Although Autoruns seems like a helpful program, it doesn’t do what you say it does. At least not for me.

Thanks anyways.