Quote
Not a REG expert but could a program (reg entry) be written through the registry to redownload a bad app and reexecute it?
In other words I delete a virus exe but get the exe back because of a reg entry that keeps retrieving the app?
Yes and No.
I started explaining how this could be done but realized what I was writing was something that I don't believe in making public (proof of concept exploits).
Yes, it is possible that an unpatched system (or with modified security settings) could be set to download and run code locally just by settings in the registry but an up to date system with the security settings set to default will at the least, warn you before doing anything like this.
EzPcFix is designed to show you all the places that apps can get loaded from so after removing a rootkit, you should run EzPcFix and find where it's getting started from.
Here's what I'm asking from anyone using this utility to find rootkits...
If a rootkit is found, run EzPcFix (from PE/ubcd4win) to see where it's getting started from.
If you can't find it with EzPcFix then do a search in the registry with EzPcFix running and your registry hives loaded and see where it's getting started from. If it's a location that EzPcFix isn't searching then I really, really need to know about it so I can update EzPcFix to look in that location.
Thanks,
Tom
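The check Tom describes (find where something is being started from by looking at the registry autostart locations) as an added example; this is not EzPcFix's code or part of the post above. It assumes an elevated PowerShell session and, for an offline system from PE/ubcd4win, that you have first loaded the hives with `reg load` under the names shown in the comments.

```powershell
# Added example, not EzPcFix code: list entries in common registry autostart
# locations so you can see where a program is being started from.
# Offline hives (assumed names): reg load HKLM\OffSoft D:\Windows\System32\config\SOFTWARE
#                                reg load HKLM\OffSys  D:\Windows\System32\config\SYSTEM
# then pass -SoftwareRoot 'HKLM:\OffSoft' -ServicesKey 'HKLM:\OffSys\ControlSet001\Services'
# (CurrentControlSet only exists on a booted system; check OffSys\Select for the current set).

function Get-AutostartEntries {
    param(
        [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
        [string]$UserRoot     = 'HKCU:\SOFTWARE',
        [string]$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    # Well-known Run keys: each value is a command line executed at logon
    $runKeys = @(
        "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Run",
        "$SoftwareRoot\Microsoft\Windows\CurrentVersion\RunOnce",
        "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
        "$UserRoot\Microsoft\Windows\CurrentVersion\Run",
        "$UserRoot\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
    # Winlogon Shell/Userinit normally point at explorer.exe / userinit.exe;
    # anything else appended here is worth a close look
    $winlogon = "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (Test-Path $winlogon) {
        $props = Get-ItemProperty $winlogon -ErrorAction SilentlyContinue
        foreach ($name in 'Shell', 'Userinit') {
            if ($props.$name) { [pscustomobject]@{ Location = $winlogon; Name = $name; Command = $props.$name } }
        }
    }
    # Services and drivers: ImagePath of every key under Services (rootkits often live here)
    if (Test-Path $ServicesKey) {
        foreach ($svc in Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue) {
            $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img) { [pscustomobject]@{ Location = $svc.PSPath; Name = $svc.PSChildName; Command = $img } }
        }
    }
}

Get-AutostartEntries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Compare the Command column against the file you removed; an entry pointing at a path that no longer exists, or at an unexpected location, shows where the program was being restarted from.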