Regedit on externally connected malware infected HD

Sorry, wrong question.

This does sound like a good idea. I was looking at Bart's last night. I ran into an issue because I could not copy off the XP install files to the machine to create the bootable CD. I will try it with a different CD I have and see if that works.

That said, what I did since I didn't have a bootable CD was to pull the HD out, hook it up to a sata to usb drive connector and then plugged it in to my laptop as an external drive. This let me run antivirus and adware against it and clean most of the disk. The HD had "police pro" virus so there is also a registry entry I need to clean.  I want to fix it before I put the HD back in the PC it came from and boot from it so I was hoping there was a way to edit the ntuser.dat file while it is still connected to my PC.

Can you put the drive back into the original machine, put on the same network and use the 'connect network registry' from the regedit file menu on your good machine? or because you have cleaned the files on the dirty hard drives, hook the drive(s) back to the original machines and run a registry cleaner.

Start regedit,
- for any key under HKCU key: select HKEY_USERS in the left pane, choose "Load Hive" from the file menu, browse to the ntuser.dat in the respective user's profile folder.
- for any key under HKLM key: select HKEY_LOCAL_MACHINE in the left pane, choose "Load Hive" from the file menu, browse to %Systemroot%\system32\config (of the old drive, obviously); open "system" for HKLM\System, "software" for HKLM\Software

Enter any name for the key when asked (VIRUSFIX or whatever). Edit away.
Once you're done, highlight the key(s) you've added, and choose "Unload hive".

Since all you are trying to do is remove spyware, you could just end the svchost process that the service is running on and delete the executable or dll. You will need to see the PID in Task Manager (View - Select Columns) and Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx to know which process to end. If you were using Vista, a Services column would already exist with the PID associated with them.

The registry keys aren't the problem - it's the processes that are running (and they do re-create the registry keys!). But taking out the services will kill the spyware.  If you are unsure of the processes (because they are cryptic) just use Google to help. As the last step, you can go into Regedit and remove the keys.

Let me know how that works!

Dave

If the bad files have already been removed when you slaved the drive then you could try connecting the drive back and run scanners like MalwareBytes, Combofix etc to finish off leftovers.

The risk of removing the infection by slaving the drive is if there were nasties that hooks in the crucial location in the registry and the loading point was not removed might make the pc unbootable but it's just in those rare cases.

So you could try putting it back even though it's not thoroughly cleaned.

MalwareBytes:
http://www.malwarebytes.org/mbam.php

ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I was able to use parts of what each of you said. I tried the BARTs PE but it didn't work out for what I was doing. Slaving the drive worked out fine and I have done it many times before. You are right that there is always a risk but if you know the virus you are dealing with the risk is limited and cleaning the drive works well. Ultimately I was able to resolve the issues on the one system. The other system I had to rebuild because the damage from the spyware was too deep.

Ultimately what I was looking to do was clean up the registry as a slave drive and I did still do not see a true way to do that.  I think that Bart's PE is the closest answer to what I was looking for.

Thanks for everyone's assistance.