Faced with malware that won't disappear, I had to write an application to delete it, since deleting it while the malware is running won't do any good, as the malware will just write itself back to the location again.

The malware activated itself by writing a key to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

I remembered reading about MoveFileEx in the past, and knew that it can delete files on reboot. On my current system, I did not have any IDEs available, so I was thinking of downloading a freeware IDE when I suddenly remembered that I have the Microsoft .NET Framework on my system, and knew that there is a C# compiler there.

So I wrote a quick and dirty application to delete files and directories.

And here it is. To compile it, run either %windir%\Microsoft.NET\Framework\v2.0.50727\csc.exe or %windir%\Microsoft.NET\Framework\v3.5\csc.exe on DeleteOnReboot.cs, then run the resulting program like so:

DeleteOnReboot FullPathToFileName
DeleteOnReboot C:\TEMP\DeleteThis.exe

DeleteOnReboot.cs

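using System;
using System.IO;
using System.Runtime.InteropServices;

class MainClientApp
{
    // Flags accepted by MoveFileEx; only MOVEFILE_DELAY_UNTIL_REBOOT is used here.
    const int MOVEFILE_REPLACE_EXISTING = 1;
    const int MOVEFILE_COPY_ALLOWED = 2;
    const int MOVEFILE_DELAY_UNTIL_REBOOT = 4;
    const int MOVEFILE_WRITE_THROUGH = 8;

    // The Unicode entry point (MoveFileExW) is used so non-ANSI paths are not mangled.
    [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    static extern bool MoveFileEx(string AExistingFileName, string ANewFileName, int AFlags);

    public static void Main(string[] args)
    {
        if (args.Length == 0) return;
        string FileToDelete = args[0];
        if (File.Exists(FileToDelete) || Directory.Exists(FileToDelete))
        {
            // A null destination with MOVEFILE_DELAY_UNTIL_REBOOT queues a delete for the next restart.
            // This needs administrator rights, and a directory is removed only if it is empty at restart.
            if (MoveFileEx(FileToDelete, null, MOVEFILE_DELAY_UNTIL_REBOOT))
            {
                Console.WriteLine("{0} marked for deletion on reboot", FileToDelete);
            }
            else
            {
                // Report the failure instead of claiming success.
                int error = Marshal.GetLastWin32Error();
                Console.WriteLine("MoveFileEx failed for \"{0}\" (Win32 error {1})", FileToDelete, error);
            }
        }
        else
        {
            Console.WriteLine("File \"{0}\" doesn't exist.", FileToDelete);
        }
    }
}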
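
To confirm that the delete was actually queued before rebooting, the pending list can be read back from the registry value where Windows stores MoveFileEx delayed operations (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations). The following is an added example, not part of the original post; the file and class name ListPendingDeletes are made up for illustration, and it compiles with the same csc.exe.

```csharp
using System;
using Microsoft.Win32;

// Added example (hypothetical file name: ListPendingDeletes.cs).
class ListPendingDeletes
{
    const string SessionManager = @"SYSTEM\CurrentControlSet\Control\Session Manager";
    const string NtPrefix = @"\??\";

    // Strip the NT namespace prefix (and the "!" replace marker) for display.
    static string ToDosPath(string ntPath)
    {
        string p = ntPath.StartsWith("!") ? ntPath.Substring(1) : ntPath;
        return p.StartsWith(NtPrefix) ? p.Substring(NtPrefix.Length) : p;
    }

    public static int Main(string[] args)
    {
        string wanted = args.Length > 0 ? args[0] : null;   // optional path to look for
        string[] entries = null;
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SessionManager))
        {
            if (key != null)
                entries = key.GetValue("PendingFileRenameOperations") as string[];
        }
        if (entries == null || entries.Length == 0)
        {
            Console.WriteLine("Nothing is queued for the next restart.");
            return 1;
        }

        bool found = false;
        // The value holds (source, destination) pairs; an empty destination means delete.
        for (int i = 0; i < entries.Length; i += 2)
        {
            string source = ToDosPath(entries[i]);
            string dest = i + 1 < entries.Length ? entries[i + 1] : "";
            if (dest.Length == 0)
                Console.WriteLine("DELETE {0}", source);
            else
                Console.WriteLine("RENAME {0} -> {1}", source, ToDosPath(dest));
            if (wanted != null && string.Equals(source, wanted, StringComparison.OrdinalIgnoreCase))
                found = true;
        }
        if (wanted == null) return 0;
        Console.WriteLine(found ? "{0} is queued." : "{0} is NOT queued.", wanted);
        return found ? 0 : 2;
    }
}
```

Run it with no argument to list everything queued, or pass the same full path given to DeleteOnReboot to check for that one entry.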