Wednesday, March 31, 2010

Malware hiding in Drivers?

This past week has been interesting. Malware writers have found a new method of hiding from the trusted malware removal tools. One of the symptoms is that Malwarebytes Anti-Malware cannot remove the little buggers, even in Safe Mode in Windows, because they are masquerading as DRIVERS. And because they load even in Safe Mode, the files are locked and cannot be edited or deleted. Here are some of the filenames that I've fought with recently:
aoyylw.sys
63fb6fa8
PnkBstrA  \___ PunkBuster
PnkBstrB  /
TSKNF400.sys
catchme

The only way I've found to get these little buggers cleared out is to:
  1. Boot from ERD Commander 2006+.
  2. Use the Administration Tools to load the Drivers and Services control panel.
  3. From there, you should be able to spot the offending drivers and change them to DISABLE.
  4. Then, while the Drivers and Services window is still open, use the Registry Editor to find the hive keys related to the files and delete them (always make a backup of the Registry FIRST).
  5. After the Registry is cleaned, close Drivers and Services, then open it again to ensure that they are no longer listed.
When you reboot to Windows in Safe Mode with Networking, you should be able to run Stinger (from http://www.mcafee.com/) or www.PandaSecurity.com/ActiveScan to find the remnants of the infected files, and clean them out manually.

From that point, you should be able to boot normally, and run your favorite AntiMalware program as a final check.
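The disable-then-delete procedure above is done by hand in ERD Commander. As an added example (not code from this post), here is a small Python script that does the first part of that triage offline: given a `.reg` export of the Services key (and of Control\SafeBoot\Minimal), it decodes each driver entry, normalizes ImagePath, and shortlists kernel drivers that load from outside system32\drivers, carry a hex-looking name, or are named under SafeBoot\Minimal (the key that lets a driver load in Safe Mode). The embedded export is constructed for the demo, reusing two of the file names from the post; the heuristics are my own assumptions about what is worth a second look, not anything the post specifies.

```python
r"""Offline triage of driver entries exported from a Windows registry.

Added example, not code from the original post. Assumes the analyst ran
  reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
(and the same for Control\SafeBoot\Minimal) on the offline system and
wants a shortlist of kernel drivers to inspect before disabling them.
SAMPLE_REG is a constructed export used here in place of a real file.
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
DRIVER_TYPES = {1, 2}   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
EARLY_START = {0, 1}    # boot-start, system-start: loaded before any user-mode tool

# Constructed sample: two suspicious entries (names taken from the post) and
# one ordinary driver. ImagePath is REG_EXPAND_SZ, which reg export writes as
# hex(2) UTF-16LE with backslash line continuations.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aoyylw]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,6f,00,79,00,79,00,6c,00,77,00,\
  2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\63fb6fa8]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\Temp\\63fb6fa8.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aoyylw]
@="Driver"
'''


def decode_value(data):
    """Turn the textual .reg encoding of one value into a Python value."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith(("hex(2):", "hex(7):")):          # REG_EXPAND_SZ / REG_MULTI_SZ
        octets = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return octets.decode("utf-16-le").rstrip("\x00")
    if data.startswith('"') and data.endswith('"'):      # REG_SZ, with .reg escaping
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data                                          # other types kept raw


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(data)
    return keys


def normalize_image_path(path):
    """Map the ImagePath spellings Windows accepts onto one lower-case form."""
    p = path.lower().strip('"')
    for prefix in ("\\??\\", "\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    p = re.sub(r"^[a-z]:\\windows\\", "", p)
    return p


def triage(reg):
    """Return {service_name: [reasons]} for kernel drivers worth a closer look."""
    # SafeBoot\Minimal subkeys are service names, driver file names or group
    # names; only the service-name form is matched here.
    safeboot = {k[len(SAFEBOOT_KEY) + 1:].lower()
                for k in reg if k.startswith(SAFEBOOT_KEY + "\\")}
    findings = {}
    for key, values in reg.items():
        if not key.startswith(SERVICES_KEY + "\\"):
            continue
        name = key[len(SERVICES_KEY) + 1:]
        if "\\" in name or values.get("Type") not in DRIVER_TYPES:
            continue   # Parameters/Enum subkeys and user-mode services are out of scope
        reasons = []
        image = values.get("ImagePath")
        if image is None:
            reasons.append("no ImagePath")
        elif not normalize_image_path(image).startswith("system32\\drivers\\"):
            reasons.append("image outside system32\\drivers: " + image)
        if re.fullmatch(r"[0-9a-f]{8,}", name.lower()):
            reasons.append("hex-looking service name")        # heuristic
        if name.lower() in safeboot:
            reasons.append("named in SafeBoot\\Minimal (permitted to load in Safe Mode)")
        if reasons and values.get("Start") in EARLY_START:
            reasons.append("boot/system start: image is in use before any tool runs")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in triage(parse_reg(SAMPLE_REG)).items():
        print(svc + ":\n  " + "\n  ".join(why))
```

On a real case, replace SAMPLE_REG with the contents of the two exports (reg export writes UTF-16 with a BOM, so open the files with `encoding="utf-16"`). The shortlist is a starting point for the manual steps above, not a verdict: compare it against a clean install before disabling anything, and take the registry backup first.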

One additional note: A couple of these pieces of malware seem to change the Permissions, and won't allow the MSCONFIG -> Startup entries to be changed cleanly or allow Windows Updates to load properly. If this happens, you can run Dial-A-Fix and select "Security", then "Reset Permissions". That should clear the rest. You may also need to run Dial-A-Fix to reinstall IE if you are having difficulty getting the browser to work properly.

Post a comment here if you have found any other helpful tricks...
