Usually there will be another program in memory that will do so, but that program will be well hidden due to the registry, as you have said.
For that, there are 3 tools.
Hijackthis:
http://tinyurl.com/2vhrjo
Autoruns:
http://tinyurl.com/rnl5p
Process explorer:
http://tinyurl.com/y6nw5d
You must run Combofix and Smitfraudfix BEFORE running these programs mind you.
There are some nasty malware variants that disable the copying and pasting of files on any profile and will nuke the profile you’re working in.
So, you use Autoruns to determine which processes (roughly) have files running in them. In Autoruns, once it finishes its first scan, click Options up on the top, then click “Verify Code Signatures” and “Hide signed Microsoft entries.” You can now browse by section to see what starts up when the PC runs (Logon = standard startups in msconfig, Winlogon = in winlogon, LSA = Lsass, etc.). You should also double-check with Hijackthis.
Don’t fix ANYTHING until you have used process explorer.
In Process Explorer, hit CTRL + F to bring up a find menu. Search for the suspicious files (example: ohnoes.dll <- Yes, that exists). Find out which processes they are running in (most likely are explorer.exe, iexplore.exe, lsass.exe, winlogon.exe and svchost.exe). Programs and files that run in Process Explorer that are a deep purple are usually bad files (packed files). Just make sure they’re not one of your virus/spyware scanners.
Regardless, keep Hijackthis open while you perform these steps. In Process Explorer, right click on the program that is infected with the file. Left click on Properties. Finally, click on “Threads”. From there you should look for all signs of your suspicious file. Left click on them, then click on “Suspend” down below. That will keep it in stasis as long as too many of its friends aren’t running. Hunt down all malicious processes you can in this manner. If a CTRL + F search says a file is in a program but it’s not in the Threads view, that is not something to worry about.
Once everything is suspended, KILL THOSE MOTHER BUGGERS in Hijackthis.
Kill all the suspended threads in the processes in Process Explorer.
If ones are in Autoruns that are not in Hijackthis, right click on them and delete them there. Use a program like NotMyFault to cause a bluescreen, then shut your PC down. Load Windows back up and check for signs of infection to be sure. If there are none, reboot twice more to see if any symptoms come back. If not, you’re in the clear.
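As an added example (not part of the post above, and not Sysinternals code), the following PowerShell does by hand what the post's Autoruns step does with “Verify Code Signatures” and “Hide signed Microsoft entries”: it walks the Run/RunOnce keys (the “Logon” section), checks each image's Authenticode signature, and prints only the entries that are unsigned, invalidly signed, not signed by Microsoft, or pointing at a file that does not exist. It assumes an elevated PowerShell prompt on the machine being inspected.

```powershell
# Added example: rough manual equivalent of Autoruns' Logon view with
# "Verify Code Signatures" + "Hide signed Microsoft entries" enabled.
# Assumption: run as Administrator so HKLM and HKCU are both readable.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$cmd) {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\bar.exe -x
    if ($cmd -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return [Environment]::ExpandEnvironmentVariables(($cmd -split '\s+')[0])
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
        $image = Get-ImagePath ([string]$p.Value)
        # Entries whose file cannot be found (or is a bare name like
        # rundll32.exe) show up as FileMissing, as Autoruns would flag them.
        $sig = if ($image -and (Test-Path -LiteralPath $image)) {
            Get-AuthenticodeSignature -FilePath $image
        } else { $null }
        [pscustomobject]@{
            Key    = $key
            Name   = $p.Name
            Image  = $image
            Status = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer = if ($sig -and $sig.SignerCertificate) {
                         $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# "Hide signed Microsoft entries": drop validly signed images whose signer
# subject names Microsoft; what remains is the list to cross-check against
# HijackThis and Process Explorer before touching anything.
$entries |
    Where-Object { -not ($_.Status -eq 'Valid' -and
                         $_.Signer -match 'O=Microsoft Corporation') } |
    Format-Table Name, Status, Signer, Image -AutoSize
```

A valid non-Microsoft signature only means the publisher is who the certificate says; it does not make the entry safe, so the remaining rows still need the Process Explorer check the post describes.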