JP Vossen on 9 Jan 2010 14:29:51 -0800


[PLUG] Edit Windows Registry from Linux LiveCD?

A cousin has gotten "Internet Security 2010" and our initial t-shooting 
has failed.  The malware is still resident in Safe Mode, and it will not 
allow a DOS prompt, regedit or even notepad to run.  We tried: Start, 
Run, Notepad; Start, Progs, Accessories, Notepad; And browsing to 
C:\Windows and double-clicking notepad.exe.  All failed.

So I'm going to have him burn an Ubuntu LiveCD, install SSH server and 
I'll SSH in and delete files per  Something 
like (untested):

mount -t ntfs-3g /dev/sda1 /mnt	# Assuming his Windows XP is on /dev/sda1; ntfs-3g gives read-write
rm -rf /mnt/c
rm -rf "/mnt/Program Files/InternetSecurity2010"
# Group the -iname tests in \( \) so -type f and the action apply to every
# name, and use -print0 / xargs -0 because "Internet Security 2010.lnk"
# contains spaces.  Drop the "echo" once the list looks right.
find /mnt -type f \( -iname 'IS2010.exe' \
        -o -iname '41.exe' \
        -o -iname 'winhelper86.dll' \
        -o -iname 'winlogon86.exe' \
        -o -iname 'winupdate86.exe' \
        -o -iname 'Internet Security 2010.lnk' \) -print0 | xargs -0 echo rm
# Back up the registry hives before touching them.  Use the full path under
# the mount point; ntfs-3g is case-sensitive, so it may be WINDOWS or Windows.
cd /mnt/WINDOWS/system32/config/
cp -av default  REG_BACKUP.default
cp -av security REG_BACKUP.security
cp -av software REG_BACKUP.software
cp -av system   REG_BACKUP.system
cp -av sam      REG_BACKUP.sam

I'd also like to clean up the registry a bit, so any ideas how to do 
that from the LiveCD?  Various places found via Google suggest running a 
Windows-based third-party RegEdit tool under Wine, and this looks 
promising (worked in a VM anyway, though I didn't test writing):
PCRegedit is a Linux Live CD-based, easy-to-use tool to create, delete 
and edit Windows registry key-values without booting from Windows.

Any other ideas for cleaning up the malware?  (I haven't seen the PC but 
it's old, running XP, and he has no CDs for it, I suspect it's some old 
whitebox.  I doubt he updates it, and he was using IE and Outlook 
Express.  He did have Comcast's McAfee A/V on it.)

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
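Added example, not code from the original post or from PLUG: a POSIX shell 
script that does what the post sketches against a Windows volume mounted 
from the LiveCD, in a safer order.  It finds the system32\config directory 
case-insensitively (ntfs-3g is case-sensitive and the directory may be 
WINDOWS or Windows), refuses to go on unless all five hives were backed up, 
then lists the files named in the post and deletes them only when APPLY=1 
is set.  The mount point, backup directory and the make_fixture tree are 
assumptions; the file and directory names are the ones the post gives.

```shell
#!/bin/sh
# Added example, not code from the original post. Offline clean-up of a
# Windows XP volume mounted read-write from a Linux LiveCD, e.g.
#   mount -t ntfs-3g /dev/sda1 /mnt
# The file names are the ones the post lists for "Internet Security 2010";
# the mount point ($1) and backup directory ($2) are assumptions. Nothing is
# deleted unless APPLY=1 is set in the environment.

# Names the post associates with the infection (none contain spaces).
IOC_NAMES='IS2010.exe 41.exe winhelper86.dll winlogon86.exe winupdate86.exe'
# The desktop shortcut has spaces in its name, so it is added separately.
IOC_LNK='Internet Security 2010.lnk'

# Print the hive directory, <root>/<windows dir>/system32/config. ntfs-3g is
# case-sensitive and the directory may be WINDOWS, Windows or WINNT, so match
# the path case-insensitively instead of hard-coding it.
find_config_dir() {
    find "$1" -mindepth 3 -maxdepth 3 -type d -ipath '*/system32/config' | head -n 1
}

# Copy the five hives the post backs up into $2 as REG_BACKUP.<hive>.
# Fails if one is missing, so nothing gets edited without a backup.
backup_hives() {
    cfg=$1; dest=$2
    mkdir -p "$dest" || return 1
    for hive in default sam security software system; do
        src=$(find "$cfg" -mindepth 1 -maxdepth 1 -type f -iname "$hive" | head -n 1)
        [ -n "$src" ] || { echo "hive $hive not found in $cfg" >&2; return 1; }
        cp -a "$src" "$dest/REG_BACKUP.$hive" || return 1
    done
}

# Find (mode "list") or delete (mode "delete") files matching the indicators.
# The -iname tests are built into the positional parameters and wrapped in
# \( \) so -type f and the action apply to every alternative; -exec ... +
# avoids the word-splitting problem a plain xargs has with the .lnk name.
find_malware_files() {
    root=$1; mode=${2:-list}
    set --
    for n in $IOC_NAMES; do
        [ $# -eq 0 ] || set -- "$@" -o
        set -- "$@" -iname "$n"
    done
    set -- "$@" -o -iname "$IOC_LNK"
    if [ "$mode" = delete ]; then
        find "$root" -type f \( "$@" \) -exec rm -f {} +
    else
        find "$root" -type f \( "$@" \)
    fi
}

# The malware's own directory under Program Files (name from the post).
remove_malware_dir() {
    find "$1" -mindepth 2 -maxdepth 2 -type d \
        -ipath '*/program files/internetsecurity2010' -exec rm -rf {} +
}

# Whole procedure: hives first, then report, then (with APPLY=1) remove.
clean_volume() {
    root=$1; dest=$2
    cfg=$(find_config_dir "$root")
    [ -n "$cfg" ] || { echo "no system32/config under $root" >&2; return 1; }
    backup_hives "$cfg" "$dest" || return 1
    echo "files matching the indicators under $root:"
    find_malware_files "$root" list
    if [ "${APPLY:-0}" = 1 ]; then
        find_malware_files "$root" delete
        remove_malware_dir "$root"
    else
        echo "dry run; set APPLY=1 to delete"
    fi
}

# Constructed stand-in for the mounted XP volume, to exercise the functions
# without a real disk. Prints the directory it created.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/WINDOWS/system32/config" "$t/Program Files/InternetSecurity2010" \
             "$t/Documents and Settings/All Users/Desktop"
    for h in default sam security software system; do
        echo "$h" > "$t/WINDOWS/system32/config/$h"
    done
    echo x > "$t/WINDOWS/system32/winhelper86.dll"
    echo x > "$t/WINDOWS/system32/WinLogon86.exe"    # mixed case: -iname catches it
    echo x > "$t/Program Files/InternetSecurity2010/IS2010.exe"
    echo x > "$t/Documents and Settings/All Users/Desktop/$IOC_LNK"
    echo x > "$t/WINDOWS/system32/notepad.exe"       # legitimate; must survive
    printf '%s' "$t"
}

# On the real machine, as root, after mounting:
#   APPLY=1 ./cleanup.sh /mnt /root/regbackup
if [ -n "${1:-}" ]; then
    clean_volume "$1" "${2:-./regbackup}"
fi
```

Run it once without APPLY to see what would go, check the list against what 
the post names, then rerun with APPLY=1.  The backed-up hives are what you 
would hand to an offline registry editor (the chntpw package on Ubuntu has 
an interactive hive editor, chntpw -e) once the file deletion is done, so 
keep them until the machine boots cleanly.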