James Barrett on 9 Jan 2010 18:31:25 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Edit Windows Registry from Linux LiveCD?

"chntpw", a GPL, linux-based utility:


this article states it is available in apt, package name is chntpw (easy enough)

I've only ever used the utility to change a forgotten password, and I
can say it works flawlessly for that. it also has a registry edit
function.  I've never used it for that, and can not attest to its
effectiveness or flawlessness.


James Barrett

On Sat, Jan 9, 2010 at 5:29 PM, JP Vossen <jp@jpsdomain.org> wrote:
> A cousin has gotten "Internet Security 2010" and our initial t-shooting
> has failed.  The malware is still resident in Safe Mode, and it will not
> allow a DOS prompt, regedit or even notepad to run.  We tried: Start,
> Run, Notepad; Start, Progs, Accessories, Notepad; And browsing to
> C:\Windows and double-clicking notepad.exe.  All failed.
> So I'm going to have him burn an Ubuntu LiveCD, install SSH server and
> I'll SSH in and delete files per
> http://www.2-spyware.com/remove-internet-security-2010.html.  Something
> like (untested):
> mount /dev/sda1 /mnt    # Assuming his Windows XP is on /dev/sda1
> rm -rf /mnt/c
> rm -rf /mnt/Program?Files/InternetSecurity2010
> find /mnt -iname 'IS2010.exe' \
>        -o -iname '41.exe' \
>        -o -iname 'winhelper86.dll' \
>        -o -iname 'winlogon86.exe' \
>        -o -iname 'winupdate86.exe' \
>        -o -iname 'Internet Security 2010.lnk' | xargs echo rm
> cd windows/system32/config/
> cp -av default  REG_BACKUP.default
> cp -av security REG_BACKUP.security
> cp -av software REG_BACKUP.software
> cp -av system   REG_BACKUP.system
> cp -av sam      REG_BACKUP.sam
> I'd also like to clean up the registry a bit, so any ideas how to do
> that from the LiveCD?  Various places found via Google suggest running a
> Windows-based third-party RegEdit tool under Wine, and this looks
> promising (worked in a VM anyway, though I didn't test writing):
> http://www.pcregedit.com/
> PCRegedit  is a Linux Live CD based, easy-to-use tool to create, delete,
> edit the windows registry key-values without booting from Windows.
> Any other ideas for cleaning up the malware?  (I haven't seen the PC but
> it's old, running XP, and he has no CDs for it, I suspect it's some old
> whitebox.  I doubt he updates it, and he was using IE and Outlook
> Express.  He did have Comcast's Macafee A/V on it.)
> Thanks,
> JP
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug