LeRoy on 10 Jan 2010 08:20:48 -0800



Re: [PLUG] Edit Windows Registry from Linux LiveCD?



JP Vossen wrote:
> A cousin has gotten "Internet Security 2010" and our initial t-shooting
> has failed.  The malware is still resident in Safe Mode, and it will not
> allow a DOS prompt, regedit or even notepad to run.  We tried: Start,
> Run, Notepad; Start, Progs, Accessories, Notepad; And browsing to
> C:\Windows and double-clicking notepad.exe.  All failed.
>
> So I'm going to have him burn an Ubuntu LiveCD, install SSH server and
> I'll SSH in and delete files per
> http://www.2-spyware.com/remove-internet-security-2010.html.  Something
> like (untested):
>
> mount /dev/sda1 /mnt	# Assuming his Windows XP is on /dev/sda1
> rm -rf /mnt/c
> rm -rf /mnt/Program?Files/InternetSecurity2010
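> # Group the -o tests and pass NUL-delimited names so paths containing
> # spaces (e.g. 'Internet Security 2010.lnk') reach rm as one argument each.
> find /mnt \( -iname 'IS2010.exe' \
>         -o -iname '41.exe' \
>         -o -iname 'winhelper86.dll' \
>         -o -iname 'winlogon86.exe' \
>         -o -iname 'winupdate86.exe' \
>         -o -iname 'Internet Security 2010.lnk' \) -print0 | xargs -0 echo rm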
> cd windows/system32/config/
> cp -av default  REG_BACKUP.default
> cp -av security REG_BACKUP.security
> cp -av software REG_BACKUP.software
> cp -av system   REG_BACKUP.system
> cp -av sam      REG_BACKUP.sam
>
>
> I'd also like to clean up the registry a bit, so any ideas how to do
> that from the LiveCD?  Various places found via Google suggest running a
> Windows-based third-party RegEdit tool under Wine, and this looks
> promising (worked in a VM anyway, though I didn't test writing):
>
> http://www.pcregedit.com/
> PCRegedit  is a Linux Live CD based, easy-to-use tool to create, delete,
> edit the windows registry key-values without booting from Windows.
>
>
> Any other ideas for cleaning up the malware?  (I haven't seen the PC but
> it's old, running XP, and he has no CDs for it; I suspect it's some old
> whitebox.  I doubt he updates it, and he was using IE and Outlook
> Express.  He did have Comcast's McAfee A/V on it.)
>

I have used with success NT Password from
http://pogostick.net/~pnh/ntpasswd/

It not only will remove forgotten passwords from the registry, but is a
full registry editor.

For keeping out malware, viruses, and other nasties that Windows seems to
be constantly contaminated with, I use Sunbelt Software.
http://www.sunbeltsoftware.com/
They will provide you with a 30 day free trial.

--
 Rev. LeRoy D. Cressy  mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <
                       Cell:   267-307-3527

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug