Edmond Rodriguez on 10 Jan 2010 09:02:41 -0800



Re: [PLUG] Edit Windows Registry from Linux LiveCD?


I have helped with removing malware on a few machines.  It seemed to me that once the executable was removed, the registry did not matter so much, though it did need to be cleaned up. But in my case, I was able to boot Windows from the very start.  

So what is the danger, if any, of using Linux to remove the executables, then trying to reboot Windows, and if it boots, using the Windows tools to clean up the registry?  Perhaps that is out of the question, since trying to boot never even got to the point of running the malware executable?

Getting a remote connection, though, is another matter, and very complicated (Windows remote desktop assistance) for anyone not computer savvy (the person being helped has to set permission to allow remote connections, then all this invitation stuff, have to use MSN Messenger or attach invitations to email).

BTW, how does one deal with the port mapping of the router of a person you are trying to help (when using something like ssh)?  I guess there are some software tools, that maybe use STUN server (I think that is the right word) like technology to punch through routers.  Is there such software that one can install and run to punch through a non port mapped router for using ssh?  Or that person connects to you and opens a terminal for you on your machine (but you have to explain how to do that). 

I have read in a few forums that Windows remote desktop assistance can punch through a non port mapped router (I have never tried it).  

With Windows, there are numerous online companies that offer remote desktop capabilities without router issues.  Some are free for non business use.  I just wonder which can be trusted (perhaps all of them) and are good and secure. 




----- Original Message ----
> From: JP Vossen <jp@jpsdomain.org>
> To: plug@lists.phillylinux.org
> Sent: Sat, January 9, 2010 5:29:29 PM
> Subject: [PLUG] Edit Windows Registry from Linux LiveCD?
> 
> A cousin has gotten "Internet Security 2010" and our initial t-shooting 
> has failed.  The malware is still resident in Safe Mode, and it will not 
> allow a DOS prompt, regedit or even notepad to run.  We tried: Start, 
> Run, Notepad; Start, Progs, Accessories, Notepad; And browsing to 
> C:\Windows and double-clicking notepad.exe.  All failed.
> 
> So I'm going to have him burn an Ubuntu LiveCD, install SSH server and 
> I'll SSH in and delete files per 
> http://www.2-spyware.com/remove-internet-security-2010.html.  Something 
> like (untested):
> 
> mount /dev/sda1 /mnt    # Assuming his Windows XP is on /dev/sda1
> rm -rf /mnt/c
> rm -rf /mnt/Program?Files/InternetSecurity2010
> # Parentheses group the -o chain so -print0 applies to every name;
> # -print0 / xargs -0 keep 'Internet Security 2010.lnk' (spaces) as one argument.
> find /mnt \( -iname 'IS2010.exe' \
>         -o -iname '41.exe' \
>         -o -iname 'winhelper86.dll' \
>         -o -iname 'winlogon86.exe' \
>         -o -iname 'winupdate86.exe' \
>         -o -iname 'Internet Security 2010.lnk' \) -print0 | xargs -0 echo rm
> # XP's directory is WINDOWS (upper case) and Linux is case-sensitive; use the full path
> cd /mnt/WINDOWS/system32/config/
> cp -av default  REG_BACKUP.default
> cp -av security REG_BACKUP.security
> cp -av software REG_BACKUP.software
> cp -av system   REG_BACKUP.system
> cp -av sam      REG_BACKUP.sam
> 
> 
> I'd also like to clean up the registry a bit, so any ideas how to do 
> that from the LiveCD?  Various places found via Google suggest running a 
> Windows-based third-party RegEdit tool under Wine, and this looks 
> promising (worked in a VM anyway, though I didn't test writing):
> 
> http://www.pcregedit.com/
> PCRegedit  is a Linux Live CD based, easy-to-use tool to create, delete, 
> edit the windows registry key-values without booting from Windows.
> 
> 
> Any other ideas for cleaning up the malware?  (I haven't seen the PC but 
> it's old, running XP, and he has no CDs for it, I suspect it's some old 
> whitebox.  I doubt he updates it, and he was using IE and Outlook 
> Express.  He did have Comcast's Macafee A/V on it.)
> 
> Thanks,
> JP
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
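The offline cleanup that JP sketches above (back up the registry hives, then find and delete the files named in the 2-spyware write-up) as a dry-run-by-default script. This is an added example, not JP's script or anything from the list; the file names are the ones in his message, the root directory is assumed to be an already mounted Windows volume (for example `/mnt` after `mount /dev/sda1 /mnt`), and the hive directory is located with `find -ipath` because XP's directory is `WINDOWS` and Linux is case-sensitive.

```shell
#!/bin/sh
# Offline malware cleanup helper (added example, not the original poster's code).
# Usage:  sh cleanup.sh /mnt          -> dry run, lists what would be removed
#         sh cleanup.sh /mnt delete   -> removes the listed files
# Assumes the Windows volume is already mounted read-write at the given root
# (e.g. "mount /dev/sda1 /mnt"; mount read-only first if you only want to look).

# Copy the XP registry hives to REG_BACKUP.* before anything else is touched.
# The hive directory is found case-insensitively; prints its path on success.
backup_hives() {
    root="$1"
    cfg=$(find "$root" -maxdepth 3 -ipath '*/windows/system32/config' -type d | head -n 1)
    [ -n "$cfg" ] || { echo "no windows/system32/config under $root" >&2; return 1; }
    for hive in default security software system sam; do
        f=$(find "$cfg" -maxdepth 1 -iname "$hive" -type f | head -n 1)
        [ -n "$f" ] || continue          # hive absent on this install, skip it
        cp -a "$f" "$cfg/REG_BACKUP.$hive"
    done
    echo "$cfg"
}

# Emit NUL-separated paths of files matching the indicator list from the
# thread. The \( ... \) grouping is required once an explicit action
# (-print0) is added; without it -print0 would bind only to the last -iname.
list_suspects() {
    root="$1"
    find "$root" \( -iname 'IS2010.exe' -o -iname '41.exe' \
        -o -iname 'winhelper86.dll' -o -iname 'winlogon86.exe' \
        -o -iname 'winupdate86.exe' -o -iname 'Internet Security 2010.lnk' \) \
        -type f -print0
}

# Back up hives, then either list (default) or delete the suspect files.
# xargs -0 keeps "Internet Security 2010.lnk" as a single argument; -r skips
# running rm when nothing matched.
cleanup() {
    root="$1"; mode="${2:-dry}"
    backup_hives "$root" >/dev/null || return 1
    if [ "$mode" = delete ]; then
        list_suspects "$root" | xargs -0 -r rm -f --
    else
        list_suspects "$root" | xargs -0 -r -n1 echo "would remove:"
    fi
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    cleanup "$@"
fi
```

Run it once without `delete` and read the list before running it again with `delete`; the hive copies land next to the originals so they can be put back from the LiveCD if Windows fails to boot afterwards.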
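Edmond's last option ("that person connects to you and opens a terminal for you on your machine") is exactly what a reverse SSH tunnel does, and it needs no port mapping on the helped person's router because the only connection is outbound. This is an added example, not something from the thread: the helper's host name and account (`helper.example.org`, `support`), the port 2222 and the LiveCD user `ubuntu` are placeholders, and the helper's own box is assumed to be reachable on port 22 from the Internet.

```shell
#!/bin/sh
# Reverse SSH tunnel for remote support (added example; names and ports are
# placeholders). The person being helped runs this on the LiveCD after
# starting sshd. ssh connects OUT to the helper's machine, which passes through
# a NAT router untouched, and asks that machine to listen on REMOTE_PORT and
# send anything arriving there back to the LiveCD's own sshd.

HELPER_HOST="${HELPER_HOST:-helper.example.org}"   # placeholder
HELPER_USER="${HELPER_USER:-support}"               # placeholder account on helper's box
REMOTE_PORT="${REMOTE_PORT:-2222}"                  # port that opens on the helper's box
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"              # sshd on the LiveCD
LIVECD_USER="${LIVECD_USER:-ubuntu}"                # default Ubuntu LiveCD account (assumption)

# Build the command the helped person runs.
#   -N                      no remote shell, only the forward
#   -R port:localhost:22    bind REMOTE_PORT on the helper's loopback, forward to local sshd
#   ExitOnForwardFailure    fail loudly instead of silently if the port is taken
#   ServerAliveInterval     keepalives so the router's NAT entry does not time out
build_tunnel_cmd() {
    remote_port="$1"; local_port="$2"; user="$3"; host="$4"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:localhost:%s %s@%s' \
        "$remote_port" "$local_port" "$user" "$host"
}

# What the helper then types on their own machine: the forwarded port is bound
# to loopback there, so "localhost" on the helper's side is the LiveCD.
helper_side_cmd() {
    printf 'ssh -p %s %s@localhost' "$1" "$2"
}

main() {
    cmd=$(build_tunnel_cmd "$REMOTE_PORT" "$LOCAL_SSH_PORT" "$HELPER_USER" "$HELPER_HOST")
    echo "Helped person runs:  $cmd"
    echo "Helper then runs:    $(helper_side_cmd "$REMOTE_PORT" "$LIVECD_USER")"
    eval "$cmd"
}

# Run only when executed as a script with an argument, so it can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

The helped person needs only the one command (and the helper's password or a key), which is a shorter explanation than Remote Assistance invitations; the port is bound to the helper's loopback, so nobody else on the Internet can reach the LiveCD through it.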