JP Vossen on 10 Jan 2010 13:29:38 -0800



Re: [PLUG] Edit Windows Registry from Linux LiveCD?


I will preface this by saying my cousin gave up and is going to BestBuy 
to see what they say or maybe to just replace the PC...  :-(  (Sigh, I 
know, but not my call...)

Having said that, I think this is still a useful thread, and I wanted to 
address a number of points.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sat, 09 Jan 2010 20:52:30 -0500
 > From: "Brian Vagnoni" <bvagnoni@v-system.net>
 >
 > What windows affliction do they have?

Windows XP, and as Art notes it is, in fact, installed on the hard 
drive.  Unfortunately.  :-)

All they do is email and web, so they are perfect candidates for Ubuntu, 
which I will demo next time I'm in S. Jersey.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sat, 9 Jan 2010 21:31:19 -0500
 > From: James Barrett <jadoba@jadoba.net>
--and-- From: "brent timothy saner" <brent.saner@gmail.com>
 >
 > "chntpw", a GPL, linux-based utility:
 > 	http://pogostick.net/~pnh/ntpasswd/

I've used the bootable versions of that to blank passwords (changing 
them has never worked for me) several times over the years, but I'd 
forgotten it was also an editor of sorts, and I hadn't known it was in 
the repos.  Nice!

Just tried it in a VM.  It's in Universe which is not in the stock 
/etc/apt/sources.list.  NBD.

chntpw -e /mnt/WINDOWS/system32/config/software
	cd Microsoft\Windows\CurrentVersion\Run
	ls

works.  Looks like it'd be clunky, and there is no command history, but 
I could work with it.  There is an "rdel <keyname>" (recursive del) 
command.  Scriptable as follows.

Interesting, this did not work as it complained that the key didn't 
exist, but it did since I'd just created it:
echo -e "rdel Microsoft\\Windows\\CurrentVersion\\Run\\JP1\nq\ny\n" \
   | chntpw -e /mnt/WINDOWS/system32/config/software


But this did work but shouldn't have, since I also created a value 
inside JP1:
echo -e "dk Microsoft\\Windows\\CurrentVersion\\Run\\JP1\nq\ny\n" \
   | chntpw -e /mnt/WINDOWS/system32/config/software

Pretty cool anyway.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sun, 10 Jan 2010 09:37:14 -0500
 > From: Steven Phillips <stevenclphillips@gmail.com>
 >
 > I've cleaned out about 6 or 8 boxes with this crap on it in recent
 > weeks.

How?  Are you using a LiveCD of some sort?  Because as noted elsewhere I 
can't get it to allow me to run anything.


 > What you need to do is clean out every temporary folder in
 > every user account, and all the contents of the temporary folders in
 > the windows folder.  Empty the prefetch folder too.

I have a batch file that does temp files, but it hard-codes the user 
names IIRC and won't work under Ubuntu.  But that's easy enough to do in 
bash.  Easier actually, as for;do;done is a real PITA in batch which is 
why I just hardcoded mine.

# UNTESTED, and will generate errors for missing stuff
# Note: the glob has to sit outside the double quotes or it is taken literally
# Directory names are case-sensitive on a Linux NTFS mount; match what is on disk
CDRIVE='/mnt'
WINDOWS="$CDRIVE/WINDOWS"
SETTINGS="$CDRIVE/Documents and Settings"
rm -rf "$CDRIVE"/temp/*
rm -rf "$WINDOWS"/temp/*
rm -rf "$WINDOWS"/prefetch/*
# $user is the full profile path here (e.g. "/mnt/Documents and Settings/Bob")
for user in "$SETTINGS"/*; do
     [ -d "$user" ] || continue
     rm -rf "$user/Local Settings/Temp"/*
     rm -rf "$user/Local Settings/Temporary Internet Files"/*
done

Did I miss anything?


 > Check the hosts
 > file, because some variants will write an entry to a malevolent dns
 > server for all the popular search engines.

Yup, we tried to do that, that's how I found out that Notepad won't 
work.  Start, run, cmd won't work either, BTW.  I didn't try 
TaskMangler, File, New Task, but I suspect that won't work either.


 > Look for av2009 also.

Did Google for something similar since I was aware that it had 
previously been called that, but I didn't find anything better than the 
2010 ones.


 > Copy and paste everything into the editor between the x's making
 > regedit4 the top line.
 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 > REGEDIT4
 > [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
 > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[...]

Am I to assume that the leading '-' deletes the regkey?  If so, that is 
really cool!  I've been creating *.reg files since the mid-1990's and I 
never knew that!  (OTOH, did you know that regedit /s \some\regfile.reg 
will do a *S*ilent import?)


 > If you can keep it from loading from all the temp folders, you can
 > clean it up fairly easily, it's just time consuming.

Yup, that's the trick.


 > http://www.computing.net/answers/security/google-redirect-antivirus-2009/24977.html

Interesting.


 > http://www.2-spyware.com/remove-antivirus-2009.html

Yeah, that's the one I've been working from.


 > Download and install Malwarebytes Anti Malware from cnet.

I would, but as I mentioned it won't let me run *anything* so I doubt 
it'll let me run that, even if I could download it from that infected 
machine, which I can't.


 > download and install Windows Defender from Uncle Winkie's website
 > (M$), not because I have any confidence in it's efficiency, but
 > because it offers and easy way to delete programs from starting up.
 > Much better than using msconfig.

Same issues as above.  I was planning on giving him StartupCPL (Google 
for it) which is much more simple and less scary than the better 
SysInternals AutoRuns.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sun, 10 Jan 2010 09:02:36 -0800 (PST)
 > From: Edmond Rodriguez <erodrig_97@yahoo.com>
 >
 > I have helped with removing malware on a few machines.  It seemed to
 > me that once the executable was removed, the registry did not matter
 > so much, though it did need to be cleaned up.
[...]
 > So what is the danger if any, of using Linux to remove the
 > executables, then trying to reboot windows, and if it boots, using
 > the Windows tools to clean up the registry.

That was the original plan.  I just figured two things.  First, if it 
was easy to do from Linux, I could do it myself rather than trying to 
talk him through regedit over the phone.  Second, if I missed any exes, 
but cleaned the registry so they never ran...


 > Getting a remote connection though is another matter, and very
 > complicated (windows remote desktop assistance) for anyone not
 > computer savvy  (the person being helped has to set permission to
 > allow remote connections, then all this invitation stuff, have to use
 > MSN messenger or attach invitations to email).

Not if I am doing it via SSH command line from the Ubuntu Live CD.  He 
types "sudo aptitude install openssh-server && ifconfig" into a terminal 
window and he's done.  (I find it a hell of a lot easier to tell someone 
what to type than to try to describe GUI operations over the phone.)


 > BTW, how does one deal with the port mapping of the router of a
 > person you are trying to help (when using something like ssh)?  I
 > guess there are some software tools, that maybe use STUN server (I
 > think that is the right word) like technology to punch through
 > routers.  Is there such software that one can install and run to
 > punch through a non port mapped router for using ssh?  Or that person
 > connects to you and opens a terminal for you on your machine (but you
 > have to explain how to do that).

Good point.  I'm not sure they have a firewall or anything.  I was going 
to have him plug the PC directly into his Comcast cable modem, which 
should work.  If not, then it gets sticky.  I had half-formed thoughts 
of having him SSH into one of my servers, and then just doing SSH port 
forwarding to allow me to tunnel back to his side.  There are other ways 
to do it too, Google "reverse shell".



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sun, 10 Jan 2010 12:54:02 -0500
 > From: "Arthur S. Alexion" <arthur@alexion.com>
 >
 > some of these nasty extortion-ware programs keep hidden re-install
 > instructions in the registry so that removing the executable only
 > solves the problem until the next boot and auto reinstall.

I haven't read that this one does, but yeah, that was in the back of my 
mind.


Thanks again to everyone!
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
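The hosts-file check Steven mentions, done offline from the LiveCD against the mounted Windows drive. This is an added example, not code from the thread; the mount path is an assumption matching the /mnt layout used above, and the list of watched search-engine domains is an assumption you should extend for your own environment.

```python
"""Flag hosts-file entries that pin well-known search engines.

Added example, not from the PLUG thread. Run it from the LiveCD against the
mounted Windows drive; the default path is an assumption for the /mnt layout
(XP keeps hosts under system32\\drivers\\etc).
"""
import sys

DEFAULT_PATH = "/mnt/WINDOWS/system32/drivers/etc/hosts"   # assumed mount point

# Domains the rogue-AV variants in the thread are said to redirect. A stock
# hosts file has no entry for any of these, so any entry is worth a look.
# The list itself is an assumption; extend it for your own environment.
WATCHED = ("google.com", "bing.com", "yahoo.com", "msn.com", "live.com", "ask.com")

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower().rstrip(".")

def suspicious_entries(text):
    """Return [(address, hostname)] for every watched domain or subdomain."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in WATCHED)]

# Constructed sample: a minimal hosts file plus two hijack lines.
SAMPLE = """# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed hijack
203.0.113.7     www.bing.com                # constructed hijack
127.0.0.1       ads.example
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    hits = suspicious_entries(text)
    for addr, name in hits:
        print(f"{addr:16} {name}")
    print(f"{len(hits)} suspicious entries")
```

Pass the real file as the first argument (e.g. the DEFAULT_PATH above) to scan the mounted drive instead of the built-in sample.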
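On the "[-KEY]" question: a leading '-' on a key in a .reg file does tell regedit to delete that key, and "name"=- deletes a single value. This added example (not from the thread) dry-runs a REGEDIT4 file and lists what importing it would delete or create, so a cleanup file can be checked before it goes in with regedit /s. The sample file is constructed after the ZoneMap snippet quoted above; the Run value name in it is made up.

```python
"""Dry-run a REGEDIT4 .reg file: list what importing it would delete or create.

Added example, not from the thread. regedit treats "[-KEY]" as "delete this
key" and "name"=- as "delete this value"; this shows a cleanup file's effect
before it goes in with regedit /s.
"""
import re

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def plan_reg_import(text):
    """Return [(action, key, value_name)] in file order; action is one of
    delete_key, create_key, delete_value, set_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4")
    plan, key, continued = [], None, False
    for raw in lines[1:]:
        line = raw.strip()
        if continued:                      # tail of a hex value wrapped with '\'
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:                              # group(1) is '-' for a deletion
            key = m.group(2)
            plan.append(("delete_key" if m.group(1) else "create_key", key, None))
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            plan.append(("delete_value" if data == "-" else "set_value", key, name))
            continued = data.endswith("\\")
    return plan

# Constructed sample modelled on the ZoneMap snippet; the Run value is made up.
SAMPLE = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleStartup"=-
"""

if __name__ == "__main__":
    for action, key, name in plan_reg_import(SAMPLE):
        print(f"{action:13} {key}" + (f" :: {name}" if name else ""))
```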