Steven Phillips on 10 Jan 2010 17:25:38 -0800



Re: [PLUG] plug Digest, Vol 62, Issue 14


Sorry, I must not have been as clear as I thought I was. (hangs head)
Yes, I use a livedisk, Parted Magic, which loads completely into memory and then ejects the CD. It has low memory usage compared to Ubuntu and it seems to load on more machines than Ubuntu or Knoppix. That way, I can bypass Windows altogether and don't have to worry about fighting a compromised system. It's graphical, which is useful to me, as my Linux skills are not much to be proud of.
Steve


How?  Are you using a LiveCD of some sort?  Because as noted elsewhere I
can't get it to allow me to run anything.

Steve
 

 > What you need to do is clean out every temporary folder in
 > every user account, and all the contents of the temporary folders in
 > the windows folder.  Empty the prefetch folder too.

I have a batch file that does temp files, but it hard-codes the user
names IIRC and won't work under Ubuntu.  But that's easy enough to do in
bash.  Easier actually, as for;do;done is a real PITA in batch which is
why I just hardcoded mine.


Since it's for side jobs, I'm not really worried about scripting it. I clean it out using the PM file manager.
Steve

 


 > Check the hosts
 > file, because some variants will write an entry to a malevolent dns
 > server for all the popular search engines.

Yup, we tried to do that, that's how I found out that Notepad won't
work.  Start, run, cmd won't work either, BTW.  I didn't try
TaskMangler, File, New Task, but I suspect that won't work either.

I edit the hosts file using leafpad in PM. Hosts file locations:

XP Home: c:\windows\system32\drivers\etc\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts or c:\windows\system32\drivers\etc\hosts

Steve

 > Look for av2009 also.

Did Google for something similar since I was aware that it had
previously been called that, but I didn't find anything better than the
2010 ones.

 It comes under a number of different names. The infestations I normally see come from Facebook/Myspace, although the YouPorns of the world are rife with it too. It can drop differently named icons on the desktop as well.
Steve
 
 > Copy and paste everything into the editor between the x's making
 > regedit4 the top line.
 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 > REGEDIT4
 > [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
 > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[...]

Am I to assume that the leading '-' deletes the regkey?  If so, that is
really cool!  I've been creating *.reg files since the mid-1990's and I
never knew that!  (OTOH, did you know that regedit /s \some\regfile.reg
will do a *S*ilent import?)


 > If you can keep it from loading from all the temp folders, you can
 > clean it up fairly easily, it's just time consuming.

Yup, that's the trick.


 >
http://www.computing.net/answers/security/google-redirect-antivirus-2009/24977.html

Interesting.


 > http://www.2-spyware.com/remove-antivirus-2009.html

Yeah, that's the one I've been working from.


 > Download and install Malwarebytes Anti Malware from cnet.

I would, but as I mentioned it won't let me run *anything* so I doubt
it'll let me run that, even if I could download it from that infected
machine, which I can't.

Sure, I know what you're going through. That's why I do all of the prep work from Linux. On one machine I ended up putting fix.reg in the startup folder so it would load before Internet Antivirus did. Again, cleaning out the temp folders cripples it and gives you some time to work. Once you've done that and run fix.reg, you can get back to installing Malwarebytes.
Steve

 

 > download and install Windows Defender from Uncle Winkie's website
 > (M$), not because I have any confidence in its efficiency, but
 > because it offers an easy way to delete programs from starting up.
 > Much better than using msconfig.

Same issues as above.  I was planning on giving him StartupCPL (Google
for it) which is much more simple and less scary than the better
SysInternals AutoRuns.



Ditto the answer above.
Steve
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sun, 10 Jan 2010 09:02:36 -0800 (PST)
 > From: Edmond Rodriguez <erodrig_97@yahoo.com>
 >
 > I have helped with removing malware on a few machines.  It seemed to
 > me that once the executable was removed, the registry did not matter
 > so much, though it did need to be cleaned up.
[...]
 > So what is the danger if any, of using Linux to remove the
 > executables, then trying to reboot windows, and if it boots, using
 > the Windows tools to clean up the registry.

That was the original plan.  I just figured two things.  First, if it
was easy to do from Linux, I could do it myself rather than trying to
talk him through regedit over the phone.  Second, if I missed any exes,
but cleaned the registry so they never ran...


Before I forget, on one machine, there were literally hundreds of registry key entries for this, yet on another there were only five or six (go figure), which is why I did the housekeeping first. Gotta get rid of the files first.
Steve


 

Good point.  I'm not sure they have a firewall or anything.  I was going
to have him plug the PC directly into his Comcast cable modem, which
should work.  If not, then it gets sticky.  I had half-formed thoughts
of having him SSH into one of my servers, and then just doing SSH port
forwarding to allow me to tunnel back to his side.  There are other ways
to do it too, Google "reverse shell".



Chances are 50/50 that AV2010 has shut down automatic updates and the firewall by shutting down the service.
Just FYI,
Steve



 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 > Date: Sun, 10 Jan 2010 12:54:02 -0500
 > From: "Arthur S. Alexion" <arthur@alexion.com>
 >
 > some of these nasty extortion-ware programs keep hidden re-install
 > instructions in the registry so that removing the executable only
 > solves the problem until the next boot and auto reinstall.

I haven't read that this one does, but yeah, that was in the back of my
mind.


An emphatic "yes" on that, particularly if the user is running as an admin account.
Steve


 




------------------------------

Message: 5
Date: Sun, 10 Jan 2010 16:45:39 -0500
From: "John Karr" <brainbuz@brainbuz.org>
Subject: Re: [PLUG] Edit Windows Registry from Linux LiveCD?
To: "'Philadelphia Linux User's Group Discussion List'"
       <plug@lists.phillylinux.org>
Message-ID: <059301ca923e$40423970$c0c6ac50$@org>
Content-Type: text/plain;       charset="us-ascii"

If the hardware is still good, why not just reinstall the OS?

By the way when dealing with a badly infected computer that is what I
recommend over attempting a repair.


Well, that would be the voice of reason, wouldn't it? ;^)
There are a bunch of reasons why they don't want reinstalls, not wanting to buy another computer, not having backups, not having the original disks...
And since I work cheaper than Geek Squad, that's the route they generally want to go.


I hope my comments were helpful!
Steve
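An added example, not from this thread or from any poster: a small Python script that parses a REGEDIT4-format .reg file and lists what a silent `regedit /s` import would do, so the leading '-' key deletion asked about above (and the "name"=- value deletion) can be checked before a fix.reg is run on the infected box. The sample .reg text is constructed inline in the style of the quoted fix.reg; it assumes the file has already been read as text (Version 5.00 files are UTF-16 on disk) and does not handle hex continuation lines.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "action key name data")  # one action the import performs

# Constructed sample in the REGEDIT4 format quoted in the thread (not the poster's
# fix.reg). Backslashes are doubled inside string data, as regedit expects.
SAMPLE_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"=-
"Notepad"="C:\\Windows\\notepad.exe"
@="default value"
"""

# A value line: @=... (the key's default value) or "name"=..., escaped quotes allowed.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text):
    """Return the Entry actions a .reg file describes: 'delete_key' for [-KEY],
    'create_key' for [KEY], 'delete_value' for "name"=-, otherwise 'set_value'.
    Hex continuation lines are out of scope here and raise ValueError."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    entries, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):               # leading '-' deletes the whole key
                current = None
                entries.append(Entry("delete_key", key[1:], None, None))
            else:
                current = key
                entries.append(Entry("create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparsable line: %r" % raw)
        name = "@" if m.group(1) == "@" else m.group(2)
        if m.group(3) == "-":                     # "name"=- removes one value
            entries.append(Entry("delete_value", current, name, None))
        else:
            entries.append(Entry("set_value", current, name, m.group(3)))
    return entries
```

Run `parse_reg(open("fix.reg").read())` from the live disk and scan the returned list for any 'delete_key' entry outside the keys you meant to wipe before importing.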




___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug