 ccarlin
join:2000-12-28 Deerfield, IL
moderated: March 21st, @11:46PM
| Cleaning mom's machine remotely
So no anti-virus software will detect or remove the annoying virus she picked up through MSN. One of those stupid "click here" things, and she ran some .com file.
Basically the Winlogon/Userinit key has a file added to it. How can I remotely kill the process (it is attached to winlogon) and then remove the key/file? The file is locked by winlogon (tried several unlock programs; didn't work). And of course removing the key just gets it rewritten by the program over and over again. If the machine was here I am sure I could just boot to safe mode, or to a live Linux CD, or hell, even DOS, and just nuke the file, but I am going through LogMeIn Rescue to try and clean this.
Any suggestions? (She lives several hundred miles away and is not very computer competent.) |
|
  anon101
@cox.net
| In the past, I have just located the file and renamed it (like add xxx to the end of the name, progxxx.exe). Then reboot; the program will not be found and will be unable to start. Windows usually just bypasses anything it doesn't find at startup. Then delete it. Works most of the time for me. You can probably walk mom through this on the phone. Just explore to the file, right click and rename it. |
|
 trickyrick
join:2005-03-31 UK | reply to ccarlin Try getting her to boot into safe mode with networking and see if LMI Rescue can get you in... |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| Does she know the name of the exploit? That would help. You need safe mode and some tools that will find it and kill it on the next reboot. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: March 22nd, @09:21AM
| reply to ccarlin Since she got it via MSN, most likely these are the things you are looking for on those types of exploits, and the links will show you how others found them and cleared the problem.
»blogs.msdn.com/matt_pietrek/arch···862.aspx
»forums.spybot.info/archive/index···621.html
»www.castlecops.com/t144656-wmf_e···eak.html -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
 ccarlin
join:2000-12-28 Deerfield, IL
| reply to ccarlin Well, her antivirus picked it up eventually; it took a few days for the sig to get it. But the cure was worse than the disease: it removed the file but left the entry in the registry in the Userinit key. So now when she starts the machine it just logs on, then logs back off again. So the only way to fix this is to edit the registry offline. I tried a Hiren's Boot CD but just couldn't get the registry editor to load. So my next attempt will be getting her a BartPE CD with a registry editor on it.
My sister got the same virus (from my mom) and I was able to walk her through booting to a Linux boot CD, renaming the file, copying userinit.exe to the virus's file name, rebooting, and cleaning up successfully.
I don't know much about the BartPE stuff, but I am hoping that if I build the CD from my machine (using my Windows image) and send it to her, she can use it on her machine. Can anyone confirm this? |
|
 zteardrop
join:2005-12-20 Brooklyn, NY
| said by ccarlin: Well, her antivirus picked it up eventually; it took a few days for the sig to get it. But the cure was worse than the disease: it removed the file but left the entry in the registry in the Userinit key. So now when she starts the machine it just logs on, then logs back off again. Which antivirus is she using? |
|
 ccarlin
join:2000-12-28 Deerfield, IL | AVG Free Edition |
|
  EGeezer Spring is here Premium join:2002-08-04 Central Ohio
| reply to zteardrop Just out of curiosity, what virus(es) did she pick up? I had a friend with a recent infection that his SAV didn't pick up; it turned out to be a dropper and a bot/rootkit. I recommended a scratch and reload. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... ) |
|
 mikenolan7 Premium join:2005-06-07 Torrance, CA
| reply to ccarlin If you really don't want to have her wipe the machine, there might be an easier path than talking her through BartPE. There is an O'Reilly book called "Knoppix Hacks" that comes with a Knoppix boot CD inside the back cover. Inside are step by step instructions on how to set up an SSH server in Knoppix (which only requires a few mouse clicks). There are also instructions on how to download and install chntpw once you are running Knoppix.
She could boot the disk, make a few mouse clicks, and set up the server. You could connect remotely, download and install chntpw, and edit the registry with that. I have seen the book at Fry's, or you could order it from any technical bookshop with next-day delivery. The price is $35. There are two editions out; I have purchased both, and they have been well worth the investment. The first edition included a boot CD, the second edition includes a boot DVD, so make sure she has a DVD reader before she gets a second edition. Of course, if you are familiar with Knoppix, you could do the same without spending $35.
chntpw is very powerful software; if you go that way, do be careful. |
|
 ccarlin
join:2000-12-28 Deerfield, IL
| Just went with the BartPE CD method. I created one, sent it to her, and had her boot up with it, then just walked her through (painfully slowly) editing the registry entry. I have no idea what virus it was, other than it came via MSN and attached to winlogon via the registry. It opens a port through the MS firewall as well. |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to ccarlin If you did not get it all cleaned off, best to look at this thread. My guess is that she still has more crap that came with that download.
Please Help! Msn Virus!
------------------------------------------------------------
The other day when I was on MSN Messenger I got a virus from a contact. It's blocking certain sites and slowing down the computer. I did a McAfee search and nothing has come up. It disabled Task Manager and Registry Editor for me also. Here's the HJT log: »www.techsupportforum.com/securit···rus.html
F3 - REG:win.ini: load=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igxxgpb.exe
-- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
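The persistence mechanism this whole thread is chasing (an extra executable appended to the Winlogon Userinit value, plus win.ini load=/run= entries) is easy to check mechanically once the values are in front of you. The following script is an added example written for this page; it is not code from any poster. It parses HijackThis-style F2/F3 lines of the shape quoted in the last post, flags anything beyond the Windows XP defaults, reports a "winlogon.exe" or "userinit.exe" living outside system32, and computes the clean Userinit value to write back. It also models the failure mode ccarlin hit (AV deleted the file, left the key): given a set of files known to exist, it reports Userinit entries that now point at nothing. Assumptions: XP-era defaults (C:\WINDOWS\system32\userinit.exe, with the trailing comma Windows stores), and that a bare file name in Userinit is resolved against system32; the sample log below is constructed, modelled on the lines quoted above.

```python
import ntpath
import re

# Windows XP defaults for the Winlogon values discussed in the thread (assumption).
# Winlogon stores Userinit with a trailing comma: "C:\WINDOWS\system32\userinit.exe,"
SYSTEM32 = r"C:\WINDOWS\system32"
DEFAULT_USERINIT = SYSTEM32 + r"\userinit.exe"
DEFAULT_SHELL = "Explorer.exe"

# HijackThis F2 (registry) / F3 (win.ini mapping) items, e.g.
#   F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,x.exe
LINE_RE = re.compile(
    r"^F[23]\s+-\s+REG:(?P<ini>win\.ini|system\.ini):\s*"
    r"(?P<name>[A-Za-z]+)=(?P<value>.*)$"
)


def split_entries(value):
    """Comma-separated autostart value -> list of non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def full_path(entry):
    """Bare file names are resolved against system32 (assumption; Winlogon's
    real search order also covers other directories)."""
    return entry if ntpath.dirname(entry) else ntpath.join(SYSTEM32, entry)


def check_userinit(value, present=None):
    """Compare a Userinit value with the default.

    Returns 'extras' (entries other than userinit.exe), 'dangling' (entries
    whose file is not in `present`, when a set of existing paths is given;
    this is the 'file deleted, key left behind' state from the thread) and
    'clean_value' (what to write back to the Userinit value).
    """
    entries = split_entries(value)
    extras = [e for e in entries
              if full_path(e).lower() != DEFAULT_USERINIT.lower()]
    dangling = []
    if present is not None:
        known = {p.lower() for p in present}
        dangling = [e for e in entries if full_path(e).lower() not in known]
    return {"entries": entries, "extras": extras,
            "dangling": dangling, "clean_value": DEFAULT_USERINIT + ","}


def check_ini_entry(ini, name, value):
    """Findings for one F2/F3 item."""
    findings = []
    key = name.lower()
    if key == "userinit":
        for e in check_userinit(value)["extras"]:
            findings.append(f"Userinit launches extra program: {e}")
    elif key in ("load", "run"):
        # win.ini load=/run= are empty on a clean machine; anything listed runs at logon.
        for e in split_entries(value):
            findings.append(f"win.ini {name}= launches: {e}")
    elif key == "shell":
        for e in split_entries(value):
            if e.lower() != DEFAULT_SHELL.lower():
                findings.append(f"Shell launches extra program: {e}")
    # A file named like a core system binary but living outside system32
    # is a masquerade, whatever value it was found in.
    for e in split_entries(value):
        p = full_path(e)
        if (ntpath.basename(p).lower() in ("winlogon.exe", "userinit.exe")
                and ntpath.dirname(p).lower() != SYSTEM32.lower()):
            findings.append(f"{ntpath.basename(p)} outside system32: {p}")
    return findings


def analyze(log_text):
    """Run the checks over every F2/F3 line in a HijackThis-style log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.extend(check_ini_entry(m["ini"], m["name"], m["value"]))
    return findings


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igxxgpb.exe
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print("write back:", check_userinit(
        r"C:\WINDOWS\system32\userinit.exe,igxxgpb.exe")["clean_value"])
```

The point of `clean_value` is the order of operations the thread arrives at the hard way: fix the Userinit value to the plain default (or, as ccarlin's sister's machine showed, leave a working userinit.exe copy at the name the value still references) before the referenced file disappears, otherwise Winlogon cannot start the user session and you get the logon/logoff loop described above.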