<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re:  Cleaning mom&#x27;s machine remotely in Security</title>
<link>http://www.dslreports.com/forum/r20206552</link>
<description></description>
<language>en</language>
<pubDate>Fri, 25 Jul 2008 14:10:51 EDT</pubDate>
<lastBuildDate>Fri, 25 Jul 2008 14:10:51 EDT</lastBuildDate>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20227927</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : If you did not get it all cleaned off..best to look at this thread..my guess is that she still has more crap that came with that download.<br><br>Please Help! Msn Virus! <br><br>------------------------------------------------------------<br><br>The other day when I was on MSN messenger I got a virus from a contact. It's blocking certain sites and slowing down the computer. I did a McAfee search and nothing has come up. It disabled task manager and registry edit for me also. Here's the HTJ log:<br>&raquo;<A HREF="http://www.techsupportforum.com/security-center/hijackthis-log-help/134635-please-help-msn-virus.html" >www.techsupportforum.com/securit&middot;&middot;&middot;rus.html</A><br><br>F3 - REG:win.ini: load=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe<br>F3 - REG:win.ini: run=C:\WINDOWS\system32\jwsgmvkbz\winlogon.exe<br>F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,igxxgpb.exe<br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20227927</guid>
<pubDate>Wed, 26 Mar 2008 11:10:14 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20227820</link>
<description><![CDATA[<A HREF="/useremail/u/272914"><b>ccarlin</b></A> : Just went with the BartPE CD method.  I created one, sent it to her, and had her boot up with it, then just walked her thru (painfully slow) editing the registry entry.  I have no idea what virus it was other than it came via MSN and attached to winlogon via the registry.  It opens a port thru the MS firewall as well.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20227820</guid>
<pubDate>Wed, 26 Mar 2008 10:48:24 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20216860</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : If you really don't want to have her wipe the machine, there might be an easier path than talking her through BartPE.  There is an O'Reilly book called "Knoppix Hacks" that comes with a Knoppix boot CD inside the back cover.  Inside are step by step instructions on how to set up an SSH server in Knoppix (which only requires a few mouse clicks).  There are also instructions on how to download and install chntpw once you are running Knoppix.<br><br>She could boot the disk, make a few mouseclicks, and set up the server.  You could connect remotely, download and install chntpw and edit the registry with that.  I have seen the book at Fry's, or you could order it from any technical bookshop with next day delivery.  The price is $35.  There are two editions out, I have purchased both, and they have been well worth the investment.  The first edition included a boot CD, the second edition includes a boot DVD, so make sure she has a DVD reader before she gets a second edition.  Of course, if you are familiar with Knoppix, you could do the same without spending $35.<br><br>Chntpw is very powerful software, if you go that way, do be careful.   :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20216860</guid>
<pubDate>Mon, 24 Mar 2008 12:34:47 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20216474</link>
<description><![CDATA[<A HREF="/useremail/u/668609"><b>EGeezer</b></A> : Just out of curiosity, what virus(es) did she pick up? I had a friend with a recent infection that his SAV didn't pick up; it turned out to be a dropper and a bot/rootkit. I recommended a scratch and reload.  <br><small>--<br>Mayors of New York come from nowhere and go nowhere.<br>Wallace Sayre (apparently, so do governors... )</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20216474</guid>
<pubDate>Mon, 24 Mar 2008 11:21:17 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20216413</link>
<description><![CDATA[<A HREF="/useremail/u/272914"><b>ccarlin</b></A> : AVG Free Edition]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20216413</guid>
<pubDate>Mon, 24 Mar 2008 11:09:04 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20216382</link>
<description><![CDATA[<A HREF="/useremail/u/1303852"><b>zteardrop</b></A> : <div class="bquote"><small>said by  ccarlin :</small><br><br>Well, her antivirus picked it up eventually; it took a few days for the sig to get it.  But the cure was worse than the disease: it removed the file but left the entry in the registry in the userinit key.  So now when she starts the machine it just logs on then logs back off again. </div>Which antivirus is she using?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20216382</guid>
<pubDate>Mon, 24 Mar 2008 11:03:10 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20215917</link>
<description><![CDATA[<A HREF="/useremail/u/272914"><b>ccarlin</b></A> : Well, her antivirus picked it up eventually; it took a few days for the sig to get it.  But the cure was worse than the disease: it removed the file but left the entry in the registry in the userinit key.  So now when she starts the machine it just logs on then logs back off again.  So the only way to fix this is to edit the registry off-line.  I tried a Hiren's Boot CD but just couldn't get the registry editor to load.  So my next attempt will be getting her a BartPE CD with a registry editor on it.  <br><br>My sister got the same virus (from my mom) and I was able to walk her thru booting to a linux boot cd and renaming the file and copying the userinit.exe to the virus file name and rebooted and cleaned up successfully.  <br><br>I don't know much about the BartPE stuff but I am hoping if I build the CD from my machine (using my windows image) and send it to her she can use it on her machine.  Can anyone confirm this?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20215917</guid>
<pubDate>Mon, 24 Mar 2008 09:11:12 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20206552</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Since she got it via MSN then most likely these are the things you are looking for on those types of exploits..and the links will show you how others found them and cleared the problem.<br><br>&raquo;<A HREF="http://blogs.msdn.com/matt_pietrek/archive/2006/01/03/508862.aspx" >blogs.msdn.com/matt_pietrek/arch&middot;&middot;&middot;862.aspx</A><br><br>&raquo;<A HREF="http://forums.spybot.info/archive/index.php/t-6621.html" >forums.spybot.info/archive/index&middot;&middot;&middot;621.html</A><br><br>&raquo;<A HREF="http://www.castlecops.com/t144656-wmf_exploit_caused_winlogon_memory_leak.html" >www.castlecops.com/t144656-wmf_e&middot;&middot;&middot;eak.html</A><br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>Missing Kids<br> &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20206552</guid>
<pubDate>Sat, 22 Mar 2008 09:20:01 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20206527</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Does she know the name of the exploit? That would help. You need safe mode and some tools that will find it and kill it on the next reboot.<br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids &raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20206527</guid>
<pubDate>Sat, 22 Mar 2008 09:11:49 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20206441</link>
<description><![CDATA[<A HREF="/useremail/u/1181920"><b>trickyrick</b></A> : Try getting her to boot into safe mode with networking and see if LMI Rescue can get you in...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20206441</guid>
<pubDate>Sat, 22 Mar 2008 08:23:45 EDT</pubDate>
</item>

<item>
<title>Re:  Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20205853</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : In the past, I have just located the file and renamed it (like add xxx to end of name, progxxx.exe)<br>Then reboot, the program will not be found and will be unable to start. Windows usually just bypasses anything it doesn't find at startup. Then delete it. Works most of the time for me. <br>You can probably walk mom through this on the phone. Just explore to the file, right click and rename it. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20205853</guid>
<pubDate>Sat, 22 Mar 2008 00:41:51 EDT</pubDate>
</item>

<item>
<title> Cleaning mom&#x27;s machine remotely</title>
<link>http://www.dslreports.com/forum/remark,20205624</link>
<description><![CDATA[<A HREF="/useremail/u/272914"><b>ccarlin</b></A> : So no anti-virus software will detect or remove the annoying virus she picked up thru MSN.  One of those stupid click here and she ran some com file.  <br><br>Basically the Winlogon/Userinit key has a file added to it.  How can I remotely kill the process (it is attached to winlogon) and then remove the key/file?  The file is locked by winlogon (tried several unlock programs, didn't work).  And of course removing the key just gets it rewritten by the program over and over again.  If the machine was here I am sure I could just boot to safe mode, or to a live linux cd or hell even DOS and just nuke the file, but I am going thru logmeinrescue to try and clean this.<br><br>Any suggestions? (She lives several hundred miles away and is not very computer competent.)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20205624</guid>
<pubDate>Fri, 21 Mar 2008 23:43:24 EDT</pubDate>
</item>

</channel>
</rss>
