9

I'm dealing with a Windows 7 that has got a virus that starts immediately on startup, locking the screen. It also runs in safe mode (even with command prompt only). The only option is to switch the computer off by pressing and holding the power button.

The computer also has an Ubuntu installation, so Linux access is easy. I have been searching for a way to edit windows startup applications from Ubuntu, but with no success.

Is such a thing possible? I.e., how can I edit windows registry from Linux? If not possible, what other option do I have?


3 Answers

8

You can:

  • mount the Windows partition in Ubuntu
  • install chntpw:

    sudo apt-get install chntpw

This program will allow you to edit registry keys in Windows. You can then edit the following registry keys in order to change which programs start up in Windows.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

DISCLAIMER: Editing the registry on a Windows machine is risky. You can easily make the system inoperable if you edit the wrong keys.

  • 1
    Both answers don't indicate you should not be outright deleting those keys, just specific entries, malicious entries within them.
    – Ramhound
    Commented Jul 9, 2013 at 19:27
  • I was just pointing to the places where the information is stored. I never mentioned to delete the keys, only to 'edit' them.
    – Atari911
    Commented Jul 9, 2013 at 22:24
12

Boot from the Windows 7 CD.

Press Shift + F10. In cmd, run regedit.

Mount the registry hives from your HDD.

Remove startup items.

See also the analogous keys under \SOFTWARE\Wow6432Node\.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder
HKLM\Software\Microsoft\Windows\CurrentVersion\DeleteFiles
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Extensions
HKLM\Software\Microsoft\Windows\CurrentVersion\ExtShellViews
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage
HKLM\Software\Microsoft\Windows\CurrentVersion\RenameFiles
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

cmd AutoRun:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
AutoRun

Filesystem:

PowerShell autorun:

%ALLUSERSPROFILE%\Documents\Msh\profile.msh
%ALLUSERSPROFILE%\Documents\Msh\Microsoft.Management.Automation.msh_profile.msh

%USERPROFILE%\My Documents\msh\profile.msh
%USERPROFILE%\My Documents\msh\Microsoft.Management.Automation.msh_profile.msh

Init MS-DOS environment, 64-bit Windows:

%windir%\SysWOW64\AUTOEXEC.NT
%windir%\SysWOW64\CONFIG.NT

Init MS-DOS environment, 32-bit Windows:

%windir%\system32\AUTOEXEC.NT
%windir%\system32\CONFIG.NT

Later it will be possible to write a script to automatically remove trojans from the registry and file system ... + 7 days

//TODO: script ...

Measures to prevent virus activity

Disable the drive autorun command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
  • Nice, could you explain how to "Mount the registry hives from your HDD."?
    – terdon
    Commented Jul 9, 2013 at 18:01
  • Cool! Didn't know you can start a shell from the setup. How did you take screenshots of the setup, though?!
    – Shahbaz
    Commented Jul 9, 2013 at 21:27
  • @Shahbaz Virtualbox, Vmware player, Vmware workstation ... and other)
    – STTR
    Commented Jul 9, 2013 at 21:33
  • @sttr, haha, yeah I came to that conclusion after I wrote the comment. Thanks for the effort, but I'm contemplating whether I should accept the second answer, since while your solution solves my problem, the other answer is probably more fit for future visitors since it matches the question title.
    – Shahbaz
    Commented Jul 9, 2013 at 21:41
  • @Shahbaz Throw a coin)
    – STTR
    Commented Jul 9, 2013 at 21:45
0

DISCLAIMER: I haven't tried this since I don't use Windows, but it might work.

Windows startup programs are found in the folder C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (for user-specific startup programs) or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for global startup programs. Any program that has a shortcut in one of those folders will be started automatically.

I don't know if this is the only way to define startup programs (and rather suspect it isn't) but if you find a weird program name in there, it may well be your virus. Just delete it and try again. You can also remove all startup programs just in case.

Now, if your virus is running as a service this will not work since they are governed differently. Given that the virus also starts when booting into safe mode, this seems quite likely. Still it is probably worth a try.

  • 1
    Yeah, but that is almost always empty and very few programs install shortcuts there. There are a lot of applications that get themselves in startup (which can be seen for example through msconfig) and I doubt they present themselves as files other than their original .exe file.
    – Shahbaz
    Commented Jul 9, 2013 at 21:29
  • @Shahbaz yes, I didn't think it would be that easy...
    – terdon
    Commented Jul 10, 2013 at 4:16
  • easy when you can get in in the first place ;)
    – Shahbaz
    Commented Jul 10, 2013 at 8:21
  • @Shahbaz you can access the folders through Linux, if the virus had been there, it would have been easy to disable.
    – terdon
    Commented Jul 10, 2013 at 18:22
