DOS based malware removal

Discussion in 'Software' started by Lockey, Jun 14, 2008.

  1. Lockey

    Lockey Private E-2

    Hello,

    This week I had a laptop that had a lot of malware. I wasn't able to log in to the system as I'd be immediately logged out, even in safe mode as Administrator. My first action was hooking up the HDD on another system to clean as much as I could: I deleted all temps and all files that were modified in the past week. After that I did a repair install and reactivated the system. This time I wasn't logged out, but Explorer wouldn't load, and Ctrl-Alt-Del didn't do anything. It just sat at a blue screen with the mouse. I was able to move the mouse, so the system wasn't locked up. I even tried a USB keyboard with no luck.

    I was trying to get programs like SDFix to run in DOS, but that didn't work. In the end, I had to image the HDD, format, and move all the My Documents and e-mail back to guarantee the system was up and running for the person the next day.

    What would work best in this type of situation? I doubt it will be the last I'll run into.
     
  2. dlb

    dlb MajorGeek

    Sometimes, it's all you can do to back up the docs, emails, favorites, etc. and format and reload. Some malware infections are beyond cleaning. I do lots of malware removal and occasionally a system is so messed up there's not a lot that can be done. However, booting to a remote CD (like a Bart's PE CD or the UBCD4Win) can be helpful. They have malware removal tools built in and you can manually explore the drive and delete files or back up files if needed. In your situation, it sounds like you were pressed for time and you did the best thing you could do. Even if you had been able to get the system booting up normally, it would have been difficult to really say the system was totally clean. I have 'cleaned' up some PCs that were totally infested only to have the active infections spring back to life after a couple of days... everything looked OK, but after a little while the malware came back to life.

    [dlb]
     
  3. Lockey

    Lockey Private E-2

    The problem I usually face is the customer having lost the software and product keys. I work in a shop dealing with multiple small private businesses/home users and usually the best solution is to remove the spyware. Formatting the system is almost always a last resort.

    I've had very few cases where the stuff regenerated outside the shop. Usually the customer goes back to the sites where he/she originally got infected, or does without an anti-virus program.
     
  4. dlb

    dlb MajorGeek

    This happens ALL the time, or they have a bootlegged Office, or they think Office is built in to XP, and after a format they see Office is gone and they go through the roof.
    This is usually not an issue, as you can usually extract the key using Bart's PE CD or the UBCD4Win; they have built-in key extractors (even though they don't work 100% of the time). And if the built-in extractors don't work, there's always ProduKey. You can run it from a floppy or flash drive, and if you launch it from the Run line using the "regfile" switch and point it to the SOFTWARE hive, it will read the product key for Windows and Office off of a slaved hard drive (or drive C: if you boot to a live PE disc like the UBCD4Win).
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Windows XP does not do DOS. There is no such thing in Windows anymore. You have a Command Console and a Recovery Console, both look like DOS; but they aren't.

    Tools like SDFix, ComboFix, SmitFraudFix, MGTools, and many others are WinBatch (Windows Batch) Files; and will not run in DOS. They use commands and implement features that are only available in Windows.

    Immediately being logged out of an account while logging in is because the wrong value is stored in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, "Userinit". This can be corrected by editing the registry using tools from either Bart's PE CD, UBCD4Win, or the Offline NT Password & Registry Editor boot disk/CD, if you know how to use it. The Userinit value on most systems should be "C:\WINDOWS\system32\userinit.exe"; it's case sensitive. Some OEM systems (Gateway, for one) don't use the default Microsoft install settings. So, your Userinit value could be something exotic like "C:\WINNT\system32\userinit.exe".

    Now, if you added a SATA drive and decided to load Windows on it, and make it your boot drive without first unplugging the IDE Drive, the drive letter of your Boot Drive would be F.
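    The check described in the post above (read the Winlogon "Userinit" value from an offline SOFTWARE hive and decide whether it still points at the legitimate userinit.exe) is easy to get wrong by hand because the legitimate value varies by drive letter and Windows root. The following script is an added example, not code from the thread or from any of the tools named in it; the sample Userinit strings it audits are constructed, and the hijacked entry reuses the made-up "jfkjkldjf.ini" filename mentioned later in the thread as a stand-in. It accepts any drive letter (a slaved drive may show up as F:) and either WINDOWS or WINNT as the root, and flags anything else, including extra comma-separated programs appended to the list.

    ```python
    import re
    from typing import List, Tuple

    # Constructed sample Userinit values, as they might be read out of an
    # offline SOFTWARE hive at Microsoft\Windows NT\CurrentVersion\Winlogon.
    # These are illustrations, not data taken from a real machine.
    SAMPLES = {
        "default":   r"C:\WINDOWS\system32\userinit.exe,",
        "winnt_oem": r"C:\WINNT\system32\userinit.exe",
        "slaved_f":  r"F:\WINDOWS\system32\userinit.exe,",
        "appended":  r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\jfkjkldjf.ini",
        "replaced":  r"C:\WINDOWS\system32\jfkjkldjf.ini",
        "missing":   "",
    }

    # A legitimate entry is <drive>:\<WINDOWS|WINNT>\system32\userinit.exe.
    # The drive letter is not fixed because an offline hive may come from a
    # slaved drive, and the root is not fixed because OEM installs used WINNT.
    _USERINIT_RE = re.compile(
        r"^[A-Za-z]:\\(WINDOWS|WINNT)\\system32\\userinit\.exe$", re.IGNORECASE
    )


    def split_userinit(value: str) -> List[str]:
        """Userinit is a comma-separated list of programs Winlogon launches.

        The default value carries a trailing comma, so empty entries are dropped.
        """
        return [p.strip() for p in value.split(",") if p.strip()]


    def audit_userinit(value: str) -> Tuple[bool, List[str]]:
        """Return (ok, findings) for one Userinit value.

        ok is True only when the value is exactly one legitimate userinit.exe
        entry; every deviation is reported as a finding so the technician can
        decide what to restore.
        """
        findings: List[str] = []
        entries = split_userinit(value)
        if not entries:
            findings.append("Userinit is empty; Winlogon will not start the shell")
            return False, findings
        for entry in entries:
            if not _USERINIT_RE.match(entry):
                findings.append(f"unexpected Userinit entry: {entry}")
        if len(entries) > 1:
            findings.append(f"{len(entries)} entries present; expected exactly one")
        return not findings, findings


    def audit_samples() -> dict:
        """Audit every constructed sample and return name -> (ok, findings)."""
        return {name: audit_userinit(value) for name, value in SAMPLES.items()}


    if __name__ == "__main__":
        for name, (ok, findings) in audit_samples().items():
            status = "OK " if ok else "BAD"
            print(f"{status} {name}: {SAMPLES[name]!r}")
            for f in findings:
                print(f"      - {f}")
    ```

    When you run this against a value copied out of a hive loaded with a PE disc or the Offline NT Password & Registry Editor, a "BAD" result with an "unexpected Userinit entry" finding is the case the post describes, and the fix is to set the value back to the single legitimate path for that machine's drive letter and Windows root.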
     
  6. Lockey

    Lockey Private E-2

    Thanks for the reply Shadow, I greatly appreciate it. I'll be adding that info to my notes.

    I was able to load the registry hives on the system that I did the scans on and had seen the key you specified was directed to a file something like jfkjkldjf.ini, and knew it was malware that screwed up the login process. After correcting it, the system still logged me out, and that's about the time the customer had asked to just format it and reinstall to use it over the weekend.

    I was looking at the UBCD4Win and am wondering about updating the virus definitions: will that require a new CD being burned for each update, or can the software just have the updated files on the system's HDD?
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is a thread about updating AV signatures on UBCD4WIN at their forums.

    http://ubcd4win.com/forum/index.php?showtopic=10424

    Essentially, if you want to include the latest defs as part of the UBCD4WIN you will have to create a new CD each time you update the AV defs.
     
  8. Lockey

    Lockey Private E-2

    Thank you for all the information. I'm sure this will come in very handy.
     
